Danish MitID Erhverv

JWT/Token examples

MitID for company signatories

{
  "identityscheme": "dkmitid", // Overall eID used to authenticate
  "nameidentifier": "0f9960a0d28d4353a3e2ea07f8ffa185", // Legacy format of 'sub'
  "sub": "{0f9960a0-d28d-4353-a3e2-ea07f8ffa185}", // Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
  "uuid": "74ffcd31-fbaf-4c33-bdac-169f25c1e416", // Danish MitID Person-ID (a persistent pseudonym which the DK authorities can use to identify the person). For citizens, it identifies the natural person. For employees, it identifies the legal person.
  "cprNumberIdentifier": "2101270087", // Danish SSN (CPR Nummer)
  "birthdate": "1927-01-21",
  "age": "93",
  "name": "Ditlev Von Testesen",
  "cvrNumberIdentifier": "12345678", // Danish Business Registry Number (CVR Nummer)
  "2.5.4.10": "Testorganisation nr. 12345678", // Company Name
  "companySignatory": "true", // Company signatories can enter legal agreements on behalf of the company (DK readers: Ledelsesrepræsentant/tegningsberettiget)
  "country": "DK"
}

MitID Erhverv (MitID for business)

{
  "identityscheme": "dkmitid", // Overall eID used to authenticate
  "nameidentifier": "159d89fca2db4300a52ab7865f7b1ff3", // Legacy format of 'sub'
  "sub": "{159d89fc-a2db-4300-a52a-b7865f7b1ff3}", // Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
  "uuid": "3c6d9757-1e70-438a-8dd3-5f84398c2e25", // Danish MitID Person-ID (a persistent pseudonym which the DK authorities can use to identify the person). For citizens, it identifies the natural person. For employees, it identifies the legal person.
  "cvrNumberIdentifier": "12345678", // Danish Business Registry Number (CVR Nummer)
  "2.5.4.10": "Testorganisation nr. 12345678", // Company Name
  "name": "Firstname Lastname",
  "employee": "true",
  "country": "DK",
  "productionUnit": "1092738120", // P-number: production unit number; denotes the addresses where the company has employees and/or carries out economic activity
  "ridNumberIdentifier": "8636770830", // Danish NemID Employee-ID (a persistent pseudonym representing a legal person)
  "seNumber": "98202298" // SE-number: administrative unit an employee belongs to (in case a company runs different activities under the same legal entity)
}

The sub, nameidentifier and uuid values here will not be the same as for a corresponding citizen-MitID login, even if the user chose to use their personal MitID for login.

Collecting CPR numbers (optional)

Business users (both employees and company signatories) may not always have CPR numbers associated with their profiles.

CPR numbers are also not required for accessing information about the business entities where the user holds a position as a signatory or an employee. Criipto relies on the user's UUID to retrieve this information from the MitID Erhverv API. Therefore, if you don't need CPR numbers in business logins, no additional configuration is required.

If you do require CPR numbers, you can collect them by enabling the two toggles in the management dashboard:

  • Add CPR for MitID logins
  • CPR Optional

[Image: CPR toggles]

When the "CPR Optional" toggle is enabled, a user will be prompted to provide their CPR number ONLY if the CPR number is registered in their profile. This feature can be useful in a scenario where you offer both MitID citizen logins and business logins, and require CPR numbers for the citizen logins.

Request business logins

You can request a login in business context via the following acr_values: urn:grn:authn:dk:mitid:business.
Alternatively, you can send a login_hint=business or login_hint=business_optional query parameter in the authorize request.
This will allow company signatories and employees to log in to your site or application with their personal MitID or their dedicated employee MitID (depending on how they have been set up in MitID Erhverv).

login_hint=business will allow logging in as a business user.
login_hint=business_optional will give an option to choose to log in as a private individual, or a business user.

You can read more about the login_hint here.

You can determine which kind of option the user selected by inspecting the claim values in the JWT payload.

  • Employee logins will have an employee claim with value true.
  • Company signatory logins will have a companySignatory claim with value true.
  • Private logins will have neither of the above.
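A server-side check built on these claims, as an added example (not from the original page and not Criipto's code). It assumes the token's signature, issuer, audience and expiry were already verified; authorizeBusinessLogin and its options expectedCvr and requireSignatory are hypothetical names, and it goes one step beyond classification by also comparing the CVR claim with the company the application expects:

```javascript
// Added example. Input: the payload of an id_token that a JWT library has
// ALREADY verified (signature, issuer, audience, expiry).
const isTrue = (v) => v === true || v === "true"; // samples use the string "true"; boolean accepted too (assumption)

// Map the claims listed above to a login kind.
function classifyLogin(claims) {
  if (isTrue(claims.companySignatory)) return "companySignatory";
  if (isTrue(claims.employee)) return "employee";
  return "private";
}

// Hypothetical policy helper: may this login act on behalf of a company?
// opts.expectedCvr: CVR the application expects; opts.requireSignatory: signatories only.
function authorizeBusinessLogin(claims, opts = {}) {
  if (claims.identityscheme !== "dkmitid") {
    return { ok: false, reason: "unexpected identityscheme" };
  }
  const kind = classifyLogin(claims);
  if (kind === "private") {
    // With login_hint=business_optional the user may choose a private login.
    return { ok: false, kind, reason: "private login, no company context" };
  }
  const cvr = String(claims.cvrNumberIdentifier ?? "");
  if (!/^\d{8}$/.test(cvr)) {
    return { ok: false, kind, reason: "missing or malformed CVR claim" };
  }
  if (opts.expectedCvr && cvr !== opts.expectedCvr) {
    // A prefilled CVR is only a request parameter; the token claim decides.
    return { ok: false, kind, reason: "CVR does not match expected company" };
  }
  if (opts.requireSignatory && kind !== "companySignatory") {
    return { ok: false, kind, reason: "signatory required" };
  }
  // Key the account on sub; it differs from the same user's citizen-login sub.
  return { ok: true, kind, cvr, subject: claims.sub };
}

// Constructed inputs, trimmed from the sample payloads on this page.
const signatoryToken = { identityscheme: "dkmitid", sub: "{0f9960a0-d28d-4353-a3e2-ea07f8ffa185}", cvrNumberIdentifier: "12345678", companySignatory: "true" };
const employeeToken = { identityscheme: "dkmitid", sub: "{159d89fc-a2db-4300-a52a-b7865f7b1ff3}", cvrNumberIdentifier: "12345678", employee: "true" };
const privateToken = { identityscheme: "dkmitid", sub: "{constructed-private-sub}" };
```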

Prefill VAT ID (CVR number)

If you already have an expectation of which company the user will log in on behalf of, you can prefill the VAT ID (CVR number) to limit their selection choice (if multiple roles in the same company) or skip the company selector altogether.

  • When activating MitID Erhverv via acr_values (urn:grn:authn:dk:mitid:business): login_hint=vatid:DK<CVR>
  • When activating MitID Erhverv via login_hint: login_hint=business vatid:DK<CVR>
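Building the authorize request for the business-login options above (acr_values, login_hint and the CVR prefill), as an added example that is not Criipto's code. The endpoint URL, client_id and redirect_uri are placeholders, buildAuthorizeUrl and vatHint are hypothetical names, and response_type, scope, state and nonce are the standard OpenID Connect parameters:

```javascript
// Added example. AUTHORIZE_ENDPOINT is a placeholder; use your own tenant's
// authorize endpoint, client_id and redirect_uri.
const AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize";
const BUSINESS_ACR = "urn:grn:authn:dk:mitid:business";

// A CVR number is 8 digits; reject anything else before it reaches the URL.
function vatHint(cvr) {
  if (!/^\d{8}$/.test(cvr)) throw new Error("CVR must be exactly 8 digits");
  return "vatid:DK" + cvr;
}

// mode: "acr" | "business" | "business_optional"
// state and nonce must be fresh, unpredictable values generated per request
// by the caller and checked again when the response comes back.
function buildAuthorizeUrl({ mode, cvr, clientId, redirectUri, state, nonce }) {
  const p = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    nonce,
  });
  if (mode === "acr") {
    p.set("acr_values", BUSINESS_ACR);
    if (cvr) p.set("login_hint", vatHint(cvr));
  } else if (mode === "business") {
    // Prefill form shown on the page: "business vatid:DK<CVR>".
    p.set("login_hint", cvr ? "business " + vatHint(cvr) : "business");
  } else if (mode === "business_optional") {
    // The page documents the prefill only for business logins.
    if (cvr) throw new Error("CVR prefill is not documented for business_optional");
    p.set("login_hint", "business_optional");
  } else {
    throw new Error("unknown mode: " + mode);
  }
  return AUTHORIZE_ENDPOINT + "?" + p.toString();
}
```

URLSearchParams percent-encodes the hint, so the space in "business vatid:DK<CVR>" travels safely in the query string.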

Test users

To test business logins with MitID Erhverv, you will start by creating a test organization and a test user, and then connect the test user to the organization as an employee.

Detailed instructions, along with a video demonstration, are provided below to guide you through the process.

Create test organization

  1. Go to the test organization creation page and fill in the form: https://testportal.test-devtest4-nemlog-in.dk/

  2. The wizard will generate an organization admin account with username/password credentials. The password is self-supplied, and the username is autogenerated.
    You can then follow the "Link til MitID Erhverv - IntTest" link to log in as the organization admin:

[Image: Nemlog-in test login]

  3. Open the "Test login" tab and log in as the organization admin with username and password.

[Image: Nemlog-in test login]

  4. After you log in with the organization admin user, you will have access to the NemLog-in IdP (aka "EIA"): https://erhvervsadministration.test-devtest4-nemlog-in.dk/. There, you must explicitly enable the use of personal MitID (per organization) under Settings (Indstillinger => Identifikationsmidler).

[Image: Private MitID]

Create test users

Manually create a test user in both:

Test users CAN HAVE the same user ID. Test users MUST HAVE a CPR number, and it MUST BE the same in the 2 test-user creation tools listed above. When creating a test user with MitID Simulator, make sure to add a CPR number and check the Private MitID checkbox:

[Image: MitID Simulator form]

In general, and most likely for MitID Erhverv production, CPR numbers are expected to be optional.

Connect user to organization as an employee

Please note: creating test users is a required step. The auto-generated admin user you created for a test organization CANNOT be used for employee login.

  1. Once the test users are created, the organization admin can create an employee in EIA.

When logged in as an admin user, you have the option to choose additional information to include when creating test users. For instance:

  • SE number (administrative unit a user belongs to)
  • P number (location a user is associated with)
  • RID (Resource Identification Number)

This can be done under Settings (Indstillinger => Oprettelse af brugere):

[Image: Test Users Additional Info]

If P and SE numbers are enabled for an organization after test users have been created, each user must be manually updated to get these values.
This is done by editing the user configuration section, under "Organisation":

[Image: Add P- and SE- numbers to users]

  2. An activation link will be sent to the specified employee email: follow the link to log in as an employee. You can use your personal email for both the organization admin and the employee email.
    If you don't receive the activation email, you can log in to EIA as an employee using the MitID tab. (You'll need to log out of your EIA admin account first, or use a different browser.)
    If you followed the steps correctly, your EIA dashboard will look something like this: [Image: EIA Success State]

  3. If the organization admin has enabled use of personal MitID, the test employee can use their own test MitID for activation/onboarding, but a unique employee MitID username MUST BE specified during enrolment.

Video