Criipto
  1. eIDs
  2. Danish MitID Erhverv

JWT/Token examples

MitID for company signatories

{
"identityscheme": "dkmitid",
Overall eID used to authenticate
"nameidentifier": "0f9960a0d28d4353a3e2ea07f8ffa185",
Legacy format of 'sub'
"sub": "{0f9960a0-d28d-4353-a3e2-ea07f8ffa185}",
Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
"uuid": "74ffcd31-fbaf-4c33-bdac-169f25c1e416",
Danish MitID Person-ID (a persistent pseudonym which the DK authorities can use to identify the person). For citizens, it identifies the natural person. For employees, it identifies the legal person.
"cprNumberIdentifier": "2101270087",
Danish SSN (CPR Nummer)
"birthdate": "1927-01-21",
"age": "93",
"name": "Ditlev Von Testesen",
"cvrNumberIdentifier": "12345678",
Danish Business Registry Number (CVR Nummer)
"2.5.4.10": "Testorganisation nr. 12345678",
Company Name
"companySignatory": "true",
Company signatories can enter legal agreements on behalf of the company (DK readers: Ledelsesrepræsentant/tegningsberettiget)
"country": "DK"
}

MitID Erhverv (MitID for business)

{
"identityscheme": "dkmitid",
Overall eID used to authenticate
"nameidentifier": "159d89fca2db4300a52ab7865f7b1ff3",
Legacy format of 'sub'
"sub": "{159d89fc-a2db-4300-a52a-b7865f7b1ff3}",
Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
"uuid": "3c6d9757-1e70-438a-8dd3-5f84398c2e25",
Danish MitID Person-ID (a persistent pseudonym which the DK authorities can use to identify the person). For citizens, it identifies the natural person. For employees, it identifies the legal person.
"cvrNumberIdentifier": "12345678",
Danish Business Registry Number (CVR Nummer)
"2.5.4.10": "Testorganisation nr. 12345678",
Company Name
"name": "Firstname Lastname",
"employee": "true",
"country": "DK",
"productionUnit": "1092738120",
P-number: production unit number; denotes the addresses where the company has employees and/or carries out economic activity
"ridNumberIdentifier": "8636770830",
Danish NemID Employee-ID (a persistent pseudonym representing a legal person)
"seNumber": "98202298"
SE-number: administrative unit an employee belongs to (in case a company runs different activities under the same legal entity)
}

The sub, nameidentifier and uuid values here will not be the same as for a corresponding citizen-MitID login, even if the user chose to use their personal MitID for login.

Request business logins

You can request a login in business context via the following acr_values: urn:grn:authn:dk:mitid:business.
Alternatively, you can send a login_hint=business or login_hint=business_optional query parameter in the authorize request.
This will allow company signatories and employees to log in to your site or application with their personal MitID or their dedicated employee MitID (depending on how they have been setup in MitID Ervherv).

login_hint=business will allow logging in as a business user.
login_hint=business_optional will give an option to choose to log in as a private individual, or a business user.

You can read more about the login_hint here.

You can determine which kind of option the user selected by inspecting the claim values in the JWT payload.

  • Employee logins will have an employee claim with value true.
  • Company signatory logins will have a companySignatory claim with value true.
  • Private logins will have neither of the above.

Test users

To test business logins with MitID Erhverv, you will start by creating a test organization and a test user, and then connect the test user to the organization as an employee.

Detailed instructions, along with a video demonstration, are provided below to guide you through the process.

Create test organization

  1. Go to the test organization creation page and fill in the form: https://testportal.test-devtest4-nemlog-in.dk/

  2. The wizard will generate an organization admin account with username/password credentials. The password is self-supplied, and the username is autogenerated.

  3. The organization admin can then log in with username and password in the "Test login" tab in the NemLog-in IdP (aka "EIA"): https://erhvervsadministration.test-devtest4-nemlog-in.dk/

Nemlog-in test login

  1. After you login with the organization admin user, you must explicitly enable the use of personal MitID (per organization) under Settings (Indstillinger => Identifikationsmidler).

Private MitID

Create test users

Manually create a test user in both:

Test users CAN HAVE the same user ID.
Test users MUST HAVE a CPR number, and it MUST BE the same in the 2 test-user creation tools listed above. When creating a test user with MitID Simulator, make sure to add a CPR number and check the Private MitID checkbox:

MitID Simulator form

In general, and most likely for MitID Erhverv production, CPR numbers are expected to be optional.

Connect user to organization as an employee

Please note: creating test users is a required step. The auto-generated admin user you created for a test organization CANNOT be used for employee login.

  1. Once the test users are created, the organization admin can create an employee in EIA.

When logged in as an admin user, you have the option to choose additional information to include when creating test users. For instance:

  • SE number (administrative unit a user belongs to)
  • P number (location a user is associated with)
  • RID (Resource Identification Number, can be used for linking to NemID)

This can be done under Settings (Indstillinger => Oprettelse af brugere):

Test Users Additional Info

If P and SE numbers are enabled for an organization after test users have been created, each user must be manually updated to get these values.
This is done by editing the user configuration section, under "Organisation":

Add P- and SE- numbers to users

  1. An activation link will be sent to the specified employee email. You can use your personal email for both the organization admin and the employee email.
    If you followed the steps correctly, your EIA dashboard will look something like this: EIA Success State

  2. If the organization admin has enabled use of personal MitID, the test employee can use their own test MitID for activation/onboarding, but a unique employee MitID username MUST BE specified during enrolment.

Video