eIDs
Learn more about Danish NemID token contents, how to create test users and how to gain access to production.
Also, you may additionally opt in to having an address lookup enabled. This will add the following property to the payload:
Existence of this field is not guaranteed, even if you have opted in to lookup.
No social security number in this case, but the combination of cvrNumberIdentifier and ridNumberIdentifier identifies the legal person corresponding to the login.
For personal NemID test users, you may create them at https://appletk.danid.dk/testtools. Log in with username oces and password nemid4all. Don't worry about the message about not being supported.
First, note that you can search out already created test users by filling out the search field at the top of that page. This may be convenient if you've lost the link to the user page.
If you just need to do a quick login test, you may use this test user instead of going through the steps below: https://appletk.danid.dk/testtools/viewstatus.jsp?userid=TOMINE317. (If all the OTP codes have been used, just issue a new OTP card, but click the link for that.)
That said, the steps to create a test user are fairly simple:
java.lang.NullPointerException
in red
The current OTP card(s) can be accessed on the same testtools-site as above.
Unfortunately, it is not possible to use the testtools-site to create your own test-employee users. If you need to have your own test-MOCES accounts created, you must contact NETS directly.
You must enter a PID-CPR agreement with NETS in conjunction with your NemID TU agreement, and enter your SPID in the "SPID for PID/CPR service" field in the management dashboard. Criipto Verify will prompt the user for their CPR number and validate that it belongs to the NemID user that is logging in.
For applications configured to use a static scope strategy, the CPR will be added to the issued token.
For applications configured to use a dynamic scope strategy, supply scope=openid ssn in the authorize request.
Criipto provides users with the option to store their CPR number for 1 year, after which the user must provide explicit CPR consent again.
Criipto stores CPR numbers in encrypted format. The consent is per-tenant only.
You can add a "forget-me" link on your website if you want to let users revoke the consent again. Use a normal authorize request as target, but add a prompt=consent_revoke query parameter to the request. Criipto will then run a login flow (to be able to recognize the end user), and delete the granted consent.
You can learn more about authorize requests in our authorize URL builder.
If you collect the user's CPR number, the user's current address can also be made available. Address lookups incur an additional charge.
Data processor and dedicated billing agreements are needed; contact sales@criipto.com for the legal and financial arrangements.
For applications configured to use a static scope strategy, address data will automatically be added.
For applications configured to use a dynamic scope strategy, supply scope=openid address in the authorize request.
If you do not also request the ssn scope, Criipto Verify will query the user for the CPR number anyway, as this is needed to look up the user's address.
The CPR number will not be issued in the JWT in this case, even if the user was prompted for it during login.
https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?scope=openid address&...
Alternatively, you can send it in the login_hint:
https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?...&login_hint=scope:address&...
This can be useful if you are working with technology that does not let you control the scope value.
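The authorize requests described above (dynamic scope with ssn or address, the login_hint form, and the prompt=consent_revoke "forget-me" link) can be built with one helper. This is an added example, not Criipto's own code: the function name, the response_type=code flow, the scope=openid value sent with the login_hint form, and the tenant, client and redirect values are assumptions.

```python
import re
import secrets
from urllib.parse import quote, urlencode

PAGE_SCOPES = {"openid", "ssn", "address"}  # scopes named on this page


def build_authorize_url(subdomain, client_id, redirect_uri, scopes=("openid",),
                        scope_via_login_hint=False, revoke_consent=False):
    """Return (url, state, nonce) for a Criipto Verify authorize request."""
    # A strict tenant label keeps the host fixed to <label>.criipto.id.
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", subdomain):
        raise ValueError("invalid subdomain")
    unknown = set(scopes) - PAGE_SCOPES
    if unknown:
        raise ValueError(f"unsupported scopes: {sorted(unknown)}")
    if "openid" not in scopes:
        raise ValueError("openid scope is required")
    extra = [s for s in scopes if s != "openid"]

    state = secrets.token_urlsafe(16)  # compare on the callback (CSRF binding)
    nonce = secrets.token_urlsafe(16)  # compare with the ID token (replay binding)
    params = {
        "response_type": "code",  # assumption: authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if scope_via_login_hint:
        # The page shows only login_hint=scope:address, so only that is built.
        if extra != ["address"]:
            raise ValueError("login_hint form is only shown for address")
        params["scope"] = "openid"  # assumption: the value a fixed-scope stack sends
        params["login_hint"] = "scope:address"
    else:
        params["scope"] = " ".join(["openid", *extra])
    if revoke_consent:
        params["prompt"] = "consent_revoke"  # target of a "forget-me" link
    # quote_via=quote encodes the space in the scope list as %20.
    query = urlencode(params, quote_via=quote)
    return f"https://{subdomain}.criipto.id/oauth2/authorize?{query}", state, nonce


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or client.
    url, _, _ = build_authorize_url("example-tenant", "urn:example:client",
                                    "https://app.example/callback",
                                    scopes=("openid", "address"))
    print(url)
```

Store the returned state and nonce in the user's session and compare them when the callback and ID token arrive.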
To start accepting real users with Danish NemID, you must first enter into a service provider agreement (Danish: "Tjenesteudbyderaftale") with Nets, the operator of NemID.
In order to become a NemID service provider, your organisation must meet a few basic requirements:
First of all, follow the guide provided by Nets. It takes you through the 4 steps and includes the relevant download links etc.:
As you fill out the forms, please check the section below for a few details related to the Criipto Verify service.
When filling out the online service provider agreement, keep this in mind:
- This is where you download, fill out and sign the CPR agreement, and attach it
Opsætning af testsystem (setup of test system). Answer yes here only if you need to be able to generate test users for NemID employee signatures, MOCES.
That's basically it. Once you've filled out and submitted the service provider agreement form, you will, typically after a week or so, receive an email with the details you need to start using production NemID. Use this information and the company certificate to configure Criipto Verify as described below.
Keep an eye out for an email from Nets with the details of your NemID service provider agreement. It should be sent from tu-support@nemid.nets.eu with a subject "RE: Bestilling af NemID tjenesteudbyder". In that email you will need the production information listed after the test details.
Now fill in the matching fields in the Criipto Verify UI:
That's - finally - it! You have ordered, received, and configured the necessary information and certificates to start accepting real NemID logins and signatures.
You are now ready to set up your application to use real NemID in production. Please refer to the guide on how to move to production.