BankID (SE)

​​​​Used by almost 8 million Swedes, BankID has become a household brand and a highly trusted digital identification and signing s​​ervice for Swedish citizens.​ Almost 7 million has a mobile BankID and this eID was used in 96 % of logins and signings. It is also available as BankID on file and BankID on card.​​

​Enable BankID in ​your services

To enable BankID to login using E-Ident it is necessary with a merchant certificate ("förlitande certifikat") to be used in the communication between E-Ident (on your behalf) and with BankID. Nets is reseller of BankID and will help establish this certificate. 

More information about BankID:

Merchant certificate ​​​​("Förlitande certifikat")

​BankID agreement through Nets as reseller

​To establish the "Förlitande certifikat". Nets need the following information:

  • Your organisation name 
  • Certificate display name (this is visible in the BankID security application during the end user's login)
  • ​VAT number
Nets will handle the communication with a bank issuing the certificate. 
 

BankID agreement directly with an​​​ issuing bank​

It is also possible to have a BankID agreement directly with a bank issuing BankID. You will need to enter into an agreement with the bank. To establish the "Förlitande certificat", these steps must be done:

  1. ​Provide Nets with information about your organisation name, VAT number, certificate display name (visible during end user login) and the bank name.
  2. Nets will generate a certificate request based on this information and send it to you.
  3. You need to forward this certificate request to your bank. Do not make your own certificate request.
  4. ​The bank will issue the certificate based on the certificate request. Please forward this to Nets. 
  5. Nets will install and setup you configuration with BankID. 

Test "Förlitande certifikat"

​Nets has a default test certificate that all customers can use. This will be set up during configuration, and you do not need to do anything.

BankIDs for end users 

BankID for end users are available as either BankID on file, BankID on card or mobile BankID. The client used can be deducted from the CERTPOLICYOID attribute in the SAML assertion or from the certpolicyoid​ in the OIDC ID Token.

These are the possible values (from BankID's own documentation):

The values for production BankIDs are:

  • "1.2.752.78.1.1" - BankID on file
  • "1.2.752.78.1.2" - BankID on smart card
  • "1.2.752.78.1.5" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card.

The values for test BankIDs are:

  • ​"1.2.3.4.5" - BankID on file
  • "1.2.3.4.10" - BankID on smart card
  • "1.2.3.4.25" - Mobile BankID
  • "1.2.752.71.1.3" - Nordea e-id on file and on smart card.
  • ​“1.2.752.60.1.6” - Test BankID for some BankID Banks​

Test users

See here for more information on how to get a BankID test user.

Information about the end user

​Type​OIDC​SAML​Comments
​Country

​c

Requires scope=cert

​CThe end user's country.
​End user certificate

certificate

Requires scope=cert

CERTIFICATE​The end user's certificate.
​Certificate policy OID

certpolicyoid

Requires scope=cert

CERTPOLICYOID​The certificate policy OID from the end user certificate.
​Common name

cn

Requires scope=cert

​CN​The common name from the end user's certificate.
Distinguished ​name

dn​

Requires scope=cert

DN​​The distinguished name from the end user's certificate.
​Family name

family_name

Requires scope=profile

SURNAMEEnd user's family name. ​
​Given name

given_name

Requires scope=profile

GIVENNAMEEnd user's first name(s).
​Level of Assurance
​acr
​ACR
Accepts acr_values as urn:eident:acrp:level:substantial or urn:eident:acrp:level:low
Always returns- urn:eident:cert:eidas:substantial​
​Swedish SSN

​se_ssn / ssn

Requires scope=ssn

​SE_SSN

​The end user's social security number. For the OIDC protocol, this is returned in both the se_ssn and ssn claim.  

​Handling of SSN

​A user's SSN is a part of the end user certificate and always available from a BankID login. The SSN is the same as the SERIALNUMBER part of the dn claim in the ID Token (OIDC) or the DN attribute in the assertion (SAML). An example of this:

CN=Olav Widen, OID.2.5.4.41=(180427 13.09) Olav Widen - BankID på fil, SERIALNUMBER=195310021935, GIVENNAME=Olav, SURNAME=Widen, O=Testbank A AB (publ), C=SE 

​User experience

BankID client

Step 1 (autostart, presetid/login_hint identification request parameters not set). The picture is an illustration of the UI in standalone and pop-up UI.:​

BankID SE - device selection_updated.PNG 

Note: The above screen was recently updated. Previously, when using another device for identification, the user had to enter their national identity number. With the introduction of QR code scanning, this is not longer necessary.

Step 2 (if selecting Mobile BankID):

BankID SE - QR code.PNG

​Step 2 (if autostart is set or by clicking "BankID on this computer" in step 1). The display name from the "Förlitande certifikat" is "Test av BankID" in this example:

BankID SE - step2_uten.png

Step 3 (on mobile phone app):

BankID SE - mobile.jpg

Control the start of BankID app

BankID is available using two different versions of the BankID app; one for computers and one for mobile. To control the user interface presented to the end user, the autostart, presetid/login_hint and forcepkivendor/amr_values ​identification request parameters can be used.

​Name​
​Description
​Constraints
​autostart
​true - A link will be shown to open the BankID app.

false -
The user will be presented with a below choice of authorization- 
Desktop users - BankID on this computer or Mobile BankID 
Mobile users - Mobile BankID on this device or Mobile BankID on another device.
​Values : [true | false(default)]
​presetid/login_hint
​The user will be presented with a choice of authorization. If the value is provided, then it will exclude other SSN than the given SSN. 
If value is passed in presetid then it should be base64 encoded.
​Value : [<SSN of user>]
​forcepkivendor/amr_values
​se_bankid - The user will be presented with a choice of authorization.

se_bankid:mobile -
Desktop users- The user will be redirected to page which will show a QR code to scan.

Mobile users- The user will be presented with a choice of authorization.
​Values : [se_bankid | se_bankid:mobile]​

BankID logo

If needed, the BankID logo can be downloaded from https://www.bankid.com/om-oss/pressmaterial and https://www.bankid.com/assets/bankid/logo/BankID-varumarkesguide-v10-SE-2019-06-11.pdf.

Transaction text

A transaction text may be connected to the BankID transaction through either the regular OIDC identification flow or the OIDC CIBA flow. For the OIDC identification flow, the transactiontext parameter may be appended to the identification request. For the CIBA flow, the binding message must be used.

This feature will invoke the BankID signing flow. How to support markdown see section below​ ​

​​​ Eident_context

If an OIDC signed request is provided with parameter eident_context then given value can be used as transaction text which will get displayed on end user's device. Eident_context should be base64 encoded in below JSON format-

{

   “transactiontext": “base64encoded (content from merchant)",

   “transactiontext_type": “<text/markdown>"

}

“transactiontext" can have values in plain text or in markdown. It can accept maximum of 1500 base64 encoded characters. “transactiontext_type" will accept only “text" or “markdown" value.

Known issues​

​​It is not always possible to detect if the BankID app is installed on the device used for identification when using a mobile device. When the BankID app is closing, E-Ident tries to redirect the user back to the browser. However, it is not guaranteed that the user is redirected back to the same browser as the one that started the session. The customer implementation must support that the user is redirected back in a new web browser, eg cookies cannot be used. ​​