Release notes

Release notes for the E-Ident and FTN service.

Release 20220302

  • Signed request

Signed request

In this release E-Ident supports Signed Request Object (Signed JWT) in OIDC requests. Read for more information.

Release 20220112

  • Mobile-ID support in E-Ident

Mobile-ID support

In this release Nets added support for Mobile-ID authentication. Read for more information. 

Release 20211201

  • Smart-ID support in E-Ident

Smart-ID support

In this release Nets added support for Smart-ID authentication. Read for more information.

Release 20211117

  • Get NemID PID value during a MitID authentication

Get NemID PID value during a MitID authentication

As part of the MitID authentication you can retrieve the user's NemID PID. Read for more information.

Release 20210916

  • English as system default language
  • CIBA flow for BankID (SE) and BankID on mobile (NO)
  • Transaction text for BankID (SE) and BankID on mobile (NO)
  • MitID CPR step-up flow

English as system default language

From this release, English will be the system default language in the E-Ident service. The default language has previously been Norwegian. The supported languages and the rules regarding which language to display to the user are described here.

CIBA flow for BankID (SE) and BankID on mobile (NO)

In this release, the CIBA flow support was extended to also include the eIDs BankID (SE) and BankID on mobile (NO). Read more about the CIBA flow.

Transaction text for BankID (SE) and BankID on mobile (NO)

This release also includes the possibility to connect a transaction text to the transaction when using the eIDs BankID (SE) and BankID on mobile (NO). For BankID (SE), this is supported in both the regular OIDC flow and the OIDC CIBA flow, while for BankID on mobile (NO) it is supported for the OIDC CIBA flow. Read more about the feature in BankID (SE) and BankID on mobile (NO).

MitID CPR step-up flow

The CPR step-up flow can be used to request the CPR number for already authenticated users. If the CPR number is not already known when the user has authenticated, you can start CPR step-up using the current authentication transaction. The user is then prompted to enter CPR, but does not have to re-authenticate.

Read for more information.

Release 20210506

Production date: 06.05.2021

  • CIBA flow
  • Verimi and level of assurance

CIBA flow

In this release, the E-Ident service was updated with support for the Client Initiated Backchannel Authentication (CIBA) flow when using the OIDC protocol during identification requests. The CIBA flow enables authentication sessions to be initiated and processed in a different channel than the browser through the E-Ident web UI. Read more about the CIBA flow.

Verimi and level of assurance

From this release, it is possible to set the required level of assurance on the Verimi identification. Read more about the functionality here.

Release 20210217

Production date: 17.02.2021

Content of this release:

  • OIDC PKCE flow

OIDC PKCE flow

In this release, E-Ident will be updated with support for the optional OIDC PKCE flow, which allows Single Page Applications (SPA) and native apps to retrieve the ID token directly and securely, without revealing the password and without going through a backend call.

Read more about the new functionality.

Release 20210210

Production date: 10.02.2021

Content of this release:

  • UI updates
  • BankID SE QR code

UI updates

In this release, the E-Ident service will be updated with a new look and feel for the standalone UI. In addition, a new UI solution, the pop-up UI, is launched.

The standalone UI is modernised with a focus on responsiveness and user experience. The UI has better support for all different user devices. The UI is built up with a Nets header and footer and a customer information box with the possibility to add a customer logo and a customer text. The UI previously used an iframe to display the different eID user dialogues. This has been removed except for the few eIDs still supporting iframe.

Notice:

  • Customer logos are now supported as SVG files in addition to PNG. To update your logo, contact support.
  • Customer information text can be presented in different languages. Support can help you with text updates.
  • Available languages in the standalone UI are now configurable.
  • All modern browsers are supported.

Pop-up UI is a new UI option. The identification dialog will open as a new window in front of the current window. The URL to E-Ident will be displayed for the end user, so that the end user knows where he/she actually is. In addition to the eID user dialogues, the UI is built up with a customer information box with the possibility to add a customer logo and customer text, which gives a connection to the originating site.

There are no updates to the embedded (iframe) UI option, but we encourage users of embedded UI (iframe solution) to have a look at the updated standalone UI and the new pop-up UI.

Both the customer test environment and the E-Ident demo app have been updated and can be used to test out the new UI options.

Read more about the user experience in E-Ident.

BankID SE QR code

This release will also include the usage of QR code scanning when using the BankID mobile app for identification. Users selecting to login on a mobile device from another device will now be asked to scan a QR code instead of entering their national identification number. This is a new page displayed after device selection.

[Image: BankID SE - QR code.PNG]

Read more about BankID SE identification.

Release 20210120

Production date: 20.01.2021

Content of this release

  • BankID SE and new launch method

BankID SE and new launch method

E-Ident is in this release upgraded to the preferred Swedish BankID launch method for mobile devices based on https://app.bankid.com/, replacing the old bankid:/// method. The new method supports initiating BankID identification from within mobile apps, but should otherwise work as before.

Release 20210105

Production date: 05.01.2021

Content of this release:

  • Changes to the order of eIDs on the eID selection page  

Changes to the order of eIDs on the eID selection page

From this release, the order of the eIDs has been changed. eIDs from the different countries will be displayed after each other. In addition, it is also possible for customers to determine the order. This is done by using the amr_values / forcepkivendor parameter on the OIDC or SAML identification request respectively. The eIDs will be displayed in the order in which they are listed in the parameters.

Read more about the eID selection page.

Release 20201102

Production date: 02.11.2020

Content of this release:

  • NemID JS client bug fix

NemID JS client bug fix

The NemID JS client in limited mode could be experienced as too big for a mobile phone screen. This release makes sure that the client fits the screen.

Release 20201021

Production date: 21.10.2020

Content of this release:

  • New eID: Nets One time code

New eID: Nets One time code

This release includes a new eID - Nets One time code. The eID is a low-level authentication method where the user is identified by entering a received code. Read more about Nets One time code.

Release 20200916

Production date: 16.09.2020

Content of this release:

  • OIDC: Encrypted ID Tokens
  • Nets Passport Reader: Authentication files     
  • Given and family name support for BankID (NO) and BankID on mobile

OIDC: Encrypted ID Tokens

Customers can request Nets to encrypt all ID Tokens. The ID Token will be encrypted using RSA-OAEP and AES, as described by RFC 7516. The encryption is done after signing, which means that the customer needs to decrypt the ID Token before being able to validate the signature.

Read more about encrypted ID Tokens.

Nets Passport Reader: Authentication files

After successful authentication with the Passport Reader, a customer can also retrieve/download authentication files for reference or archive purposes. The downloaded files can be either PNG (photo images) or PDF (photo and authentication attributes).

Read more about Nets Passport Reader authentication files.

Given and family name support for BankID (NO) and BankID on mobile

From this release, the end user's first and last name will be mapped to the given_name/GIVENNAME and family_name/SURNAME claims/attributes in the ID Token (OIDC)/assertion (SAML). This update applies to BankID (NO) and BankID on mobile identification. For information about other claims/attributes returned about the end user, see the specific eID page.  

Release 20200902

Production date: 02.09.2020

Content of this release:

  • Updated logo for Finnish bank Säästöpankki

Updated logo for Finnish bank Säästöpankki 

The E-Ident/FTN service has been updated with a new logo for the Finnish bank Säästöpankki. The logo is visible for end users when selecting the Finnish bank to log in with. See the Finnish Bank ID page for an image of the bank selection page.

Release 20200819

Production date: 19.08.2020

Content of this release:

  • OIDC: New claims - ssn and pid
  • OIDC compliance fixes - amr and nonce

OIDC: New claims - ssn and pid

The OIDC protocol has also been updated to support the claims ssn and pid. The ssn claim is returned if ssn scope has been set, and this value is set to the user's SSN (social security number) if available. The country specific ssn claims are still present and will have the same value. Future return of SSN for other countries will be mapped to the ssn claim. The pid claim will always be returned. The value differs from eID to eID. See the eID specific page for more information about this value.

OIDC compliance fix - amr and nonce

 

The ID token returned by E-Ident contains an amr claim (Authentication Methods References). This claim identifies the eID used for authentication and it is currently returned as a plain string (no_bankid, dk_nemid_js, etc.) to existing customers. However, this is not compliant with the OpenID Connect Core spec, which describes it as a JSON array of strings. In order to be compliant, E-Ident has added the option of returning amr as a JSON array as in the spec.

In addition, E-Ident accepts a nonce parameter in the OIDC authentication request, which is later returned in the nonce claim in the ID token. This is correct and according to the OIDC spec. However, the nonce value was also returned to the client in the authentication response, which is not according to the spec. A fix has been made to E-Ident, but in order to maintain backwards compatibility it is configurable per customer.

Existing customers will not be affected by this change, but need to contact support in order to change their amr claim format setting and the nonce handling. New customers will get the corrected behaviour for the amr claim and nonce parameter.
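The following is an added example, not code from Nets or the E-Ident documentation: a relying-party check that accepts the amr claim in either format and takes the nonce only from the ID token claims. It assumes the ID token signature has already been verified; the function names, the response_params argument and the sample nonce are hypothetical.

```python
import hmac

# Constructed sample claims from an ID token whose signature is already verified.
LEGACY_CLAIMS = {"amr": "no_bankid", "nonce": "n-7f3a91"}       # plain-string amr
COMPLIANT_CLAIMS = {"amr": ["no_bankid"], "nonce": "n-7f3a91"}  # JSON-array amr


def normalize_amr(claims):
    """Return amr as a list of strings, whichever format the customer setting yields."""
    amr = claims.get("amr")
    if isinstance(amr, str) and amr:
        return [amr]
    if isinstance(amr, list) and amr and all(isinstance(v, str) for v in amr):
        return list(amr)
    raise ValueError("amr claim missing or malformed")


def check_claims(claims, expected_nonce, allowed_eids, response_params=None):
    """Check nonce and eID; return the normalized amr list.

    response_params (hypothetical name) holds the authentication response
    parameters. A nonce found there is deliberately ignored: only the nonce
    claim inside the signed ID token is compared with the request value.
    """
    token_nonce = claims.get("nonce")
    if not isinstance(token_nonce, str) or not hmac.compare_digest(
        token_nonce.encode(), expected_nonce.encode()
    ):
        raise ValueError("nonce claim does not match the value sent in the request")
    amr = normalize_amr(claims)
    if not set(amr) <= set(allowed_eids):
        raise ValueError("authentication used an eID this client did not allow")
    return amr


if __name__ == "__main__":
    for sample in (LEGACY_CLAIMS, COMPLIANT_CLAIMS):
        print(check_claims(sample, "n-7f3a91", {"no_bankid", "dk_nemid_js"}))
```

A client written this way keeps working when support switches the customer's amr format or nonce handling.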

Release 20200805

Production date: 05.08.2020

Content of this release:

  • OIDC: New scopes and claims

OIDC: New scopes and claims

The OIDC protocol has been updated to support the email and phone scopes. The email scope will return email and email_verified claims and the phone scope will return phone_number and phone_number_verified if available in the used eID.

Note: For some eIDs, the phone_number claim will be returned when using the openid scope to ensure backward compatibility.

Release 20200603

Production date: 03.06.2020

Content of this release

  • Verimi as new eID

Verimi as new eID

Customers can now identify end users with Verimi eID. The eID can be added to your configuration by contacting our support.

Read more about Verimi in E-Ident.

Release 20200515

Production date: 15.05.2020

Content of this release:

  • Nets Passport Reader as new eID

Nets Passport Reader as new eID

Customers can now identify end users with a passport. The Nets Passport Reader eID and iOS and Android apps will together identify a user with a passport. The eID can be added to your configuration by contacting our support.

Read more about Nets Passport Reader in E-Ident.

Release 20200417

Production date: 17.04.2020

Content of this release:

  • Additional info as new parameter

Additional info as new parameter

A new identification parameter has been defined: additional_info. The additional info parameter can be used by any customer to enter their own information. The parameter value will be returned as it was entered in the corresponding claim in the ID Token or attribute in the SAML assertion.

In addition, the information is added to E-Ident statistics and may be returned to the customers as part of statistics. The last part must be agreed with Nets in each case. Read more about optional identification request parameters for OIDC and SAML.

Release 20200212

Production date: 12.02.2020

Content of this release:

  • Buypass as new eID in E-Ident

Buypass as new eID in E-Ident

Customers can now identify end users with Buypass eID. The eID can be added to your configuration by contacting our support.

Read more about Buypass in E-Ident.

Release 20200109

Planned production date: 09.01.2020

Content of this release:

  • Added service provider name for S-Pankki

Added service provider name for S-Pankki

The service provider name "Nets Trust Services" will now be displayed when a user logs in with S-Pankki for Finnish Bank IDs. This has been missing up until this release.

Release 20191016

Planned production date: 16.10.2019

Content of this release:

  • Updated logo for Mobiilivarmenne

Updated logo for Mobiilivarmenne

The logo used by Mobiilivarmenne will be updated with the correct logo on the eID selection page.

Release 20190926

Planned production date: 26.09.2019

Content of this release:

Legal person support

The E-Ident/FTN service is updated with legal person support when identifying using Bank ID (FI). If the user that logs on has a legal person ID and the OIDC scope is set to organisation or returnorg=true, information about the organisation name and number will be returned.

Return SATU value

Some of the Finnish banks may return a SATU value (Finnish unique identification number - sähköinen asiointitunnus). If you are allowed to receive SSN (HETU), you will also get this in return. Note: For OIDC you need to set scope to ssn.

Release 20190821

Planned production date: 21.08.2019

Content of this release:

Breaking out of iframe and improved responsiveness on bank selection page

This release includes two user experience improvements. During the change from the old bank interface (between Nets and the bank) to the new interface, several of the banks will not allow the usage of iframe. To have a consistent user experience all bank clients will break out of the iframe after the user has selected his/her bank.

Previously (in iframe - Aktia used as example):

[Image: Aktia-iniframe.PNG]

Now (Aktia as sample):

[Image: Aktia-outofiframe.PNG]

Note: The Aktia UI has been updated by the bank and the new UI will be seen in the days after release.

In addition, the bank selection page has been updated to be fully responsive.

[Image: bank selection page.PNG]

 

New claims (OIDC) / attributes (SAML)

Nets is currently changing the interface between the E-Ident / FTN service and the Finnish banks from Tupas to OIDC/SAML. In the new interface, some banks will give us more information about the user's name, such as the given name and the family name (surname). We will return this information as new claims in the ID Token (OIDC) and as new attributes in the assertion (SAML). The values will be returned from the time that we change your configuration. The change will happen per bank. The first five (Aktia, Handelsbanken, Pop pankki, Säästöpankki and OMA SP) will be done in the days after this release. The rest of the banks will come one by one when they are made available.

The new claim/attribute values are:

OIDC:

  • family_name
  • given_name

SAML:

  • GIVENNAME
  • SURNAME

See also the OIDC and SAML specification pages.

OIDC compliance fix

When an error occurs during authentication, E-Ident returns a specific code. After an earlier change, E-Ident returned this code in the "error" parameter. This is not compliant with the OIDC standard. After this change, E-Ident will return either "cancel" or "server_error" in the error parameter. The specific error code is still returned in the "code" parameter.
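The following is an added example, not code from Nets or the E-Ident documentation: a redirect handler that checks the error parameter first, so that the specific error code in the "code" parameter is never treated as an authorization code. It assumes the parameters arrive in the query string and that the client sent a state value; the function name, URLs and code values are constructed.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

SPEC_ERRORS = {"cancel", "server_error"}  # values named in the release note


def parse_callback(url, expected_state):
    """Classify an E-Ident redirect as success or error before any token exchange."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:
            raise ValueError(f"parameter {name!r} repeated")
        return values[0] if values else None

    state = single("state")  # assumption: the client sent a state value
    if state is None or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch")

    error, code = single("error"), single("code")
    if error is not None:
        # On the error path "code" is E-Ident's specific error code,
        # never an authorization code to send to the token endpoint.
        if error in SPEC_ERRORS:
            return {"outcome": "error", "error": error, "detail": code}
        # Earlier behaviour: the specific code itself arrived in "error".
        return {"outcome": "error", "error": "unclassified", "detail": error}
    if not code:
        raise ValueError("neither error nor code present")
    return {"outcome": "success", "authorization_code": code}


if __name__ == "__main__":
    # Constructed redirect URLs; rp.example and the code values are placeholders.
    print(parse_callback("https://rp.example/cb?state=s-42&code=abc123", "s-42"))
    print(parse_callback(
        "https://rp.example/cb?state=s-42&error=cancel&code=EXAMPLE_CODE", "s-42"))
```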

Release 20190626

Content of this release:

Control the CPR number handling

For NemID to a private person, the handling of the CPR number can now be controlled for each identification request. To do this, you need to do one of the following (depending on the protocol you use):

  • OIDC: Set the scope parameter to ssn (in addition to other values)
  • SAML: Append the returnssn=true parameter to the identification request.

When this is set, the user will be prompted for their CPR number and this will be returned in the ID Token (OIDC) and Assertion (SAML).

Up until now the handling of CPR number has been a configuration setting on the customer configuration. To be backward compatible, this setting is still set for all existing customers. To turn off this setting, please contact support.