Enable MitID in your services
MitID is the new eID in Denmark, and it will replace NemID. The Nets E-Signing service offers two ways of signing with MitID:
In the migration phase from NemID to MitID it is recommended to support both NemID and MitID for document signing as users will be migrated during 2022.
More information about MitID:
MitID signing through NemLog-in
The MitID signing through NemLog-in is integrated in the E-Signing service and the usage of it is described on this page. MitID signing through NemLog-in requires an agreement with Digitaliseringsstyrelsen through the below link:
Timeline for MitID signing through NemLog-in in E-Signing:
- Customer test:
- MitID signing through NemLog-in was made available in E-Signing from Summer 2021
- A coming release will include support for CPR as the SignerID and identification before signing functionality when using MitID signing through NemLog-in. The date for this release is not set, and it is dependent on the release of a matching service from NemLog-in.
- Production: 4th April 2022
Two signing formats
MitID through NemLog-in offers two different signing formats:
In the E-Signing service, the XAdES signature will be packaged in a SDO. By using this signing format, E-Signing continues to support that several users can sign one document and that the user can sign with either MitID or NemID (or any other eID supported by E-Signing). The XAdES signature can be extracted from the SDO using the
GetSignature call.
MitID will also support PAdES as an output format directly. This can't be used in combination with NemID and it only supports one signature on each document.
Read more about MitID PAdES.
Note: E-Signing still supports a PAdES generated based on a SDO where the last page will include all signers of the document.
Read more about PAdES generated from SDO.
Handling of SSN and SignerID
E-Signing offers a functionality to define the signer that will sign a specific document using a SignerID. For NemID, the SignerID is either CPR or the PID from the user's NemID certificate. For MitID, the unique SignerID is either the user's CPR (SSN) or the user's CPR UUID. The CPR UUID can be found in the user's signature when using the
GetSignature call.
The SignerID may only be set to SSN if the customer is allowed to handle SSN. This is a configuration on your merchant setup.
Note: Setting the SignerID to SSN with the user's CPR number is currently not supported. As soon as a CPR matches signer function is delivered from NemLog-in, the E-Signing service will be updated to support SSN as SignerID.
The SDO will include the CPR number if the customer is allowed to handle CPR numbers and if the SignerID element has been set to SSN. The CPR number will be returned as a custom property named "national-identifier".
Read for more information about custom properties.
User experience
Step 1 - eID selection
The eID selection page is displayed if there are more than one possible eID to display to the user. The usage of the AcceptedPKIs element in the sign order or adding the forcepkivendor parameter to the sign URL can control the number of eIDs to display to the user.
eID selection page for standalone and pop-up UI:
eID selection page for embedded UI:
Step 2 - read document
The document is opened in an iframe. The minimum recommended iframe height is 600px. The document title displayed is the value from the
Document -> Title element in the sign order. The reference code is set by NemLog-in3 and this is also displayed when the user authenticates.
Step 3 - authentication
The user is redirected to NemLog-in for authentication. The NemLog-in page opens in a new browser window. In the first test version of MitID signing, the customers must use the Test login tab to authenticate.
See the test users page for test users.
The user must accept the terms to complete the signing.
Step 5 - sign
Select the user and sign as private user. The document title and reference code is following the transaction.
Step 6 - finalizing document signing
The NemLog-in browser window is closed and the user is directed back to the document signing page. The document is now being signed and the user is directed to the wanted exit url.
Document types and sizes
The following document formats are supported using NemID:
Note: XML/XSL and HTML may be available later. If you need signing with these formats, please contact
support.esecurity@nets.eu to inform us about your need.
The size limit of a document in E-Signing is set to 10 MB base64 encoded document. An encoded document adds approximately 30 % extra to a non-encoded document.
PDF validation
The supported PDF format is based on the PDF format supported by the NemID Signing Client with some exceptions.
See appendix D in
https://migrering.nemlog-in.dk/media/fcej4wyk/signeringsdokumentation-v1-0-1.zip
MitID PAdES
MitID offers PAdES as an output format when signing PDF documents and this is supported in the E-Signing service. Each PAdES may only include one MitID signature, and this is restricted in the sign order.
Note: MitID PAdES can't be used in combination with NemID signing.
Also note, that the MitID PAdES signing may be used in combination with Norwegian BankID PAdES signing. The MitID PAdES signing must be defined in the first step of the order, and the Norwegian BankID PAdES signing in later steps.
Authentication-based signing
The E-Signing service offers the possibility to sign a document based on an authentication. To create a sign order with authentication-based signing, please have a look at the
authentication-based signing page.
The MitID specific values are listed in the table below:
AuthenticationID
| This element can be used to indicate that MitID is one of the eID's the signer can sign with. | mitid
|
IncludeSSN
| This element can be used to request the return of the user's SSN in the signed document. The SSN will be returned as a custom property value - ID Token. Note: If the SignerID has been set to the user's SSN, the SSN will also be returned in the ID Token custom property.
| [true | false]
|
SignerID
| The SignerID element can specify which user that will sign the document. For authentication-based signing with MitID, this is either the user's CPR number or the MitID UUID (can be retrieved from a user authentication).
If the PID is used as SignerID, the first screen in the authentication dialogue will be skipped.
| IDType: SSN, PID or RID
IDValue: - SSN: User's CPR number
- PID: User's mitid.uuid
- RID: mitid erhverv user’s persistent profesional ID or CVR and RID.
|
forcepkivendor | The forcepkivendor parameter can be used to point the user directly to this eID.
Read more about forcepkivendor. | abs:mitid
|
MitID Erhverv authentication-based signing
Below are two examples of MitID Erhverv Signer settings for an InsertOrder request. The first example has both MitID Private and MitID Erhverv options defined with PID and RID SignerID respectively, the latter in CVR-RID format. The second example has one MitID Erhverv signer with RID in persistent professional ID format.
<Signers>
<Signer>
<EndUserSigner>
<LocalSignerReference>signerref1</LocalSignerReference>
<Name>Test User 1</Name>
<AcceptedPKIs>
<Nets>
<Authentication>
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>PID</IDType>
<IDValue>cebde323-b6f3-41aa-9ed3-21ce6d235e23</IDValue>
</SignerID>
<SignerID>
<IDType>RID</IDType>
<IDValue>CVR:29915938-RID:64284701</IDValue>
</SignerID>
</Authentication>
</Nets>
</AcceptedPKIs>
</EndUserSigner>
</Signer>
<Signer>
<EndUserSigner>
<LocalSignerReference>signerref2</LocalSignerReference>
<Name>Test User 2</Name>
<AcceptedPKIs>
<Nets>
<Authentication>
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>RID</IDType>
<IDValue>e0930d2a-7b16-41d4-96ca-e0d38c5d5122</IDValue>
</SignerID>
</Authentication>
</Nets>
</AcceptedPKIs>
</EndUserSigner>
</Signer>
</Signers>
The first signer above will be presented with the two selection options for MitID and MitID Erhverv.
Note: Any use of IncludeSSN will be ignored if SignerID is defined with IDType = RID
Requesting MitID Erhverv signature
There are 4 different ways to request a signature with MitID ervherv, as shown in the below examples:
1: Document can be signed by anyone:
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>RID</IDType>
</SignerID>
2: Document can be signed by anyone in company with provided CVR:
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>RID</IDType>
<IDValue>CVR:29915938</IDValue>
</SignerID>
3: Document can only be signed by user with a given CVR and RID:
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>RID</IDType>
<IDValue>CVR:29915938-RID:64284701</IDValue>
</SignerID>
4: Document can only be signed by user with a given PPI:
<AuthenticationID>mitid</AuthenticationID>
<SignerID>
<IDType>RID</IDType>
<IDValue>e0930d2a-7b16-41d4-96ca-e0d38c5d5122</IDValue>
</SignerID>
User experienceRead the document
The document is presented by E-Signing. The UI below is based on the Standalone UI.
User authentication
The user is redirected to Signaturgruppens eID broker. This page may be customized for each customer.
See MitID description at the E-Ident page for more information.
Selection page
The below selection page will only be shown if the user is allowed to sign with both MitID Private and MitID Erhverv.
Provide user ID
For MitID Private, the page below may be skipped if the user's MitID UUID is known and defined as the SignerID. In those cases, the user will be directed straight to the next step in the MitID authentication flow. This may be the page informing the user to open the MitID app.
The next steps in the MitID authentication flow. This may be information to open the MitID app, but may be other steps also.