BankID in Browser is an integration with the standard national electronic authentication methods in the Nordic with support for BankID in Sweden, Finland, Denmark and Norway
The login workflow runs in a ZignSec controlled browser session.
Here you can find the Nordic eID provider’s public web portals.
API Calls
Set up: POST to https://env
.zignsec.com/v2
/eid/bankid_selector
Result: GET from https://env
.zignsec.com/v2
/eid/sessionid
where
env
is API or testbankid_selector
is for example sbid-another, nemid, nbid_oidc, smartid/auth or smartid/sign, see the bankid_selector alternatives belowsessionid
is the session identifier retrieved from the setup call, named id’in the response
v2
for fbid, nbid products
Call Sequence
- Step 1. Set up session The returned
redirect_url
is used for starting the browser workflow, identified bysessionid
. - Step 2. Run the login workflow Simply navigate to the
redirect_url
in a web browser. The workflow’s user interactions are very specific for the country and bank, and may include an external device like the Swedish mobile BankID. - Step 3. Get status/results Collect status and data about the logged in person, using the unique workflow
sessionid
code. Make this call during or after the workflow is completed. The workflow can signal the status pending, completed or error (exception, user abort, timeout) via a browser redirect to thetarget
URL and/or via a configured webhook. There is also JavaScript notification via this Window.postMessage() event.
Step 1. Set up session
POST to https://env
.zignsec.com/v2/eid/bankid_selector
where env
is API or testbankid_selector
is for example sbid-another, nbid_oidc or nemid, see the bankid_selector alternatives below.
Available Methods
This is the list of possible options for bankid_selector
, i.e., the type of authentication.
[bankid_selector] in URL | Description |
sbid-another | Swedish BankID Authentication on any device, local or other. In this case a button Start BankID app will be shown on the waiting form. If pressed the locally installed BankID app will be shown if it is configured with the selected personal number |
sbid | Swedish BankID Authentication on same device. If a local BankID app is installed and it is configured for the entered personal number (either through API parameter or through the browser form), it will be automatically triggered to start in a few seconds. IMPORTANT: For autostart of the Swedish BankID app from an IFRAME the following script needs to loaded on the container page:
|
sbid-sign | Swedish BankID Signing. These two parameters are a requirement: PersonalNumber and UserVisibleData. UserNonVisibleData is optional. |
fbid | Finnish BankID authentication both via the mobile app and through banking. |
nemid | Danish NemID Authentication. |
nbid_oidc | Norwegian BankID web or mobile Authentication. See the request body parameter login_hint below for lots of configuration alternatives, such as limiting to mobile and a specific mobile number. |
nbid | Norwegian BankID web Authentication. Forwards to nbid_oidc with login_hint = BID |
nbid_mobile | Norwegian BankID web Authentication. Forwards to nbid_oidc with login_hint = BIM |
nbid_pep | Norwegian BankID web or mobile Authentication with PEP check |
[cc] | [cc] is a two letter country code (ISO standard) to let the use select from a button list of available identification method(s) for that particular country. |
swissid | SwissId web Authentication |
Headers
In order to send a message you need to authenticate yourself using the credentials given by ZignSec.
Authorization | This header parameter is the personal access token you received from ZignSec during the registration process. Example: Authorization: 00000000-e2a2-4968-b651-5352305c9fb0 | Required |
Content-Type | Specifies the media type of the request body data. Set to application/x-www-form-urlencoded. for post data and application/json if JSON object. Example: Content-Type: application/x-www-form-urlencoded | Required |
Host | Use test.zignsec.com for test environment and api.zignsec.com for production environment. Example: api.zignsec.com | Required |
Request Parameters
Parameter | Description | Required |
---|---|---|
personalnumber | Set up of identity number. This optional parameter has somewhat different meanings for each country: SE: Means that for Sweden only this specific person can be identified; No need to fill in PersonalNumber; The BankID app starts up for this person only. DK: Danish Nemid does not return personal number (CPR), instead a technical substitute key called PID. However, if the PersonalNumber parameter is present then a background matchPidCpr call is run that verifies that given PersonalNumber matches the logged-in PID, Where after the PersonalNumber is set in response symbolizing the PersonalNumber is verified by a NemID login. NO: If PersonalNumber is sent in only that person can login, because the first page for entering PersonalNumber is skipped entirely. This is a convenient way to verify a specific PersonalNumber. Another alternative is the field The PersonalNumber formats per country:
| No |
relaystate | This semi-optional parameter will be returned to you at the redirect back to your server. Use it to link an unique ID of your choice that you can parse. If not relaystate is specified, ZignSec will automatically set the ZignSec’s unique session identifier, the RequestID token here. Example: | No |
configid | Here you can send in a GUID that represent a specific configuration. This is used to separate between multiple certificates, different layouts or to make different Webhook calls. If only one configuration it is used automatically. Example: | No |
target | If this parameter is supplied the browser session will finally be redirected to this URL-value. The URL-parameter value must be URL-encoded. Example: | No |
targetError | targetError works as target except it is navigated on user cancel or error situations. | No |
layout | If this parameter is left out this is set to the current default layout, contact ZignSec for layouts and default selection. | No |
language | Decides web form user interface language. The default language is taken from the merchants setting ‘DefaultLanguage’ or EN=English if none is set there. Language can be changed both on a request level here, or on setting level. For example, if a customer mainly uses the Swedish BankID ZignSec will change the ‘DefaultLanguage’ setting to SV for best user experience. The code format should be in this 2-letter ISO 639-1 language code, case-insensitive. | No |
AskForCpr | Only works with Danish NemID [who don’t return the Danish personal number (CPR)]. If this parameter is set to true , an input form for entry of CPR number is shown after then NemID login step. The entered CPR number is verified with current NemID PID with a call to the Match service at NemID, and the verified CPR is stored in the identity PersonalNumber response field. | No |
AskForCprCallback | Only works with Danish NemID [who don’t return the Danish personal number (CPR)]. This merchant callback allows for a slimmed login process, showing the CPR validation dialog only when necessary (such as on a customer’s first login to a site). If this callback is present the merchant can decide in runtime whether the CPR validation is needed or not. A callback URL parameter can be for example: Process details: a GET to the URL will be issued by ZignSec with the PID from NemID-login replaced at Our recommendations: * Since the PID is always returned it can be stored together with a verified CPR after first NemID login, and then on the next visits you don’t need to show the CPR dialog since the PID can be used as the unique lookup key to find the known customer. * Also keep in mind that if the customer´s CPR is known in advance it can be sent in with the PersonalNumber parameter with the NemID initiation, and the CPR will be silently verified with a Match call and if correct be put in the PersonalNumber response field. | No |
login_hint | Only works with Norwegian BankID and when method is set to For example | No |
userVisibleData | Only works with Swedish BankID Signing. The text message to be signed by an end user. Must be UTF-8 and Base64 encoded. Max 40’000 characters. CR/LF/CRLF means new line. | Yes (at Signing) |
userNonVisibleData | Only works with Swedish BankID Signing. Optionally used for document or message hashes. Must be UTF-8 and Base64 encoded. Max 200’000 characters. | No |
lookupPersonAddress | Currently works for Swedish BankID and Swedish Banking API. If set to true will automatically do a Swedish person address lookup from the verified personalNumber using LookupPerson API and the official population register. The call is charged separately, which means that additional charges will be incurred. | No |
webhook | A url where success/error results will automatically be POST:ed. It can be set either here or on the merchant’s setting, see this general page web hooks for success and error During test you try https://webhook.site/ for free web hook URLs. | No |
requirement | NOTE: Include setting AutoStartTokenRequired=Yes to require that login must be performed scanning a QR code. Adding this setting will also show the QR-code on the waiting form. Used by RP to set requirements how the authentication or sign operation Example: | No |
allowRetries | Optional, default is Default expiration setting is 7 days. Example: | No |
Scope | Only works with Norwegian BankID . Following scope values can be used as space separated string: Note: Example: Above example will prompt consent to provide national identity number, address and phone. | No |
PEP_Check | Works with nbid_pep only. Configures Example:
| No |
Layouts
There are different layouts, that can be chosen dynamically or configured statically, for determining the BankID app triggering during the browser workflow in the Swedish BankID integration /sbid
It is always possible to start the BankID app by a button click.
Layout2
Desktop | Android | iOS | |
Autostart BankID app (without user gesture/button-click) | Yes | No | No |
Redirect after login | To previous app | To previous app | To previous app (need to click back button in app) |
Layout3 (default layout)
Desktop | Android | iOS | |
Autostart BankID app (without user gesture/button-click) | Yes | No | Yes |
Redirect after login | To previous app | To previous app | To previous or default browser (new tab will be created) |
Need https://zignsec-cdn.azureedge.net/scripts/zignsecautostart.js on website | Yes |
Layout4
- Use click on button without redirect to another page, just load iframe on the same page
Desktop | Android | iOS | |
Autostart BankID app (without user gesture/button-click) | Yes | Yes | Yes |
Redirect after login | To previous app | To previous app | To previous or default browser (new tab will be created) |
Need https://zignsec-cdn.azureedge.net/scripts/zignsecautostart.js on website | Yes |
Response
id | A unique session identifier generated for each workflow instance. |
errors | A JSON array of error conditions, see error handling FAQ |
redirect_url | The URL that the user needs to be redirected to complete the data via the web interface. It is possible to load the URL in an iframe. Timelife of url can be managed over the settings RedirectUrl_ExpirationInMinutes_PROD / RedirectUrl_ExpirationInMinutes_TEST . |
Error Codes
Code | Description |
INVALID_PERSONALNUMBER | Invalid Personal number, for example missing |
INVALID_APPID | Invalid AppId |
MISSING_CONFIG | Your account has a missing config, contact ZignSec for help |
INVALID_REQUEST | Something unexpected has gone wrong, contact ZignSec for help |
Note: For Swedish BankID integrations google for and read the BankID Integration guide which describes all API calling details such as parameters, return values and error conditions.
Setup-request Example: (sbid-another=app on any device)
POST https://test.zignsec.com/v2/eid/sbid-another HTTP/1.1 Authorization: 00000000-e2a2-4968-b651-5352305c9fb0 Content-Type: application/x-www-form-urlencoded Host: test.zignsec.co target=http%3A%2F%2Flocalhost%3A8080%2Fzignsec%2Freturn
Setup-response example
{ "id":"ebe756c4-24db-4eb7-8b54-874434f212ec", "errors":[], "redirect_url":"https://test.zignsec.com/v2/Hosted/ebe756c4-24db-4eb7-8b54-874434f212ec/sbid-another/" }
Setup-request SwissID Example
POST https://test.zignsec.com/v3/eid/swissid HTTP/1.1 Authorization: 00000000-e2a2-4968-b651-5352305c9fb0 Content-Type: application/json { "scopes": "openid profile email phone", "webhook": "https://my.site/webhook", "target": "https://my.site/logged-in", "targetError": "https://my.site/error", "relayState": "my-session-id", "environment": "Test", "language": "en", "acrValues": "qoa1" }
Step 2. Run the login workflow
Simply navigate to the redirect_url
to start the login workflow in a browser. It may be convenient to load the URL into an HTML IFrame element to get a windowed login integration in an existing web site. In parallel, a separate eID session is handshaked in the background either on the server (Sweden) or in the client with Javascript (Denmark and Norway).
Contact ZignSec to setup custom CSS for Html IFRAME.
Step 3. Get status/results
GET from https://env
.zignsec.com/v2
/eid/sessionid
where env
is API or testsessionid
is retrieved in the setup call, named id in the response.
How to get notified of Workflow Finished
There is both active and passive notification for when the workflow is finished:
- Callback: Set Target URL parameter in step 1 and when the target URL is navigated you can do the above collect-GET.
- Webhook. To set up a webhook URL for callback, contact ZignSec. Results will be posted to the URL, see this example.
- Polling: Repeatedly call the above collect-GET until the results contain a final result.
Response
id | A unique session identifier generated for each workflow instance. | ||||||||||||||||||||||||||
errors | A JSON array of error conditions, see error handling. | ||||||||||||||||||||||||||
result | Note: This node is missing (deemed unnecessary) if the authentication is successful, ie when a identity node is present. An object that describes the main result of the service call. It contains the following parameters:
| ||||||||||||||||||||||||||
Identity | This is a verified identity of the customer. The following parameters can be found in this object.
| ||||||||||||||||||||||||||
method | The name of the method initiated, for Example “sbid ” or “sbid-another ” | ||||||||||||||||||||||||||
BankIDSE | This sub item contains certificate validation data only relevant to the Swedish BankID. signature This is for tracking and source verification of the total result returned from the Swedish BankID, both for the Authenticate and the Sign processes. The content is long a base64-encoded xmldsig document – the IETF-standard for signing of Xml . It contains for example the signed object in parsable format, and the result in element after signing with the merchant’s X509-certificate. Validity can be checked with standard methods available for example in .Net framework. ocspResponse This is for tracking and source verification of the customer certificate used in the Swedish BankID, both for the Authenticate and the Sign processes. |
Example response
{ "identity": { "CountryCode": "SE", "FirstName": "RAGNAR PER", "LastName": "GREN", "FullName": "RAGNAR PER GREN", "PersonalNumber": "198711260070", "DateOfBirth": "1987-11-26", "Age": 30, "IdProviderName": "BankIDSE", "IdentificationDate": "2018-09-19T11:53:46.4726217+02:00", "IdProviderRequestId": "", "IdProviderPersonId": "", "CustomerPersonId": "" }, "BankIDSE": { "signature": "base64 too long to display ...", "ocspResponse": "base64 too long to display ..." }, "method": "sbid-another" };
Example response when LookupPersonAddress=true
{ "identity": { "CountryCode": "SE", "FirstName": "RAGNAR PER", "LastName": "GREN", "FullName": "RAGNAR PER GREN", "PersonalNumber": "198711260070", "DateOfBirth": "1987-11-26", "Age": 30, "IdProviderName": "BankIDSE", "IdentificationDate": "2018-10-26T11:38:39.7515839+02:00", "IdProviderRequestId": "", "IdProviderPersonId": "", "CustomerPersonId": "" }, "BankIDSE": { "signature": "base64 too long to display ...", "ocspResponse": "base64 too long to display ..." }, "LookupPersonAddress": { "PersonStatus": "", "FirstName": "Ragnar Per", "LastName": "Gren", "MainFirstName": "Ragnar", "Address": "Tranvägen 4", "Address2": null, "PostalCode": "18452", "Location": null, "City": "Sollentuna", "Province": null, "CountryCode": "se", "Phone": null, "PhoneNumbers": [ "08-51234567", "073-1234567" ], "Email": null, "DateOfBirth": "19871126", "BirthYear": 1987, "BirthMonth": 11, "BirthDayOfMonth": 26, "Age": 30, "PersonalNumber": "198711260070", "_DataSource": "DP05" }, "method": "sbid-another" }