MitID Erhverv integration test environment: Test MitID Erhverv features

Fill in the form on the test portal (no login required):

NemLog-in.dk: Create test user organisation (available only in Danish)

You need to fill out 6 fields:

• Administrator email address: Enter an email address that you will use when you need to reset your password.
• Password: Enter the password you will use to log in.
• API access key: If you choose to provide an API access key, others cannot modify the user organisation.
• Approve qualified certificates: If you need to test qualified certificates, you can check this option.
• Organisation type: If you want to test as a private company, select "Private Company". If you are testing as a public organisation, select "Public Organisation".
• Assurance level for identification process: Here, you can specify the NSIS assurance level for the identification process of business users

Once completed the form, tap the "Create" button at the bottom of the page. The "New BO test organisation created with the following data" page will open. Here, you will find details about the test organisation, including a fictitious CVR number and a new test user. You can also find the username and password. These details are required for logging in, be sure to save them both.

The test user can now act as the administrator for the test organisation.

Digitaliseringsstyrelsen: Internal Test SP OIOSAML-3.0

The administrator created in step 1 can now:

• create (test) business users
• issue certificates
• assign rights and business powers of attorney.

Test users can also log in (and sign) with service providers in the MitID Erhverv integration test environment.

If you would like to test Local IdP and IdM integration, you should contact the MitID Erhverv Administration for access. When you contact MitID Erhverv Administration, be sure to provide:

• The CVR (Central Business Register) number of your test organisation
• Specify that the request concerns the integration test environment
• Whether you wish to test IdM integration or Local IdP.

The administration can enable the functions for your test organisation with the information provided.

MitID Erhverv Administration: Email

To have test users in your test organisation in the MitID Erhverv integration test environment, you must first create fictitious private test users in the MitID Simulator.

MitID Simulator

In the MitID Simulator, you must enter following details:

• User name: This should be a fictitious name
• Password
• First name
• Middle name
• Last name
• Fictitious CPR number
• Email address

Note that you can instead tap "Autofill," which will automatically fill in the following details:

• Username
• Name
• Middle name
• Last name

Tick the box "Private MitID" if the user is to be used for private MitID login. This should be done in most cases, as it is the recommended way to manage test business users. By ticking the box "Private MitID", the test user is created as a private identity in the MitID Simulator. The user can then be linked as a business user in the test environment and use the private MitID created in the MitID Simulator as a login method.

Test certificates are easiest to order via the MitID Erhverv application interface in the integration test environment or through the associated APIs. Additionally, you can download an example of a system certificate, although it will not be linked to your own test organisation's CVR number.

OCES3 System Certificate (.p12)

Password: c5,PnmF8;m4I

The key files generated via MitID Erhverv are in PKCS#12 format and encrypted using the AES algorithm. This may cause issues with older software. If this happens, the files can be repacked into a different encryption algorithm using tools like:

• XCA
• OpenSSL
• Other similar tools.

The root certificate and the certificate issued for the test can be retrieved from the test certificate's .12 file using the relevant software for the purpose.

Blacklists and OCSP services in the OCES3 infrastructure are not accessible via fixed IP addresses due to DDoS protection. As a result, any firewall rules for outgoing traffic in your organisation must be defined based on the host name and not on IP addresses.

Organisations wishing to manage their users within their own local systems can integrate with the IdM API in MitID Erhverv. This enables you to create users in your local systems, and they will also be automatically created in MitID Erhverv. Please note that a local user can only access self-services via Local IdP once the user has been created in MitID Erhverv following the synchronisation between the local system and MitID Erhverv.

If you would like to test IdM integration, contact the MitID Erhverv Administration for access via email providing the following details:

• The CVR (Central Business Register) number of your test organisation.
• Indicate that the request concerns the integration test environment.
• Notify that your organisation would like to test IdM integration.

MitID Erhverv Administration can then enable the necessary features for your test organisation.

MitID Erhverv Administration: Email

The documentation package for integration with the IdM API in MitID Erhverv has been updated to include the requirement for email validation. If you issue certificates containing an email address, you must validate the email provided.

The package comprises:

• an introduction and descriptions of concepts
• flow descriptions, e.g. authentication
• data models
• REST OpenAPI specifications (.yaml)
• SOAP WSDL.

Additionally, the package contains separate documentation for the Certificate API, which allows you to issue and renew certificates.

Download the documentation package:

Documentation package (V1.12) for IdM and certificate API (zip) (updated 21 November 2024)

Please note that users do not have certificates attached by default in NemLog-in, as certificates are not used for login.

When synchronising large numbers of users (thousands) via the API, it is recommended to do so overnight or, at the very least, spread the synchronisation over an extended period (e.g. 60-120 minutes). Furthermore, avoid authenticating every individual user during updates. Instead, update multiple users using login session.

There is a limit on API usage based on the number of calls within a specific time frame. This measure is implemented to prevent exessive system load and maintain operational stability. If this limit is exceeded, the system will return an HTTP 429 (Too Many Requests) response code.

For example, attempting to synchronise a large number of users (thousands) in a short period may trigger this error. Should this occur, we recommend halting the synchronisation immediately and resuming it later, ensuring a delay between requests to avoid further issues.

If you would like to test Local IdP, please contact MitID Erhverv Administration to request access. When doing so, please ensure you provide the following details:

• The CVR (Central Business Register) number of your test organisation
• Indicate that the request concerns the integration test environment
• Notify that your organisation would like to test Local IdP.

MitID Erhverv Administration can then enable the necessary features for your test organisation.

MitID Erhverv Administration: E-mail

When integrating a Local IdP and assuming responsibility for authenticating your local users, the OIOSAML Local IdP Profile must be adhered to for integration with NemLog-in's broker.

Below, you will find guides, specifications, and metadata for the integration test environment for NemLog-in as a SAML Service Provider, which should be imported into your Local IdP:

Integration with NemLog-in – Local IdP (pdf) (latest updated 14 December 2023)

Remember to:

• set the lifetime of assertions for Local IdP to a maximum of 10 minutes to prevent rejection by NemLog-in
• use the Log viewer on the environment if you need to debug a rejected request.

NemLog-in test environment: Log viewer

The metadata required for the integration test environment can be found on NemLog-in.dk:

NemLog-in.dk: Metadata (available only in Danish)

The organisation administrator must open the following page in a new tab in the same browser:

MitID Erhverv: Access the integration test environment for your organisation

Under "Integration test environment details", you are required to fill in the:

• email address of the new administrator
• password the new administrator should select.

Tap "Approve".

The new administrator will now be created with a username and password. Please make a note of them and send the details to the new administrator.

Please note:

• the email address must not have been used previously used for an administrator in the integration test environment.
• it is not possible to have the username and password resent. If you lose the username or password, you must create a new administrator with a different email address.

The organisation administrator must open the following page in a new tab in the same browser:

MitID Erhverv: Access the integration test environment for your organisation

Under "Integration test environment details", you mustto provide a new API key, ensuring that only your organisation can call the API.

Then, tap "Approve".

The API key for your organisation in the integration test environment will now be updated.

Please note the organisation administrator does not need to enter the current API key in order to change it.