BankID BankID Relying Party Guidelines Version: 2.7 Page 1(27) 2014-11-13 BankID Relying Party Guidelines Version: 2.7 2014-11-13 BankID Page 2(27) BankID Relying Party Guidelines 1 Version: 2.7 Introduction .................................................................................................................................. 4 1.1 Versions...............................................................................................................................................4 1.2 Terms and definition..........................................................................................................................5 1.3 How it Works......................................................................................................................................5 1.4 BankID on file and BankID on smart cards ....................................................................................5 1.5 Mobile BankID ...................................................................................................................................6 1.6 Client Platforms .................................................................................................................................6 2 Use Cases ...................................................................................................................................... 6 2.1 Basic Use cases....................................................................................................................................7 2.2 Flow of events .....................................................................................................................................7 2.3 Exceptions ...........................................................................................................................................7 3 Launching ..................................................................................................................................... 8 3.1 Launching the BankID app from a browser ...................................................................................8 3.2 How to Start........................................................................................................................................8 3.3 Behaviour in Different Browsers ......................................................................................................8 3.3.1 3.3.2 3.3.3 3.4 Chrome ....................................................................................................................................................... 8 Internet Explorer ......................................................................................................................................... 8 Parameters in the start URL ........................................................................................................................ 8 Launching the BankID app from Native App on Mobile Device.................................................10 3.4.1 3.4.2 3.4.3 Android ..................................................................................................................................................... 10 iOS ............................................................................................................................................................ 10 Windows Phone ........................................................................................................................................ 10 4 Technical Requirements ............................................................................................................. 11 5 Recommended User Messages ................................................................................................... 12 6 Production Environment ............................................................................................................ 14 7 Test Environment ....................................................................................................................... 14 8 Information regarding the Web Service API ............................................................................ 16 8.1 Versions.............................................................................................................................................16 8.2 Test Environment.............................................................................................................................17 8.3 No soapAction...................................................................................................................................17 9 Support ........................................................................................................................................ 17 10 Recommended Terminology ................................................................................................... 17 11 File Signing ............................................................................................................................. 18 12 Appendix: RP Interface Description ...................................................................................... 19 12.1 12.1.1 12.1.2 12.2 12.2.1 12.2.2 12.3 12.3.1 Method Auth .................................................................................................................................19 In parameters ............................................................................................................................................ 19 Return value.............................................................................................................................................. 19 Method Sign ..................................................................................................................................19 In Parameters ............................................................................................................................................ 19 Return value.............................................................................................................................................. 19 Method FileSign - Deprecated .....................................................................................................19 In Parameters ............................................................................................................................................ 20 BankID Page 3(27) BankID Relying Party Guidelines 12.3.2 Version: 2.7 Return value.............................................................................................................................................. 20 12.4 PersonalNumberType ..................................................................................................................20 12.5 EndUserInfoType .........................................................................................................................20 12.6 RequirementAlternativesType ....................................................................................................21 12.6.1 OrderResponseType ................................................................................................................................. 22 12.7 Error codes for Auth/Sign/FileSign ............................................................................................22 12.8 Method Collect..............................................................................................................................23 12.8.1 12.8.2 12.8.3 12.8.4 12.8.5 12.9 12.9.1 12.9.2 In Parameters ............................................................................................................................................ 23 Return Value ............................................................................................................................................. 23 ProgressStatusType .................................................................................................................................. 23 UserInfoType ............................................................................................................................................ 24 Error codes Collect ................................................................................................................................... 24 More information about requirement alternatives ...................................................................26 Syntax ....................................................................................................................................................... 26 Examples .................................................................................................................................................. 26 BankID Page 4(27) BankID Relying Party Guidelines 1 Version: 2.7 Introduction This document contains guidelines for Relying Parties (RP, Förlitande Part in Swedish) when using BankID in their own services. Please check www.bankid.com/rp/info and verify that you have the latest version of this document. 1.1 Versions Version Date Change 1.0 2013-09-11 First English version 1.0.1 2013-09-30 Removed the iframe tip in the Mobile Web App use case since it doesn’t work in Chrome for Android version 25 and later. 1.0.2 2013-10-21 Added Android, iOS and Windows Phone sections in the Mobile Web App use case. 2.0 2013-11-29 Possible to use the interface to access BankID on file, BankID on smart cards as well as Mobile BankID New name of document New version of RP-Interface 2.1 2013-12-20 Changes in the instructions for launching the iOS and Windows Phone BankID app. Changes in the user message requirements. Added information in the Test Environment chapter regarding how the BankID Security Application should be configured for test. 2.2 2014-01-23 Details on how to configure the PC-client for test. We recommend the autostarttoken to be used. The redirect parameter must be used together with autostarttoken on PC:s. Minor change in the recommended text RFA15. 2.3 2014-03-25 How to start: The parameters must be in lower case. How to start: Error message if client started multiple times User message RFA17: updated with link to install.bankid.com Test environment: You need to remove the config file if the selector file is changed. Web Service: Validity time for previous versions of the web service API. Appendix RP Interface: max file size is 5 Mb Added REQ_BLOCKED (Not used) and ALREADY_COLLECTED (Not Used) as error codes for collect. 2.4 2014-05-13 Parameters in the start URL: Removed the note for redirect in iOS, it was not reliable. The general recommendation is to use redirect=null when it is possible. A clarification in the note for Windows and Mac OS X. Technical Requirements: New requirement RFT11 describing which cert to be configured as trusted. User Message Requirements: Changed RFA14 and RFA15 to two different texts depending on if the user access the service using a PC or a mobile device. Test Environment: Updated how to configure the PC-client for test. Error Codes Collect: RFA3 should be used for CANCELLED 2.5 2014-06-03 Method fileSign is deprecated. Changed the examples of requirementAlternatives to include Nordea E-leg. 2.6 2014-09-17 Launching from browser: The start URL for mobile devices shall include three backslash (bankid:///). Launching from native app (Android): intent.addCategory and intent.setType not needed to launch in Android. Three backslash in the URI. Launching from native app (iOS): Three backslash in the URL. Launching from native app (WP): Three backslash in the URI. More information about requirement alternatives: Added one more example. Commented the examples. BankID Page 5(27) BankID Relying Party Guidelines 2.7 2014-11-05 Version: 2.7 Parameters in the start URL: It is possible to use a new parameter rpref. Production Environment: The client also uses IP address 194.242.109.208 and 159.72.128.183. Test Environment: The client also uses IP address 194.242.109.169 and 159.72.128.183. Use Cases: RP:s should consider to offer manual start of BankID app if the automatic start fails. RequirementAlternativesType: typing error; “type” changed to “key”. 1.2 Terms and definition Term BankID Security Application BankID app Description The client software that needs to be installed in the end users mobile device or personal computer (PC). The same term is used for PCs and mobile platforms. BankID app is the short form used in this document. In Swedish the client software installed on PCs is called “BankID säkerhetsprogram”. In Swedish the client software installed on mobile platforms is called “BankID säkerhetsapp” RP Relying Party that uses the BankID web service to provide login and signing functionality to the end user. 1.3 How it Works To be able to use BankID’s identification and signature features users must install BankID Security Application (the BankID app) in a mobile device or PC. They also need to order a BankID from their bank.An RP uses the identification or signature service of BankID via a web service API provided by BankID (see Appendix: RP Interface Description). The web service API can only be accessed by an RP that has a valid SSL client certificate (an RP certificate). The RP certificate is obtained from the bank that the RP has purchased the BankID service from. If the BankID app is installed in the same device as the RP service executes in, the BankID app can be launched automatically by the RP service. In this case the users do not need to enter their ID number in the RP service. If, on the other hand, the RP service is used in a web browser on a PC and the users want to use a Mobile BankID the users will have to manually launch the BankID app in their mobile device. In this case the users need to provide their ID number in the RP service. 1.4 BankID on file and BankID on smart cards This section includes general information for RP’s that have used BankID on file and BankID on smart cards via the old BankID browser plugin solution. Some of the simplifications and changes are: Installation and version control of the BankID app does not need to be done by the RP. The version control is performed within the BankID system. If the user has not installed the BankID app a special status will be returned via the RP-interface. BankID Control Server is no longer needed. The signature and all other controls are done within the BankID system. There is no need to have different code for different browsers to start the BankID app. Instead of using the plugins or activeX controls in the BankID app to authenticate the user and let the user sign, the RP uses web services provided by BankID. The RP interface has support for all different types of BankID (BankID on file, BankID on smart cards and Mobile BankID). If an RP only wants to support BankID on file or BankID on smart cards or Mobile BankID they need to use the requirementalternatives parameter to specify this (the certificatePolicies should be set to 1.2.752.78.1.1 and/or 1.2.752.78.1.2 and/or 1.2.752.78.1.5). Support for Nordea e-legitimation is included in the system. The filter parameter is replaced with requirementalternatives. See RequirementAlternativesType for more information. BankID Page 6(27) BankID Relying Party Guidelines Version: 2.7 1.5 Mobile BankID This section includes a description for RPs’ that have used previous versions of the RP interface (which supported Mobile BankID only). Some of the changes are: The new RP interface has support for all different types of BankID (BankID on file, BankID on smart cards and Mobile BankID). If RP only wants to support Mobile BankID they need to use the requirementalternatives parameter to specify this (the certificatePolicies should be set to 1.2.752.78.1.5). The sign and authenticate methods returns an orderResponse which contains the orderReference. Users do not need to enter their ID number to sign or login. For this to work the BankID app must be started using the autoStartToken which is returned in the orderResponse. The following status and error codes are changed: o “SIGN_VALIDATION_FAILED” and “INVALID_DEVICESW” is replaced with “CLIENT_ERR”. o “CLIENT_ERR” is a new error indicating various problems with the client. o “UNKNOWN_USER” is deprecated. o “ALREADY_COLLECTED” is replaced with “INVALID_PARAMETERS”. o “TIME_BLOCKED” was not used in previous version and is now deprecated. o “START_FAILED” is a new error used if auto start with autostarttoken fails. o “CERTIFICATE_ERR” is a new error indicating that the BankID is expired or revoked. 1.6 Client Platforms BankID is supported in PCs running Windows, Mac OS X, mobile phones and tablet computers running Android and iOS and mobile phones running Windows Phone 8. Up to date information on platform support can be found at http://support.bankid.com. BankID Security Application for mobile devices BankID Security Application for PCs - NOTE Login Sign fileSign Support for multiple users Support for smart cards - User does not need to enter ID number at login NOTE: fileSign is deprecated and will not be included in future versions of the RP Service API. We strongly recommend RP not to use fileSign. See chapter 11 - File Signing for more information. 2 Use Cases There are a number of use cases that can be implemented using the new BankID solution. In this document we describe the most common use cases to keep it simple and to give the reader a basic understanding of the solution. If the BankID app is installed on the same device the user uses to access the service the RP should help the user to start the BankID app automatically. A description is found in Launching. In this case the users do not need to provide their ID number. If the BankID app is installed on another device the users must provide their ID number and manually start the BankID app. If the BankID app is installed on the same device the user uses to access the service, but the BankID app cannot be automatically started, the user must provide their ID number and manually start the BankID app on the same device. RP:s should consider this use case as a fallback in case the automatic start fails. BankID Page 7(27) BankID Relying Party Guidelines Version: 2.7 To make the user experience consistent the RP must use the recommended messages and error messages in Recommended User Messages. The possibilities to restrict the types of BankID that can be used and how to define other requirements are described in RequirementAlternativesType. 2.1 Basic Use cases The following basic use cases exist: A. The user access the service using a browser on a personal computer. Users should be asked if they want to login or sign using “BankID on this computer” or “Mobile BankID”. Message RFA19 should be used. a. Users that select to use BankID on this computer does not need to enter their ID number and the RP must start the BankID app on the computer. b. Users that select Mobile BankID must enter their ID number and the RP must give the instruction to manually start the BankID app on their mobile device. B. The user access the service using a browser on a mobile device. Users should be asked if they want to login or sign using “Mobile BankID on this device” or “Mobile BankID on another device”. Message RFA20 should be used. a. Users that select to use this device do not need to enter their ID number and the RP must start the BankID app on the mobile device. b. Users that select to use another device must enter their ID number and the RP must give the instruction to manually start the BankID app on the other device. C. The user access the service using a native app on a mobile device. In this case the user most likely wants to use a BankID on the same device. The RP may however provide possibilities to use another device in this case as well. a. The users do not need to enter their ID number and the RP app launches BankID App programmatically (see Native App on Mobile Device). b. Users that select to use another device must enter their ID number and the RP App must give the instruction to manually start the BankID app on the other device. In some cases it may be impossible to automatically start the BankID app. The reason could be browsers blocking it or that the RP app does not have the capabilities to launch external URL:s. In this case the users always can start the BankID app manually. In this case the users need to enter their ID number. 2.2 Flow of events 1. 2. 3. 4. 5. 6. 7. 8. Users that select “another device” are asked to enter their ID number if it’s not already saved or known by the RP. The RP uses the Authenticate or Sign call of the web service API. The web service returns an autoStartToken and an orderReference. If the user selected “another device” RP should set condition “certificatePolicies” to “1.2.752.78.1.5” to restrict the transaction to mobile devices only. If the user selected “same device” the RP tries to start the BankID app. The autoStartToken must be used in the start command if the ID number is not provided in the web service call, see Launching. Once the BankID app has finished execution, focus will be returned to the browser/app. If the user selected “another device” the RP informs the user to start the BankID app manually. The RP service displays a progress indicator. The login or sign transaction is displayed in the BankID app. The RP name (as stated in the RP certificate) is displayed. The user enters personal security code or cancels. The RP periodically uses the Collect call of the web service API, until a final response is received and continuously updates the message displayed to the user. See Recommended User Messages. RP removes the progress indicator. 2.3 Exceptions 1. 2. 3. The web service call in step 2 fails. The use case is cancelled and the RP shall instruct the user according to Recommended User Messages. The RP must not try to start the BankID app. The Collect call in 7 fails. The use case is cancelled and RP shall instruct the user according to Recommended User Messages. The automatic start in 3 fails due to different reasons: o The user has not installed the BankID app o Erroneous start command o User did not allow the browser to launch the URL BankID Page 8(27) BankID Relying Party Guidelines 4. 5. 3 Version: 2.7 The web browser will inform the user that the URL cannot be opened. Status “START_FAILED” will be delivered to the RP as response to the Collect call in 7 if the automatic start of the BankID app has not been completed within a certain time limit. The RP shall instruct the user according to Recommended User Messages. The automatic start in 3 is successful but the user has no BankID of correct type. The BankID app will display an error message. Status “STARTED” will be delivered to the RP as response to the Collect call in 7. RP shall instruct the user according to Recommended User Messages. In step 4, the user fails to manually start the BankID app or no BankID of correct type exists in the started client. Different status codes will be delivered to RP as response to the Collect call in 7. The RP shall instruct the user according to Recommended User Messages. Launching 3.1 Launching the BankID app from a browser When the BankID app is installed the schema “bankid” is registered in the operating system. When the bankid schema is requested from the browser the operating system launches the BankID app. The URL works in Android, iOS and Windows Phone 8 when the built-in web browser is used. The URL works in PCs with all commonly used browsers. Some differences exist on different platforms. The URL syntax is: bankid:///?autostarttoken=[TOKEN]&redirect=[RETURNURL] Note that the redirect parameter must be last in the parameter list. The autostarttoken, filehash and rpref parameters are optional. Note that the parameter names must be lower case. 3.2 How to Start We recommend using the following technique to start the BankID app from a browser. 1. Make the call to the web service, check the result. 2. Try to start the Bankid app in a frame with zero size. <iframe src="bankid:///?autostarttoken=[TOKEN]&redirect=[RETURNURL]" height=0 width=0></iframe>" 3. If the BankID app is not installed the error presented by the browser will be in the zero size window and not visible for the user. After 5 seconds display a link or button with the BankID URL. Use text RFA18. <a href="bankid:///?autostarttoken=[TOKEN]&redirect=[RETURNURL]”>[RFA18] Using a href this way is the most reliable method to start the BankID app. If the start in 2 is successful, the link in 3 will be hidden by the BankID app. If the start in 2 is unsuccessful, the user will have a second chance to start. If the BankID app is started but no matching call to Authenticate or Sign has been done, an error message will be displayed in the app. To avoid this, we recommend that the link or button is inactivated immediately after the user presses it. 3.3 Behaviour in Different Browsers 3.3.1 Chrome In current version of Chrome (version 31) a known problem blocks BankID from being started from a frame. Using the recommended method above solves the problem, see https://code.google.com/p/chromium/issues/detail?id=318788. 3.3.2 Internet Explorer Internet Explorer manipulates the URL in the redirect parameter. In this specification we state that the RETURNURL must be URL-encoded. However, Internet Explorer decodes the content prior passing it to the BankID app. This is why it must be last in the list of parameters. In the same way, Internet Explorer may decode the content of the RETURNURL when the BankID app passes the return URL back to the browser. If the RP includes session information that is affected by URL-encoders/decoders problems may occur. It is recommended to use only URL-encoding safe characters in the parameters. 3.3.3 Parameters in the start URL Parameter autostarttoken Description Optional. BankID BankID Relying Party Guidelines Page 9(27) Version: 2.7 Holds the autoStartToken that was returned from the web service call. If the user ID number was not included in the web service call the autostarttoken must be provided. We strongly recommend to always use the autostarttoken when the URL is used to start the client. If it is not included and the user reloads the page or if the page erroneously repeats the start command the user may get an error claiming that the BankID is missing. The likelihood of this to happen is reduced if autostarttoken is used. filehash redirect rpref Deprecated. Optional. Not supported in mobile devices. Holds a filehash. When a file is signed the RP may provide the SHA256 computed over the binary file content of the file being signed. The filehash will be compared with the SHA2 computed over the file content in the file sent to the BankID Server. If the hashsums differ an error will be returned when collecting the result. If filehash is used, autostarttoken must be used as well. Hexadecimal number. Note that the fileSign method is deprecated. Mandatory. The BankID app uses the request parameter redirect to launch the RP web app after completed (including cancelled) authenticate or sign. The redirect URL must be UTF-8 and URL encoded and should match the web address the user is visiting when RP web app launches the BankID app. It may include parameters to be passed to the browser. For iOS and Windows Phone the redirect must have a value, but for all other platforms it may be empty (“redirect=”), or set to “null” (“redirect=null”). If it is empty or null the BankID app will terminate without launching any URL and the calling application will be in focus. The general recommendation is to use redirect=null when it is possible. Note for Windows and Mac OS X If redirect has a value the redirect parameter must be used together with autostarttoken. If autostarttoken is excluded, the content of redirect will be ignored and the behavior will be as if redirect=null. Note for Android If the user has several browsers installed on an Android device the user is sometimes presented with a question asking what browser to use. BankID recommends that redirect=null is used on Android. This ensures the user will return to the browser previously used. Note for Windows Phone When the browser on Windows Phone is started from an app it is considered a new session by the browser, hence any previous transient (session) cookies are unavailable. RP can use a persistent cookie or the RETURNURL to control the session. Relying Party Reference. Optional. Not supported in mobile devices. Any reference the RP wants to use. The value will be included in the resulting signature. A typical use case is to protect a file when it is transported from a client to a server (compute hashsum of the file content in the client, include the hashsum as rpref, compare it (server side) with a hashsum of the file content computed in the server). The value must be base64 encoded and URL encoded and 8 – 255 bytes (after encoding). rpref must be used together with autostarttoken. If autostarttoken is excluded, the content of rpref will be ignored. If the client software version is too old the parameter is not supported. An error will be displayed in the client. 3.3.3.1 Examples The RP wants the BankID app to open a browser with the following URL after finishing execution: https://demo.bankid.com/nyademobanken/CavaClientRedirReceiver.aspx?orderRef=bedea56d-7b46-47b1890b-f787c650bc93&returnUrl=./CavaClientAuth.aspx&Environment=Kundtest. The autostarttoken is included. The start URL is: bankid:///?autostarttoken=a4904c4c-3bb4-4e3f-8ac3-0e950e529e5f& redirect=https%3a%2f%2fdemo.bankid.com%2fnyademobanken%2fCavaClientRedirReceiver.aspx%3forder Ref%3dbedea56d-7b46-47b1-890bf787c650bc93%26returnUrl%3d.%2fCavaClientAuth.aspx%26Environment%3dKundtest BankID BankID Relying Party Guidelines Page 10(27) Version: 2.7 3.4 Launching the BankID app from Native App on Mobile Device 3.4.1 Android Intent intent = new Intent(); intent.setPackage("com.bankid.bus"); intent.setAction(Intent.ACTION_VIEW); intent.setData(Uri.parse("bankid:///?autostarttoken=<INSERT AUTOSTARTTOKEN HERE>&redirect=null ")) ; startActivityForResult(intent, 0); In Android, the RP app does not need to register a URL scheme to be successfully re-launched by the BankID app. onResume() will be called when RP app is re-launched. If the BankID app is not present on the device an android.content.ActivityNotFoundException is thrown. RP must inform the user. Message RFA2 should be used. 3.4.2 iOS openURL:[NSURL URLWithString: @”bankid:///? autostarttoken=<INSERT AUTOSTARTTOKEN HERE>&redirect=fp_app_x://”] If the BankID app is not present on the device NO is returned. RP must inform the user. Message RFA2 should be used. The RP app must register a unique URL scheme to make it possible for the BankID app to re-launch RP app. In Xcode select the project and in the Info tab expand URL Types and add the URL scheme rp_app_x. Note: rp_app_x is an example. The RP should use its own unique URL scheme. The RP must implement the following function that will be called when the RP app is re-launched. - (BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation 3.4.3 Windows Phone // Create the URI string var uriToLaunch = string.Format( "bankid:///www.bankid.com/autostarttoken={0}&redirect={1}", <INSERT AUTOSTARTTOKEN HERE>, Uri.EscapeDataString("fp-app-x://bank_x")); // Create the URI to launch from a string. var uri = new Uri(uriToLaunch); // Launch the URI. bool success = await Windows.System.Launcher.LaunchUriAsync(uri); If the BankID app is not present on the device the operating system presents a dialogue asking to open Windows Phone store. RP must inform the user. Message RFA2 should be used. The RP app must register a unique URL scheme to make it possible for the BankID app to re-launch RP app. In Visual Studio: BankID Page 11(27) BankID Relying Party Guidelines 1. 2. 3. 4. Version: 2.7 Open Package.appxmanifest Open the tab Declarations. Add a "Protocol". Under name enter ”rp_app_x”. Enter a logo and a "Display name". Note: rp_app_x is an example, RP should use its own unique URL scheme. RP must also implement the following to be successfully re-launched by BankID Security App. In Visual Studio add the class AssociationUriMapper: /// <summary> /// The association uri mapper. /// </summary> internal class AssociationUriMapper : UriMapperBase { /// <summary> /// When overridden in a derived class, converts a requested uniform resource identifier (URI) to a new URI. /// </summary> /// <returns> /// A URI to use for the request instead of the value in the <paramref name="uri"/> parameter. /// </returns> /// <param name="uri">The original URI value to be mapped to a new URI.</param> public override Uri MapUri(Uri uri) { var tempUri = System.Net.HttpUtility.UrlDecode(uri.ToString()); // URI association launch. if (tempUri.StartsWith("/Protocol")) { // Here we can redirect to the correct page, but for now we don't return new Uri("/MainPage.xaml", UriKind.Relative); } // Otherwise perform normal launch. return uri; } } In App.xaml.cs, add AssociationUriMapper as UriMapper by adding the following line to the method InitializePhoneApplication: // Assign the URI-mapper class to the application frame. RootFrame.UriMapper = new AssociationUriMapper(); 4 Technical Requirements Short Name Requirement BankID Page 12(27) BankID Relying Party Guidelines Version: 2.7 RFT1 When the BankID app is launched with a URL the content of the request parameter redirect must be UTF-8 and URL encoded. RFT2 When the BankID app is launched with a URL the URL must not exceed 2000 characters. RFT3 When the BankID app is launched with a URL the redirect URL should use HTTPS. RFT4 The ID number in the RP web service API must be 12 characters (YYYYMMDDNNNN). RFT5 When Collect returns COMPLETE RP shall read and store the parameters signature, userInfo and ocspResponse. RP does not need to verify the signature. BankID verifies the signature. RFT6 Collect should be called every two seconds and must not be called more frequent than once per second. RFT7 RP should display a progress indicator in its web app when waiting for the final response from Collect. RFT8 RP must contact BankID’s web service API from RP’s backend server. RP must NOT contact BankID’s web service API from RP’s client app. RFT9 RP should always use the latest version of the web service API, see Information regarding the Web Service API. RFT10 If the user selects to use Mobile BankID only, the certificatePolicies condition must be set to 1.2.752.78.1.5 RFT11 RP must use the issuer of the server cert as trusted root. If the server cert is used as trusted, the RP service will not be able to access the BankID server when the server cert is changed. 5 Recommended User Messages Short Name Swedish Text English Text Event or API Code Mapping RFA1 Starta BankID-programmet. Start your BankID App. OUTSTANDING_ TRANSACTION RFA2 Du har inte BankID-appen installerad. Kontakta din bank. The BankID app is not installed. Please contact your bank. The BankID app is not installed in the mobile device. RFA3 Åtgärden avbruten. Försök igen. Action cancelled. Please try again. ALREADY_IN_P ROGRESS, CANCELLED RFA5 Internt tekniskt fel. Försök igen. Internal error. Please try again. RETRY, INTERNAL_ERR OR, CLIENT_ERR RFA6 Åtgärden avbruten. Action cancelled. USER_CANCEL RFA8 BankID-programmet svarar inte. Kontrollera att det är startat och att du har internetanslutning. Försök sedan igen. The BankID App is not responding. Please check that the program is started and that you have internet access, then try again. EXPIRED_TRAN SACTION RFA9 Skriv in din säkerhetskod i BankIDprogrammet och välj Legitimera eller Skriv under. Enter your security code in the BankID App and select Identify or Sign. USER_SIGN RFA12 Internt tekniskt fel. Uppdatera BankID-programmet och försök igen. Internal error. Update your BankID App and try again. CLIENT_ERR RFA13 Försöker starta BankIDprogrammet. Trying to start your BankID App. OUTSTANDING_ TRANSACTION BankID Page 13(27) BankID Relying Party Guidelines Version: 2.7 RFA14 (A) Du har inget BankID som går att använda för den här inloggningen/underskriften på den här datorn. Om du har ett BankIDkort, sätt in det i läsaren. Om du inte har något BankID kan du hämta ett hos din Bank. Om du har ett BankID på en annan enhet kan du starta ditt BankID-program där. You do not have a BankID which can be used for this login/signature on this computer. If you have a BankID card, please insert it into your card reader. If you don’t have a BankID you can order one from your bank. If you have a BankID on another device you can start the BankID App on that device. STARTED The RP provided the ID number in the web service call. The user accesses the service using a personal computer. RFA14 (B) Du har inget BankID som går att använda för den här inloggningen/underskriften på den här enheten. Om du inte har något BankID kan du hämta ett hos din Bank. Om du har ett BankID på en annan enhet kan du starta ditt BankID-program där. You do not have a BankID which can be used for this login/signature on this device. If you don’t have a BankID you can order one from your bank. If you have a BankID on another device you can start the BankID App on that device. STARTED The RP provided the ID number in the web service call. The user accesses the service using a mobile device. RFA15 (A) Du har inget BankID som går att använda för den här inloggningen/underskriften på den här datorn. Om du har ett BankIDkort, sätt in det i läsaren. Om du inte har något BankID kan du hämta ett hos din Bank. You do not have a BankID which can be used for this login/signature on this computer. If you have a BankID card, please insert it into your card reader. If you don’t have a BankID you can order one from your bank. STARTED The RP did not provide the ID number in the web service call. The user accesses the service using a personal computer. RFA15 (B) Du har inget BankID som går att använda för den här inloggningen/underskriften på den här enheten. Om du inte har något BankID kan du hämta ett hos din Bank. You do not have a BankID which can be used for this login/signature on this device. If you don’t have a BankID you can order one from your bank. STARTED The RP did not provide the ID number in the web service call. The user accesses the service using a mobile device. RFA16 Det BankID du försöker använda är för gammalt eller spärrat. Använd ett annat BankID eller hämta ett nytt hos din bank. The BankID you are trying to use is revoked or too old. Please use another BankID or order a new one from your bank. CERTIFICATE_E RR RFA17 BankID-programmet verkar inte finnas i din dator eller telefon. Installera det och hämta ett BankID hos din bank. Installera programmet från install.bankid.com. The BankID App couldn’t be found on your computer or mobile device. Please install it and order a BankID from your bank. Install the app from install.bankid.com. START_FAILED RFA18 Starta BankID-programmet Start the BankID App The name of link or button used to start the BankID App RFA19 Vill du logga in eller skriva under med BankID på den här datorn eller med ett Mobilt BankID? Would you like to login or sign with a BankID on this computer or with a Mobile BankID? The user access the service using a browser on a personal computer. RFA20 Vill du logga in eller skriva under med ett BankID på den här enheten eller med ett BankID på en annan enhet? Would you like to login or sign with a BankID on this computer or with a BankID on another device? The user access the service using a browser on a mobile device. NB: RFA4, RFA7, RFA10 and RFA11 are deprecated and intentionally removed. BankID Page 14(27) BankID Relying Party Guidelines 6 Version: 2.7 Production Environment Description SSL certificate (RP certificate) Information Provided by the bank that RP purchases the Mobile BankID service. Web service URL https://appapi.bankid.com/rp/v4 Web service API specification https://appapi.bankid.com/rp/v4?wsdl Server certificate The server certificate is issued by the following CA: CN = BankID SSL Root Certification Authority OU = Infrastructure CA O = Finansiell ID-Teknik BID AB Certificate: -----BEGIN CERTIFICATE----MIID6jCCAtKgAwIBAgIQSvZNAy61UF6qO2zWqvN/3zANBgkqhkiG9w0BAQUFADB0 MSQwIgYDVQQKDBtGaW5hbnNpZWxsIElELVRla25payBCSUQgQUIxGjAYBgNVBAsM EUluZnJhc3RydWN0dXJlIENBMTAwLgYDVQQDDCdCYW5rSUQgU1NMIFJvb3QgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgxMjE5MDg1OTAxWhcNMTkwNjAxMjE0 NTAwWjB0MSQwIgYDVQQKDBtGaW5hbnNpZWxsIElELVRla25payBCSUQgQUIxGjAY BgNVBAsMEUluZnJhc3RydWN0dXJlIENBMTAwLgYDVQQDDCdCYW5rSUQgU1NMIFJv b3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzqv7Rn43VFyTGicb+qjSGNeJga6GWQkMEXn9NvqCfknpaz4kf RbNHoQvtmw7CsiL83hMNU5y0EI6wC45Whn8ZXJ5/eqj1zBSu7QqKctEbMjWf6sf2 VUyE7lns6FxRFAgbhM2RS5LnWCfRsSgjKLXbJk7S2O/qVWdlxU1fAYfjbja1xhQm jArtvCYv9D2f8MBgH9sOsabVdLEKtiXj9NpBiXIi+c9DUpzvY1qnY02dsSudVwm3 IwJlEljLfjcBQDtJlm/7TbKsnqvW8s+NT6JBputUZT8Mqsv63meEbhxcq6vNcNKZ SgeHZDmr9lY2hmmVK9TcgfWHHkymUAWTGRQzAgMBAAGjeDB2MA8GA1UdEwEB/wQF MAMBAf8wEwYDVR0gBAwwCjAIBgYqhXBOAQQwDgYDVR0PAQH/BAQDAgEGMB0GA1Ud DgQWBBS2GCMB5GeakO2/WOqKJJXGAop6tTAfBgNVHSMEGDAWgBS2GCMB5GeakO2/ WOqKJJXGAop6tTANBgkqhkiG9w0BAQUFAAOCAQEAe4vukBbEjzsYC8Mv1xLcUQVD gYTgnqvP8Lr8yABfNfhh+iIoFK7QvVD3Z+bIBnGEGutB5K78UTadKINittSKA4T4 3Uy/p/blqew8Sqhv0I5MVlW71++HiPth4xwHAoxfe4oyTQaJRgls1CCsCBnuT9IF 6nGUNziC46RqIlhiY7zDzROtBWjqJzq+QvO07s73m+GPk8kZVwQrtyFT2IuYMH23 od/sRe2W5GClo2d62SBrzywYJZAaBNY9yl6weMdqWRqJz0mYZHrvLCQ1xrq4nvpL bMDfs1wD3vctSXLBFfBU9qw+CYTBN4UJ7BHQw1r2KGeAjm5grkL7Z7lQzTWSqw== -----END CERTIFICATE----- Network information 7 The BankID app for mobile devices in production connects to the BankID server on the IP address 194.242.109.204 using the ports 4710, 443, 80, in the order mentioned. The BankID Security Application for personal computers in production connects to the BankID server on the IP address 194.242.109.207 using port 443 and address 194.242.109.208 using port 80. The BankID Security Application for personal computers also connects to a version control system on the address 159.72.128.183 using port 80. Test Environment BankID provides a test environment for an RP to use when developing and testing its service. To be able to use the test environment the RP will need: 1. An SSL certificate (RP certificate) for authorisation with the BankID web service API. 2. The URL for BankID’s web service API. 3. Trust the issuer of the SSL certificate. 4. A test version of BankID Security App and/or BankID Security Program 5. A BankID for test. Description SSL certificate (RP certificate for test) Information http://www.bankid.com/rp/info Passphrase for above certificate qwerty123 BankID Page 15(27) BankID Relying Party Guidelines Version: 2.7 Web service URL https://appapi.test.bankid.com/ rp/v4 Web service API specification https://appapi.test.bankid.com/rp/v4?wsdl Server certificate CN = BankID SSL Root Certification Authority TEST OU = Infrastructure CA O = Finansiell ID-Teknik BID AB Certificate: -----BEGIN CERTIFICATE----MIID8zCCAtugAwIBAgIRAODr4WfulmxifqSx8UEMbyIwDQYJKoZIhvcNAQEFBQAw eTEkMCIGA1UECgwbRmluYW5zaWVsbCBJRC1UZWtuaWsgQklEIEFCMRowGAYDVQQL DBFJbmZyYXN0cnVjdHVyZSBDQTE1MDMGA1UEAwwsQmFua0lEIFNTTCBSb290IENl cnRpZmljYXRpb24gQXV0aG9yaXR5IFRFU1QwHhcNMDgxMjA0MTMyNTU1WhcNMTkw NjAxMTIxODAwWjB5MSQwIgYDVQQKDBtGaW5hbnNpZWxsIElELVRla25payBCSUQg QUIxGjAYBgNVBAsMEUluZnJhc3RydWN0dXJlIENBMTUwMwYDVQQDDCxCYW5rSUQg U1NMIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgVEVTVDCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAOZh4Y7AkqrGb4LL/HCnqx0AmCdaHXKmJqbt NyIE3ppEnWYR6hGrZcSKRAYkU8ShS0Sf647Bj4tXiVQYg1msIvYgZ8h4QJqkqMYY 2nwJC2cDbtc3TL6ppXQVmIiS6wZewV1GL2xKUEPbKgDPiSgFyh3W1d/QihUwnwoa CGQ/crivftaNTnp4ZqQod9k35WfBy8xdB7cLHFeznfHoP1ZLOHza9bprT0F8YzEa u5CoCMxWPe0sY9aQC8oO3gKyohJrxnxTlDY2cMLXTCiUWIYh+ubybZ3Hqw1YFEmE 4IyiGyT9+LUChFhM0p53eR3GRUU7laxFVbVLuVdbIV0ZRL+0Eb8CAwEAAaN2MHQw DwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAIMAYGBCoDBAUwDgYDVR0PAQH/BAQD AgEGMB0GA1UdDgQWBBSlaUGnPvmNu9R9LsDgulauQCwrvTAfBgNVHSMEGDAWgBSl aUGnPvmNu9R9LsDgulauQCwrvTANBgkqhkiG9w0BAQUFAAOCAQEAY1zWz1oV3ZMC 78uhGYA+j6Zktps9IXzIw3v1T3wtYclUoJI594w7vmTMqFY9z2mnms+gKTxCO/70 MpCNMgKSLj2bGsrMWHCvnDWpmYY5ZkDP2GWB6aqy+ehRmlYjUbPhjD44Xfjh/Stq 1yXCUfesLUHZDcBxpDspOwldWl7rhkE7QPj5hdSP85l04oIcnYiMyOPTt+4LNYN+ ncb0a/ZkJcUL7Q9NGJfmEhAmHcCpK8j1coSh36D8JMeSblVTBEWpnBMP5zXKAkzf OzZLGyy9RnV51NhRMRnQtDOFCZ9vQuuyCE/TZeOp4IgZctEvt2Aab23fx5jWBbzC EtEmq/VqaQ== -----END CERTIFICATE----- Test version of BankID Security App for Android http://www.bankid.com/rp/info Installation instructions for Android http://www.bankid.com/rp/info Test version of BankID Security App for iOS Uninstall any existing version of BankID Security App. Install BankID Security App from App Store. In Settings BankID Developer Server enter businternal.test.bankid.com. BankID Security App will now connect to the test server. Please note that the app must be uninstalled to undo the change. Test version of BankID Security App for Windows Phone 8 Uninstall any existing version of BankID Security App. Install BankID Security App from Windows Phone Store. Start BankID Security App, select Settings Developer Server and enter businternal.test.bankid.com. Save, exit BankID Security App and launch again. BankID Security App will now connect to the test server. Please note that the app must be uninstalled to undo the change. Test version of BankID Security Application for PCs (Windows and OS X) To be able to use the client for test you must configure it for test. If you change configuration your existing BankID:s may be blocked. Follow the backup-restore procedure to avoid that. Start by backing up the configuration for production: 1. Stop BankID Security Application (BISP). 2. Open BISP configuration folder (see below). 3. Copy all files in the folder to a separate location to be able to restore the production configuration later on. Create a set-up for test: 1. Stop BISP. 2. Open configuration folder. 3. Delete all files in the folder. BankID Page 16(27) BankID Relying Party Guidelines Version: 2.7 4. Create a plain text file in the folder named ”CavaServerSelector.txt”, containing the text ”kundtest”. The content must be plain text. The file may be created using notepad or the Terminal.app. Switch between production and test later on: 1. Stop BISP. 2. Replace files in the configuration folder with the earlier copied files for the desired environment. Location of BISP configuration folder Windows: %appdata%\BankID\Config OS X: /Users/<användare>/Library/Application Support/BankID/Config IMPORTANT: Only a BankID that is enrolled in the present environment can be used or administered in the present environment. Trying to use or administer a BankID from the other environment will block it. BankID for test Perform step 1-4 above and verify that your web service client can successfully communicate with the RP Interface. Verify that you have BankID Security App configured for test (iOS, WP8, Windows, OS X) or that you use a test version of BankID Security app (Android). Use a production or test BankID and log in to https://demo.bankid.com/nyademobanken. Note that if you configured the client for test, you cannot use a production BankID and vice versa. Select “Hämta BankID för test” and click the “Hämta BankID” button below the name in order to request a BankID for test. In the next step you can enter the ID (“personnummer”) and name (“Namn”) for the test BankID and request a Mobile BankID or a BankID on file. This will open a pop-up window. Your browser must not block pop-up windows. Follow the instructions in the pop-up window. If you are unable to follow the instructions above, please contact teknikinfo@bankid.com. Network information The BankID app for mobile devices for test connects to the BankID server on the IP address 194.242.109.185 using the ports 4710, 443, 80, in the order mentioned. The BankID Security Application for personal computers for test connects to the BankID server on the IP address 194.242.109.177 using port 443 and address 194.242.109.169 using port 80. The BankID Security Application for personal computers also connects to a version control system on the address 159.72.128.183 using port 80. 8 Information regarding the Web Service API 8.1 Versions A new version of the web service API will be published on a new URL every time there is a change in the API. RP should always use the latest version of the API. The general rule is that old versions will shut down 2 years after the release of the successor. As new functionality is introduced to the system the behavior of an existing version of the interface may change, e.g. existing faults may also be used in new situations. This document is written for version 4 of the interface. V URL 1 https://appapi.bankid.com/RpServi ceEjb/RpService/RpService Changes The first version Release date September 2011 End of life January 20161 BankID Page 17(27) BankID Relying Party Guidelines Version: 2.7 2 https://appapi.bankid.com /RpServiceEjb/RpService/v2/RpSer vice 3 Not for public use 4 https://appapi.bankid.com/rp/v4 Mobile BankID, BankID on file, BankID on Card and Nordea e-leg merged to one solution. January 2014 4 Method fileSign in https://appapi.bankid.com/rp/v4 Decision to deprecate method fileSign June 2014 1) Added new types and parameters to existing methods. Added new fault to handle the new RP cancel functionality May 2012 Janaury 2016 October 2012 January 2016 June 2016 Extended 8.2 Test Environment New versions and release candidates are used in the test environment prior to being taken into use in the production environment. Due to this the content and functionality in the test environment and production environment may temporarily differ. 8.3 No soapAction The service uses URLs to specify the action to use. The soapAction header must be ”” or excluded all together. 9 Support In technical matters please contact teknikinfo@bankid.com. In any other business, please contact the bank through which you have purchased the BankID service. Requirement RFS1 RP should inform the user what to do in case of lost or forgotten security code (contact the issuer). RFS2 RP must provide support for its own service. RFS3 When the user is having problems the RP should redirect the user to test.bankid.com. Users that cannot successfully use their BankID at test.bankid.com should be redirected to the issuing bank in case of a BankID related problem and in case of network error to mobile phone carrier or the internet service provider. If the user can successfully identify and sign at test.bankid.com the user should be redirected to the RP support. 10 Recommended Terminology Description Recommended terminology in Swedish Recommended terminology in English Mobile BankID Mobilt BankID Mobile BankID BankID Security Application for mobile devices BankID säkerhetsapp BankID Security Application BankID Security Application for PCs BankID säkerhetsprogram BankID Security Application Security code, password, PIN Säkerhetskod Security code Sign Underteckna Sign Signature Underskrift Signature Identify Legitimera sig Identify BankID Page 18(27) BankID Relying Party Guidelines Identification/authentication Version: 2.7 Legitimering Identification 11 File Signing The method fileSign is deprecated and we strongly recommend RP not to use it. It will not be included in future versions of the RP Service API. The main reasons are: It is impossible to support fileSign in a proper manner for Mobile devices Only pdf supported Size restrictions Our recommendation is to use the sign method with the following notes: 1. Present the document to be signed to the user using your own application/website. 2. Compute a message digest of the binary representation of the document. 3. Compile an abstract of the content of the document. 4. Use method sign with userVisibleData set to abstract and userNonVisibleData set to the message digest. The benefits of using this method are that it is available for PC:s and mobile devices, that there is no sizelimitation and that all types of documents can be signed. A not yet planned and future fileSigning method will be in line with this recommendation. BankID Page 19(27) BankID Relying Party Guidelines Version: 2.7 12 Appendix: RP Interface Description 12.1 Method Auth Request an authentication order. The Collect method is used to query the status of the order. 12.1.1 In parameters Name Value personalNumber PersonalNumberType - The ID number of the user trying to be authenticated (optional). If the ID number is omitted the user must use the same device and the client must be started with the autoStartToken returned in orderResponse. endUserInfo List of EndUserInfoType (optional). Used to provide information related to the user and the user’s computer/device to the BankID-server. requirementAlternatives RequirementAlternativesType (optional). Used by RP to set requirements how the authentication or sign operation must be performed. Default rules are applied if omitted. 12.1.2 Return value Returns an orderResponse of type OrderResponseType or error. 12.2 Method Sign Request a signing order. The Collect method is used to query the status of the order. 12.2.1 In Parameters Name Value personalNumber PersonalNumberType - The ID number of the user trying to sign (optional). If the ID number is omitted the user must use the same device and the client must be started with the autoStartToken returned inorderResponse. endUserInfo List of EndUserInfoType (optional). Used to provide information related to the user and the user’s computer/device to the BankID-server. requirementAlternatives RequirementAlternativesType (optional). Used by RP to set requirements how the login or sign operation must be performed. Default rules are applied if omitted. userVisibleData The text to be displayed and signed. Must be UTF-8 encoded. The value must be base 64-encoded. 1-40 000 characters (after base 64-encoding). The text can be formatted using CR = new line, LF = new line and CRLF = new line userNonVisibleData Data not displayed to the user (optional). The value must be base 64-encoded. 0 - 200 000 characters (after base 64-encoding). 12.2.2 Return value Returns an orderResponse of type OrderResponseType or error. 12.3 Method FileSign - Deprecated Request a file signing order. The Collect method is used to query the status of the order. BankID Page 20(27) BankID Relying Party Guidelines Version: 2.7 12.3.1 In Parameters Name Value personalNumber PersonalNumberType - The ID number of the user trying to sign (optional). If the ID number is omitted the user must use the same device and the client must be started with the autoStartToken returned inorderResponse. endUserInfo List of EndUserInfoType (optional). Used to provide information related to the user and the user’s computer/device to the BankID-server. requirementAlternati ves RequirementAlternativesType (optional). Used by RP to set requirements how the login or sign operation must be performed. Default rules are applied if omitted. userVisibleData The text to be displayed and signed. Must be UTF-8 encoded. The value must be base 64encoded. 1-40 000 characters (after base 64-encoding). The text can be formatted using CR = new line, LF = new line and CRLF = new line userNonVisibleData Data not displayed to the user (optional). The value must be base 64-encoded. 0 - 200 000 characters (after base 64-encoding). fileName String. Base 64-encoded. 5-340 characters. Printable ASCII-characters (32-127), and åäöÅÄÖ. Characters not allowed in filenames are not allowed. The name must end with dot (".") and a suffix that describes the type of file. Example: Agreement130821.pdf. Allowed file types are .pdf and .txt fileContent MTOM/XOP-binary data. Must not be inline. Max 5Mb. The filecontent is sent as binary attachment outside the SOAP-envelope using XML-binary Optimized Packaging (XOP). The file is not base 64-encoded (even though the type is called base64binary). In some cases the support needs to be activated in the SOAP-client. The server will response with an error if XOP is not used. The support is activated differently depending on used framework. Note that MTOM only is required for fileSign and is not needed for other methods. In JAX-WS the support can be activated using the following (where port is the SOAP port) BindingProvider bindingProvider = (BindingProvider) port; SOAPBinding binding = (SoapBinding) bindingProvider.getBinding(); binding.setMTOMEnabled(true); In .Net you may need to set BasicHttpBinding.MessageEncoding to "Mtom". 12.3.2 Return value Returns an orderResponse of type OrderResponseType or error. 12.4 PersonalNumberType Example with personal number (“personnummer”) <!-- ID number--> <!-- 12 digits. Century must be included --> <personalNumber>198103091234</personalNumber> 12.5 EndUserInfoType Used to pass information related to the user and the user’s computer/device to the BankID server. A list of types and values. Allowed types are: IP_ADDR. used to include the users IP-address as seen by RP. It is recommended to use this parameter to enable future controls of the IP-address (no controls are done in the current solution). BankID Page 21(27) BankID Relying Party Guidelines Version: 2.7 Example with ip address <endUserInfo> <type>IP_ADDR</type> <value>192.168.0.1</value> </endUserInfo> 12.6 RequirementAlternativesType A list of alternative requirements. Used by RP to put one or more requirement on how the order must be created and verified. A requirement consists of one or more conditions. Every condition has a type/key and can have one or more values. If no requirement is included a set of default conditions is applied. The order of the requirement is significant. The first requirement where all conditions are true will be used. The used requirement is included in the resulting signature. <requirementAlternatives> <requirement> <condition> <key>TYPE OF CONDITION</key> <value>VALUE FOR THE CONDITION</value> </condition> </requirement> </requirementAlternatives> Type of conditions and values Type of condition CardReader CertificatePolicies Values Default "class1" - (default). The transaction must be performed using a card reader where the PIN-code is entered on the computers keyboard, or a card reader of higher class. "class2" - The transaction must be performed using a card reader where the PIN-code is entered on the reader, or a reader of higher class. <no value> - defaults to "class1". This condition should be combined with a CertificatePolicies for a smart card to avoid undefined behavior. No special type of card reader required. The oid in certificatePolicies in the user certificate. One wildcard ”*” is allowed from position 5 and forward ie. 1.2.752.78.* If no certificatePolicies is set the following are default in the production system: The values for production BankIDs are: 1.2.752.78.1.1, 1.2.752.78.1.2, 1.2.752.78.1.5, 1.2.752.71.1.3 "1.2.752.78.1.1" - BankID on file "1.2.752.78.1.2" - BankID on smart card "1.2.752.78.1.5" - Mobile BankID "1.2.752.71.1.3" - Nordea e-id on file and on smart card. The values for test BankIDs are: "1.2.3.4.5" - BankID on file "1.2.3.4.10" - BankID on smart card "1.2.3.4.25" - Mobile BankID The following are default in the test system: 1.2.3.4.5, 1.2.3.4.10, 1.2.3.4.25, 1.2.752.60.1.6, 1.2.752.71.1.3 If one certificatePolicy is set all the default policies are dismissed. BankID Page 22(27) BankID Relying Party Guidelines Type of condition Version: 2.7 Values Default "1.2.752.71.1.3" - Nordea e-id on file and on smart card. “1.2.752.60.1.6” - Test BankID for some BankID Banks IssuerCn The cn (common name) of the issuer. Wildcards are not allowed. Nordea values for production: If issuer is not defined all relevant BankID and Nordea issuers are allowed. "Nordea CA for Smartcard users 12" - E-id on smart card issued by Nordea CA. "Nordea CA for Softcert users 13" - E-id on file issued by Nordea CA Example Nordea values for test: "Nordea Test CA for Smartcard users 12" - E-id on smart card issued by Nordea CA. "Nordea Test CA for Softcert users 13" - E-id on file issued by Nordea CA AutoStartTokenRequired If set to Yes, the client must have been started using the autoStartToken. To be used if it is important that the BankID App is on the same device as the RP service. Default: No Additional information related to RequirementAlternatives is given in More information about requirement alternatives. 12.6.1 OrderResponseType Return value from auth/sign/filesign OrderRef must be used by RP when using the collect method. UUID-string: 36-50 characters. AutoStartToken must be used when the user ID is not provided. UUID-string: 36-50 characters. Example, response from Auth <AuthResponse> <orderRef>8e4dd041-e38f-463b-b286-a6c5e35d462d</orderRef> <autoStartToken>a5312da3-0c71-4a74-a14d-28bc11d6ed3a</autoStartToken> </AuthResponse> 12.7 Error codes for Auth/Sign/FileSign Code Reason Action by RP INVALID_PARAMETERS Invalid parameter. Invalid use of method RP must not try the same request again. This is an internal error within RP's system and must not be communicated to the user as a BankIDerror. ALREADY_IN_PROGRESS An order for this user is already in progress. The order is aborted. No order is created. RP must inform the user that a login or signing operation is already initiated for this user. Message RFA3 should be used. BankID Page 23(27) BankID Relying Party Guidelines Version: 2.7 Code Reason Action by RP INTERNAL_ERROR Internal technical error in the BankID system. RP must not automatically try again. RP must inform the user that a technical error has occurred. Message RFA5 should be used. RETRY Internal technical error in the BankID system. RP must not automatically try again. RP must inform the user that a technical error has occurred. Message RFA5 should be used. ACCESS_DENIED_RP RP does not have access to the service or requested operation. RP must not try the same request again. This is an internal error within RP's system and must not be communicated to the user as a BankIDerror. 12.8 Method Collect 12.8.1 In Parameters Name Value orderRef The orderReference in the orderResponse received from Auth, Sign or SignFile. (UUID-string) 12.8.2 Return Value Name Type progressStatus ProgressStatusType signature String (b64). XML-signature. (If the order is COMPLETE). The content of the signature is described in BankID Signature Profile specification. userInfo UserInfoType (If the order is COMPLETE) ocspResponse String (b64). OCSP-response (If the order is COMPLETE). The OCSP 0 response is signed by a certificate that has the same issuer as the certificate being verified. The OSCP response has an extension for Nonce. The nonce is calculated as: SHA-1 hash over the base 64 XML signature encoded as UTF-8. This is the value in the signature element in Collect output. 12 random bytes is added after the hash The nonce is 32 bytes (20 + 12) 12.8.3 ProgressStatusType Status Reason Action by RP OUTSTANDING_T RANSACTION The order is being processed. The client has not yet received the order. The status will later change to NO_CLIENT, STARTED or USER_SIGN. If RP tried to start the client automatically, the RP should inform the user that the app is starting. Message RFA13 should be used. If RP did not try to start the client automatically, the RP should inform the user that she needs to start the app. Message RFA1 should be used. BankID Page 24(27) BankID Relying Party Guidelines Version: 2.7 Status Reason Action by RP NO_CLIENT The order is being processed. The client has not yet received the order. If RP tried to start the client automatically: This status indicates that the start failed or the users BankID was not available in the started client. RP should inform the user. Message RFA1 should be used. If the user did not provide her ID number the error START_FAILED will be returned in this situation. If RP did not try to start the client automatically: This status indicates that the user not yet has started her client. RP should inform the user. Message RFA1 should be used. STARTED A client has been started with the autoStartToken but no usable ID exists in the started client. If RP does not require the autoStartToken to be used and the user provided her ID number the RP should inform the user of possible solutions. Message RFA14 should be used. If RP require the autostarttoken to be used or the user did not provide her ID number the RP should inform the user of possible solutions. Message RFA15 should be used. USER_SIGN The client has received the order. The RP should inform the user. Message RFA9 should be used. USER_REQ Not used COMPLETE The user has provided the security code and completed the order. Collect response includes the signature, user information and the ocsp response. RP should control the user information returned in userInfo and continue their process. 12.8.4 UserInfoType Name Value personalNumber PersonalNumberType - ID number (swe personnummer) givenName The given name of the user surname The surname of the user name The given name and surname of the user notBefore Start of validity of the users BankID notAfter End of validity of the Users BankID ipAddress The IP-address of the user agent as the BankID server discovers it 12.8.5 Error codes Collect Error code Reason Action by RP INVALID_PARAM ETERS Invalid parameter. Invalid use of method. RP must not try the same request again. This is an internal error within RP's system and must not be communicated to the user as a BankID-error. Using an orderRef that previously resulted in COMPLETE. The order cannot be collected twice. BankID Page 25(27) BankID Relying Party Guidelines Version: 2.7 Error code Reason Action by RP REQ_PRECOND Not used. REQ_ERROR Not used. REQ_BLOCKED Not used. INTERNAL_ERRO R Internal technical error in the BankID system. RP must not automatically try again. RP must inform the user. Message RFA5. RETRY Internal technical error in the BankID system. RP must not automatically try again. RP must inform the user. Message RFA5. ACCESS_DENIED _RP RP does not have access to the service or requested operation. RP must not try the same request again. This is an internal error within RP's system and must not be communicated to the user as a BankID-error. CLIENT_ERR Internal technical error. It was not possible to create or verify the transaction. RP must not automatically try again. RP must inform the user. Message RFA12. EXPIRED_TRANS ACTION The order has expired. The BankID security app/program did not start, the user did not finalize the signing or the RP called collect too late. RP must inform the user. Message RFA8. CERTIFICATE_ER R This error is returned if: RP must inform the user. Message RFA16. 1) The user has entered wrong security code too many times in her mobile device. The Mobile BankID cannot be used. 2) The users BankID is revoked. 3) The users BankID is invalid. USER_CANCEL The user decided to cancel the order. RP must inform the user. Message RFA6. CANCELLED The order was cancelled. The system received a new order for the user. RP must inform the user. Message RFA3. START_FAILED The user did not provide her ID, or the RP requires autostarttoken to be used, but the client did not start within a certain time limit. The reason may be:: 1) The RP must use autoStartToken when starting the client 1) RP did not use autoStartToken when starting BankID security program/app. 2) The client software was not installed or other problem with the user’s computer. ALREADY_COLL ECTED Not used. 2) The RP must inform the user. Message RFA17. BankID Page 26(27) BankID Relying Party Guidelines Version: 2.7 12.9 More information about requirement alternatives 12.9.1 Syntax It is possible to use several alternative requirements. Each requirement has one or more condition(s). Each condition in a requirement must be fulfilled. A condition can have one or more alternative values of which one must be fulfilled. requirement(s) (OR) condition(s) (AND) key value(s) (OR) 12.9.2 Examples 12.9.2.1 Mobile BankID <requirementAlternatives> <requirement> // The first requirement, all following <condition> <key>CertificatePolicies</key> // conditions must be fulfilled // The certificate policy must be <value>1.2.752.78.1.5</value> </condition> // 1.2.752.1.5 (Mobile BankID) </requirement> </requirementAlternatives> 12.9.2.2 Mobile BankID OR Nordea E-leg OR BankID on Card <requirementAlternatives> <requirement> <condition> <Key>CertificatePolicies</key> <value>1.2.752.78.1.5</value> // The certificate policy must be // Mobile BankID OR <value>1.2.752.71.1.3</value> // Nordea E-leg OR <value>1.2.752.78.1.2</value> // BankID on Card </condition> </requirement> </requirementAlternatives> 12.9.2.3 BankID on Card in a Class2 Reader or Nordea E-leg on Card in a Class2 Reader Different types of Nordea e-id cannot be separated using certificatePolicy only. Their smart card issuer needs to be included as a condition as well. <requirementAlternatives> <requirement> <condition> <key>CertificatePolicies</key> <value>1.2.752.78.1.2</value> </condition> <condition> <key>CardReader</key> // The first requirement // The certificate policy must be // BankID on Card // AND cardreader class2 must be used <value>class2</value> </condition> </requirement> <requirement> <condition> <key>CertificatePolicies</key> <value>1.2.752.71.1.3</value> </condition> <condition> <key>IssuerCn</key> // OR The second requirement // The certificate policy must be // Nordea e-leg // AND The issuer must be Nordea 12 <value>Nordea CA for Smartcard users 12</value> BankID Page 27(27) BankID Relying Party Guidelines Version: 2.7 <condition> <condition> <key>CardReader</key> <value>class2</value> </condition> </requirement> </requirementAlternatives> // AND cardreader class2 must be used
© Copyright 2024