BankID (NO)

​Used by around 4 million Norwegians, BankID has become a household brand and a highly trusted digital identification service for Norwegian citizens.​​ With access to BankID from Nets you can authenticate any person online, carry out secure transactions, establish and maintain good customer relations and enter into and sign legally binding agreements.

​Enable BankID in your services

 

To get you started with BankID signing through E-Signing, Nets will need a merchant certificate and some configuration ​​setting information from you. The configuration settings are supplied in the setup dialogue with support. 

More information about BankID:

 

Merchant certificate​​​

​​​​​Nets through the Signing and Identification Services are resellers of BankID merchant certificates, and this can be ordered either separately or together with E-Ident and/or E-Signing. When ordering a merchant certificate through Nets, you will receive an information letter asking you to complete a form with information needed to create a BankID “brukerstedsavtale” with BankID Norge. ​Note: In this form you need to ​specify if you are allowed to handle SSN. 

The form shall be returned to our support and based on the form Nets will register this order at BankID. After the registration you will be asked to confirm and sign the order. When the order is signed with BankID Norge, it will be sent to your bank for processing. Your bank may use up to 10 business days for processing the order. Nets will  then recei​ve activation information for your BankID merchant certificate from your bank. The merchant certificate will be activated and connected to your configuration.​

In cases where you use another reseller, the BankID activation link and code must be sent to Nets without activating it. Contact Nets support to get contact details of recei​​​ver of the link and code. 

Test merchant certificate

Nets will set you up with a common test merchant certificate if nothing else have been agreed. ​

​​

​​Test ​​users

​​Test us​​ers are available here​.​​​​​​

Handling ​of SSN

The social security number (SSN) is included in the signed document (SDO) only in the case where the SSN was defined as the SignerID in the sign order. The Sign​erID needs to be added when inserting the sign order or by using the ModifySigner call.

If this has been included in the sign order, a validation request (VA) with SSN lookup will be performed towards BankID to verify that the defined SignerID matches the person trying to sign. BankID will return the SSN as a part of the OCSP response and the OCSP will be added to the SDO. Read more about the SDO format.​

If the SignerID wasn't set in the sign order, a GetSDODetails call with the ReturnSSN element can be used to retrieve the signer's SSN. A VA request to BankID will be performed if the SSN is not part of SDO.

Note: If you are not allowed to handle SSN or you will limit the usage of SSN, each BankID user has a unique ID called PID (personal ID). This is included in the BankID user certificate.

How to find the SSN?

GetSignature

 

The SSN of a signer can be fetched from E-Signing using the GetSignature call. This requires that the SignerID was set in the sign order. The SSN is returned in the SignerID / IDValue element of the response.

GetSDODetails

Use the GetSDODetails function​ to deduct the content of the SDO and return the SSN. Set the ReturnSSN element in the request to true, and the SSN will be deducted from the SDO or if missing, do a request to BankID requesting the SSN. Note: This is a VA-request with SSN lookup and it has a cost. Refer to the "BankID uthenting av fødselsnummer" price element for your BankID certificate.​

​User ​experience

BankID client 

Step 1 (read document):

BankID - step 1.png

Step 2 (optional - see below): 

BankID - step 2.png

Step 3 (enter OTP): 

BankID - step 3.png

Step 4 (enter password):

BankID - step 4.png

Step ​2  - how to​​​ skip the User ID page

​​​The step to enter "User ID" (social security number/"fødselsnummer") will be dropped if the signer's ID has been set in the ​​SignerID element when defining the AcceptedPKIs / BankID​ element.​​​ This page will also be dropped if the presetid parameter is appended to the SignURL.

Note: There is one difference in the usage of SignerID element vs the presetid parameter. When setting the SSN in the SignerID element, the signature is after signing validated against the SSN in the SignerID, and the signing is dismissed if there is a mismatch. There is no such validation when using the presetid parameter.

IFRAME siz​​es

It is adviced to test all document types used for signing for responsiveness with different mobile devices. The recommended and minimum IFRAME ​sizes from BankID are:

    • Large screen (Desktop/tablet): 396px (w) by 280px (h) (recommended) / 370px (w) by 204px (h) (minimum)
    • Small screen (Smartphone) (only minimum sizes): 320px (w) by 350px (h) (portrait) / 480px (w) by 200px (h) (landscape)

Note: Customers using the signing deadline and/or signers table in E-Signing may need to use a slightly higher IFRAME size than the recommended sizes. ​

Usage of framemode and docdisplaymode

​When using the framemode and the docdisplaymode parameters for BankID, be aware of the following:

  • The combination framemode=window and docdisplay-mode=window is not recommended from BankID due to confusing user experience.
  • The combination framemode=redirect and docdisplaymode is also not recommended while being redirected may lead to confusing user experience. 
  • Framemode=window: Does not work with Internet Explorer or with WebViews (applies to iOS, Android and Win8) and it may be in conflict with pop-up blockers. Be aware that if the framemode=window is closed, the user may be on an empty window. This must be handled by the customer site.
  • Framemode=redirect: Internet Explorer does not work when IE’s Trusted sites security levels are set to High and when set to Low IE displays a question to the user whether he wants to accept the redirect before the redirect takes place. The web client is also not reloaded when the language are changed.
  • Docdisplaymode=window: Does not work from WebViews (applies to iOS, Android and Win8) and the parameter may be in conflict with pop-up blockers.

​Document types a​nd sizes​​

 

The following document formats are supported using BankID:

  • ​PDF
  • Text
  • XML
The general document size limit in E-Signing is currently 3MB base64 encoded document or approximately 2.2 MB document. BankID's recommendation is 1 MB. Read more in BankID's own documentation.​

 

PDF document

It is recommended from BankID to use PDF/A-2b format when creating the PDF documents. Also, to provide proper support for Universal Accessability, the document should conform to PDF/UA specification in addition to PDF/A-2b. See BankID recommendation for PDF documents.​ 

XML document​

BankID (NO) mandates that if an end user signs XML data then an XSL must be provided as well. The XSL is used to transform the XML to presentable HTML. So the customer must provide two documents when they want an XML-document to be signed.​

<BankIDXML>
	<XML>ANSGKFLSDSF==</XML>
	<XSL>ANSGKFLSDSF==</XSL>
</BankIDXML>
​​The BankIDXML structure is the document that the end user actually signs. When E-Signing sends this BankIDXML structure to the BankID client, it recognizes this structure and performs an XML transformation. The result of the XML transformation is a HTML which again is presented to the end user. The XML and XSL document bytes provided by the customer must be in ISO-8859-1. So when providing the XML and XSL bytes, get the ISO-8859-1 (ISO-LATIN-1) bytes. The ISO-8859-1 bytes must be Base64-encoded.

​​Multi-docume​​nt signing​

The multi-document signing functionality in the BankID 2.1 client will give signers the possibility to sign multiple documents in the same BankID session. The signer will have to enter the OTP code only once per session while the password must be submitted for each document as it is today. 

BankId multi-document.jpg

​​To utilize the BankID 2.1 multi-document signing functionality the customers need to be in line with the following:

  • ​All documents to be signed by one signer in one session must be in the same Step in the sign order. 
  • If the your E-Signing configuration is set to BankID 2.1 (and the clientversion is not 2.0) or if the clientversion parameter is set to 2.1, the default will be to show all active sign processes for a signer in the BankID 2.1 multi-document view. This functionality can be overwritten by appending the multisign parameter set to false to the sign URL. Read more about the different sign URL parameters. 
  • The document name shown in the list of documents in the client will be fetched from the Title element in the sign order. Note: This value will also be part of the SDO as the MerchantDescription. This is different from BankID 2.0 and BankID 2.1 with only one document where the Description element is used.
  • A new notification message has been added to handle notifications including sign URLs more gracefully. This is the OnStepReady notification for end users. This notification have been added so that customers using the BankID 2.1 multi-document signing functionality will only receive one notification with one sign URL. Example: If a step includes three documents ready for signing by one signer the usage of OnSignProcessReady will result in three notifications with three sign URLs, one for each documents. If the OnStepReady notification is used instead, only one notification is distributed with one sign url pointing to all documents. Read more about notification here. Note: The sign URL in any of the OnSignProcessReady notifications will also point to all documents. The customer can choose to use the sign url in one of the notifications and ignored the rest. 

Some recommendation when starting to use BankID 2.1 multi-document:

  • ​It is not recommended to set the TerminateOrderOnSignerRejection element in Steps / Step / SigningProcesses to false. BankID do not know the status of E-Signing signing processes and the user will be forced to sign all documents to complete a sign order.
  • If using identification before signing​ (RequiresAuthentication), this should either be enabled for all documents or disabled for all. As each of the sign URLs to all of the sign processes in one step can be used to access all documents in that step, the usages of identification before signing will vary dependent on the sign URL used, If a sign URL belonging to a document where identification before signing is enabled, the user will be prompted to identify himself. However, if accessing one without this setting enabled, the user will not be asked to identify himself. The user will in such cases be able to read all documents without user identification.​