BankID (SE)

Used by almost 8 million Swedes, BankID has become a household brand and a highly trusted digital identification and signing service for Swedish citizens. Almost 7 million have a mobile BankID and this eID was used in 96 % of logins and signings. It is also available as BankID on file and BankID on card.

Enable BankID in your services

To enable signing with BankID in E-Signing, a merchant certificate ("förlitande certifikat") is required for the communication between E-Signing (on your behalf) and BankID. Nets is a reseller of BankID and will help establish this certificate.

More information about BankID:

Merchant certificate ("Förlitande certifikat")

BankID agreement through Nets as reseller

To establish the "Förlitande certifikat", Nets needs the following information:

  • Your organisation name
  • Certificate display name (this is visible in the BankID security application during the end user's login)
  • VAT number

Nets will handle the communication with a bank issuing the certificate.

BankID agreement directly with an issuing bank

It is also possible to have a BankID agreement directly with a bank issuing BankID. You will need to enter into an agreement with the bank. To establish the "Förlitande certifikat", these steps must be done:

  1. Provide Nets with information about your organisation name, VAT number, certificate display name (visible during end user login) and the bank name.
  2. Nets will generate a certificate request based on this information and send it to you.
  3. You need to forward this certificate request to your bank. Do not make your own certificate request.
  4. The bank will issue the certificate based on the certificate request. Please forward this to Nets.
  5. Nets will install and set up your configuration with BankID.

Test certificate ("Förlitande certifikat")

Nets has a default test certificate that all customers can use. This will be set up during configuration, and you do not need to do anything.

Test users

See here for more information on how to get a BankID test user.

SDO seal and customer signature

To seal signed documents (SDOs) and to enable merchant signing, all customers using BankID must order a merchant certificate from Nets. This certificate will be issued from a Nets CA. The ordering of this certificate will be done in dialogue with support.

To use the merchant signing feature with this certificate for some or all of your documents, add the following to your sign order:

<Signer>
  <MerchantSigner>
    <LocalSignerReference>Sample123</LocalSignerReference>
    <SigningPKIType>EuridaConnect</SigningPKIType>
  </MerchantSigner>
</Signer>

Handling of SSN

For BankID, the end user's SSN is a part of his/her certificate that is used during signing. This certificate is a part of the signature in the signed document.

How to find the SSN?

GetSignature

The SSN of a signer can be fetched from E-Signing using the GetSignature call. The SSN is returned in the SignerID / IDValue element of the response.

GetSDODetails

Use the GetSDODetails function to inspect the content of the SDO and return the SSN. For BankID this can be found in the UniqueId element in SDOSignature / SignerCertificateInfo. See the SDOSignatures element.

User experience

BankID dialogue

Step 1 (optional) and step 2 for pop-up and standalone UI:

[Image: Pop-up standalone ui1.png]

Step 1 (optional) and step 2 for embedded UI:

[Image: embedded ui.png]

Step 3 (with BankID app on desktop):

[Image: BankID SE - step 3.png]

Step 3 (with BankID on mobile phone):

[Image: BankID SE - step 3 - popup.PNG]

Control the start of BankID app

The BankID signing dialogue can either be started by presenting the user with the screen in “Step 1” above or it can be skipped.

The BankID app is available in two versions: one for computers and one for mobile. The BankID app does not necessarily have to be installed and started from the device where the document to be signed is presented.

How the BankID app starts for the user depends on the autostart parameter appended to the sign URL and the SignerID element in the sign order. The table below explains the different scenarios.

| Autostart | SignerID | ForcePkiVendor | Behaviour |
|---|---|---|---|
| false (default) | null (default) | se_bankid (default) | The user will be presented with the page in "Step 1" above where he/she can choose to use this device or another device. |
| false | xxxxxxx | se_bankid | When setting the SignerID, the transaction is locked to a specific user. The user can sign on the device of his/her choice, and he/she is presented with the message “Launch your BankID Security App.” |
| true | null | se_bankid | The client will be auto started on the current device and the signing is not locked to a specific user. |
| true | xxxxxxx | se_bankid | The client will be auto started on the current device, and locked to the given SignerID. If the user doesn't have a certificate in the BankID security app connected to that user, an error will be shown. |
| false | xxxxxxx | se_bankid:mobile | Desktop users: The user will be redirected to a page which will show a QR code to scan. Mobile users: The user will be presented with a choice of using Mobile BankID on this device or Mobile BankID on another device. |

Note: On an iPhone in combination with embedded UI or on an Android device (any UI option), the user needs to click on a link to open the app when autostart is set to true.

There is also a problem with the use of autostart in the Chrome browser. This is a security feature in Chrome. A user gesture (e.g. click on a button) is required to take over the whole window, like we do when opening the BankID app. A workaround is to add these attributes on the iframe:

sandbox="allow-top-navigation allow-scripts allow-same-origin allow-forms"

PDF document signing

For PDF document signing, the document will be presented to the end user prior to launching the BankID security application. The document can either be visible inline as shown in "Step 2" above or with a link to the PDF document that must be opened before the user can continue.

Note: All new customers will get the inline PDF view. If you do not have the inline view, contact our support to request this view.

When using the inline PDF view, the height of the iframe should be set to 660 px or higher.
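As an added example (not Nets code), the function below builds the iframe markup for an embedded sign page and enforces the rules stated on this page: the sandbox attributes above, the 660 px minimum height, and the rule from the authentication-based signing section that autostart must not be true with abs:se_bankid:mobile. Because allow-top-navigation lets the framed page navigate the whole window, it also refuses any URL that is not HTTPS on an expected host. The host esign.example.com, the sample URL and the function names are placeholders, and passing forcepkivendor as a sign URL query parameter is an assumption.

```javascript
// Added example, not Nets code. Host names and URLs are placeholders.
const SANDBOX = "allow-top-navigation allow-scripts allow-same-origin allow-forms"; // from this page
const MIN_INLINE_PDF_HEIGHT = 660; // px, from this page
const VENDORS = new Set(["se_bankid", "se_bankid:mobile", "abs:se_bankid:mobile"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hypothetical helper: returns iframe markup or throws on a rule violation.
function buildSignFrame(signUrl, opts) {
  const { allowedHosts, autostart = false, vendor = "se_bankid", height = 660 } = opts;
  const url = new URL(signUrl); // throws on malformed input

  if (url.protocol !== "https:") throw new Error("sign URL must use https");
  // allow-top-navigation hands the top-level window to the framed page,
  // so grant it only to the expected E-Signing host (exact match).
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error("unexpected sign host: " + url.hostname);
  }
  if (!VENDORS.has(vendor)) throw new Error("unknown forcepkivendor: " + vendor);
  if (autostart && vendor === "abs:se_bankid:mobile") {
    throw new Error("autostart must not be true with abs:se_bankid:mobile");
  }
  if (!Number.isInteger(height) || height < MIN_INLINE_PDF_HEIGHT) {
    throw new Error("iframe height must be 660 px or higher for inline PDF view");
  }

  // Assumption: both parameters are appended to the sign URL as query parameters.
  url.searchParams.set("autostart", autostart ? "true" : "false");
  url.searchParams.set("forcepkivendor", vendor);

  return '<iframe src="' + escapeAttr(url.toString()) + '" height="' + height +
    '" sandbox="' + SANDBOX + '"></iframe>';
}
```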

Turn off inline PDF view 

The inline PDF view can be turned off by using the inlinepdf parameter appended to the sign URL. If the inline view is turned off, a link to the PDF document is shown to the user. The PDF document will be opened in another browser window or PDF application. The user must open this before proceeding with the signing. Read more about the inlinepdf parameter.

Sign text in BankID app

In the BankID security application, a descriptive text will be shown to the user. This is the visible text that the user signs. The hash of the PDF document will be added as a non-visible sign text. The descriptive text will either be:

  • a default Nets defined text: "You are now about to sign the PDF-document that was presented on the previous page." or
  • a customer defined text. See below for a description of how to add it.

How to add the customer defined sign text

  • Contact support to update your customer configuration setting to enable this functionality.
  • Insert the customer defined sign text into the Description element of a sign order.

Note: The text added to the Description element is also shown in the header if using Nets standalone GUI and it is added to the SDO (signed document).

BankID logo

If needed, the BankID logo can be downloaded from https://www.bankid.com/om-oss/pressmaterial and https://www.bankid.com/assets/bankid/logo/BankID-varumarkesguide-v10-SE-2019-06-11.pdf.

Document types and sizes

The following document formats are supported using BankID:

  • PDF
  • Text

The size limit of a document is 10 MB, measured on the base64 encoded document. Encoding adds approximately 30 % to the size of a non-encoded document.

Authentication-based signing

The E-Signing service offers the possibility to sign a document based on an authentication. To create a sign order with authentication-based signing, please have a look at the authentication-based signing page.

The BankID specific values are listed in the table below:

| Element/parameter | Description | Value |
|---|---|---|
| AuthenticationID | This element can be used to indicate that BankID is one of the eIDs the signer can sign with. | se_bankid |
| SignerID | The SignerID element can specify which user shall sign the document. | IDType: SSN. IDValue: The signer's national identity number. |
| forcepkivendor | The forcepkivendor parameter can be used to point the user directly to this eID. Read more about forcepkivendor. The autostart must not be set to true. Desktop users: The user will be redirected to a page which will show a QR code to scan. Mobile users: The user will be presented with a choice of using Mobile BankID on this device or Mobile BankID on another device. | abs:se_bankid:mobile |