BankID on mobile (NO)

Used by around 4 million Norwegians, BankID has become a household brand and a highly trusted digital identification service for Norwegian citizens.

Enable BankID on mobile in your services

To get you started with BankID on mobile signing through E-Signing, Nets needs a merchant certificate and some configuration settings from you. The configuration settings are supplied in the setup dialogue with support.

Merchant certificate​


Nets, through its Signing and Identification Services, is a reseller of BankID merchant certificates. A certificate can be ordered either separately or together with E-Ident and/or E-Signing. When ordering a merchant certificate through Nets, you will receive an information letter asking you to complete a form with the information needed to create a BankID "brukerstedsavtale" (merchant agreement) with BankID Norge. Note: in this form you must specify whether you are allowed to handle SSN (social security numbers).

Return the form to our support; based on it, Nets registers the order with BankID. After registration you will be asked to confirm and sign the order. Once the order is signed with BankID Norge, it is sent to your bank for processing, which may take up to 10 business days. Nets then receives the activation information for your BankID merchant certificate from your bank, activates the certificate and connects it to your configuration.

If you use another reseller, the BankID activation link and code must be sent to Nets without being activated. Contact Nets support for the contact details of the recipient of the link and code.

Test merchant certificate

Nets will set you up with a shared test merchant certificate unless otherwise agreed.


Test users

Information about how to get a test user is available here.

Handling of SSN

The social security number (SSN) is included in the signed document (SDO) only when the SSN was defined as the SignerID in the sign order. The SignerID is added when inserting the sign order, or afterwards with the ModifySigner call.

If a SignerID has been included in the sign order, a validation request (VA) with SSN lookup is performed towards BankID to verify that the defined SignerID matches the person trying to sign. BankID returns the SSN as part of the OCSP response, and the OCSP response is added to the SDO. Read more about the SDO format.

Note: if you are not allowed to handle SSN, or want to limit its use, each BankID user also has a unique ID called PID (personal ID), which is included in the BankID user certificate.

How to find the SSN?

GetSignature

The SSN of a signer can be fetched from E-Signing using the GetSignature call. This requires that the SignerID was set in the sign order. The SSN is returned in the SignerID / IDValue element of the response.

User experience

BankID on mobile dialogue (PDF document signing)

Step 1:

BankID on mobile - step 1.png

Step 2 (optional - see below): 

BankID on mobile - step 2.png

Step 3+4 (on mobile):

BankID on mobile - step 3.png BankID on mobile - step 4.png

Step 5 (on mobile):

BankID on mobile - step 5.png

Predefine mobile phone number and birthdate

The end user's mobile phone number and birthdate may be predefined on the customer's own site before the E-Signing service is called. This is done by appending the mobile phone number and birthdate as parameters to the signing URL. If these parameters are used, the step 2 page is not shown.

Read more about the different sign URL parameters.

Document types and sizes​

The following document formats are supported using BankID on mobile:

  • PDF
  • Text

PDF signing

BankID itself limits signing on a mobile phone to text signing of at most 116 characters. The E-Signing service extends this to support PDF signing. The size limit of a PDF document is 3 MB base64 encoded, or approximately 2.2 MB unencoded.

In the E-Signing service, the signer is presented with a page showing the PDF document and the actual text to be signed during the BankID on mobile session (see step 1 in the BankID on mobile dialogue above). The text the user actually signs is a customer-defined sign text followed by a unique representation of the document (the document hash). Choose a text that the signer will remember and can relate to the document. The sign text is defined together with the document in the SignTextPrefix element of the sign order.

If the customer does not define a text, a predefined text is shown. The predefined text is (in Norwegian only): "Jeg signerer det presenterte PDF-dokumentet." ("I am signing the presented PDF document.")

SDO structure

SDO element       Contains
CMSSignature      BankID on mobile PKCS#7 signature over HashedData
HashedData        hash(signtext), where
                  signtext = merchant-specified text message + hex-encoded document hash (64 characters)
                  document hash = SHA-256 hash (32 bytes) of SignersDocument
SignersDocument   PDF document (base64 encoded)

Validation of SDO

PDF signing with BankID on mobile uses an SDO format with a custom validation method and cannot be validated by the BankID server. It can, however, be validated with the E-Signing validator or by using the ValidateSDO call.

To validate the SDO:

  1. Generate the SHA-256 hash of the base64-decoded SignersDocument and hex encode it (64 characters)
  2. Concatenate the sign text prefix found in the SDO metadata with the hex-encoded document hash to form the sign text
  3. Generate the SHA-256 hash of the resulting sign text

The final SHA-256 hash must match the HashedData value covered by the BankID on mobile PKCS#7 signature in the SDO.
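The three validation steps above as a runnable check. This is an added example, not code from Nets or the E-Signing service, and it makes several assumptions the page does not state: the SDO fields are assumed to have been extracted into a dict with the keys SignTextPrefix, SignersDocument (base64) and HashedData (hex) (the real SDO is a structured document and these key names are this example's own); the sign text is assumed to be UTF-8 encoded and the document hash lowercase hex; and when no prefix is present the predefined Norwegian text is assumed as the fallback. Verify those details against the E-Signing validator before relying on them. The example checks only the hash chain; it does not verify the PKCS#7 signature over HashedData or the BankID certificate behind it.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Predefined Norwegian sign text shown by E-Signing when the merchant sets no SignTextPrefix (from the page).
DEFAULT_SIGN_TEXT_PREFIX = "Jeg signerer det presenterte PDF-dokumentet."


def document_hash_hex(document: bytes) -> str:
    """Step 1: SHA-256 (32 bytes) of the decoded SignersDocument, hex encoded to 64 characters.
    Lowercase hex is an assumption; the page only says "hex encoded"."""
    return hashlib.sha256(document).hexdigest()


def build_sign_text(sign_text_prefix: str, document: bytes) -> str:
    """Step 2: merchant text followed by the document hash; this is what the user sees and signs."""
    return sign_text_prefix + document_hash_hex(document)


def hashed_data(sign_text_prefix: str, document: bytes) -> bytes:
    """Step 3: SHA-256 of the sign text. This is the HashedData the PKCS#7 signature covers.
    UTF-8 encoding of the sign text is an assumption."""
    sign_text = build_sign_text(sign_text_prefix, document)
    return hashlib.sha256(sign_text.encode("utf-8")).digest()


def validate_sdo(sdo: dict) -> bool:
    """Recompute HashedData from SignersDocument and SignTextPrefix and compare it with the
    HashedData the SDO carries. Only the hash chain is checked; the PKCS#7 signature over
    HashedData is NOT verified here."""
    try:
        document = base64.b64decode(sdo["SignersDocument"], validate=True)
        carried = bytes.fromhex(sdo["HashedData"])
    except (KeyError, ValueError):
        return False  # malformed SDO: missing field, bad base64 or bad hex
    # Falling back to the predefined text when no prefix is present is this example's assumption.
    prefix = sdo.get("SignTextPrefix") or DEFAULT_SIGN_TEXT_PREFIX
    expected = hashed_data(prefix, document)
    return hmac.compare_digest(expected, carried)


# --- constructed sample data (not a real SDO and not a real BankID signature) ---

SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document, not a real PDF\n"
SAMPLE_PREFIX = "Jeg signerer laaneavtale 4711: "


def make_sample_sdo(document: bytes, prefix: Optional[str]) -> dict:
    """Build the hash-chain part of an SDO the way the table above describes it."""
    sdo = {
        "SignersDocument": base64.b64encode(document).decode("ascii"),
        "HashedData": hashed_data(prefix or DEFAULT_SIGN_TEXT_PREFIX, document).hex(),
    }
    if prefix is not None:
        sdo["SignTextPrefix"] = prefix
    return sdo


def sample_sdo() -> dict:
    return make_sample_sdo(SAMPLE_PDF, SAMPLE_PREFIX)


def tampered_sdo() -> dict:
    """Same SDO with one byte appended to the document: the recomputed hash must no longer match."""
    sdo = sample_sdo()
    sdo["SignersDocument"] = base64.b64encode(SAMPLE_PDF + b"\n").decode("ascii")
    return sdo


def prefix_swapped_sdo() -> dict:
    """Same SDO with the sign text prefix in the metadata altered: the chain must also break."""
    sdo = sample_sdo()
    sdo["SignTextPrefix"] = "Jeg signerer laaneavtale 4712: "
    return sdo


if __name__ == "__main__":
    print("sign text:", build_sign_text(SAMPLE_PREFIX, SAMPLE_PDF))
    print("valid:", validate_sdo(sample_sdo()))
    print("tampered document:", validate_sdo(tampered_sdo()))
    print("altered prefix:", validate_sdo(prefix_swapped_sdo()))
```

Both negative cases matter in practice: a changed document and a changed prefix each produce a different sign text, so either breaks the chain even though the CMS blob itself is untouched. A constant-time comparison is used because the carried HashedData comes from an untrusted input.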

Text document signing

Text document signing with BankID on mobile is useful for short documents, such as transaction signing. When signing a text document, the document size is limited to 116 characters. Some limitations must be considered when signing text documents with BankID on mobile:

  • The document sent to E-Signing is modified to support signing on a phone: two bytes are added and the document is GSM encoded.

  • If the document is to be signed by more than one person and one of them uses an eID other than BankID on mobile, that user may have trouble reading the document because it is GSM encoded. If all signers use BankID on mobile, this is not an issue.

  • When validating the signed document (SDO), the document may look odd because it is GSM encoded.