The web service protocol
ID-Rights exposes an interface that understands the TrustB2BMessage XML protocol. This protocol consists of several XML-based request/response messages where each message performs a ID-Rights query. Each message is built up in three parts:
- Request header
- The message
- XML signature
The communication between the customer and Nets is based on two-way SSL using client certificates issued by Nets. Download the ID-Rights XML schema.
The request header is common for all ID-Rights messages. Note: The service has a time window and expects all customers to have synchronized clocks using the Network Time Protocol (NTP). If a message is received outside the time window, the customer will get an ErrorResponse. The time window is +/- 5 minutes.
The reason for using time windows is to prevent replay-attacks. The time cannot be changed by a MITM (Man In The Middle) as all requests to ID-Rights are digitally signed.
|MerchantID||This value represents the calling customer. The customer gets this value upon configuration in ID-Rights.||Mandatory|
|Time ||This value is the current date and time in UTC.||Mandatory|
Time in UTC ie “2017-12-31T14:21:04Z”
The value must be within the current time window – ie +/- 5 minutes.
|MessageID ||The MessageID is defined by the calling merchant application and is returned in the response. The customer may use the MessageID to see which request the response-message belongs to.||Mandatory|
Each messageID must be unique for the given customer.
|CountryCode ||This value describes which country the request is concerning.|
If this element is not used, NO is used as default.
Allowed values are DK, FI, NO, SE
|AdditionalInfo||The AdditionalInfo element can be used by customers to add information like cost center etc.||Optional|
MinLength = 1
MaxLength = 50
|TraceID ||The TraceID element is generated by the ID-Rights service. The customer is not supposed to provide a TraceID and it will be ignored if provided. The response however will contain a unique TraceID which the customer should provide if there are any questions the given response.||Optional|
The ID-Rights service gives a set of messages for querying for data as well as messages for maintenance and audit logs.
The messages can be categorized as:
All messages to the ID-Rights service must be signed with XMLDSIG to be able to reach the service. The XMLDSIG must be of the enveloping kind. The entire message must be signed using a Nets issued signing certificate the customer is given upon configuration in the customer test and production environment respectively. ID-Rights validates the signature, authenticates the calling party and performs authorization checks based on the request at hand. If the calling party is authenticated and authorized then the request is handled by ID-Rights.
Some external links about XMLDSIG: