Enable BankID on mobile in your services
To get you started with BankID on mobile signing through E-signing, Nets needs a merchant certificate and some configuration settings from you. The configuration settings are supplied in the setup dialogue with support.
More information about BankID:
Merchant certificate
Nets, through its Signing and Identification Services, is a reseller of BankID merchant certificates; a certificate can be ordered either separately or together with E-Ident and/or E-Signing. When ordering a merchant certificate through Nets, you will receive an information letter asking you to complete a form with the information needed to create a BankID “brukerstedsavtale” (merchant agreement) with BankID Norge. Note: in this form you need to specify whether you are allowed to handle SSN.
The form shall be returned to Nets support, and based on the form Nets will register the order with BankID. After registration you will be asked to confirm and sign the order. When the order has been signed with BankID Norge, it is sent to your bank for processing; your bank may use up to 10 business days. Nets then receives the activation information for your BankID merchant certificate from your bank, activates the certificate and connects it to your configuration.
If you use another reseller, the BankID activation link and code must be sent to Nets without being activated. Contact Nets support for the contact details of the receiver of the link and code.
Test merchant certificate
Nets will set you up with a common test merchant certificate unless otherwise agreed.
Test users
Information about how to get a test user is available here.
Handling of SSN
The social security number (SSN) is included in the signed document (SDO) or native PAdES if the SSN was defined in the SignerID element of the sign order. The SignerID is added when inserting the sign order or by using the ModifySigner call. If it has been included in the sign order, a validation request (VA) with SSN lookup is performed towards BankID to verify that the defined SignerID matches the person trying to sign.
The SSN is also included if the IncludeSSN element has been set to true in the sign order; in that case the validation request towards BankID also includes an SSN lookup.
Read more about SignerID and IncludeSSN.
BankID returns the SSN as part of the OCSP response, and the OCSP response is added to the SDO or PAdES.
Note: If you are not allowed to handle SSN, or want to limit its usage, each BankID user has a unique identifier called PID (personal ID) that is included in the BankID user certificate and can be used instead.
How to find the SSN?
GetSignature
The SSN of a signer can be fetched from E-Signing using the GetSignature call. This requires that the SignerID was set in the sign order. The SSN is returned in the SignerID / IDValue element of the response.
User experience
BankID on mobile dialogue (PDF document signing)
Step 1 (using pop-up and standalone UI):
Step 1 (using embedded UI):
Step 2 (optional - see below):
Step 3+4 (on mobile):
Step 5 (on mobile):
Predefine mobile phonenumber and birthdate
The end user’s mobile phone number and birthdate may be predefined at the customer's own site prior to calling the E-Signing service. This is done by appending the mobile phone number and birthdate as parameters to the signing URL. If these parameters are used, the step 2 page is not shown.
Read more about the different sign URL parameters.
Document types and sizes
The following document formats are supported using BankID on mobile:
PDF signing
BankID on mobile itself is limited to text signing of at most 116 characters. The E-Signing service extends this to PDF signing. The size limit for a document is 10 MB for the base64-encoded document; base64 encoding adds approximately 30 % to the size of the raw document.
In the E-Signing service, the signer is presented with a page showing the PDF document and the actual text to be signed during the BankID on mobile session. See step 1 in the BankID on mobile dialogue above. The text that is actually signed by the user is a customer-defined sign text + a unique representation of the document (the document hash). It is recommended to set a text that the signer will remember and can relate to. The sign text is defined together with the document in the SignTextPrefix element in the sign order.
If the customer doesn’t define a text, a predefined text is shown. The predefined text is (in Norwegian only): “Jeg signerer det presenterte PDF-dokumentet.” (“I sign the presented PDF document.”)
SDO structure
Element | Content
CMSSignature | BankID on mobile PKCS#7 signature over HashedData
HashedData | hash(signtext), where signtext = merchant-specified text message + hex encoded document hash (64 characters), and document hash = SHA-256 hash (32 bytes) of SignersDocument
SignersDocument | PDF document (base64 encoded)
Validation of SDO
PDF signing with BankID on mobile uses an SDO format with a custom validation method and will not validate with the BankID server. It can however be validated with the E-Signing validator or by using the ValidateSDO call.
To validate the SDO:
- Base64-decode the SignersDocument and generate the SHA-256 hash of the decoded document
- Concatenate the sign text prefix found in the SDO metadata with the hex encoded document hash to form the sign text
- Generate the SHA-256 hash of the resulting sign text
The final SHA-256 hash should match the hash in the BankID on mobile signature; if the document or the sign text prefix has been altered after signing, the recomputed hash will differ and the SDO must be rejected.
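The three validation steps above, implemented as an added example (this is not Nets' code and does not parse the real SDO format). The SDO is modelled as a dict with the three elements named in the structure table; the hash carried in the CMSSignature is modelled as a hex field named SignatureHashedData. Lowercase hex for the document hash and UTF-8 for the sign text are assumptions, as the page does not specify either encoding.

```python
# Added example, not Nets' own code: re-implements the SDO validation steps for
# BankID on mobile PDF signing so a relying party can check the hash chain
# document -> sign text -> HashedData itself.
#
# Assumptions not stated on the page:
#   * the SDO is modelled as a plain dict holding SignersDocument (base64),
#     SignTextPrefix (from the SDO metadata) and the hash carried in the
#     CMSSignature, modelled here as "SignatureHashedData" in hex;
#   * the document hash is hex encoded in lowercase before concatenation;
#   * the sign text is UTF-8 encoded before it is hashed;
#   * when no prefix was set, the predefined text takes the prefix's place.
import base64
import hashlib
import hmac

# Predefined sign text shown by E-Signing when the merchant sets no prefix (from the page).
DEFAULT_SIGN_TEXT_PREFIX = "Jeg signerer det presenterte PDF-dokumentet."

# Constructed stand-in for a PDF; a real SDO carries the merchant's document.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document for the example\n%%EOF\n"


def document_hash_hex(pdf_bytes: bytes) -> str:
    """Step 1: SHA-256 (32 bytes) of the decoded document, hex encoded (64 chars)."""
    return hashlib.sha256(pdf_bytes).hexdigest()


def build_sign_text(sign_text_prefix: str, pdf_bytes: bytes) -> str:
    """Step 2: merchant-specified text + hex encoded document hash."""
    prefix = sign_text_prefix if sign_text_prefix else DEFAULT_SIGN_TEXT_PREFIX
    return prefix + document_hash_hex(pdf_bytes)


def hashed_data_hex(sign_text_prefix: str, pdf_bytes: bytes) -> str:
    """Step 3: SHA-256 of the sign text; this is the HashedData the BankID signature covers."""
    sign_text = build_sign_text(sign_text_prefix, pdf_bytes)
    return hashlib.sha256(sign_text.encode("utf-8")).hexdigest()


def make_sdo(sign_text_prefix: str, pdf_bytes: bytes) -> dict:
    """Constructed SDO for the example: what the three elements would contain after a
    successful signing. Real SDOs are produced by E-Signing, not by the relying party."""
    return {
        "SignTextPrefix": sign_text_prefix,
        "SignersDocument": base64.b64encode(pdf_bytes).decode("ascii"),
        "SignatureHashedData": hashed_data_hex(sign_text_prefix, pdf_bytes),
    }


def validate_sdo(sdo: dict) -> bool:
    """Recompute HashedData from the SDO's own document and prefix and compare it,
    in constant time, with the hash carried in the BankID on mobile signature."""
    try:
        pdf_bytes = base64.b64decode(sdo["SignersDocument"], validate=True)
    except (KeyError, ValueError):
        return False  # missing or malformed document: nothing to validate against
    expected = hashed_data_hex(sdo.get("SignTextPrefix", ""), pdf_bytes)
    carried = str(sdo.get("SignatureHashedData", "")).lower()
    return hmac.compare_digest(expected, carried)


def demo() -> dict:
    """Runs the check on a genuine SDO and on two copies tampered with after signing."""
    genuine = make_sdo("Jeg signerer avtalen med Eksempel AS. ", SAMPLE_PDF)
    # Tampering 1: document swapped after signing, signature hash left unchanged.
    swapped_doc = dict(genuine, SignersDocument=base64.b64encode(SAMPLE_PDF + b"\n").decode("ascii"))
    # Tampering 2: sign text prefix in the SDO metadata altered after signing.
    swapped_prefix = dict(genuine, SignTextPrefix="Jeg signerer ingenting. ")
    return {
        "genuine": validate_sdo(genuine),
        "swapped_document": validate_sdo(swapped_doc),
        "swapped_prefix": validate_sdo(swapped_prefix),
        "document_hash_len": len(document_hash_hex(SAMPLE_PDF)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Encoding details matter here: because the hex document hash is hashed again as part of a text string, the case of the hex digits and the character encoding of the prefix both change HashedData. A validator must use exactly the encodings E-Signing uses, so the assumptions above should be confirmed against an SDO produced in the test environment before relying on them.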
Text document signing
Text document signing with BankID on mobile is useful for short documents, for example transaction signing. When signing a text document, the document size is limited to 116 characters. There are some limitations to consider when signing text documents with BankID on mobile:
- The document sent to E-Signing is changed to support signing on a phone: two bytes are added and the document is GSM encoded.
- If the document shall be signed by more than one person and one of the signers uses an eID other than BankID on mobile, that signer may have trouble reading the document because it is GSM encoded. If all signers use BankID on mobile, this is not an issue.
- When validating the signed document (SDO), the document may look awkward because it is GSM encoded.
Authentication-based signing
The E-Signing service offers the possibility to sign a document based on an authentication. To create a sign order with authentication-based signing, please have a look at the authentication-based signing page.
The BankID on mobile specific values are listed in the table below:
Element | Description | Value
AuthenticationID | Indicates that BankID on mobile is one of the eIDs the signer can sign with. | no_bidmob
SignerID | Specifies which user shall sign the document. The PID value is the personal identifier from the user's BankID on mobile certificate; this is also returned as the pid claim from a BankID on mobile authentication through E-Ident. The SSN is the signer's national identity number. | IDType: PID or SSN; IDValue: see description
forcepkivendor | Points the user directly to this eID. Read more about forcepkivendor. | abs:no_bidmob