Integrationsguide

Requirement

RP may use the requirement parameter to describe how the signature must be created and verified. A typical use case is to require Mobile BankID or a special card reader. A requirement can be set for both auth and sign orders.

The following table describes requirements, their possible values and defaults.

Name
cardReader
Value "class1" - (default). The transaction must be performed using a card reader where the PIN code is entered on the computers keyboard, or a card reader of higher class. "class2" - The transaction must be performed using a card reader where the PIN code is entered on the reader, or a reader of higher class. - defaults to "class1". This condition should be combined with a certificatePolicies for a smart card to avoid undefined behavior. Default No special type of card reader required.
certificatePolicies
Value The oid in certificate policies in the user certificate. List of String. One wildcard is allowed from position 5 and forward. The wildcard is: * Example: 1.2.752.78.* The values for production BankIDs are: "1.2.752.78.1.1" - BankID on file "1.2.752.78.1.2" - BankID on smart card "1.2.752.78.1.5" - Mobile BankID "1.2.752.71.1.3" - Nordea e-id on file and on smart card. The values for test BankIDs are: "1.2.3.4.5" - BankID on file "1.2.3.4.10" - BankID on smart card "1.2.3.4.25" - Mobile BankID "1.2.752.71.1.3" - Nordea e-id on file and on smart card “1.2.752.60.1.6” - Test BankID for some BankID Banks Default If no certificate policies are set, the following are default in the production system: 1.2.752.78.1.1 1.2.752.78.1.2 1.2.752.78.1.5 1.2.752.71.1.3 The following are default in the test system: 1.2.3.4.5 1.2.3.4.10 1.2.3.4.25 1.2.752.60.1.6 1.2.752.71.1.3 If one certificate policy is set, all the default policies are dismissed.
issuerCn
Value The cn (common name) of the issuer. List of String. Wildcards are not allowed. Nordea values for production: "Nordea CA for Smartcard users 12" - E-id on smart card issued by Nordea CA. "Nordea CA for Softcert users 13" - E-id on file issued by Nordea CA. Example Nordea values for test: "Nordea Test CA for Smartcard users 12" - E-id on smart card issued by Nordea CA. "Nordea Test CA for Softcert users 13" - E-id on file issued by Nordea CA. Default If issuer isn't defined, all relevant BankID and Nordea issuers are allowed.
autoStartTokenRequired
Value Deprecated. Will not be possible to use in future versions of the RP API. Use tokenStartRequired. If present, and set to true, one of the following methods must be used to start the client: autoStartToken in an URL autoStartToken in a static QR Boolean. To be used if it is important that the BankID App is on the same device as the RP service. If this requirement is omitted or set to false, the client does not need to be started using autoStartToken. Default The client doesn't need to be started using autoStartToken.
allowFingerprint
Value Users of iOS and Android devices may use fingerprint for authentication and signing if the device supports it and the user configured the device to use it. Boolean. No other devices are supported at this point. If set to true, the users are allowed to use fingerprint. If set to false, the users are not allowed to use fingerprint. Default true for authentication. false for signing.
tokenStartRequired
Value The tokenStartRequired replaces the autostartTokenRequired. Boolean. If present, and set to true, one of the following methods must be used to start the client: Animated QR AutoStartToken in an URL AutoStartToken in a static QR Default The client doesn't need to be started using a token.

Name

Value

"class1" - (default).
The transaction must be performed using a card reader where the PIN code is entered on the computers keyboard, or a card reader of higher class.
"class2" -
The transaction must be performed using a card reader where the PIN code is entered on the reader, or a reader of higher class.
- defaults to "class1".
This condition should be combined with a certificatePolicies for a smart card to avoid undefined behavior.

Default
No special type of card reader required.

Value
The oid in certificate policies in the user certificate. List of String. One wildcard is allowed from position 5 and forward.
The wildcard is: *
Example: 1.2.752.78.*

The values for production BankIDs are:

"1.2.752.78.1.1" - BankID on file
"1.2.752.78.1.2" - BankID on smart card
"1.2.752.78.1.5" - Mobile BankID
"1.2.752.71.1.3" - Nordea e-id on file and on smart card.

The values for test BankIDs are:

"1.2.3.4.5" - BankID on file
"1.2.3.4.10" - BankID on smart card
"1.2.3.4.25" - Mobile BankID
"1.2.752.71.1.3" - Nordea e-id on file and on smart card
“1.2.752.60.1.6” - Test BankID for some BankID Banks

Default
If no certificate policies are set, the following are default in the production system:

1.2.752.78.1.1
1.2.752.78.1.2
1.2.752.78.1.5
1.2.752.71.1.3

The following are default in the test system:

1.2.3.4.5
1.2.3.4.10
1.2.3.4.25
1.2.752.60.1.6
1.2.752.71.1.3

If one certificate policy is set, all the default policies are dismissed.

Value
The cn (common name) of the issuer. List of String. Wildcards are not allowed. Nordea values for production:

"Nordea CA for Smartcard users 12" - E-id on smart card issued by Nordea CA.
"Nordea CA for Softcert users 13" - E-id on file issued by Nordea CA.

Example Nordea values for test:

"Nordea Test CA for Smartcard users 12" - E-id on smart card issued by Nordea CA.
"Nordea Test CA for Softcert users 13" - E-id on file issued by Nordea CA.

Default
If issuer isn't defined, all relevant BankID and Nordea issuers are allowed.

Value
Deprecated. Will not be possible to use in future versions of the RP API. Use tokenStartRequired. If present, and set to true, one of the following methods must be used to start the client:

Boolean. To be used if it is important that the BankID App is on the same device as the RP service.
If this requirement is omitted or set to false, the client does not need to be started using autoStartToken.

Default
The client doesn't need to be started using autoStartToken.

Value
Users of iOS and Android devices may use fingerprint for authentication and signing if the device supports it and the user configured the device to use it. Boolean. No other devices are supported at this point.

If set to true, the users are allowed to use fingerprint.
If set to false, the users are not allowed to use fingerprint.

Default
true for authentication.
false for signing.

Example – allowFingerprint for sign

POST /rp/v5.1/sign HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com
{
  "personalNumber": "190000000000", 
  "endUserIp": "192.168.0.1",
  "requirement": {
    "allowFingerprint": true
  }
}

Example – certificatePolicies for auth with Mobile BankID

POST /rp/v5.1/auth HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com
{
  "personalNumber": "190000000000",
  "endUserIp": "192.168.0.1",
  "requirement": {
    "certificatePolicies": ["1.2.752.78.1.5"]
  }
}

Example – Combined Requirements

Multiple parameters can be set for a requirement (AND). Multiple values can be set for parameter certificatePolicies and issuerCn (OR).

POST /rp/v5.1/auth HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com
{
  "personalNumber": "190000000000",
  "endUserIp": "192.168.0.1",
  "requirement": {
    "certificatePolicies": [
      "1.2.752.78.1.5", 
      "1.2.752.71.1.3", 
      "1.2.752.78.1.2"
    ], 
    "tokenStartRequired": true
  } 
}

Errors

Requirement

Name

Företag

Privatpersoner

Utvecklare

Om oss