Get started with Swedish BankID through an agreement with a BankID bank

215 views July 30, 2019 July 31, 2019 1

This is a process description for setting up a new solution with Swedish BankID if you wish to establish your own, separate agreement with a BankID bank. For information on how to set up a typical solution with Swedish BankID through Signicat instead, see How to get started with Swedish BankID.

This process describes the interaction between the customer, the customer’s bank, and Signicat Operations when developing and establishing a web application that uses Swedish BankID. The process contains descriptions of tasks relevant to all parties.

The process is described using steps, where each step has a natural end state. The descriptions are mainly high-level overviews without technical details.

Signicat may, on request, carry out some of the steps on behalf of the customer.

Process overview

  1. Customer signs agreement with Signicat AS
  2. Customer selects bank and signs an agreement with the bank
  3. Customer performs technical integration with id.signicat
  4. Customer orders ‘Köparcertifikat’ for production from the bank
  5. Customer performs ‘Köpargenomgång’
  6. Customer receives and installs the Köparcertifikat for production
  7. Customer performs the Köparcertifikat production test

End condition

At least one of the following functions must be available and successful in the customer’s web application, using the Signicat services:

  • secure identification of Internet users, using Swedish BankID
  • digital signing of documents, using Swedish BankID

Process

1. Customer signs agreement with Signicat AS

Signicat AS is an official BankID broker, approved by Finansiell ID-Teknik in Sweden.

The customer signs an agreement with Signicat AS. This agreement specifies, among other things:

  • the SLA between the customer and Signicat AS
  • the number of ID methods (such as authentication, signing, and verification)
  • the number of ID solutions (such as Swedish BankID)
  • the number of graphical profiles the customer needs

2. Customer signs an agreement with the bank or with Signicat regarding the use of BankID

This step takes place between the customer and the bank, or between the customer and Signicat.

If the customer wishes to sign with a bank, the following authorizations must be specified in the agreement:

  • who is authorized to order, manage, and close the Köparcertifikat. The Köparcertifikat represents the customer and is used to authenticate Internet users and enable signing of documents in real time.
  • who is authorized to obtain and install the Köparcertifikat in a production environment.

If the customer signs the agreement directly with Signicat, no paperwork regarding this step is required. This may speed up the establishment process by a number of days or weeks. Signicat’s Köparcertifikat will be used instead.

3. Customer performs technical integration with id.signicat

After the agreements are signed, the customer performs technical integration with id.signicat. This includes:

  • installation and programming of the Signicat client kit
  • testing the integration

4. Customer orders Köparcertifikat for production from the bank

This step is not required if the customer has signed an agreement with Signicat regarding the use of BankID.

The customer creates a Certificate Request File (CSR-file) using the ‘Keyman’ software for the customer’s bank, and sends an order containing the CSR-file to the bank via e-mail.

Signicat has installed Keyman for different banks and may, if the customer wishes, perform this task on behalf of the customer.

5. Customer performs ‘Köpargenomgång’

The customer performs a so-called ‘Köpargenomgång’ of the technical and administrative solution with the bank.

A Köpargenomgång is a review of the customer’s business, which looks at, among other things:

  • how BankID will be used, and for which service
  • which BankID software will be used (id.signicat)
  • how security is implemented
  • which logging routines exist
  • how the requirements of the Privacy Act (Personuppgiftslagen – PUL) are handled

Signicat may assist the customer in describing the technical parts of the Köpargenomgång document.

6. Customer receives and installs the Köparcertifikat for production

This step is not required if the customer has signed an agreement with Signicat regarding the use of BankID.

The bank produces the Köparcertifikat and sends it to the person who is authorized to receive it.

When Signicat Operations receives the Köparcertifikat, it will be installed in the certificate archive according to Signicat’s own safety routines for certificate management.

The certificate will be available in the customer’s configuration on id.signicat.com. It will be used to authorize incoming transactions only from the customer’s web application, or a predefined whitelist of accepted sites, as specified by the customer.

7. Customer performs the Köparcertifikat production test

The customer must notify the bank three days before the production test will be conducted. The date and time for the production test, as well as the number of identifications and signatures that will be made, must be specified.

The test is performed using the customer’s application. From the application, the identifications and/or signatures are sent to id.signicat. For each call, id.signicat creates a request, signs it with the Köparcertifikat, and sends it to the BankID server. The BankID server receives the request, verifies it, and sends a response containing the result back to id.signicat.

After finishing the test, the bank analyzes the test results, and if successful it sends an approval to the customer. After approval is received, the customer may launch the new web application.

 

For more information on how to utilize Swedish BankID services through Signicat, see our documentation on Swedish BankID.
