Swedish BankID

About Swedish BankID

Swedish BankID is a personal and easy method of secure electronic identification and signing on the Internet.

All individuals who have a Swedish personal identity number (personnummer) and are registered as resident in Sweden can obtain Swedish BankID through their bank. A BankID has the same value and is used the same way regardless of the bank that issued it. BankID may be issued to persons over 18, and several banks also issue BankID to persons under 18.

Swedish BankID clients exist for desktop (Windows or macOS) and mobile devices (Mobile BankID on Android or iOS).

The banks issuing Swedish BankID

The banks issuing BankID to private individuals are Handelsbanken, SEB, Swedbank, SkandiaBanken, Länsförsäkringar Bank, Danske Bank, Sparbanken Finn, Sparbanken Gripen and Ikano Bank. Together, these banks have more than 5.6 million Internet customers who have the option of using their BankID in more than 300 different service applications.

Integrating with Swedish BankID through Signicat

Signicat has an integration with Swedish BankID and delivers it, together with a large number of other integrated ID methods, through a single point of integration. For our customers this means shorter time to production and less time spent integrating and maintaining connections to one or several identity providers. Through the single point of integration you get access to Signicat’s full portfolio of integrated ID methods: not only Swedish BankID, but also services such as identity paper verification, lookups, and video assurance.

Digital onboarding

Swedish BankID can be used for digital onboarding of a user, through user identification. The ID method can be used as a stand-alone method or in combination with other services provided by Signicat to assure an identity, such as identity paper verification, lookups, and video assurance.

Use case

In order to become a customer, you first have to register. During this digital onboarding process, you can choose to use Swedish BankID, among others, as an ID method to register as a user for the first time.

NOTE: If Swedish BankID is used for user onboarding, it is not allowed to issue alternative credentials to that user afterwards (so-called ID switch). If Swedish BankID is used for the initial onboarding, it must therefore also be used for all subsequent authentications.

Screenshots

Authentication

When the user has completed the digital onboarding process, Swedish BankID can be used for authentication by verifying an existing user’s identity. Getting started guides for authentication with the different Signicat Connect authentication protocols can be found here.

An authentication will result in a type of response that will depend on the type of authentication protocol used. See the Result section for an example.

Use case

As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. Swedish BankID can be used for authentication, the same way it can be used for registering as a new customer.

Screenshots for desktop

Screenshots for mobile

The user provides his/her personnummer and security code using the BankID säkerhetsapp on his/her mobile phone or tablet.

Alternatively, Signicat offers the ability to use the Mobilt BankID app to scan a QR code displayed on a different device (such as a desktop PC). This removes the need to enter a personnummer and also improves security: in a personnummer-initiated flow, anyone who knows the victim’s number can start an authentication from a remote browser and hope the victim approves the prompt in the app, whereas a QR code can only be scanned by a phone that is physically in front of the browser that started the session.

Result

An example of an OpenID Connect response when Swedish BankID is used for authentication can be found here. The OIDC result will be the same regardless of whether it is Swedish BankID or Swedish Mobile BankID optimized for in-app that is used during authentication. See more about the in-app solution here.

Electronic signing

For electronic signing of documents, Swedish BankID can be used in two ways: authentication-based signing or third-party signing.

The first alternative, authentication-based signing, is Signicat’s own signing solution and supports the use of any type of authentication method provided by Signicat. Swedish BankID as an authentication method is used for this alternative, where the authentication result is reused for signing. It will ensure a unified output format in accordance with EU specifications as well as a scalable, responsive Signflow supporting virtually all modern device standards and window sizes.

The second alternative, performing native signing with Swedish BankID as a third-party method, is Swedish BankID’s native signing support. It will not follow the same output formats and cannot be guaranteed to support responsive Signflows nor necessarily support all of the same signing functionalities as the authentication-based alternative. Swedish BankID natively supports signing of text documents in the BankID säkerhetsprogram (BankID Security Application). The technical requirements are that your text document is UTF-8 encoded and doesn’t exceed 100 KB. Control characters such as TAB and CR LF are allowed. This file is a text document which is within the 100 KB limit: Example text document

The signing result will, regardless of the alternative chosen for signing, result in a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). See the Result section for signing result examples.

For more information about getting started with electronic signing, the different signing methods and more, please see this page for the signing documentation.

Use case

With Signicat Signature you can use Swedish BankID to sign (as well as view or upload) one or more documents, such as loan applications or contracts. Signing with authentication-based signing will allow you to sign all documents at once, while third-party signing will require you to sign the documents one at a time.

Screenshots for desktop

The screenshot illustrates authentication-based signing and third-party signing when using Swedish BankID. In both flows, there are two documents for signing, ‘Letter of intent’ and ‘Contract details’, as well as one document for viewing only, ‘Information about Signicat’.

Authentication-based signing
Third-party signing
 

Screenshots for mobile

The screenshot below illustrates the signature process for Mobile BankID.

Signing with Swedish BankID also supports the scanning of a QR code in order to perform the signature process. Please contact support@signicat.com in order to have this functionality configured.

Result

The signing result will produce a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES as LTV-SDOs).

Authentication-based signing

An example of an LTV-SDO as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

Third-party signing

An example of an LTV-SDO as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

How to get started with Swedish BankID

This is a process description for establishing a new solution with Swedish BankID.

The process describes the interaction between the customer, the customer’s Bank, and Signicat Operations when developing and establishing a web application, using Swedish BankID. The process contains descriptions of tasks relevant to all parties.

The process is described using steps, where each step has a natural end state. The descriptions are mainly high-level overviews without technical details.

Signicat may, if the customer expresses the desire for it, carry out some of the steps on behalf of the customer.

Process overview

  1. Customer signs agreement with Signicat AS
  2. Customer selects bank and signs an agreement with the bank
  3. Customer performs technical integration with id.signicat
  4. Customer orders ‘Köparcertifikat’ for production from the bank
  5. Customer performs ‘Köpargenomgång’
  6. Customer receives and installs the Köparcertifikat for production
  7. Customer performs the Köparcertifikat production test

End condition

At least one of the following functions must be available and successful in the customer’s web application, using the Signicat services:

  • secure identification of Internet users, using Swedish BankID
  • digital signing of documents, using Swedish BankID

Process

1. Customer signs agreement with Signicat AS

Signicat AS is a BICS supplier, approved by Finansiell ID-Teknik in Sweden.

The customer signs an agreement with Signicat AS. This agreement specifies, among other things:

  • the SLA between the customer and Signicat AS
  • the number of ID methods (such as authentication, signing, and verification)
  • the number of ID solutions (such as Swedish BankID)
  • the number of graphical profiles the customer needs

2. Customer signs an agreement with the bank or with Signicat regarding the use of BankID

This step takes place between the customer and the bank, or between the customer and Signicat.

If the customer wishes to sign with a bank, the following authorizations must be specified in the agreement:

  • who is authorized to order, manage, and close the Köparcertifikat. The Köparcertifikat represents the customer and is used to authenticate Internet users and enable signing of documents in real time.
  • who is authorized to obtain and install the Köparcertifikat in a production environment.

If the customer signs the agreement directly with Signicat, no paperwork regarding this step is required. This may speed up the establishment process by a number of days or weeks. Signicat’s Köparcertifikat will be used instead.

3. Customer performs technical integration with id.signicat

After the agreements are signed, the customer performs technical integration with id.signicat. This includes:

  • installation and programming of the Signicat client kit
  • testing the integration

4. Customer orders Köparcertifikat for production from the bank

This step is not required if the customer has signed an agreement with Signicat regarding the use of BankID.

The customer creates a Certificate Signing Request (CSR) file using the ‘Keyman’ software for the customer’s bank, and sends an order containing the CSR file to the bank by e-mail. The private key generated together with the CSR stays on the system where it was created; only the CSR is sent to the bank.

Signicat has installed Keyman for different banks, and may, if the Customer wishes, perform this task on behalf of the customer.

5. Customer performs ‘köpargenomgång’

The customer performs a so-called ‘Köpargenomgång’ of the technical and administrative solution with the bank.

A Köpargenomgång is a review of the customer’s business, which looks at, among other things:

  • how BankID will be used, and for which service
  • which BankID software will be used (id.signicat)
  • how security is implemented
  • which logging routines exist
  • how the requirements of the Personal Data Act (Personuppgiftslagen – PUL) are handled

Signicat may assist the customer in describing the technical parts of the Köpargenomgång document.

6. Customer receives and installs the Köparcertifikat for production

This step is not required if the customer has signed an agreement with Signicat regarding the use of BankID.

The bank produces the Köparcertifikat and sends it to the person who is authorized to receive it.

When Signicat Operations receives the Köparcertifikat, it is installed in the certificate archive according to Signicat’s own security procedures for certificate management.

The certificate will be available in the customer’s configuration on id.signicat.com. It will be used to authorize incoming transactions only from the customer’s web application, or a predefined whitelist of accepted sites, as specified by the customer.

7. Customer performs the Köparcertifikat production test

The customer must notify the bank three days before the production test is conducted. The date and time of the production test, as well as the number of identifications and signatures that will be made, must be specified.

The test is performed using the customer’s application. From the application, the identifications and/or signatures are sent to id.signicat. For each call, id.signicat creates a request, signs it with the Köparcertifikat, and sends it to the BankID server. The BankID server receives the request, verifies it, and sends a response containing the result back to id.signicat.

After finishing the test, the bank analyzes the test results, and if successful it sends an approval to the customer. After approval is received, the customer may launch the new web application.

Certificate information

Köparcertifikat

Köparcertifikat is a business certificate that represents a company or an organization. A business certificate is intended to secure communication to and from companies and organizations. It does not contain any personally identifiable information.

The Köparcertifikat and its private key are stored in your system, or in the system of a service provider such as Signicat AS.

BankID e-legitimation for private persons

BankID certificates are stored on a smartcard or on a file on the end-user’s computer.

Several Swedish banks are issuing BankID e-legitimation for private persons.

Test information

Signicat offers 24/7/365 free access to the test environment at preprod.signicat.com.

Certificates for test users

If you already have a certificate for production BankID, you can log in to https://demo.bankid.com and issue test certificates as explained below. This is also possible using an existing valid test certificate.

Prepare a name and personnummer (Swedish national identification number) for each test user you would like to create. The personnummer must be a valid 12-digit number in the format YYYYMMDDXXXX. You can use www.personnummer.nu to generate a valid personnummer; see ‘How to obtain a Swedish National ID number’ below. That site gives you a number in the format YYMMDD-XXXX, which you must change to YYYYMMDDXXXX. If you do not have a Swedish BankID, you may order a code from https://demo.bankid.com/CreateCode.aspx and issue new test users as described in the ‘How to obtain the test user’ section.

If you do not have a personnummer, you may construct one for testing. This must be a properly formatted national ID including a control digit. For details, see www.personnummer.nu.

How to obtain a Swedish National ID number

To get a Swedish National ID number you can go to www.personnummer.nu to generate one.

For those who do not understand Swedish:

Födelsedatum = Birth date (ÅÅ-MM-DD) = (YY-MM-DD) as in year-month-day.

Kön = Sex

Kvinna = Woman

Man = Man

Generera = Generate

 

The highlighted field is the generated National ID number. To use it for authenticating/signing you need to remove the hyphen and add a two-digit century prefix: the first two digits of the year the person was born, i.e. 19 for 1900-1999 and 20 for 2000-2099. The 10-digit form does not encode the century itself, so you must know it (for a test user you simply choose it). Note also that for persons aged 100 or more the separator in the 10-digit form is ‘+’ rather than ‘-’.

The generated National ID number 800618-4629 would appear as 198006184629 without the hyphen and with the prefix.
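The conversion and check described above, as an added Python example (not code from the original page, nor from BankID or Signicat). It computes the control digit, which for a Swedish personnummer is the Luhn checksum over the 10-digit form, converts the YYMMDD-XXXX form from www.personnummer.nu to the 12-digit YYYYMMDDXXXX form BankID expects, builds a valid test personnummer from a birth date, and produces the subject-YYYYMMDDXXXX login_hint value used later on this page. It goes a little beyond the page’s rule: the century can be inferred from today’s date, and the ‘+’ separator used for persons aged 100 or more is handled. The function names are my own.

```python
import datetime
import re
from typing import Optional

# Helper names below are my own (not from the page or from BankID/Signicat).
SHORT_FORM = re.compile(r"^(\d{2})(\d{2})(\d{2})([-+]?)(\d{3})(\d)$")  # YYMMDD-XXXC, YYMMDD+XXXC, YYMMDDXXXC
LONG_FORM = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{3})(\d)$")           # YYYYMMDDXXXC


def luhn_check_digit(nine_digits: str) -> int:
    """Control digit for YYMMDDXXX: Luhn with weights 2,1,2,1,... over the 10-digit form."""
    total = 0
    for i, ch in enumerate(nine_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def to_twelve_digits(pnr: str, century: Optional[int] = None,
                     today: Optional[datetime.date] = None) -> str:
    """Normalise a personnummer to YYYYMMDDXXXC, verifying the control digit and the date.

    century=19 or 20 applies the page's rule explicitly. With century=None the century is
    inferred: the latest year that is not in the future, minus another 100 years when the
    separator is '+' (the form used for persons aged 100 or more).
    """
    m = LONG_FORM.match(pnr)
    if m:
        yyyy, mm, dd, serial, check = m.groups()
    else:
        m = SHORT_FORM.match(pnr)
        if not m:
            raise ValueError(f"not a personnummer: {pnr!r}")
        yy, mm, dd, sep, serial, check = m.groups()
        if century is not None:
            year = century * 100 + int(yy)
        else:
            today = today or datetime.date.today()
            year = (today.year // 100) * 100 + int(yy)
            if year > today.year:
                year -= 100
            if sep == "+":
                year -= 100
        yyyy = f"{year:04d}"
    if luhn_check_digit(yyyy[2:] + mm + dd + serial) != int(check):
        raise ValueError(f"control digit mismatch in {pnr!r}")
    datetime.date(int(yyyy), int(mm), int(dd))   # raises ValueError for an impossible date
    return yyyy + mm + dd + serial + check


def make_test_personnummer(birth_date: str, serial: int) -> str:
    """Build a syntactically valid 12-digit personnummer for a BankID test user.

    birth_date is YYYYMMDD; serial is the three-digit XXX part (its last digit is odd
    for men and even for women). The control digit is appended.
    """
    datetime.datetime.strptime(birth_date, "%Y%m%d")   # reject impossible dates
    if not 0 <= serial <= 999:
        raise ValueError("serial must be three digits")
    body = birth_date[2:] + f"{serial:03d}"
    return birth_date + f"{serial:03d}{luhn_check_digit(body)}"


def login_hint(pnr: str, **kwargs) -> str:
    """The login_hint value this page uses to prefill the ID number: subject-YYYYMMDDXXXX."""
    return "subject-" + to_twelve_digits(pnr, **kwargs)


if __name__ == "__main__":
    print(to_twelve_digits("800618-4629", century=19))   # the page's example: 198006184629
    print(make_test_personnummer("19851230", 831))
    print(login_hint("800618-4629"))
```

A generated number is only syntactically valid; in the BankID test environment it identifies whichever test user you issue it to, and nothing else.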

How to install the application

How to install the application (Android)
  1. To install the Swedish Mobile BankID application for testing you first have to download it from this page: http://www.bankid.com/rp/info/
  2. Under the header “Test av BankID” choose the  “Testversion BankID säkerhetsapp för Android” link and save the .apk file you get
  3. Send the .apk file to your smartphone by e-mail
  4. You have to allow the phone to install from unknown sources (do this only on a dedicated test device, and turn the setting off again afterwards)
  5. Click the .apk file in your e-mail and install the app
  6. When you open the app you need a Swedish National ID number (test) and an activation code

The installation file can be found here:

How to install the application (iOS)
  1. Install BankID säkerhetsapp from the App Store.
  2. Go into Settings -> BankID -> Utvecklare (Developer) -> Server. Change this to businternal.test.bankid.com.

This setting makes the security app communicate with the test environment instead of production, and it cannot be changed back. If you later need the production version, uninstall the app and install it again via the App Store.

How to install the application (Windows Phone 8)
  1. Install the BankID säkerhetsapp from the Windows Phone Store
  2. Start the BankID Security App, select Settings / Developer / Server and enter “businternal.test.bankid.com”
  3. Save, exit the BankID Security App and launch again
  4. The BankID Security App will now connect to the test server

How to install the application (Windows)
  1. Uninstall all previous versions of the BankID säkerhetsprogram. Reboot PC
  2. Download and install the latest version, available at https://install.bankid.com/
  3. Find the config folder at this location: %APPDATA%\BankID\ (%APPDATA% already expands to ...\AppData\Roaming)

(Open the AppData folder by typing %appdata% in the Explorer address bar)

You will end up in the ‘Roaming’ folder. From there, continue to the BankID folder. Your address path should now look like: C:\Users\<your username>\AppData\Roaming\BankID

Here, you will find a folder named ‘Config’.

Rename this to ‘Config.prod’ and create a new folder named ‘Config’.

Open the ‘Config’ folder you created. Create a new .txt file and name it CavaServerSelector.txt.

Open it in Notepad, write “kundtest” and save.

Restart PC.

How to obtain the test user

Go to https://demo.bankid.com/ and log in using your preferred option.

https://www.bankid.com/rp/info also contains links and information about Swedish BankID and how to obtain test users.

There are four options:

  1. “Logga in med test-BankID” = Log in with a test BankID.
    You can either log in with a test user on the computer or with a test user using the mobile application you installed (that is, if you already have a test user in the app/ computer).
  2.  “Logga in med produktions-BankID” = Log in with a production BankID.
    If you have a Swedish BankID you can log in with your production BankID on the computer or in the production app (if you have set up the app for your BankID).
  3. “Logga in med personlig kod” = Log in with a personal code.
    If you do not have a personal code, you can choose to generate a new code.
  4. “Logga in med BankID på fil eller kort – Plugin” = Log in with a BankID on file or card – Plugin
    Here you would have been able to use the old solution with plug-ins in the browser that were phased out during 2014. This is the option you would have chosen if you had BankID Security 5.0.2 or older.

After logging in you will be presented with this page. Choose “Hämta BankID för test”:

On this page, you can choose to download Mobile BankID (left) or desktop BankID (right). Fill in the form with the personnummer as well as first and last name and click “Hämta”.

Mobile client

If you choose Mobile BankID, you will get an activation code such as the following (you must disable any popup blockers). This code is valid for 10 minutes.

Open the BankID app on your phone, enter the personnummer and activation code. In the next window, you create a PIN code with at least 6 digits.

Now activation is done and the client is ready to use:

Desktop client

If you choose BankID on file, you will be presented with a new window (you must disable any popup blockers). Press “Open BankID issuing” to get started.

Then you can download, install, and choose your password.

After you have downloaded and installed the app you will be asked to choose a security code (PIN) for your BankID. You have to remember this code for use later when you test authentication/signing. The app will not allow a trivial code such as 111111 or 123456. For a throwaway test user any six digits you will remember are fine, e.g. 180680; do not use a date of birth or another guessable value as the code of a production BankID.

Your BankID is now ready.

If you have an ordinary or test BankID you may follow these steps:

  1. Access https://demo.bankid.com/nyademobanken.
  2. Log in with your BankID and select “Hämta BankID för test”.
  3. You will receive an activation code which you may use in the BankID säkerhetsapp.
  4. Select your security code for Mobile BankID, minimum 6 digits.

If you don’t have a Swedish BankID, you may follow this manual procedure:

  1. Send an email to teknikinfo@bankid.com (Finansiell ID-Teknik) and describe where you work, the purpose of your development, and your phone number
  2. They will contact you and initiate creation of a test BankID. During this process you have to enter some data into the BankID säkerhetsapp. They will verify that the newly issued BankID is working.
  3. If you do not have a personnummer, you may construct one for test. This must be a properly formatted national ID including control digit. See: www.personnummer.nu.

Mobilt BankID

Mobilt BankID is a personal electronic identification for cell phones and tablets. It may be used from a mobile device in the same way as BankID on card or file can be used from a PC.
Mobilt BankID supports authentication and digital signature with Swedish BankID. It depends neither on a special SIM card, nor on a specific telecom company. It is even possible to have Mobilt BankID without a subscription in a Swedish telecom company, but it can only be ordered by persons with a personnummer. Mobilt BankID may be used from Android and iOS based phones and tablets (provided they have Internet access).

Today three Swedish banks are issuers of Mobilt BankID:

  • Swedbank
  • Skandiabanken
  • Länsförsäkringar Bank

Several other banks plan to follow these three.

Getting started

For merchants

Existing customers of Signicat may contact support@signicat.com to find out what needs to be done to get up and running with Mobilt BankID.

For other customers the establishment process is identical with ordinary Swedish BankID. See a detailed description under certificates.

  1. You will need a merchant agreement with your bank.
  2. The bank performs a “Köpargenomgång” of your company

After the agreements are signed and “Köpargenomgång” is performed, the bank will issue a merchant certificate for the test and production environment.

For end users

End users must install the BankID säkerhetsapp on their mobile device.

  • For Android users, the BankID säkerhetsapp may be installed from Google Play.
  • For iOS users, the BankID säkerhetsapp may be installed from AppStore.

How to integrate authentication with Swedish BankID from a native app

In May 2014, Signicat released a version of Swedish Mobile BankID optimized for in-app usage. If you are building your own browserless native app and want to utilize Swedish Mobile BankID authentication via Signicat, we recommend using our OpenID Connect (OIDC) API as a mediator. The required steps are as follows:

  1. Inform Signicat Operations that you would like to have a Swedish Mobile BankID method for in-app usage set up for OIDC. Signicat will request some information about this setup. For more information about the setup itself, please refer to the OIDC documentation on the subject here.
    • If you wish to test your solution using our demo service, please use Client ID demo-inapp, Redirect URI https://example.com/redirect and method name sbid-inapp.
  2. Since in-app usage does not require a web browser, you will have to do all the calls towards the Signicat OIDC API using an HTTP client. This client has two major requirements:
    • The HTTP client should support HTTP Cookies, which should persist throughout the entire authentication session.
    • The HTTP client should support and follow any HTTP redirects.
  3. Begin crafting the OIDC Authorization Request. The parameters are mostly standard OIDC parameters (you may use this guide, under ‘Crafting the Authorization URI’ as a reference). Exceptions are as follows:
    • Since this is an in-app custom HTTP client, we recommend POSTing the authorization parameters using the “application/x-www-form-urlencoded” content-type towards the /oidc/authorize endpoint instead of encoding the parameters in the URI and doing an HTTP GET. This is not mandatory, however.
    • The authorization request can contain the user’s personnummer as a parameter. The parameter to add looks like this: &login_hint=subject-8512308316 . If this is done, the user will be able to log in by manually starting the app.
    • The authorization request must contain the HTTP header “Accept: application/json”.
  4. Once the OIDC Authorization Request is sent from the HTTP Client to the Signicat OIDC API, you will receive a JSON response. It will look as follows:
    •  {"collectUri": "https://id.signicat.com....", "orderRef": "123abc", "autoStartToken": "124abc"}
    • If the user’s personnummer was not provided in the previous step, you will need to use the autoStartToken to start the BankID app manually. Exactly how the app is launched depends on the operating system, so please refer to chapter 3.3 in the BankID Guidelines for detailed information.
    • If the JSON instead contains “error” and “error_description” attributes, something went wrong, and the error_description attribute should contain valuable debugging information.
  5. At this point, your app is pushed to the background in the end-user’s phone. It is time to start polling for a result:
    • Build the polling URI by appending the orderRef as a query parameter to the collectUri, for instance: https://id.signicat.com/…/?orderRef=123abc
    • The response will look like this:
      {"progressStatus": "COMPLETE", "completeUrl": "https://id.signicat.com/oidc/...."}
    • Naturally, progressStatus won’t be “COMPLETE” before the user has finished, but once the user has finished, the completeUrl attribute will also be present in the object.
  6. Make the HTTP client do an HTTP GET towards the completeUrl provided. After a series of redirects, the HTTP client will arrive at the OIDC redirect URI requested in step 3 with “code” and “state” query parameters.
    • The web service hosted at this redirect URI should extract the “code” and “state” query parameters from the request made by the app’s HTTP client, check that “state” equals the value the app sent in step 3, and then complete the flow according to the OIDC standard (see “Receiving the Authorization Response” here). The token request is authenticated with HTTP Basic authentication; for the demo-inapp OIDC client the Authorization header value is Basic ZGVtby1pbmFwcDptcVotXzc1LWYyd05zaVFUT05iN09uNGFBWjd6YzIxOG1yUlZrMW91ZmE4. That value encodes the client secret, so keep it on your backend and never ship it in the app binary.

A functional example of this flow can be found at https://github.com/signicat/py-sbid-inapp.

The following flowchart illustrates the authentication sequence:

Important to note

  • The first response from Signicat will contain a session cookie. This cookie must be sent with all subsequent requests in the session. Signicat expects the HTTP client running on the user’s device to conform to RFC 6265 on cookie handling. Depending on the HTTP client library you use, you might need to enable cookie storage first; refer to your HTTP client’s documentation for how to do this.
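Steps 3 to 6 of the procedure above, as an added Python example (not the page’s code and not Signicat’s py-sbid-inapp). It posts the authorization request as a form with Accept: application/json, handles the error/error_description response, polls collectUri with the orderRef until progressStatus is COMPLETE, follows completeUrl to the redirect URI, and checks that the echoed state matches the one it generated before handing the code on. The authorize endpoint path, the acr_values form used to select the sbid-inapp method, and the non-COMPLETE progressStatus value are assumptions. make_urllib_fetch is the real transport (cookie jar plus redirect following); make_fake_signicat is a constructed in-memory stand-in for the Signicat endpoints so the flow runs offline.

```python
import json
import secrets
import time
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# From the page's demo setup.
CLIENT_ID, REDIRECT_URI, METHOD = "demo-inapp", "https://example.com/redirect", "sbid-inapp"
# Assumptions, not stated on the page: the endpoint path and how the method name is selected.
AUTHORIZE_URL = "https://id.signicat.com/oidc/authorize"
ACR_VALUES = "urn:signicat:oidc:method:" + METHOD


def make_urllib_fetch():
    """Real transport meeting the page's two client requirements: a cookie jar that persists
    for the whole session (RFC 6265) and automatic following of redirects."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch(method, url, headers=None, body=None):
        req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
        with opener.open(req) as resp:                      # HTTP 4xx/5xx raise HTTPError
            return resp.status, resp.geturl(), resp.read().decode("utf-8")
    return fetch


def _raise_if_error(data):
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")


def authenticate(fetch, personnummer=None, poll_interval=2.0, max_polls=90, sleep=time.sleep):
    """Steps 3-6 of the page's procedure. Returns the authorization code, the state the app
    generated, and the autoStartToken (needed to launch the BankID app when no personnummer
    was given). fetch(method, url, headers, body) -> (status, final_url, text)."""
    state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    params = {"response_type": "code", "scope": "openid profile", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
              "acr_values": ACR_VALUES}
    if personnummer:                      # lets the user start the BankID app manually
        params["login_hint"] = "subject-" + personnummer
    # Step 3: form-encoded POST; the Accept: application/json header is mandatory.
    _, _, text = fetch("POST", AUTHORIZE_URL,
                       {"Accept": "application/json",
                        "Content-Type": "application/x-www-form-urlencoded"},
                       urllib.parse.urlencode(params).encode())
    order = json.loads(text)
    _raise_if_error(order)                # step 4: error/error_description instead of an order
    # Step 5: poll collectUri?orderRef=... until progressStatus is COMPLETE.
    sep = "&" if "?" in order["collectUri"] else "?"
    poll_url = order["collectUri"] + sep + urllib.parse.urlencode({"orderRef": order["orderRef"]})
    for _ in range(max_polls):
        _, _, text = fetch("GET", poll_url, {"Accept": "application/json"})
        progress = json.loads(text)
        _raise_if_error(progress)
        if progress.get("progressStatus") == "COMPLETE" and "completeUrl" in progress:
            break
        sleep(poll_interval)
    else:
        raise TimeoutError("user did not complete the BankID authentication in time")
    # Step 6: GET completeUrl; the redirect chain ends at REDIRECT_URI?code=...&state=...
    _, final_url, _ = fetch("GET", progress["completeUrl"], {})
    if not final_url.startswith(REDIRECT_URI + "?"):
        raise RuntimeError("did not arrive at the registered redirect URI: " + final_url)
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(final_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], state):
        raise RuntimeError("state mismatch: response does not belong to this session")
    # The code is exchanged for tokens on the backend, which is where the client secret lives.
    return {"code": query["code"][0], "state": state, "autoStartToken": order.get("autoStartToken")}


def make_fake_signicat(pending_polls=2):
    """Constructed in-memory stand-in for the Signicat endpoints (JSON shapes as on the page;
    the OUTSTANDING_TRANSACTION status value is made up). Lets authenticate() run offline."""
    memo = {"polls": 0, "state": None}

    def fetch(method, url, headers=None, body=None):
        if method == "POST" and url == AUTHORIZE_URL:
            if (headers or {}).get("Accept") != "application/json":
                return 200, url, json.dumps({"error": "invalid_request",
                                              "error_description": "Accept header missing"})
            memo["state"] = urllib.parse.parse_qs(body.decode())["state"][0]
            return 200, url, json.dumps({"collectUri": "https://id.signicat.com/oidc/collect",
                                          "orderRef": "123abc", "autoStartToken": "124abc"})
        if method == "GET" and url == "https://id.signicat.com/oidc/collect?orderRef=123abc":
            memo["polls"] += 1
            if memo["polls"] <= pending_polls:
                return 200, url, json.dumps({"progressStatus": "OUTSTANDING_TRANSACTION"})
            return 200, url, json.dumps({"progressStatus": "COMPLETE",
                                          "completeUrl": "https://id.signicat.com/oidc/complete/123abc"})
        if method == "GET" and url == "https://id.signicat.com/oidc/complete/123abc":
            q = urllib.parse.urlencode({"code": "AUTHCODE-xyz", "state": memo["state"]})
            return 200, REDIRECT_URI + "?" + q, ""     # what geturl() reports after the redirects
        return 404, url, json.dumps({"error": "not_found", "error_description": url})
    fetch.memo = memo
    return fetch


if __name__ == "__main__":
    print(authenticate(make_fake_signicat(), "198512308316", sleep=lambda _: None))
```

To run it against the real service, pass make_urllib_fetch() instead of the fake; the fetch signature is the only coupling, so the cookie and redirect handling can also be swapped for whatever HTTP stack the app already uses.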

Description of the Android App

The Signicat Swedish Mobile BankID Android App (referred to as the app or android app for the rest of this document) is a native Android app that demonstrates using Swedish Mobile BankID for authentication from a native app. It uses Signicat services and demonstrates a simple authentication scenario where the user enters his/her personal identity number, continues the process in the BankID app and finally returns to the app for completion.

Detecting if the end user has the BankID app installed

From a native app

If you are writing a native app where you utilize Signicat services for your authentication or signature needs, then you will be able to detect if the end user has installed the BankID app necessary to complete the transaction.

Detecting on iOS
BOOL installed = [[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"bankid://"]];

Please refer to the Apple Developer Center for more information on canOpenURL:. Note that since iOS 9 the “bankid” scheme must be declared under LSApplicationQueriesSchemes in the app’s Info.plist; otherwise canOpenURL: returns NO even when the BankID app is installed.

Detecting on Android
import android.content.Context;
import android.content.pm.PackageManager;

/** Returns true if the Swedish Mobile BankID app (package com.bankid.bus) is installed. */
private boolean isSwedishMobiltBankIdInstalled(Context context) {
    PackageManager pm = context.getPackageManager();
    try {
        // Throws NameNotFoundException when the package is not installed (or not visible).
        pm.getPackageInfo("com.bankid.bus", PackageManager.GET_ACTIVITIES);
        return true;
    } catch (PackageManager.NameNotFoundException e) {
        return false;
    }
}

Please refer to the Android Developer Center for more information about the PackageManager. On Android 11 (API level 30) and later the app must also declare the BankID package in a <queries> element in its manifest; without it, getPackageInfo throws NameNotFoundException even when the BankID app is installed.

From a web page on a mobile device

It is not possible to detect if the end user has the BankID app installed from a web page on a mobile device. Otherwise, it would be possible for any web page to scan users’ phones and tablets for which apps are installed, perhaps to target an attack against the user.

The good news is that you do not have to do anything about this because Signicat already does its best depending on the platform.

  • For iOS, an attempt is made to launch the app from javascript. If nothing seems to happen, a message is displayed saying that it appears that the app could not be launched, along with a link to the app store.
  • For Android, a message is immediately presented to the user saying that the app is required to complete the process (along with a link to the app store). Two buttons are presented, one to launch the app and one to cancel. If the user chooses to launch the app even though it is not installed, nothing happens. Presumably, the end user realizes the mistake and either proceeds to download the app, or simply cancels.

 

Customizing the graphics and the flow for the end-user

iframe usage

If you intend to run the process in an iframe, you may choose to have graphical profile support disabled so you don’t have to worry about it at all.

Important note for iOS9+

Please note that iOS 9 and later prevents apps from being automatically launched from an iframe. If you choose to iframe the process, then the module must be configured to ask the end user for his/her national id-number, after which the user must manually open the BankID app and then go back to Safari to complete the process. Full frame processes can automatically launch the app on iOS 9.

Custom styling

You may choose to switch off the standard UI, which will produce the same content – unstyled. It will then be up to you to write your own CSS in order to make it look the way you want. Here’s how it will look without any CSS applied:

Behavior customization

The device question

By default, the module will ask the end user if he/she would like to use a BankID on this device/computer or a (mobile) BankID on another device. You may choose to have this question turned off, which implies that the user will always use a BankID on the local device or computer.

The ID number

If the end user chooses to use a BankID on another device (see the previous section), then he/she must input his/her personal identity number (12 digits). The module accepts “prefilling” of the ID number information, so if you already know the ID number of the person then you may append the login_hint=subject-YYYYMMDDXXXX parameter to the request (or add it to the DocumentService request when creating a document order), in which case this dialog will be skipped.

Auto-launching the app

In theory, the BankID app can be automatically launched on some platforms. The auto-launch feature is implemented using an invisible iframe which tries to load a certain kind of URL which will trigger the BankID app to start. Not all browsers support it – Chrome, for example, will disallow it from happening. If it seems that nothing has happened within five seconds after trying to auto-launch, then the interface will display a “Start the BankID app” button.

The auto-launching feature may speed up the process for users on platforms that support it, but it can also be a bit confusing and it will actually slow down the process for users on unsupporting platforms. Auto-launch is disabled by default. You may choose to have it enabled, but there are no guarantees that it will succeed.

Client flow

Given the customization points mentioned, the general client flow up until the BankID app is launched is something like:

The UX on mobile devices

In a browser on a mobile device

The BankID app is available for Android, iOS and Windows Phone.

On Android, the module can be initiated from any browser, and it will simply launch the BankID app and then return to the previous application.

On iOS, the BankID app must be told which URL to open once it’s finished. The way iOS handles URLs is that it associates a certain “URI scheme” with a certain application, so for example URIs that start with “http(s)://” are handled by Safari, “mailto:” by Mail, “bankid://” by the Swedish BankID app and so on.

There is no way to “close” an app programmatically on iOS – you can only switch between applications by launching a URI. This goes for BankID too, so it must know which URI to launch once it’s complete (referred to as the “redirect URI”). By default, the Signicat BankID integration will try to switch back to the previously opened tab in Safari. The operating system does not guarantee that this will happen; it may open a new tab, and if it is running low on memory it may decide to reload the tab.

Signicat will try to handle this as gracefully as possible, but one thing cannot be controlled: if the user starts the process in a non-default browser (such as Chrome for iOS) or from within another app, BankID will switch to Safari when the process is complete. Signicat will verify the transaction and redirect the user with a response to the given target, but the end user will most likely notice that the “app context” was switched. Functionally, however, the result is the same.

On Windows Phone, the behavior is similar to iOS, with the distinction that Internet Explorer will always be launched and it will always reload the page when returning from the BankID app (as of Windows Phone 8.0).

None of the mobile platforms allow a webpage to detect if a certain app is installed, for obvious security reasons.

In a native app on a mobile device

If you are building your own native app and you want to integrate with Swedish BankID from that app, you may choose to have the module set up optimized for “in-app usage”. This will eliminate all UI, allowing you to communicate with Signicat with JSON request/responses and give you full control over the flow and user experience.

It’s also possible to do the integration with an integrated browser control in a native app. On iOS and Windows Phone, you may choose to force a certain redirect URI either by having support@signicat.com configure it for you, or you may pass the prefilled.redirect parameter with the (URL encoded) URI you want BankID to switch to. This can come in handy if you need the BankID app to switch back to your own app once it’s done. The User-Agent header needs to indicate iOS (iPhone|iPad) or Windows Phone in order for this approach to succeed.

Browser support

Please refer to the Swedish BankID Q&A for more information on supported platforms. Please refer to the Relying Party Guidelines if you’re looking for detailed technical information on Swedish BankID.

More information about graphical adjustments and customization can be found here.

Swedish BankID support

Support email: teknikinfo@bankid.com
Website homepage: www.bankid.com

Other sources