Set up Bank iD

This page describes how to set up Czech Bank iD in the Signicat Dashboard.

About this documentation

The instructions apply to you if you want to integrate:

  • In a sandbox environment.
  • In a production environment with a direct contract with Czech Bank iD (see Bring your own contract in the How it works section).

To go live in production with Signicat as a mediator instead, you need to contact us by creating a support ticket in the Signicat Dashboard.

Prerequisites

If you do not have an account already, then you need to sign up to the Signicat Dashboard for free and complete the initial preparations. To do this:

  1. Sign up to the Signicat Dashboard and register your profile.
  2. Ensure that you have created an organisation.
  3. Create an account. To do this:
    1. Go to Signicat Dashboard > Organisation, then select + Add account.
    2. Enter an account name, choose the type of account that you want to create, then select Create.
  4. Create a domain. To do this:
    1. Go to Signicat Dashboard > Settings > Domain management, then select + Add domain.
    2. To create a standard domain, enter a domain name. Then, select Add domain.
    3. To create a custom domain, follow the instructions in the Custom domains documentation.
Account types

We recommend that you create a sandbox account to test our services before going live. Sandbox and production accounts must be set up separately.

Get connection URIs

To set up a connection between Signicat and Czech Bank iD, you first need to generate connection URIs that you later use to configure an app in the Czech Bank iD Dashboard. To generate connection URIs in the Signicat Dashboard, do the following:

  1. Go to Signicat Dashboard > Products > eID and Wallet Hub > eIDs.
  2. Select + Add new.
  3. From the list of eIDs, select Czech Bank iD.
  4. In the configuration screen, select Get URIs to generate URIs based on your Signicat account. These are:
    • Redirect URIs: The address, pointing to your domain(s), where Czech Bank iD directs its response after authentication. Multiple URIs are generated when you have multiple domains in your account. Learn more about domains in the documentation.
    • Sector Identifier URI: Applies when using multiple Redirect URIs. Points to a list of all your Redirect URIs.
    • JWKS URI: Hosts the JSON web key set (JWKS) to communicate with Bank iD.
  5. Copy the URIs. You will need them later in the process when configuring your app settings in the Czech Bank iD Dashboard.

You may leave the Signicat Dashboard and continue with the next step below.

Create an app in the Czech Bank iD Dashboard

After obtaining the connection URIs, you need to register on the Czech Bank iD Dashboard where you receive credentials that you later use in your Signicat account. To do this:

  1. Go to https://developer.bankid.cz/dashboard.
  2. If you don't have an account yet, select Register and follow the on-screen steps.
  3. Once registered, log in to the Czech Bank iD Dashboard.
  4. In the Dashboard, select Create app.
  5. In the New app dialog, enter the name for your app. Optionally, you can upload a logo.
  6. Select Create app to create the new app.

After creating the app, you are redirected to the overview screen where you can manage your app configuration.

To connect the Czech Bank iD app to your Signicat account, you must configure the app settings and obtain credentials that you later add in your Signicat account, as explained in the next sections.

Environments

In the Czech Bank iD Dashboard, you can configure two types of environments:

  • Sandbox: Allows you to test your connection.
  • Production: Requires that you sign a contract and create an organisation.

Create an organisation with Bank iD

Production only

This section applies if you want to integrate with Czech Bank iD in a production account. To test in sandbox, you may skip this section.

To go live in a production environment, you need to connect your app to an organisation. To do this you need to first sign a contract with Czech Bank iD by doing the following:

  1. Log in to https://developer.bankid.cz/dashboard.
  2. Select the app you want to configure.
  3. In the left menu, navigate to App management > App Settings.
  4. Under Organization, select Create an organization.
  5. Fill in the Request to sign a contract form with your company details. Then, select Send request to apply for a contract.

Czech Bank iD will contact you with information about your application. When ready, configure the production app and link it to your Signicat production account.

Configure your app settings

To set up a connection between Signicat and Czech Bank iD, you need to obtain credentials by configuring your app in the Czech Bank iD Dashboard. To do this for the app that you have previously created:

  1. In the app overview, choose your environment (Sandbox or Production) under Environments.
  2. Go to Settings to configure your environment.
  3. Apply the following configuration settings:
    1. General application config

    Fill in the required fields with your company details.

    2. Open ID Connect and OAuth2 settings
    • Redirect URIs: Enter the Redirect URI(s) that you previously generated in the Signicat Dashboard. These are:
      • Sandbox: https://<YOUR_SIGNICAT_DOMAIN>/idps/sandbox/bankid-cz/response. For example, https://example.sandbox.signicat.com/idps/sandbox/bankid-cz/response.
      • Production: https://<YOUR_SIGNICAT_DOMAIN>/idps/bankid-cz/response. For example, https://example.signicat.com/idps/bankid-cz/response.

        To add multiple Redirect URIs, enter all the Redirect URIs on separate rows and provide the Sector Identifier URI.
    • Sector Identifier URI: Optional. Only required when configuring multiple Redirect URIs. Enter the Sector Identifier URI that you previously generated in the Signicat Dashboard. The URI has the following format:
      • Sandbox: https://<YOUR_SIGNICAT_DOMAIN>/idps/sandbox/bankid-cz/sector-identifier. For example, https://example.sandbox.signicat.com/idps/sandbox/bankid-cz/sector-identifier.
      • Production: https://<YOUR_SIGNICAT_DOMAIN>/idps/bankid-cz/sector-identifier. For example, https://example.signicat.com/idps/bankid-cz/sector-identifier.
    • Notification URI: Any valid URL works since notifications are not processed. For example, you may enter the URL of your Signicat domain.
    3. Scopes

    Set the following scopes as shown:

    • openid: Required
    • profile.verification: Unused. Set to Required if you need to comply with AML regulations.
      AML verification

      Set profile.verification as Required if you want to perform AML verification. Note that you must always request the AML attributes in your authentication request. Learn more in the Attributes reference.

    We recommend you set the other scopes to Optional. Any scope set to Required must also be configured in the Signicat Dashboard and specified in the authentication request.

    4. Advanced Settings
    • Authorization code flow: ON
    • Refresh token: Optional
    • Implicit flow: OFF
    • Token endpoint auth method: Client Secret POST
    • JWKS URI: Enter the JWKS URI that you previously generated in the Signicat Dashboard. The URI has the following format:
      • Sandbox: https://<YOUR_SIGNICAT_DOMAIN>/idps/sandbox/bankid-cz/jwks
      • Production: https://<YOUR_SIGNICAT_DOMAIN>/idps/bankid-cz/jwks
    • Encrypt tokens: ON
    • Elliptic curve token encryption: OFF
    • Request URIs: Empty
  4. Scroll to the bottom of the page, then select Apply changes and generate credentials.
  5. Now, the Dashboard redirects you to the Credentials tab. Under Credentials > Keys, note the Client ID and Client Secret generated for your app. You need to copy and paste these credentials in the Signicat Dashboard configuration, as explained in the section below.
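
A pre-flight check for the Redirect URIs and Sector Identifier URI entered in step 3 above, as an added example that is not part of Signicat's or Czech Bank iD's documentation or tooling. It builds the URIs from the path patterns on this page and assumes the Sector Identifier document is a JSON array of Redirect URIs; login.example.com is a constructed custom domain and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Path leaves taken from this page; only sandbox URIs carry the "sandbox/" segment.
LEAVES = {"redirect": "response", "sector": "sector-identifier", "jwks": "jwks"}


def expected_uris(domain, env):
    """Build the three connection URIs for one Signicat domain."""
    if env not in ("sandbox", "production"):
        raise ValueError("env must be 'sandbox' or 'production'")
    prefix = "/idps/sandbox/bankid-cz/" if env == "sandbox" else "/idps/bankid-cz/"
    return {name: f"https://{domain}{prefix}{leaf}" for name, leaf in LEAVES.items()}


def check_registration(domains, env, registered_redirects, sector_doc=None):
    """Return the problems found in the Redirect URIs registered at Bank iD."""
    problems = []
    want = {expected_uris(d, env)["redirect"] for d in domains}
    have = set(registered_redirects)
    for uri in sorted(have):
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"not https: {uri}")
        if env == "production" and parts.path.startswith("/idps/sandbox/"):
            problems.append(f"sandbox URI in production app: {uri}")
    problems += [f"missing redirect URI: {u}" for u in sorted(want - have)]
    problems += [f"unexpected redirect URI: {u}" for u in sorted(have - want)]
    if len(have) > 1:
        # With several Redirect URIs, the sector identifier list must name each one.
        # Assumption: the document is a JSON array of URI strings.
        listed = set(json.loads(sector_doc)) if sector_doc else set()
        problems += [f"not in sector identifier list: {u}" for u in sorted(have - listed)]
    return problems


# Constructed sample: two domains in a sandbox account, sector list missing one URI.
SAMPLE_DOMAINS = ["example.sandbox.signicat.com", "login.example.com"]
SAMPLE_REDIRECTS = [expected_uris(d, "sandbox")["redirect"] for d in SAMPLE_DOMAINS]
SAMPLE_SECTOR_DOC = json.dumps(SAMPLE_REDIRECTS[:1])

if __name__ == "__main__":
    for problem in check_registration(SAMPLE_DOMAINS, "sandbox", SAMPLE_REDIRECTS, SAMPLE_SECTOR_DOC):
        print(problem)
```

An empty result means every registered Redirect URI matches a domain in the account and, where several are registered, each appears in the sector identifier list.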

Add Czech Bank iD in the Signicat Dashboard

After obtaining the client credentials, you need to add Czech Bank iD as an eID in your Signicat account and configure it with the Client ID and Secret obtained in the previous step. To do this:

  1. Go to Signicat Dashboard > Products > eID and Wallet Hub > eIDs.
  2. Select + Add new.
  3. From the list of eIDs, select Czech Bank iD.
  4. In the configuration screen, configure the following settings:
    • Client ID: Enter Client ID generated by Czech Bank iD.
    • Client Secret: Enter Client Secret generated by Czech Bank iD.
    • Reference SLA Guarantee: Optional. Only applies to production accounts and depends on the contract you signed with Czech Bank iD.
  5. Select Add to save the changes.
  6. Verify that Czech Bank iD is present in your eIDs list, with status set to Active.

Test Czech Bank iD

Once you have added Czech Bank iD to the list of available eIDs, you can test how it works for the end-user in the Signicat Dashboard. To do this:

  1. Go to Signicat Dashboard > Products > eID and Wallet Hub > eIDs.
  2. At the top right, select Test eIDs.
    Note

    If more than one eID is configured for the account, then a dialog with a list of configured methods is shown. You must select Czech Bank iD from this list.

  3. In the Czech Bank iD provider page, select the Bank IdP — this is a test bank.
  4. In the Sandbox Inc. authentication site, select the demo account JanN. You can find a list of demo accounts in the bottom-right corner. Alternatively, enter the following credentials:
    • Name: JanN
    • Password: password
  5. Select Log in.
  6. Review the personal data requested for authentication. To confirm, scroll to the bottom and select Potvrdit přístup (Confirm access).

Upon completion, you can review the list of attributes retrieved during authentication.

Next steps: Implement

You are now ready to implement your integration with an authentication protocol. The eID and Wallet Hub supports the following authentication protocols:

You can build your integration with one of the protocols, by following the respective guide for Czech Bank iD: