Skip to content

Commit 52728dd

Browse files
author
Michael Troxler
committed
update reference-guide
1 parent 368498f commit 52728dd

7 files changed

Lines changed: 42 additions & 36 deletions

File tree

docs/reference-guide/app-provider-client-integration.md

Lines changed: 13 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ Before using the **Swisscom Mobile ID** web service, some initial provisioning s
99
1. **The Mobile ID customer (your company) has an agreement with Swisscom:**
1010
- **Connectivity** (Internet or LAN‑I) between the **AP** and **Mobile ID** has been established.
1111
- The AP’s public source IP address (or range) must be whitelisted in the **Swisscom Firewall**.
12-
- The customer has delivered the **X.509 client certificate** to Swisscom (see Create X509 Client Certificates).
12+
- The customer has delivered the **X.509 client certificate** to Swisscom (see [Create X509 Client Certificates](/reference-guide/create-client-certs.md)).
1313

1414
2. **The Mobile ID customer receives from Swisscom:**
1515
- An **AP_ID** (Application Provider Identifier) value.
@@ -35,30 +35,30 @@ The Swisscom Mobile ID web service is accessible through LAN-I or Internet. If
3535
For accessing the service endpoints the Mobile ID customer can choose between SOAP or RESTful endpoints.
3636
:::
3737

38-
### **SOAPEndpoint**
38+
### **SOAP Endpoint**
3939

4040
A description of this interface is available as a **WSDL** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/soap/mobileid.wsdl)
4141

4242
#### Endpoints
4343

4444
| Endpoint URL | Description | Reference Section |
4545
|---------------|--------------|-------------------|
46-
| `<Base‑URL>/soap/services/MSS_SignaturePort` | **MSS Signature** | Section 3.2 |
47-
| `<Base‑URL>/soap/services/MSS_StatusQueryPort` | **MSS Status Query** | Section 0 |
48-
| `<Base‑URL>/soap/services/MSS_ReceiptPort` | **MSS Receipt** | Section 3.4 |
49-
| `<Base‑URL>/soap/services/MSS_ProfilePort` | **MSS Profile Query** | Section 3.5 |
46+
| `<Base‑URL>/soap/services/MSS_SignaturePort` | **MSS Signature** | [Section MSS Signature](/reference-guide/mobile-id-api.html#mss-signature)|
47+
| `<Base‑URL>/soap/services/MSS_StatusQueryPort` | **MSS Status Query** | [Section MSS Status Query](/reference-guide/mobile-id-api.html#mss-status-query)|
48+
| `<Base‑URL>/soap/services/MSS_ReceiptPort` | **MSS Receipt** | [Section MSS Receipt](/reference-guide/mobile-id-api.html#mss-receipt) |
49+
| `<Base‑URL>/soap/services/MSS_ProfilePort` | **MSS Profile Query** | [Section MSS Profile Query](/reference-guide/mobile-id-api.html#mss-profile-query) |
5050

51-
### **RESTEndpoint**
52-
A description of this interface is available as a **YAML** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/rest/mobileid.yaml)
51+
### **REST Endpoint**
52+
A description of this interface is available here: [API Specification](/api-reference/api) or you can downlad the corresponding **YAML** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/rest/mobileid.yaml)
5353

5454
#### Endpoints
5555

5656
| Endpoint URL | Description | Reference Section |
5757
|---------------|--------------|-------------------|
58-
| `<Base‑URL>/rest/service/sign` | **MSS Signature** | Section 3.2 |
59-
| `<Base‑URL>/rest/service/status` | **MSS Status Query** | Section 0 |
60-
| `<Base‑URL>/rest/service/receipt` | **MSS Receipt** | Section 3.4 |
61-
| `<Base‑URL>/rest/service/profile` | **MSS Profile Query** | Section 3.5 |
58+
| `<Base‑URL>/rest/service/sign` | **MSS Signature** | [Section MSS Signature](/reference-guide/mobile-id-api.html#mss-signature) |
59+
| `<Base‑URL>/rest/service/status` | **MSS Status Query** |[Section MSS Status Query](/reference-guide/mobile-id-api.html#mss-status-query) |
60+
| `<Base‑URL>/rest/service/receipt` | **MSS Receipt** | [Section MSS Receipt](/reference-guide/mobile-id-api.html#mss-receipt) |
61+
| `<Base‑URL>/rest/service/profile` | **MSS Profile Query** | [Section MSS Profile Query](/reference-guide/mobile-id-api.html#mss-profile-query) |
6262

6363

6464
## Mutual Authentication
@@ -83,15 +83,14 @@ A certificate-based mutual authentication when accessing the Mobile ID web servi
8383
- Authentication is **denied** if the client sends a bag with the full certificate chain.
8484

8585
- The **Enhanced Key Usage** value of client certificates must include **Client Authentication** (`1.3.6.1.5.5.7.3.2`).
86-
- See **X509 Client Certificates** for examples of creating self‑signed certificates.
86+
- See **[Create X509 Client Certificates](/reference-guide/create-client-certs.md)** for examples of creating self‑signed certificates.
8787

8888
- All requests to the **Mobile ID service** must originate **only** from servers that you control.
8989
- Never send requests directly from client‑side code such as **mobile apps** or **JavaScript**, as this may compromise your credentials.
9090

9191
- To validate the **chain of trust** for the Mobile ID server certificate:
9292
- Add the **SwissSign Gold CA – G2** root certificate to your client **TrustStore**.
9393
- The intermediate CAs are returned dynamically by the MID server and may change.
94-
- Refer to **Section tbd** for more details.
9594

9695
::: info
9796
Get the root certificate from https://www.swisssign.com/en/support/faq.html

docs/reference-guide/auto-activation.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ Auto Activation feature can successfully prevent a fault sub-code 404 (this faul
1515
## How to implement this feature
1616
To enable the Auto Activation feature for an Application Provider (AP), the AP must ensure that the user has accepted the Mobile ID specific terms & conditions prior to proceed with the auto activation steps.
1717

18-
An AP may use the Profile Query Extensions (see section MSS Profile Query) to know if a signature request to a user will invoke auto activation or not. However, an AP does not necessarily need to know that.
18+
An AP may use the Profile Query Extensions (see [Section MSS Profile Query](/reference-guide/mobile-id-api.html#mss-profile-query)) to know if a signature request to a user will invoke auto activation or not. However, an AP does not necessarily need to know that.
1919

2020
Please speak to your Swisscom contact if you wish to get this feature enabled for your AP account. Op-tionally we can also setup specific test SIM cards, which allows an AP to test this feature (because those test SIM cards will be configured to always trigger the auto activation).
2121

docs/reference-guide/best-practices.md

Lines changed: 14 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,17 @@
11
# Best Practices
22

3-
The **SwisscomMobile ID** GitHub repository provides various examples of Mobile ID client implementations.
3+
The **Swisscom Mobile ID Strong Authentication** GitHub repository provides various examples of Mobile ID client implementations.
44

55
The repository **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** serves as the *main* Java‑based reference implementation for building **Mobile ID REST** and **SOAP** API clients.
66

77
This library is ideal for Java 8+ projects that require **secure authentication and authorization** using a mobile phone.
8-
It can be added as a dependency to your project and used in any scenario requiring access to the **SwisscomMobileID** service.
8+
It can be added as a dependency to your project and used in any scenario requiring access to the **Swisscom Mobile ID** service.
99

10-
## MSSSignature
10+
## MSS Signature
1111

1212
### Signature Request
1313

14-
When constructing an **MSSSignature** request, the following best‑practice guidelines should be followed:
14+
When constructing an **MSS Signature** request, the following best‑practice guidelines should be followed:
1515

1616
1. **Define a unique `AP_TransID` (Transaction ID)**
1717
Each signature request must have a unique transaction identifier.
@@ -61,7 +61,7 @@ When constructing an **MSS Signature** request, the following best‑practice
6161

6262
### Signature Response
6363

64-
After receiving the **MSSSignatureResponse**, the client (Application Provider – AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
64+
After receiving the **MSS Signature Response**, the client (Application Provider – AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
6565

6666
The key validation aspects are as follows:
6767

@@ -72,7 +72,7 @@ The key validation aspects are as follows:
7272
2. **Validate the Mobile User’s X.509 Certificate**
7373
- Ensure the user certificate chains up to a **trusted root CA** contained in your local **TrustStore**.
7474
- The client should only trust certificates that link to a **trust anchor** matching the expected Swisscom Mobile ID CA.
75-
- Your **TrustStore** should only contain the **relevant root CA certificate** (see **Section Root CA Certificates**).
75+
- Your **TrustStore** should only contain the **relevant root CA certificate** (see **[Root CA Certificates](/reference-guide/root-ca-certs.md)**).
7676

7777
3. **Verify the Digital Signature**
7878
- Confirm that the received digital signature is **cryptographically valid**.
@@ -94,13 +94,13 @@ Mobile ID user certificates are **never revoked** individually — the **Mobil
9494

9595
### Signature Concurrency Control
9696

97-
This section describes the behavior of the **Mobile ID Service** when an **ApplicationProvider (AP)** submits a new **MSSSignature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
97+
This section describes the behavior of the **Mobile ID Service** when an **Application Provider (AP)** submits a new **MSS Signature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
9898

9999
Concurrency handling depends on whether the request targets the **SIM** method or the **Mobile ID App** method.
100100

101101
---
102102

103-
##### SIMMethod Concurrency
103+
##### SIM Method Concurrency
104104
If both signature requests target the **SIM‑based authentication method**, and the first signature transaction is still **in progress**, the **second request** is **rejected** immediately.
105105

106106
- **Fault Code:** `406 / PB_SIGNATURE_PROCESS`
@@ -109,7 +109,7 @@ If both signature requests target the **SIM‑based authentication method**, and
109109

110110
---
111111

112-
##### AppMethod Concurrency
112+
##### App Method Concurrency
113113
If both requests target the **Mobile ID App‑based authentication method**, the behavior is different:
114114

115115
- The **existing first signature transaction** is **canceled** automatically by the backend.
@@ -124,9 +124,12 @@ With an MSS Signature response, you will get signature data and the mobile user'
124124

125125
That X.509 certificate's Subject Name (Distinguished Name) contains a unique Mobile ID serial number.
126126

127-
Example subject name with the serial number highlighted in pink:
127+
Example subject name with the serial number:
128+
129+
```bash
128130

129131
cn=midcheptod58qe59:pn,serialnumber=midcheptod58qe59,pseudonym=midcheptod58qe59
132+
```
130133

131134

132135
For highest level of assurance and a truly strong two-factor-authentication process, an AP should store this value at the first signature and then verify every subsequent signature response if that serial number value still matches.
@@ -206,7 +209,7 @@ The Mobile ID service health check is successful if a fault code 101/WRONG_PARAM
206209

207210
The GitHub Repository at [https://github.com/MobileID-Strong-Authentication](https://github.com/MobileID-Strong-Authentication) contains different examples for a Mobile ID client.
208211

209-
The repo 'mobileid-client-java' is the main Java-based reference implementation for the Mobile ID REST and SOAP API client.
212+
The repo **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** is the main Java-based reference implementation for the Mobile ID REST and SOAP API client.
210213

211214
The library provided by this repository is for all clients that are developing Java-based projects that need secure authentication and authorization services using the mobile phone.
212215

docs/reference-guide/introduction.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
The purpose of this document is to provide technical documentation and guidelines on how to use the **Swisscom Mobile ID Authentication API**.
44

55
The Swisscom Mobile ID authentication solution protects access to your company data and applications with a comprehensive end‑to‑end solution for **two‑factor authentication (2FA)**.
6-
Mobile ID can be used in multiple processes from simple two‑factor login to **password‑free authentication**, **online signatures**, and **geofencing**.
6+
Mobile ID can be used in multiple processes, from simple two‑factor login to **password‑free authentication**, **online signatures**, and **geofencing**.
77
It is suitable for various system landscapes and meets strict regulatory requirements.
88

99
➡️ For more information, visit [https://mobileid.ch](https://mobileid.ch).
@@ -34,11 +34,11 @@ It is suitable for various system landscapes and meets strict regulatory require
3434
## Mobile ID Signature Service (MSS)
3535

3636
**Mobile ID** is a cost‑efficient, managed authentication service operated by **Swisscom**.
37-
The customer‑facing API follows the open standard **ETSI 102 204 V1.1.4 (2003‑08)**.
37+
The customer‑facing API follows the open standard **ETSI 102 204 V1.1 (2003‑08)**.
3838

3939
Authentication in Mobile ID is based on a secure hardware token which can be either:
4040

41-
- a **Mobile ID‑compliantSIM oreSIM**, or
41+
- a **Mobile ID‑compliant SIM or eSIM**, or
4242
- a **Mobile ID App** running on a smartphone.
4343

4444
Therefore, a user account could have either the (e)SIM method, the App method or even both methods activated at the same time. However, the **Application Provider (AP)** may select the preferred method and allow both methods or just either one.
@@ -69,7 +69,7 @@ An Application Provider (AP) can request SIM Toolkit (STK) based authentication,
6969

7070
---
7171

72-
### **Mobile IDApp - Method**
72+
### **Mobile ID App - Method**
7373

7474
An Application Provider (AP) can request mobile app based authentication, hereinafter referred as "App method". To utilize the App method, the user must have the Mobile ID App installed on a compliant Android or iOS-based smartphone. The app can be downloaded from Google Play Store and Apple App Store.
7575

@@ -82,7 +82,7 @@ The Mobile ID App activation can be done within the mobile app (in-app enrolment
8282

8383
2. **Self‑Care Portal Activation**
8484
Activation via [https://www.mobileid.ch](https://www.mobileid.ch),
85-
where the app scans aQR code displayed on the site.
85+
where the app scans a QR code displayed on the site.
8686

8787
#### **Display Options**
8888

docs/reference-guide/mobile-id-api.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@
33
The **Mobile ID** service exposes a web API available via both **SOAP** and **RESTful (JSON)** interfaces.
44
Refer to **Application Provider Client Integration** for a detailed description of these interfaces, including links to the corresponding **WSDL** and **YAML** files on GitHub that describe the service definitions.
55

6+
For your convenience, the RESTful API swagger documentation is also available here:
7+
[API Specification](/api-reference/api)
8+
9+
610
## HTTP/1.1 Header
711

812
### HTTP Request

docs/reference-guide/root-ca-certs.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ There are two different scenarios (described in the two chapters below) to consi
55

66
## Mobile ID X509 Server Certificate
77

8-
As described in section Mutual Authentication, the Mobile ID server's x.509 certificate that is used in the mutual SSL/TLS authentication process is a SwissSign certificate.
8+
As described in [Section Mutal Authentication](/reference-guide/app-provider-client-integration.html#mutual-authentication), the Mobile ID server's x.509 certificate that is used in the mutual SSL/TLS authentication process is a SwissSign certificate.
99

1010
You can download the "SwissSign Gold CA - G2" certificate from the SwissSign site:
1111
[https://www.swisssign.com/en/support/faq.html](https://www.swisssign.com/en/support/faq.html)
@@ -17,7 +17,7 @@ You can download the "SwissSign Gold CA - G2" certificate from the SwissSign sit
1717

1818
## Mobile ID User X509 Certificate
1919

20-
As described in section Mobile ID Signature Service, the main scenario is a strong authentication, where the AP receives a signature response, which includes the signature object and the mobile user's x.509 certificate (public key). The AP should validate the signature as well as the x.509 certificate's trust chain.
20+
As described in [Section MSS Signature](/reference-guide/mobile-id-api.html#mss-signature), the main scenario is a strong authentication, where the AP receives a signature response, which includes the signature object and the mobile user's x.509 certificate (public key). The AP should validate the signature as well as the x.509 certificate's trust chain.
2121

2222
The figure below depicts the Mobile ID Certificate Chain. The User Certificate (End Entity Certificate) is issued by the Intermediate Certificate. The Intermediate Certificate is issued by the Root Certificate.
2323

docs/release-notes/release-notes.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,16 +3,16 @@
33
## MobileID API Reference Guide
44

55
<details>
6-
<summary>v1.0.0</summary>
6+
<summary>v3.12.0</summary>
77

88
### Version tbd
99

10-
Release Notes – Version v1.0.0
10+
Release Notes – Version v3.12.0
1111

1212
**Release Date:** 19.01.2026
1313

1414
#### 🚀 Overview
15-
Initial version - MobileID API Reference Guide
15+
Initial version - MobileID API Reference Guide available on docs.mobileid.ch
1616

1717
</details>
1818

0 commit comments

Comments
 (0)