You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/reference-guide/app-provider-client-integration.md
+13-14Lines changed: 13 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ Before using the **Swisscom Mobile ID** web service, some initial provisioning s
9
9
1.**The Mobile ID customer (your company) has an agreement with Swisscom:**
10
10
-**Connectivity** (Internet or LAN‑I) between the **AP** and **Mobile ID** has been established.
11
11
- The AP’s public source IP address (or range) must be whitelisted in the **Swisscom Firewall**.
12
-
- The customer has delivered the **X.509 client certificate** to Swisscom (see Create X509 Client Certificates).
12
+
- The customer has delivered the **X.509 client certificate** to Swisscom (see [Create X509 Client Certificates](/reference-guide/create-client-certs.md)).
13
13
14
14
2.**The Mobile ID customer receives from Swisscom:**
15
15
- An **AP_ID** (Application Provider Identifier) value.
@@ -35,30 +35,30 @@ The Swisscom Mobile ID web service is accessible through LAN-I or Internet. If
35
35
For accessing the service endpoints the Mobile ID customer can choose between SOAP or RESTful endpoints.
36
36
:::
37
37
38
-
### **SOAPEndpoint**
38
+
### **SOAPEndpoint**
39
39
40
40
A description of this interface is available as a **WSDL** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/soap/mobileid.wsdl)
A description of this interface is available as a**YAML** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/rest/mobileid.yaml)
51
+
### **RESTEndpoint**
52
+
A description of this interface is available here: [API Specification](/api-reference/api) or you can downlad the corresponding**YAML** file on GitHub: [mobileid.yaml](https://github.com/MobileID-Strong-Authentication/mobileid-api/blob/main/rest/mobileid.yaml)
Copy file name to clipboardExpand all lines: docs/reference-guide/auto-activation.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ Auto Activation feature can successfully prevent a fault sub-code 404 (this faul
15
15
## How to implement this feature
16
16
To enable the Auto Activation feature for an Application Provider (AP), the AP must ensure that the user has accepted the Mobile ID specific terms & conditions prior to proceed with the auto activation steps.
17
17
18
-
An AP may use the Profile Query Extensions (see section MSS Profile Query) to know if a signature request to a user will invoke auto activation or not. However, an AP does not necessarily need to know that.
18
+
An AP may use the Profile Query Extensions (see [Section MSS Profile Query](/reference-guide/mobile-id-api.html#mss-profile-query)) to know if a signature request to a user will invoke auto activation or not. However, an AP does not necessarily need to know that.
19
19
20
20
Please speak to your Swisscom contact if you wish to get this feature enabled for your AP account. Op-tionally we can also setup specific test SIM cards, which allows an AP to test this feature (because those test SIM cards will be configured to always trigger the auto activation).
Copy file name to clipboardExpand all lines: docs/reference-guide/best-practices.md
+14-11Lines changed: 14 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,17 +1,17 @@
1
1
# Best Practices
2
2
3
-
The **SwisscomMobile ID** GitHub repository provides various examples of Mobile ID client implementations.
3
+
The **SwisscomMobile ID Strong Authentication** GitHub repository provides various examples of Mobile ID client implementations.
4
4
5
5
The repository **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** serves as the *main* Java‑based reference implementation for building **Mobile ID REST** and **SOAP** API clients.
6
6
7
7
This library is ideal for Java 8+ projects that require **secure authentication and authorization** using a mobile phone.
8
-
It can be added as a dependency to your project and used in any scenario requiring access to the **SwisscomMobileID** service.
8
+
It can be added as a dependency to your project and used in any scenario requiring access to the **SwisscomMobileID** service.
9
9
10
-
## MSSSignature
10
+
## MSSSignature
11
11
12
12
### Signature Request
13
13
14
-
When constructing an **MSSSignature** request, the following best‑practice guidelines should be followed:
14
+
When constructing an **MSSSignature** request, the following best‑practice guidelines should be followed:
15
15
16
16
1.**Define a unique `AP_TransID` (Transaction ID)**
17
17
Each signature request must have a unique transaction identifier.
@@ -61,7 +61,7 @@ When constructing an **MSS Signature** request, the following best‑practice
61
61
62
62
### Signature Response
63
63
64
-
After receiving the **MSSSignatureResponse**, the client (Application Provider – AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
64
+
After receiving the **MSSSignatureResponse**, the client (Application Provider – AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
65
65
66
66
The key validation aspects are as follows:
67
67
@@ -72,7 +72,7 @@ The key validation aspects are as follows:
72
72
2.**Validate the Mobile User’s X.509 Certificate**
73
73
- Ensure the user certificate chains up to a **trusted root CA** contained in your local **TrustStore**.
74
74
- The client should only trust certificates that link to a **trust anchor** matching the expected Swisscom Mobile ID CA.
75
-
- Your **TrustStore** should only contain the **relevant root CA certificate** (see **Section Root CA Certificates**).
75
+
- Your **TrustStore** should only contain the **relevant root CA certificate** (see **[Root CA Certificates](/reference-guide/root-ca-certs.md)**).
76
76
77
77
3.**Verify the Digital Signature**
78
78
- Confirm that the received digital signature is **cryptographically valid**.
@@ -94,13 +94,13 @@ Mobile ID user certificates are **never revoked** individually — the **Mobil
94
94
95
95
### Signature Concurrency Control
96
96
97
-
This section describes the behavior of the **Mobile ID Service** when an **ApplicationProvider (AP)** submits a new **MSSSignature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
97
+
This section describes the behavior of the **Mobile ID Service** when an **ApplicationProvider (AP)** submits a new **MSSSignature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
98
98
99
99
Concurrency handling depends on whether the request targets the **SIM** method or the **Mobile ID App** method.
100
100
101
101
---
102
102
103
-
##### SIMMethod Concurrency
103
+
##### SIMMethod Concurrency
104
104
If both signature requests target the **SIM‑based authentication method**, and the first signature transaction is still **in progress**, the **second request** is **rejected** immediately.
105
105
106
106
-**Fault Code:**`406 / PB_SIGNATURE_PROCESS`
@@ -109,7 +109,7 @@ If both signature requests target the **SIM‑based authentication method**, and
109
109
110
110
---
111
111
112
-
##### AppMethod Concurrency
112
+
##### AppMethod Concurrency
113
113
If both requests target the **Mobile ID App‑based authentication method**, the behavior is different:
114
114
115
115
- The **existing first signature transaction** is **canceled** automatically by the backend.
@@ -124,9 +124,12 @@ With an MSS Signature response, you will get signature data and the mobile user'
124
124
125
125
That X.509 certificate's Subject Name (Distinguished Name) contains a unique Mobile ID serial number.
126
126
127
-
Example subject name with the serial number highlighted in pink:
For highest level of assurance and a truly strong two-factor-authentication process, an AP should store this value at the first signature and then verify every subsequent signature response if that serial number value still matches.
@@ -206,7 +209,7 @@ The Mobile ID service health check is successful if a fault code 101/WRONG_PARAM
206
209
207
210
The GitHub Repository at [https://github.com/MobileID-Strong-Authentication](https://github.com/MobileID-Strong-Authentication) contains different examples for a Mobile ID client.
208
211
209
-
The repo 'mobileid-client-java' is the main Java-based reference implementation for the Mobile ID REST and SOAP API client.
212
+
The repo **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** is the main Java-based reference implementation for the Mobile ID REST and SOAP API client.
210
213
211
214
The library provided by this repository is for all clients that are developing Java-based projects that need secure authentication and authorization services using the mobile phone.
Copy file name to clipboardExpand all lines: docs/reference-guide/introduction.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@
3
3
The purpose of this document is to provide technical documentation and guidelines on how to use the **Swisscom Mobile ID Authentication API**.
4
4
5
5
The Swisscom Mobile ID authentication solution protects access to your company data and applications with a comprehensive end‑to‑end solution for **two‑factor authentication (2FA)**.
6
-
Mobile ID can be used in multiple processes — from simple two‑factor login to **password‑free authentication**, **online signatures**, and **geofencing**.
6
+
Mobile ID can be used in multiple processes, from simple two‑factor login to **password‑free authentication**, **online signatures**, and **geofencing**.
7
7
It is suitable for various system landscapes and meets strict regulatory requirements.
8
8
9
9
➡️ For more information, visit [https://mobileid.ch](https://mobileid.ch).
@@ -34,11 +34,11 @@ It is suitable for various system landscapes and meets strict regulatory require
34
34
## Mobile ID Signature Service (MSS)
35
35
36
36
**Mobile ID** is a cost‑efficient, managed authentication service operated by **Swisscom**.
37
-
The customer‑facing API follows the open standard **ETSI 102 204 V1.1.4 (2003‑08)**.
37
+
The customer‑facing API follows the open standard **ETSI 102 204 V1.1(2003‑08)**.
38
38
39
39
Authentication in Mobile ID is based on a secure hardware token which can be either:
40
40
41
-
- a **Mobile ID‑compliantSIM oreSIM**, or
41
+
- a **Mobile ID‑compliantSIM oreSIM**, or
42
42
- a **Mobile ID App** running on a smartphone.
43
43
44
44
Therefore, a user account could have either the (e)SIM method, the App method or even both methods activated at the same time. However, the **Application Provider (AP)** may select the preferred method and allow both methods or just either one.
@@ -69,7 +69,7 @@ An Application Provider (AP) can request SIM Toolkit (STK) based authentication,
69
69
70
70
---
71
71
72
-
### **Mobile IDApp - Method**
72
+
### **Mobile IDApp - Method**
73
73
74
74
An Application Provider (AP) can request mobile app based authentication, hereinafter referred as "App method". To utilize the App method, the user must have the Mobile ID App installed on a compliant Android or iOS-based smartphone. The app can be downloaded from Google Play Store and Apple App Store.
75
75
@@ -82,7 +82,7 @@ The Mobile ID App activation can be done within the mobile app (in-app enrolment
82
82
83
83
2.**Self‑Care Portal Activation**
84
84
Activation via [https://www.mobileid.ch](https://www.mobileid.ch),
85
-
where the app scans aQR code displayed on the site.
85
+
where the app scans aQR code displayed on the site.
Copy file name to clipboardExpand all lines: docs/reference-guide/mobile-id-api.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,6 +3,10 @@
3
3
The **Mobile ID** service exposes a web API available via both **SOAP** and **RESTful (JSON)** interfaces.
4
4
Refer to **Application Provider Client Integration** for a detailed description of these interfaces, including links to the corresponding **WSDL** and **YAML** files on GitHub that describe the service definitions.
5
5
6
+
For your convenience, the RESTful API swagger documentation is also available here:
Copy file name to clipboardExpand all lines: docs/reference-guide/root-ca-certs.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ There are two different scenarios (described in the two chapters below) to consi
5
5
6
6
## Mobile ID X509 Server Certificate
7
7
8
-
As described in section Mutual Authentication, the Mobile ID server's x.509 certificate that is used in the mutual SSL/TLS authentication process is a SwissSign certificate.
8
+
As described in [Section Mutal Authentication](/reference-guide/app-provider-client-integration.html#mutual-authentication), the Mobile ID server's x.509 certificate that is used in the mutual SSL/TLS authentication process is a SwissSign certificate.
9
9
10
10
You can download the "SwissSign Gold CA - G2" certificate from the SwissSign site:
@@ -17,7 +17,7 @@ You can download the "SwissSign Gold CA - G2" certificate from the SwissSign sit
17
17
18
18
## Mobile ID User X509 Certificate
19
19
20
-
As described in section Mobile ID Signature Service, the main scenario is a strong authentication, where the AP receives a signature response, which includes the signature object and the mobile user's x.509 certificate (public key). The AP should validate the signature as well as the x.509 certificate's trust chain.
20
+
As described in [Section MSS Signature](/reference-guide/mobile-id-api.html#mss-signature), the main scenario is a strong authentication, where the AP receives a signature response, which includes the signature object and the mobile user's x.509 certificate (public key). The AP should validate the signature as well as the x.509 certificate's trust chain.
21
21
22
22
The figure below depicts the Mobile ID Certificate Chain. The User Certificate (End Entity Certificate) is issued by the Intermediate Certificate. The Intermediate Certificate is issued by the Root Certificate.
0 commit comments