You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/reference-guide/app-provider-client-integration.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
-
# ApplicationProviderClientIntegration
1
+
# ApplicationProviderClientIntegration
2
2
3
-
This chapter describes how an **ApplicationProvider(AP)** integrates its backend with the **SwisscomMobile ID signatureservice**. It covers the necessary preconditions, endpoint configuration, and use of **mutualTLSauthentication**.
3
+
This chapter describes how an **ApplicationProvider(AP)** integrates its backend with the **SwisscomMobile ID signatureservice**. It covers the necessary preconditions, endpoint configuration, and use of **mutualTLSauthentication**.
4
4
5
5
## Preconditions
6
6
@@ -14,10 +14,10 @@ Before using the **Swisscom Mobile ID** web service, some initial provisioning s
14
14
2.**The Mobile ID customer receives from Swisscom:**
15
15
- An **AP_ID** (Application Provider Identifier) value.
16
16
- A **DataToBeDisplayed (DTBD) Prefix** value:
17
-
- The DTBD Prefix is an AP‑specific keyword that must be included as a prefix in every MobileID request text message sent to a MobileID user (the message displayed on the user’s mobile phone).
17
+
- The DTBD Prefix is an AP‑specific keyword that must be included as a prefix in every MobileID request text message sent to a MobileID user (the message displayed on the user’s mobile phone).
18
18
-**Example:**`"Bank ACME: "`
19
19
20
-
## EndpointAddress
20
+
## EndpointAddress
21
21
22
22
The Swisscom Mobile ID web service is accessible through LAN-I or Internet. If not otherwise specified use the following default access details.
23
23
@@ -85,11 +85,11 @@ A certificate-based mutual authentication when accessing the Mobile ID web servi
85
85
- The **Enhanced Key Usage** value of client certificates must include **Client Authentication** (`1.3.6.1.5.5.7.3.2`).
86
86
- See **[Create X509 Client Certificates](/reference-guide/create-client-certs.md)** for examples of creating self‑signed certificates.
87
87
88
-
- All requests to the **MobileID service** must originate **only** from servers that you control.
88
+
- All requests to the **MobileID service** must originate **only** from servers that you control.
89
89
- Never send requests directly from client‑side code such as **mobile apps** or **JavaScript**, as this may compromise your credentials.
90
90
91
-
- To validate the **chain of trust** for the MobileID server certificate:
92
-
- Add the **SwissSignGold CA – G2** root certificate to your client **TrustStore**.
91
+
- To validate the **chain of trust** for the MobileID server certificate:
92
+
- Add the **SwissSignGold CA – G2** root certificate to your client **TrustStore**.
93
93
- The intermediate CAs are returned dynamically by the MID server and may change.
Copy file name to clipboardExpand all lines: docs/reference-guide/best-practices.md
+25-25Lines changed: 25 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,10 +1,10 @@
1
1
# Best Practices
2
2
3
-
The **Swisscom Mobile ID Strong Authentication** GitHub repository provides various examples of MobileID client implementations.
3
+
The **Swisscom Mobile ID Strong Authentication** GitHub repository provides various examples of MobileID client implementations.
4
4
5
-
The repository **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** serves as the *main* Java‑based reference implementation for building **MobileID REST** and **SOAP** API clients.
5
+
The repository **[`mobileid-client-java`](https://github.com/SwisscomTrustServices/mobileid-client-java)** serves as the *main* Java‑based reference implementation for building **MobileID REST** and **SOAP** API clients.
6
6
7
-
This library is ideal for Java8+ projects that require **secure authentication and authorization** using a mobile phone.
7
+
This library is ideal for Java8+ projects that require **secure authentication and authorization** using a mobile phone.
8
8
It can be added as a dependency to your project and used in any scenario requiring access to the **Swisscom Mobile ID** service.
9
9
10
10
## MSS Signature
@@ -13,13 +13,13 @@ It can be added as a dependency to your project and used in any scenario requiri
13
13
14
14
When constructing an **MSS Signature** request, the following best‑practice guidelines should be followed:
15
15
16
-
1.**Define a unique `AP_TransID` (TransactionID)**
16
+
1.**Define a unique `AP_TransID` (TransactionID)**
17
17
Each signature request must have a unique transaction identifier.
18
18
19
19
2.**Set the current time for `Instant` (with time zone)**
20
-
The `Instant` parameter must include time zone information and must not deviate excessively from the Mobile ID Service’s current time; otherwise, a fault response with sub‑code**101** will be returned.
20
+
The `Instant` parameter must include time zone information and must not deviate excessively from the Mobile ID Service’s current time; otherwise, a fault response with sub‑code**101** will be returned.
21
21
-**Example:**`2020-01-01T12:00:00.000+01:00`
22
-
- Must conform to the [W3C`xs:dateTime`](https://www.w3.org/TR/xmlschema-2/#dateTime) format.
22
+
- Must conform to the [W3C`xs:dateTime`](https://www.w3.org/TR/xmlschema-2/#dateTime) format.
23
23
24
24
3.**Ensure uniqueness across the triplet `(AP_ID, AP_TransID, Instant)`**
25
25
The combination of these three fields must be unique for every transaction.
@@ -31,19 +31,19 @@ When constructing an **MSS Signature** request, the following best‑practice gu
31
31
-**Example:**`+41791234567`
32
32
33
33
5.**Set a valid `UserLang` value**
34
-
The value must be one of the supported languages —**EN**,**DE**,**FR**, or **IT** —and must match the language used in the **DataToBeDisplayed** (`DTBD`) message.
34
+
The value must be one of the supported languages —**EN**,**DE**,**FR**, or **IT** —and must match the language used in the **DataToBeDisplayed** (`DTBD`) message.
35
35
36
36
6.**Define the `DataToBeDisplayed` (DTBD) message**
37
37
The text shown on the user’s mobile device must comply with the following guidelines:
38
38
- Encoded in **UTF‑8**[<supid="a17">17</sup>](#17).
39
-
- Should include a **unique transaction reference** (e.g., timestamp, customerID, contractID).
39
+
- Should include a **unique transaction reference** (e.g., timestamp, customerID, contractID).
40
40
-**Length limits:**
41
-
- Maximum **239characters** if all characters are in the standardGSM DA characterset.
42
-
- If any character falls outside this set (e.g., the lowercasecedilla “ç”), the maximum length reduces to **119characters**.
41
+
- Maximum **239characters** if all characters are in the standardGSM DA characterset.
42
+
- If any character falls outside this set (e.g., the lowercasecedilla “ç”), the maximum length reduces to **119characters**.
43
43
- Keep the message as **short and user‑friendly** as possible.
44
44
45
45
**Example DTBD:**
46
-
> `BankACME:Proceedwiththelogin?(TXN‑3D5K)`
46
+
> `BankACME:Proceedwiththelogin?(TXN‑3D5K)`
47
47
48
48
---
49
49
@@ -61,26 +61,26 @@ When constructing an **MSS Signature** request, the following best‑practice gu
61
61
62
62
### Signature Response
63
63
64
-
After receiving the **MSS Signature Response**, the client (ApplicationProvider –AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
64
+
After receiving the **MSS Signature Response**, the client (ApplicationProvider –AP) must perform proper response validation to ensure authenticity, integrity, and consistency with the original request.
65
65
66
66
The key validation aspects are as follows:
67
67
68
68
1.**Match Request and Response Identifiers**
69
69
- Verify that the **`AP_TransID`** and **`MSISDN`** values in the response are identical to those sent in the original request.
70
70
- Any mismatch should be treated as an invalid response and rejected.
71
71
72
-
2.**Validate the MobileUser’s X.509Certificate**
72
+
2.**Validate the MobileUser’s X.509Certificate**
73
73
- Ensure the user certificate chains up to a **trusted root CA** contained in your local **TrustStore**.
74
-
- The client should only trust certificates that link to a **trust anchor** matching the expected SwisscomMobileID CA.
75
-
- Your **TrustStore** should only contain the **relevant root CAcertificate** (see **[Root CA Certificates](/reference-guide/root-ca-certs.md)**).
74
+
- The client should only trust certificates that link to a **trust anchor** matching the expected SwisscomMobileID CA.
75
+
- Your **TrustStore** should only contain the **relevant root CAcertificate** (see **[Root CA Certificates](/reference-guide/root-ca-certs.md)**).
76
76
77
-
3.**Verify the DigitalSignature**
77
+
3.**Verify the DigitalSignature**
78
78
- Confirm that the received digital signature is **cryptographically valid**.
79
79
- The **signed content** must correspond exactly to the **`DataToBeDisplayed (DTBD)`** text from the earlier signature request.
80
80
- The client must be capable of validating both **RSA** and **ECDSA** signatures.
81
81
82
-
4.**(Optional) Validate the Mobile ID SerialNumber**
83
-
- For the **highest level of assurance** and a fully **strong two‑factor authentication** process, validate the **MobileID serial number** as described in **SectionMobile ID Serial Number Validation**.
82
+
4.**(Optional) Validate the Mobile ID SerialNumber**
83
+
- For the **highest level of assurance** and a fully **strong two‑factor authentication** process, validate the **MobileID serial number** as described in **SectionMobile ID Serial Number Validation**.
84
84
85
85
5.**Implement Proper Fault and Status Handling**
86
86
- Handle all **status** and **fault codes** using structured exception handling logic to ensure stable, predictable behavior of the client application.
@@ -89,14 +89,14 @@ The key validation aspects are as follows:
89
89
90
90
**Important Note:**
91
91
Certificate revocation checks are **not recommended**.
92
-
MobileID user certificates are **never revoked** individually — the **MobileID service backend** manages account validity and state directly.
92
+
MobileID user certificates are **never revoked** individually — the **MobileID service backend** manages account validity and state directly.
93
93
94
94
95
95
### Signature Concurrency Control
96
96
97
-
This section describes the behavior of the **MobileID Service** when an **Application Provider (AP)** submits a new **MSS Signature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
97
+
This section describes the behavior of the **MobileID Service** when an **Application Provider (AP)** submits a new **MSS Signature** request while another signature transaction is already in progress for the **same MSISDN** and the **same authentication method**.
98
98
99
-
Concurrency handling depends on whether the request targets the **SIM** method or the **Mobile ID App** method.
99
+
Concurrency handling depends on whether the request targets the **SIM** method or the **Mobile ID App** method.
100
100
101
101
---
102
102
@@ -105,18 +105,18 @@ If both signature requests target the **SIM‑based authentication method**, and
105
105
106
106
-**Fault Code:**`406 / PB_SIGNATURE_PROCESS`
107
107
-**Description:** The subscriber already has an active signature operation in process.
108
-
- See **Section6** for detailed fault code definitions.
108
+
- See **Section6** for detailed fault code definitions.
109
109
110
110
---
111
111
112
112
##### App Method Concurrency
113
-
If both requests target the **Mobile ID App‑based authentication method**, the behavior is different:
113
+
If both requests target the **Mobile ID App‑based authentication method**, the behavior is different:
114
114
115
115
- The **existing first signature transaction** is **canceled** automatically by the backend.
116
-
- The **second signature request** is then displayed on the mobile device via the Mobile ID App.
116
+
- The **second signature request** is then displayed on the mobile device via the Mobile ID App.
117
117
118
118
-**Fault Code (cancellation of first transaction):**`401 / USER_CANCEL`
0 commit comments