Please note that the APIs referred to in this article are legacy. For a more modern code sample, check this code on GitHub: https://github.com/EricHerlitz/Swedish-BankID-.NET-Core.
I had an assignment to write an integration with the Swedish BankID authentication system (www.bankid.com). It is a pretty straightforward process, and with some guidance from the documentation it was fairly easy.
This introduction will help you understand the basic concepts of working with the BankID web service APIs and how to work with the BankID test environment.
Resources
- The latest guidelines from BankID https://www.bankid.com/bankid-i-dina-tjanster/rp-info
- Certificates and guidelines, https://www.bankid.com/bankid-i-dina-tjanster/rp-info
- Github project with all code from this post https://github.com/EricHerlitz/Mobile-BankId-.NET-Example
Securing the communication
Working with the BankID service requires two certificates: one your client presents to BankID (the client certificate) and one that lets your client trust the BankID API endpoint (the server certificate, which is in fact a root CA).
- Client, https://www.bankid.com/assets/bankid/rp/FPTestcert2_20150818_102329.pfx
- Server, check the ‘Test Environment’-section in https://www.bankid.com/bankid-i-dina-tjanster/rp-info
Below you will find both the GUI way and the PowerShell way to install the certificates.
Prepare the certificates
Server certificate
The "server certificate" is the BankID SSL Root Certification Authority, the CA that issued the TLS certificate of the API endpoint. Installing it in the trusted root store lets your client validate the certificate chain presented by https://appapi.test.bankid.com, so that a TLS session can be established at all. Bear in mind that anything placed in LocalMachine\Root becomes a trust anchor for every TLS client on that machine, so install it only on the hosts that actually need to reach BankID. When working in a production environment you'll need the 'Production Environment' version of this certificate, which is available on the same page.
Navigate to https://www.bankid.com/bankid-i-dina-tjanster/rp-info/guidelines and copy the certificate. It should look something like this:
-----BEGIN CERTIFICATE----- MIID8zCCAtugAwIBAgIRAODr4WfulmxifqSx8UEMbyIwDQYJKoZIhvcNAQEFBQAw eTEkMCIGA1UECgwbRmluYW5zaWVsbCBJRC1UZWtuaWsgQklEIEFCMRowGAYDVQQL … -----END CERTIFICATE-----
Put the contents in a text file, name it BankID.cer and save it.
Client certificate
This is the "fake" bank certificate, issued under "Testbank A RP CA v1 for BankID Test" (the subject you will search for later is "FP Testcert 2"). It is the client certificate your application presents during the TLS handshake, and it is what allows your client to talk to the Web Service API.
Download the FPTestcert2_20150818_102329.pfx file (the file name may change over time) from https://www.bankid.com/bankid-i-dina-tjanster/rp-info and install it; without it, your client will not be able to communicate with the Web Service API.
Implementing the certificates using PowerShell
There are multiple ways to install certificates. The PowerShell snippets are below; if you need a step-by-step explanation of what they do, check the GUI version.
Implementing the server certificate (bankid.cer)
# Trust anchor for the BankID API endpoint. Writing to LocalMachine\Root requires an elevated prompt.
Import-Certificate -FilePath C:\Cert\bankid.cer -CertStoreLocation Cert:\LocalMachine\Root
Implementing the client certificate (pfx) to the Current User
# "qwerty123" is the published password of the BankID test certificate; a production RP certificate
# has its own password and should never be hard-coded like this.
# ($pwd is an automatic variable in PowerShell, so use a different name for the secure string.)
$pfxPassword = ConvertTo-SecureString -String "qwerty123" -Force -AsPlainText
# -Exportable lets anyone with access to the store export the private key again; fine for the
# test certificate, drop it when importing a production certificate.
Import-PfxCertificate -FilePath C:\Cert\FPTestcert2_20150818_102329.pfx -CertStoreLocation Cert:\CurrentUser\My -Exportable -Password $pfxPassword
Implementing the client certificate (pfx) to Local Computer (optional)
# Same import, but into the machine store (elevated prompt required). This is the store an IIS
# application pool reads from; see the note under "Implement to Local Computer" below.
$pfxPassword = ConvertTo-SecureString -String "qwerty123" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\Cert\FPTestcert2_20150818_102329.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $pfxPassword
Implementing certificates using a GUI
Implementing the client certificate (pfx) to the Current User
Microsoft ships a management console for managing certificates as a snap-in for MMC.
Start mmc.exe and add the Certificates snap-in; you'll need to add it twice, once for "My user account" and once for "Computer account" (the latter needs an elevated MMC).
Implementing the server certificate (bankid.cer)
Right-click the file, select Install Certificate and place it in the Trusted Root Certification Authorities store under Local Computer (the same store the PowerShell command above uses).
Implementing the client certificate (pfx)
Implement to Current User
Verify the certificate
Open the following URL in a browser on the machine. The endpoint requires a client certificate, so the browser should prompt you to pick one; choose FP Testcert 2. If the WSDL is returned, everything is in order:
https://appapi.test.bankid.com/rp/v4?wsdl
Implement to Local Computer (maybe)
If you plan on running the code as an IIS AppPool or similar, you'll need to put the certificate in the LocalComputer\My store, since the application pool identity has no CurrentUser store of its own to search. The account running the application pool must also be granted read access to the certificate's private key (in certlm.msc: right-click the certificate, All Tasks, Manage Private Keys); otherwise WCF finds the certificate but cannot complete the TLS handshake. In a production environment this is normally the only place you want to install the client certificate.
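As an added check, written for this post rather than taken from the linked repository, the following console program performs the same store lookup that WCF will perform with the behavior configuration further down (FindBySubjectName in the stores named on this page) and then tries to open the private key, which is exactly where an application pool identity without "Manage Private Keys" access fails. Run it under the account that will run the BankID client. The subject names and store locations are the ones used in this article; GetRSAPrivateKey() requires .NET Framework 4.6 or later (or .NET Core).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: mirrors the certificate lookup WCF does for the
// clientCertificate / defaultCertificate entries in the behavior config,
// so that missing certificates or private-key permissions show up here
// instead of as a generic "could not establish secure channel" later.
class CertCheck
{
    // Returns the single matching certificate or throws with a message that
    // says what is wrong. FindBySubjectName is a substring match, so one name
    // can match several certificates; WCF refuses to pick one in that case,
    // and so does this check.
    static X509Certificate2 FindExactlyOne(StoreLocation location, StoreName name, string subject)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with subject '{subject}' in {location}\\{name}");
            if (matches.Count > 1)
                throw new InvalidOperationException(
                    $"{matches.Count} certificates match '{subject}' in {location}\\{name}; use FindByThumbprint instead");
            return matches[0];
        }
    }

    static void Main()
    {
        // Trust anchor for the API endpoint, installed with Import-Certificate above.
        X509Certificate2 root = FindExactlyOne(StoreLocation.LocalMachine, StoreName.Root,
            "BankID SSL Root Certification Authority TEST");
        Console.WriteLine($"Root CA present: {root.Subject}, expires {root.NotAfter:u}");

        // Client certificate. Change to StoreLocation.LocalMachine when checking an IIS app pool.
        X509Certificate2 client = FindExactlyOne(StoreLocation.CurrentUser, StoreName.My, "FP Testcert 2");
        Console.WriteLine($"Client cert: {client.Subject}, thumbprint {client.Thumbprint}, expires {client.NotAfter:u}");

        if (!client.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key; import the .pfx, not a .cer");

        // Opening the key is what actually needs ACL access on the key container.
        // A CryptographicException here under the app pool identity means that
        // account has not been granted access via "Manage Private Keys".
        try
        {
            using (RSA rsa = client.GetRSAPrivateKey())
            {
                if (rsa == null)
                    throw new InvalidOperationException("Private key is not an RSA key");
                Console.WriteLine($"Private key usable: {rsa.KeySize}-bit RSA");
            }
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Private key exists but cannot be opened by this account: " + ex.Message, ex);
        }
    }
}
```

If the second lookup reports more than one match, you have both the test certificate and a production certificate with similar subjects in the same store; switch the behavior configuration to x509FindType="FindByThumbprint" with the thumbprint printed above rather than hoping the substring match stays unique.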
Configure a mobile phone BankID for test
Documentation: https://www.bankid.com/assets/bankid/rp/how-to-get-bankid-for-test-v1.5.pdf (urls may change over time)
Navigate to https://demo.bankid.com/
Click the “How to configure your client for BankID TEST” and follow the instructions
Begin the development
Fire up Visual Studio and create a project of your preference. I will create a console application since it is fast and easy to understand.
Connecting to the Web Service API
Add the Web Service WSDL API as a service reference, enter the address https://appapi.test.bankid.com/rp/v4?wsdl and give it a namespace (I use BankIDService, which is the namespace the contract attribute below refers to).
This adds a new <system.serviceModel> section to the web.config/app.config file of your project. The generated version won't work as-is, because it does not tell WCF which client certificate to present, so we need to modify it to fit our purposes.
The original
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="RpServiceSoapBinding">
        <textMessageEncoding messageVersion="Soap11" />
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://appapi.test.bankid.com/rp/v4"
              binding="customBinding"
              bindingConfiguration="RpServiceSoapBinding"
              contract="BankIDService.RpServicePortType"
              name="RpServiceSoapPort" />
  </client>
</system.serviceModel>
Begin by modifying the httpsTransport element; we need to tell it that a client certificate is required, otherwise WCF will never present one during the TLS handshake.
<httpsTransport requireClientCertificate="true" />
Next is to add a behaviorConfiguration reference to the endpoint element, I’ll call mine “bankid”
<endpoint address="https://appapi.test.bankid.com/rp/v4"
          binding="customBinding"
          bindingConfiguration="RpServiceSoapBinding"
          contract="BankIDService.RpServicePortType"
          name="RpServiceSoapPort"
          behaviorConfiguration="bankid" />
Then we must also add the behavior itself to the system.serviceModel section. It looks like this:
<behaviors>
  <endpointBehaviors>
    <behavior name="bankid">
      <clientCredentials>
        <clientCertificate findValue="FP Testcert 2"
                           x509FindType="FindBySubjectName"
                           storeLocation="CurrentUser"
                           storeName="My" />
        <serviceCertificate>
          <defaultCertificate findValue="BankID SSL Root Certification Authority TEST"
                              storeLocation="LocalMachine"
                              storeName="Root"
                              x509FindType="FindBySubjectName" />
          <authentication certificateValidationMode="None"
                          revocationMode="NoCheck"
                          trustedStoreLocation="LocalMachine" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
There you see both certificates we've added and their storeLocations. If you imported them to any other store, this is where you tell your application where they are. Two things to be aware of before this config leaves the test environment. First, certificateValidationMode="None" and revocationMode="NoCheck" switch off validation of a message-security service certificate; this binding uses transport security only, so the TLS certificate of appapi.test.bankid.com is still validated by Windows against the root store (which is why the BankID root had to be imported), but do not copy these values into a production config; use ChainTrust and Online there. Second, FindBySubjectName is a substring match; if more than one certificate matches, WCF refuses to pick one and fails, so in production use x509FindType="FindByThumbprint" with the certificate's thumbprint as findValue.
Testing some code
Create a client
// Uses the endpoint and "bankid" behavior from app.config
var client = new RpServicePortTypeClient();
Set the parameters for the authentication. Note that the commented-out requirementAlternatives line must stay on its own line, or the closing brace ends up inside the comment.
AuthenticateRequestType authenticateRequestType = new AuthenticateRequestType()
{
    personalNumber = "YYYYMMDDNNNN", // 12-digit Swedish personal number of the user to authenticate
    //requirementAlternatives = new[] { conditions }
};
Authenticate
// Starts the order; response.orderRef identifies it in the Collect calls that follow
OrderResponseType response = client.Authenticate(authenticateRequestType);
Wait for the user to complete the authentication in the BankID app. In practice this means calling Collect repeatedly until the order reports that it is complete.
Collect the response
// Returns the current progress status; once the order is complete it also carries the user's identity and the signature
CollectResponseType result = client.Collect(response.orderRef);
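The steps above joined into one runnable console program, as an added example written for this post rather than code from the linked repository. It uses the service-reference types named on this page (RpServicePortTypeClient, AuthenticateRequestType, OrderResponseType, CollectResponseType) under the BankIDService namespace from the config above, and fills in the polling that the text leaves as "wait for the user to sign in". The ProgressStatusType enum, the RpFaultType fault contract and the userInfo, signature and ocspResponse properties are my assumptions about what the v4 WSDL generates; check them against your own Reference.cs. The personal number is a placeholder.

```csharp
using System;
using System.ServiceModel;
using System.Threading;
using BankIDService; // namespace given to the service reference

// Added example: Authenticate, then poll Collect until BankID reports the
// order complete. Relies on the endpoint and "bankid" behavior in app.config.
class Program
{
    static void Main()
    {
        string expectedPersonalNumber = "YYYYMMDDNNNN"; // placeholder, 12 digits

        // Not wrapped in "using": Dispose() on a faulted WCF channel throws,
        // so Close/Abort is done explicitly in the finally block below.
        var client = new RpServicePortTypeClient();
        try
        {
            // Optional: pin the client certificate by thumbprint in code instead of
            // relying on the FindBySubjectName entry in app.config.
            // client.ClientCredentials.ClientCertificate.SetCertificate(
            //     StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "<thumbprint>");

            OrderResponseType order = client.Authenticate(new AuthenticateRequestType
            {
                personalNumber = expectedPersonalNumber,
            });
            Console.WriteLine($"Order started, orderRef={order.orderRef}; open the BankID app now.");

            CollectResponseType result = WaitForCompletion(client, order.orderRef, TimeSpan.FromMinutes(3));

            // Assumption about the generated proxy: a completed order carries the
            // user's identity in result.userInfo.
            string authenticated = result.userInfo.personalNumber;
            // The RP asked for a specific person, so the identity BankID reports
            // must be that person; the value supplied by the caller is never trusted on its own.
            if (authenticated != expectedPersonalNumber)
                throw new InvalidOperationException(
                    $"BankID authenticated {authenticated}, expected {expectedPersonalNumber}");

            Console.WriteLine($"Authenticated {result.userInfo.givenName} {result.userInfo.surname} ({authenticated})");
            // Store result.signature and result.ocspResponse with the session record:
            // they are the evidence of this authentication if it is disputed later.
        }
        catch (FaultException<RpFaultType> fault)
        {
            // Assumption: the v4 WSDL declares RpFaultType with faultStatus and detailedDescription.
            // User cancellation and expiry (USER_CANCEL, EXPIRED_TRANSACTION) arrive here, not as a progress status.
            Console.WriteLine($"BankID fault {fault.Detail.faultStatus}: {fault.Detail.detailedDescription}");
        }
        catch (CommunicationException ex)
        {
            // Transport-level failures, typically a client certificate WCF could not find or use.
            Console.WriteLine("Transport error: " + ex.Message);
        }
        finally
        {
            if (client.State == CommunicationState.Faulted) client.Abort(); else client.Close();
        }
    }

    // Polls Collect until the order is complete or the deadline passes. The RP
    // guidelines ask for roughly two seconds between Collect calls; polling
    // faster than that gets the relying party throttled.
    static CollectResponseType WaitForCompletion(RpServicePortTypeClient client, string orderRef, TimeSpan timeout)
    {
        DateTime deadline = DateTime.UtcNow + timeout;
        while (DateTime.UtcNow < deadline)
        {
            CollectResponseType status = client.Collect(orderRef);
            Console.WriteLine($"  {status.progressStatus}");
            // Assumption: progressStatus is the generated enum ProgressStatusType.
            if (status.progressStatus == ProgressStatusType.COMPLETE)
                return status;
            // Every other value (OUTSTANDING_TRANSACTION, NO_CLIENT, STARTED, USER_SIGN, ...) means keep waiting.
            Thread.Sleep(TimeSpan.FromSeconds(2));
        }
        throw new TimeoutException($"Order {orderRef} was not completed within {timeout}");
    }
}
```

If you start the order without a personalNumber (the user types it into the app instead), drop the equality check and take the identity from result.userInfo alone; the rest of the flow is unchanged.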
All code is available at https://github.com/EricHerlitz/Mobile-BankId-.NET-Example