eIDAS
eIDAS (electronic IDentification, Authentication and trust Services) certificates are X.509 certificates used in the PSD2 context for accessing the APIs and signing HTTP messages. eIDAS is an EU regulation that defines a set of standards for electronic identification and trust services for electronic transactions. To meet the PSD2 security requirements, banks and PSD2 service providers use Qualified Certificates for Website Authentication and Qualified Certificates for Electronic Seals. These certificates are issued by Qualified Trust Service Providers (QTSPs) based on the technical standard ETSI TS 119 495, published in May 2018. Qualified Certificates enable a third party to identify and verify the payment institution. Identification is based on the legal name of the organization, its registration number and its main role(s) in the payments space.
There are two types of eIDAS certificates:
- QWAC (Qualified Website Authentication Certificate): used as the client certificate in mutual TLS (MA-TLS).
- QSeal (Qualified Certificate for Electronic Seals): used to sign requests with an HTTP-signature.
PSD2 APIs require both types of certificates: QWAC to access the API and QSeal for the HTTP-signature, i.e. message signing.
Fiorano implementation of eIDAS certificates
As required by the PSD2 European Directive, Fiorano PSD2 APIs can be protected by mutual TLS based on eIDAS certificates. This means that to access one of our PSD2 APIs, you need to present an eIDAS TLS client certificate (QWAC) with your requests.
In the Fiorano APIGateway server, where the actual PSD2 APIs are exposed, the eIDAS certificate is parsed and all the parameters required to validate the request are pushed to the context variables. Use the prebuilt API policies to perform the necessary actions based on these values in the context variables.
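As an added illustration (not Fiorano's own code) of what that parsing step yields, the example below walks the DER-encoded qcStatements extension of a QWAC/QSeal certificate, extracts the PSD2 statement defined by ETSI TS 119 495 (roles, NCA name, NCA id) into a context dictionary, and applies the kind of role check a gateway policy would run. The OIDs are the ETSI-assigned ones; the certificate extension bytes and the NCA values are constructed for the example.

```python
# Added example (not Fiorano code): decode the PSD2 QcStatement from a
# certificate's qcStatements extension into gateway context variables.
PSD2_QC_STATEMENT = "0.4.0.19495.2"          # id-etsi-psd2-qcStatement
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

def _children(body):
    """Yield (tag, content) for each DER element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length

def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0   # DER OID content -> dotted form
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def psd2_context_variables(qc_statements_der):
    """Return the PSD2 fields for the context variables, or None if absent."""
    _, body = next(_children(qc_statements_der))   # unwrap outer SEQUENCE OF
    for _, stmt in _children(body):
        parts = list(_children(stmt))
        # Skip statements with no statementInfo (e.g. QcCompliance) and non-PSD2 ones.
        if len(parts) < 2 or _decode_oid(parts[0][1]) != PSD2_QC_STATEMENT:
            continue
        roles_seq, nca_name, nca_id = [v for _, v in _children(parts[1][1])]
        roles = [ROLE_OIDS.get(_decode_oid(next(_children(r))[1]), "UNKNOWN")
                 for _, r in _children(roles_seq)]
        return {"psd2_roles": roles, "psd2_nca_name": nca_name.decode(),
                "psd2_nca_id": nca_id.decode()}
    return None

def role_policy_allows(context, required_role):
    """Policy step: admit the call only if the certificate carries the role."""
    return context is not None and required_role in context["psd2_roles"]

# Constructed sample: QcCompliance, then a PSD2 statement with PSP_AI + PSP_PI.
SAMPLE_QC_STATEMENTS = bytes.fromhex(
    "3051 3008 0606 04008E460101 3045 0606 040081982702 303B 3026"
    "3011 0607 04008198270103 0C06 5053505F4149"
    "3011 0607 04008198270102 0C06 5053505F5049"
    "0C08 546573742D4E4341 0C07 58582D54455354")
```

A real gateway would take the extension bytes from the validated client certificate after the TLS handshake; the sample skips that step so it runs offline.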
Checking API Documentation
Click the API Products tab to go to the API Products page.
Click the API Product name (see the figure above) to see the API Categories in the product; click the environment name of the respective API category to work with the APIs associated with the project.
Consent Mechanism
To access the PSD2 APIs, the TPP has to first get consent from the PSU. A 3-legged OAuth flow is used to achieve this. When the PSU logs into the TPP app and selects the bank, the TPP redirects the user to the bank's login page, where the PSU provides valid credentials. Once the PSU is authenticated, a consent page listing all the requested scopes is shown. The PSU selects the scopes to grant and provides consent for them. An OAuth access token is then generated, which the TPP uses to access the PSD2 APIs.
Authorization
Detailed documentation of the API with complete information about the parameters involved, sample requests and responses, and authentication mechanisms used can be viewed in the API Documentation section.
Click an Environment name (see the figure above) for API Documentation. If the REST APIs are protected, click the Authorize button to unlock the APIs.
Provide the Client ID, which is the Consumer Key mentioned in the Fetching Consumer Key and Customer Secret section of the respective product, and click Authorize.
Testing the APIs
Expand a tag to see the APIs available under it.
Expand the API to see the parameters under it and click the Try it out button to test the API.
Forums
The Forums section lets you start a discussion or take part in one. Post any questions or suggestions for the administrator in the Forums section as a new topic.
To post content in the forum:
- Click the Forum name (see the figure above) and click the New topic button to create a topic.
- Provide the following and click Save:
  - the topic heading in the Subject text box
  - the content in the Body text area