ID-Rights web service functions
ID-Rights are handled through a web service interface. This web service interface is described in detail below and on the underlying pages.
The web service protocol
ID-Rights exposes an interface that understands the TrustB2BMessage XML protocol. This protocol consists of several XML-based request/response messages, where each message performs an ID-Rights query. Each message is built up in three parts:
Request header
The message
XML signature
The communication between the customer and IN Groupe is based on two-way SSL using client certificates issued by IN Groupe. The ID-Rights XML schema is available for download: B2BSchema.xsd
Request header
The request header is common for all ID-Rights messages.
The service has a time window and expects all customers to have synchronized clocks using the Network Time Protocol (NTP). If a message is received outside the time window, the customer will get an ErrorResponse. The time window is +/- 5 minutes.
The reason for using time windows is to prevent replay attacks. The time cannot be changed by a man-in-the-middle (MITM), as all requests to ID-Rights are digitally signed.

Name | Description | Constraints |
---|---|---|
MerchantID | This value represents the calling customer. The customer gets this value upon configuration in ID-Rights. | Mandatory |
Time | This value is the current date and time in UTC. | Mandatory |
MessageID | The MessageID is defined by the calling merchant application and is returned in the response. The customer may use the MessageID to see which request the response message belongs to. | Mandatory |
CountryCode | This value describes which country the request is concerning. If this element is not used, NO is used as default. | Mandatory |
AdditionalInfo | The AdditionalInfo element can be used by customers to add information like cost center etc. | Optional |
TraceID | The TraceID element is generated by the ID-Rights service. The customer is not supposed to provide a TraceID, and it will be ignored if provided. The response, however, will contain a unique TraceID, which the customer should provide if there are any questions about the given response. | Optional |
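The following client-side pre-flight check is an added example, not code from IN Groupe or ID-Rights. It verifies the mandatory header fields, compares the header Time against a trusted reference clock using the +/- 5 minute window, and correlates a response by MessageID. The `RequestHeader` wrapper element, the ISO 8601 time format, the sample values and all function names are assumptions; the real layout is defined in B2BSchema.xsd.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WINDOW = timedelta(minutes=5)  # the +/- 5 minute window stated above
MANDATORY = ("MerchantID", "Time", "MessageID", "CountryCode")

# Constructed sample header. The wrapper element name and the ISO 8601
# time format are assumptions; the real layout is defined in B2BSchema.xsd.
SAMPLE_HEADER = """<RequestHeader>
  <MerchantID>example-merchant</MerchantID>
  <Time>2024-05-01T12:00:00Z</Time>
  <MessageID>msg-0001</MessageID>
  <CountryCode>NO</CountryCode>
  <AdditionalInfo>cost-center-42</AdditionalInfo>
</RequestHeader>"""


def parse_header(xml_text):
    """Return the header fields as a dict, rejecting missing mandatory ones."""
    fields = {el.tag: (el.text or "").strip() for el in ET.fromstring(xml_text)}
    missing = [name for name in MANDATORY if not fields.get(name)]
    if missing:
        raise ValueError("missing mandatory header fields: " + ", ".join(missing))
    return fields


def parse_utc(value):
    """Parse the Time value; a value without an offset is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def clock_skew(fields, reference_now):
    """Signed difference between the header Time and a trusted reference clock."""
    return parse_utc(fields["Time"]) - reference_now


def preflight(xml_text, reference_now):
    """Return (ok, reason); ok is False if the service would see a stale Time."""
    fields = parse_header(xml_text)
    skew = clock_skew(fields, reference_now)
    if abs(skew) > WINDOW:
        return False, f"Time is {skew.total_seconds():+.0f}s from reference, outside the window"
    return True, "within window"


def response_matches(request_fields, response_fields):
    """Correlate a response to its request by the echoed MessageID."""
    return response_fields.get("MessageID") == request_fields["MessageID"]
```

Run the check immediately before signing, since the Time value is covered by the signature and cannot be corrected afterwards.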
The message
The ID-Rights service provides a set of messages for querying data, as well as messages for maintenance and audit logs.
The messages can be categorized as:
XML Signature
All messages to the ID-Rights service must be signed with XMLDSIG to be able to reach the service. The XMLDSIG must be of the enveloping kind. The entire message must be signed using an IN Groupe-issued signing certificate, which the customer is given upon configuration in the customer test and production environments respectively. ID-Rights validates the signature, authenticates the calling party and performs authorization checks based on the request at hand. If the calling party is authenticated and authorized, the request is handled by ID-Rights.
Some external links about XMLDSIG:
Specification: https://www.w3.org/TR/xmldsig-core/
Wikipedia: https://en.wikipedia.org/wiki/XML_Signature