This page:
Related pages:
The Freja eID Organisation ID service allows Relying Parties to set a specific, organisation-related identifier to any user. The end user will have previously downloaded the Freja eID mobile application on one or more iOS or Android devices they possess, and registered an account in Freja eID, allowing Relying Parties to refer to them through the use of one or more usernames.
The Organisation ID service is available to end users that have Freja eID Extended (users whose identity has been validated with an ID document) or Plus (users who, in addition to Extended, have had a physical meeting as a further measure of security; this level is only available in Sweden.)
Before you begin
Disclaimer
We retain the right to extend the API with new optional parameters, new response fields and error codes. Within the same API version, these additions shall be made strictly without altering existing response fields and error codes so as not to compromise your system's stability. Your application therefore MUST be able to handle unknown response fields and error codes. In the case of unknown response fields, the application SHOULD ignore them and process only those it understands. In the case of unknown error codes, the application MUST present a generic error message to the end-user.
There are several technical requirements that must be in place before the implementation can start. Please complete the checklist below before proceeding:
- Obtain an SSL client certificate providing you access to the Freja eID test environment.
- Import Freja eID Test root certificate as trusted into the trust store of your application.
- Using Freja eID mobile application, register one or more users with the Freja eID Test infrastructure.
Production checklist
In order to use Freja eID in a production environment, you must fulfil the following:
- Sign a contract allowing your organisation to access the production Freja eID Organisation ID service.
- Provide Freja eID with a logo suitable to represent your organisation in the mobile application, as well as a display name and a short description. Please note that:
- The logo must be delivered in one of the vector file formats: AI (Adobe Illustrator Artwork), EPS (Encapsulated PostScript) or editable PDF (Portable Document Format). The preferable format is AI (filename extension is .ai).
- The display name is restricted to maximum length of 20 characters and the description should not exceed 75 characters. The URL can be up to 100 characters long.
- Obtain an SSL client certificate providing you access to the Freja eID production environment.
- Import Freja eID Production root certificate as trusted into the trust store of your application.
Initiate Add Organisation ID method
This method is used by a Relying Party to initiate a transaction for setting an Organisation ID title, identifier name and the identifier itself to a user. The identifier must be unique within the Relying Party's system. If the Organisation ID is set for a user multiple times, the title, identifier name and the identifier will be overridden and the last ones will be active.
The method is called using HTTP POST through the URLs below:
System | Method endpoints |
---|---|
Test | https://services.test.frejaeid.com/organisation/management/orgId/1.0/initAdd |
Production | https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd |
The parameter of the method is a Base64 UTF8-encoded JSON payload according to the following:
Parameter name | Value | |
---|---|---|
initAddOrganisationIdRequest | { "userInfoType":"User info type", "userInfo":"User information corresponding to user info type", "minRegistrationLevel":"Minimum required registration level of a user", "expiry":"Expiry time for the request", "organisationId": { "title":"Title of the Organisation ID to be displayed to the end user", "identifierName":"Name of specific organisation identifier", "identifier":"Value of specific organisation identifier" } } userInfoType: string, mandatory. Describes the type of user information supplied to identify the end user. Currently one of:
userInfo: string, mandatory, 256 characters maximum. If userInfoType is EMAIL or PHONE, interpreted as a string value of the email or telephone number of the end user, respectively. If userInfoType is SSN, then it must be a Base64 encoding of the ssnuserinfo JSON structure described below. Note: If userInfoType is PHONE, the userInfo value MUST be in the form of: "+4673*******"; the leading plus '+' is present whereas the leading zero from the mobile phone operator code '0' is not. (See example below) Note: The combination of userInfoType INFERRED and userInfo N/A is used when the user is being authenticated by scanning a QR code. For more details please see Implementation - Troubleshooting and Best Practices. | |
ssnuserinfo | { "country":"Country of SSN", "ssn":"Social security number of the end user" } country: string, mandatory. Contains the ISO-3166 two-alphanumeric country code of the country where the SSN is issued. In the current version of Freja eID, one of: ''SE'' (Sweden), ''NO'' (Norway), ''FI'' (Finland), ''DK'' (Danmark).
| |
minRegistrationLevel: string, optional. Minimum required registration level of a user in order to approve/decline transaction for adding Organisation eID. Can be EXTENDED or PLUS. If not present, default level will be EXTENDED. expiry: long, optional. Describes the time until which the Relying Party is ready to wait for the user to confirm the initAddOrganisationId request. Expressed in milliseconds since January 1, 1970, 00:00 UTC. Minimum value is current time +2 minutes, maximum value is current time +30 days. If not present, defaults to current time +7 days. | ||
organisationId | { "title":"Title of the Organisation ID to be displayed to the end user", "identifierName":"Name of specific organisation identifier", "identifier":"Value of specific organisation identifier" } title: string, mandatory, 20 characters maximum. The title of the Organisation ID which will be displayed to the end user in the app, on the Organisation ID card and the Organisation ID screen itself. identifierName: string, mandatory, 25 characters maximum. The name of the specific organisation identifier to be set for the end user. identifier: string, mandatory, 128 characters maximum. The value of the specific organisation identifier to be set for the end user. Must be unique within the requesting relying party system inside the Freja eID service. |
Example request with userInfoType set to EMAIL: |
---|
If you wish to initiate an 'Add Organisation ID' request for a user with an email address joe.black@verisec.com, follow these steps:
The HTTP body should be the following (compact format, line broken for clarity only): initAddOrganisationIdRequest=eyJ1c2VySW5mb1R5cGUiOiJFTUFJTCIsInVzZXJJbmZvIjoiam9lLmJsYWNrQHZlcmlzZWMuY29tIiwibWl uUmVnaXN0cmF0aW9uTGV2ZWwiOiJFWFRFTkRFRCIsImV4cGlyeSI6MTUxNzUyNjAwMDAwMCwib3JnYW5pc2F0aW9uSWQiOiB7ICJ0aXRsZSI6IlZ lcmlzZWMgSUQiLCAiaWRlbnRpZmllck5hbWUiOiJEb21haW4gbmFtZSIsICJpZGVudGlmaWVyIjoidmVqb2RvZSIgfX0= |
Example request with userIntoType set to PHONE: |
---|
If you wish to initiate an 'Add Organisation ID' request for a user with a phone number '+46731234567':
The HTTP body should be the following: initAddOrganisationIdRequest=eyJ1c2VySW5mb1R5cGUiOiJQSE9ORSIsInVzZXJJbmZvIjoiKzQ2NzMxMjM0NTY3IiwibWluUmVnaXN0cmF 0aW9uTGV2ZWwiOiJFWFRFTkRFRCIsImV4cGlyeSI6MTUxNzUyNjAwMDAwMCwib3JnYW5pc2F0aW9uSWQiOiB7ICJ0aXRsZSI6IlZlcmlzZWMgSUQ iLCAiaWRlbnRpZmllck5hbWUiOiJEb21haW4gbmFtZSIsICJpZGVudGlmaWVyIjoidmVqb2RvZSIgfX0= |
Example request with userIntoType set to SSN: |
---|
If you wish to initiate an 'Add Organisation ID' request for a user with an SSN '198905218072' and country 'SE':
The HTTP body should be the following: initAddOrganisationIdRequest=eyJ1c2VySW5mb1R5cGUiOiJTU04iLCJ1c2VySW5mbyI6ImV5SmpiM1Z1ZEhKNUlqb2lVMFVpTENKemMyNGl PaUl4T1RnNU1EVXlNVGd3TnpJaWZRPT0iLCJtaW5SZWdpc3RyYXRpb25MZXZlbCI6IkVYVEVOREVEIiwiZXhwaXJ5IjoxNTE3NTI2MDAwMDAwLCJ vcmdhbmlzYXRpb25JZCI6IHsgInRpdGxlIjoiVmVyaXNlYyBJRCIsICJpZGVudGlmaWVyTmFtZSI6IkRvbWFpbiBuYW1lIiwgImlkZW50aWZpZXI iOiJ2ZWpvZG9lIiB9fQ== |
Example request with userIntoType set to INFERRED: |
---|
If you wish to initiate an 'Add Organisation ID' request for a user via a QR code:
The HTTP body should be the following: initAddOrganisationIdRequest=eyJ1c2VySW5mb1R5cGUiOiJJTkZFUlJFRCIsInVzZXJJbmZvIjoiTi9BIiwibWluUmVnaXN0cmF0aW9uTGV 2ZWwiOiJFWFRFTkRFRCIsImV4cGlyeSI6MTUxNzUyNjAwMDAwMCwib3JnYW5pc2F0aW9uSWQiOiB7ICJ0aXRsZSI6IlZlcmlzZWMgSUQiLCAiaWR lbnRpZmllck5hbWUiOiJEb21haW4gbmFtZSIsICJpZGVudGlmaWVyIjoidmVqb2RvZSIgfX0= |
Possible errors returned by the method are the following:
Return code | Explanation |
---|---|
1001 | Invalid or missing userInfoType. |
1002 | Invalid or missing userInfo. |
1004 | You are not allowed to call this method. |
1005 | The user has not enabled your service. |
1007 | Invalid min registration level. |
1008 | Unknown Relying Party. |
1009 | You are not allowed to request integratorSpecificUserId parameter. |
1010 | JSON request cannot be parsed. |
4000 | Invalid or missing Organisation ID identifier. |
4002 | This Organisation ID identifier is already used. |
4003 | Invalid expiry. |
4004 | Invalid or missing Organisation ID title. |
4005 | Invalid or missing Organisation ID identifier name. |
4006 | Invalid or missing Organisation ID. |
If HTTP 200 is returned from the method, the following return value will be present in the body of the response:
JSON Response Value in body |
---|
{ "orgIdRef":"Reference to be submitted in getOneResult method" } orgIdRef: string, mandatory. A reference unique to the transaction, that can be used to query the result of a specific transaction for adding Organisation ID(see Get One Organisation ID Result method below). |
Get One Organisation ID Result method
The method is called using HTTP POST through the URLs below:
System | Method endpoint |
---|---|
Test | https://services.test.frejaeid.com/organisation/management/orgId/1.0/getOneResult |
Production | https://services.prod.frejaeid.com/organisation/management/orgId/1.0/getOneResult |
The parameter of the method is a Base64 UTF8-encoded JSON payload according to the following:
Parameter name | Value | |
---|---|---|
getOneOrganisationIdResultRequest | { "orgIdRef":"Organisation ID reference" } orgIdRef: string, mandatory. The value must be equal to a reference previously returned from a call to the Initiate Add Organisation ID method. The time period during which a specific reference is available for checking will depend on the longevity of the operation (see the expiry parameter in the Initiate Add Organisation ID method) and is calculated as the expiry time plus 3 days. |
Example request: |
---|
If you wish to fetch an Organisation ID result with the reference previously returned from a call to initAddOrganisationIdRequest (for a user with an email address: joe.black@verisec.com), follow these steps:
The HTTP body should be the following (compact format, line broken for clarity only): getOneOrganisationIdResultRequest=eyJvcmdJZFJlZiI6IlRyTEE5emR4Q0JsTk9RTnZrZGhBTTE0bUptbEwyMGRpZ0M3K1FnRVZSd21FN1NIOFFtMHN3V0 ljNndoZkttNFkifQ== |
Possible errors returned by the method are the following:
Return code | Explanation |
---|---|
1004 | You are not allowed to call this method. |
1008 | Unknown Relying Party. |
1100 | Invalid reference (for example, nonexistent or expired). |
If HTTP 200 is returned from the method, the following return value will be present in the body of the response:
JSON Response Value in body | |
---|---|
Response body | { "orgIdRef":"Organisation ID reference", "status":"Status of Organisation ID transaction", "details":"Signed data, see below" } orgIdRef: string, mandatory. The reference of the Add Organisation ID request. status: string, mandatory. One of:
details: A signed object (see below), optional. Provides details and evidence of the signing if status was equal to APPROVED. |
details | The content of this response element will contain a JWS in compact serialised form as following: BASE64URL(UTF8(JWS Protected Header)) || ’.’ || BASE64URL(JWS Payload) || ’.’ || BASE64URL(JWS Signature) JWS Protected Header { "x5t": "SHA-1 digest of the signing certificate", "alg": "Algorithm used to secure the JWS" } x5t: mandatory, Base64URL encoding of the certificate's SHA-1 digest. JWS Payload { "orgIdRef":"Organisation ID reference", "status":"Status of Organisation ID transaction", "userInfoType":"User info type", "userInfo":"User information corresponding to user info type", "minRegistrationLevel":"Minimum required registration level of a user", "timestamp":"Time when transaction was approved by end user", "signatureType":"Signature type", "signatureData":{ "userSignature":"The signature produced by the end user", "certificateStatus":"Evidence of end-users certificate status" } } orgIdRef: See orgIdRef above. status: See status above. userInfoType: See userInfoType as described in Initiate Add Organisation ID method. userInfo: See userInfo as described in Initiate Add Organisation ID method. minRegistrationLevel: See registrationLevel as described in Initiate Add Organisation ID method. timestamp: long, mandatory. Describes the time when the confirmation by the end user was validated on Freja eID server side. Expressed in milliseconds, since January 1, 1970, 00:00 UTC. signatureType: string, mandatory. For the Organisation ID service, this field has value SIMPLE. See signatureType as described in Signature Services. signatureData: see fields below, mandatory. userSignature: the produced signature, string, mandatory. Contains the user's signature in the requested format. The user's signature will implicitly contain the signed text which will contain Organisation ID identifier set to the user. certificateStatus: Base64 string, mandatory. Contains the OCSP response regarding the state of the user certificate at the time of validating the signature. |
Cancel Add Organisation ID method
This method is used by a Relying Party to cancel an 'Add Organisation ID' request.
The method is called using HTTP POST through the URLs below:
System | Method endpoints |
---|---|
Test | https://services.test.frejaeid.com/organisation/management/orgId/1.0/cancelAdd |
Production | https://services.prod.frejaeid.com/organisation/management/orgId/1.0/cancelAdd |
The parameter of the method is a Base64 UTF8-encoded JSON payload according to the following:
Parameter name | Value | |
---|---|---|
cancelAddOrganisationIdRequest | { "orgIdRef":"Organisation ID reference" } orgIdRef: string, mandatory. The value must be equal to an Organisation ID reference previously returned from a call to the Initiate Add Organisation ID method. |
Example request: |
---|
If you wish to cancel an Add Organisation ID request, follow these steps:
The HTTP body should be the following (line broken for clarity only): cancelAddOrganisationIdRequest=eyJvcmdJZFJlZiI6IlRyTEE5emR4Q0JsTk9RTnZrZGhBTTE0bUptbEwyMGRpZ0M3K1FnRVZSd21FN1NIOFFtMHN3V0ljNndoZkttNFkifQ== |
Possible errors returned by the method are the following:
Return code | Explanation |
---|---|
1004 | You are not allowed to call this method. |
1008 | Unknown Relying Party. |
1100 | Invalid reference (for example, nonexistent or expired). |
If HTTP 200 is returned from the method, the request was successfully fulfilled.
Delete Organisation ID method
This method is used by a Relying Party to delete an Organisation ID identifier from a user. Note that this method is not to be used if you wish to change the Organisation ID title or identifier name. This is done by calling again Initiate Add Organisation ID method.
The method is called using HTTP POST through the URLs below:
System | Method endpoints |
---|---|
Test | https://services.test.frejaeid.com/organisation/management/orgId/1.0/delete |
Production | https://services.prod.frejaeid.com/organisation/management/orgId/1.0/delete |
The parameter of the method is a Base64 UTF8-encoded JSON payload according to the following:
Parameter name | Value |
---|---|
deleteOrganisationIdRequest | { "identifier":"Value of specific organisation identifier" } identifier: string, mandatory, 128 characters maximum. The specific organisation identifier to be deleted. |
Example request |
---|
If you wish to delete an Organisation ID identifier from a user, follow these steps:
The HTTP body should be the following (line broken for clarity only): deleteOrganisationIdRequest=eyJpZGVudGlmaWVyIjoidmVqb2RvZSJ9 |
Possible errors returned by the method are the following:
Return code | Explanation |
---|---|
1004 | You are not allowed to call this method. |
1008 | Unknown Relying Party. |
4000 | Invalid or missing Organisation ID identifier. |
4001 | There is no user for given Organisation ID identifier. |