As the SPS Signature Solution is hosted on WL secured servers, the integration only required for the creditor is to initialize a signature session using a web service, and retrieve the result on the server side.
Setup
To integrate the SPS Signature Solution, an account for the Creditor will be created, allowing him to configure its workflow.
A specific documentation describes the process to create a new creditor account.
An X509 digital certificate will be delivered to the creditor when subscribing to the service. The creditor has to use it to access platform and to digitally sign its web service calls, using industry standards formats (SOAP and WS-Security).
Creditor Account Configuration
It is important to note that the creditor’s global configuration has to be provided before the creditor initializes the signature session. This means that when a new creditor subscribes to SPS Signature Platform, he has to configure his account on the service by filling some parameters. These parameters will then be used as default values during the initialization of the signature session.
These parameters can be modified afterwards. Some of these parameters can be overwritten at the initialization of a new signature session, allowing the creditor to choose a simple OTP over SMS agreement scheme for an already known client.
| Parameter | Description | Over-writable |
|---|---|---|
| Creditor Id | Generated by the SPS Signature Platform | |
| Creditor Name | Creditor’s Name | |
| Creditor Address | Creditor’s Complete Address | |
| Creditor Email | Creditor’s email address. This email will be used as the sender address in case of SMS agreement scheme. | |
| Creditor Bank Account | SCI BIC + IBAN |
|
| Creditor SPS Account | SPS Account Id of the Creditor. (External Id) | |
| UMR Generation | UMR should be generated by SPS (yes/no) yes: The UMR of the mandate will be generated using SPS. If the creditor has several UMR models, only the default one is used. no: The UMR must be given by the creditor during the initialization of the session |
Y |
| SDD Schedule Generation | The SDD Schedule should be generated using the SPS signature platform with the information provided in the session initialization (yes/no) yes: The creditor has to provide the data required to generate the schedule of the SDD when initializing the session (dates, amounts, according to a given format) no: the schedule will be generated |
Y |
| Agreement Schemes Authorized | Multiple Choices between: Card Payment OTP over SMS OTP over EMAIL |
|
| Agreement Scheme | Represents one of the Agreement Schemes Authorized on the previous parameter (Card Payment, OTP over SMS) | Y |
| Type of signature | Represent the process allowed: Signature (with OUT certificate) or Validation (with organization certificate). Both are allowed in the same time, the default type is set by the next parameter | Y |
| Default signature type | If signature and validation process are allowed for a creditor, if nothing is passed in InitSession webservice parameter, the default is read for defining the process. | Y |
| Certificate information | In case of signature or validation, the certificate to use for authentication and for contacting the OUT servers has to be defined | Y |
| Callback URLs | URL OK + URL KO + URL Cancel | Y |
| Personalization | Title, Name, CSS and Logo of the Creditor | |
| Language | Language to be displayed in the session | Y |
| Wallet Usage | The Signature will look for active existing mandate in SPS |
Interactions between the Creditor and SPS Signature
Server-Side interactions:
The SPS Signature Platform offers several web services allowing the creditor to control the signature session as well as recovering its status and result.
The mandatory call is the initialization. In the other hand, the others calls are used to allow the creditor to fine-tune the user experience.
To facilitate the integration on its existing application, the Creditor does not need to store any identifier defined by the SPS Signature Platform. He is only required to ensure uniqueness on his side.
A specific documentation describes web services implementation.
| Signature Session initialization (Mandatory use) | |
| Actors | Creditor -> SPS Signature |
| Technology | SOAP request signed with the X509 Certificate given using WS-Security |
| Signature Get Session State (optional use) | |
| Actors | Creditor -> SPS Signature |
| Technology | SOAP request signed with the X509 Certificate given using WS-Security |
| Signature Cancel Session (optional use) | |
| Actors | Creditor -> SPS Signature |
| Technology | SOAP request signed with the X509 Certificate given using WS-Security |
Focus on InitSession():
Once the creditor’s global configuration is provided and stored in the SPS Signature Platform, the web service processes all the parameters (Sign Session Initialization table) that the creditor is sending to the SPS Signature Platform. These parameters will be stored it in the session configuration. During this step, SPS Signature Platform receives the debtor personal information and the transaction Id given by the creditor. This information will be then used to allow the SPS Signature Platform to create a new mandate or to verify it if a mandate already exists for the debtor. A session is therefore identified using the Creditor Id and unique Id given by
the creditor, avoiding the creditor to store another identifier if he uses its own transaction Id.
There are some parameters in the session configuration that will be gathered from two locations; from the web service initialization call and from the creditor’s global configuration. As it is possible to see in the Sign Session Initialization table, these parameters are: Creditor Id, Creditor Bank Account, Agreement Scheme, SIPS Configuration, and the Callbacks URLs. Each one of the parameters can override the one before, allowing a different configuration for each session.
Client-Side Interactions:
| Redirection of the Debtor to the SPS Signature | |
| Actors | Debtor (on Creditor Platform) -> Debtor (on SPS Signature Platform) |
| Technology | Standard HTTPS redirection to the URL provided by SPS Signature on the Init call. |
| Redirection of the Debtor to the Creditor after a successful signature | |
| Actors | Debtor (on SPS Signature Platform) -> Debtor (on Creditor Platform) |
| Technology | Standard HTTPS redirection to the URL given by the Creditor on the Init call. (A ticket is sent to the creditor if the creditor wishes (cf. End Ticket). The Creditor additionally has to verify the signature session’s state before considering that the signature succeed due to security concerns). |
| Redirection of the Debtor to the Creditor after a failed signature | |
| Actors | Debtor (on SPS Signature Platform) -> Debtor (on Creditor Platform) |
| Technology | Standard HTTPS Redirection to the URL given by the Creditor on the Init call. (A ticket is sent to the creditor if the creditor wishes (cf. End Ticket). The Creditor additionally has to verify the signature session’s state before considering that the signature failed due to security concerns) |
End ticket (post):
As explained previously, if the creditor wishes, SPS Signature could send the creditor the details about the transaction.
A specific documentation describes web services implementation.
Security Consideration
In order to ensure the security of the global process the solution uses various technologies.
Between the SPS Platform and the Creditor
As previously explained, the exchange between the Creditor and the SPS Platform is done using mutual certificate authentication.
After subscribing to the service, the Creditor will be able to withdraw its server certificate on the Mediacert platform, a public-key infrastructure service of Atos Worldline.
Between the SPS Platform and the End User
The generated URL that allows the Creditor to redirect the user to the SPS Platform uses tokens that are generated and encrypted using strong algorithms. It ensures that a token cannot be reused afterwards or intercepted.
Evidence Collection and Archiving
The components of the SPS Signature platform are designed to generate different pieces of evidence and send them to the tracer module. The objective of this process is to get the smallest time span between the generation and the registration of the evidence. These pieces are centrally collected in the Tracer module to ensure that they are not lost during the signature process. A signature session will not be flagged as successful until the evidence is completed.
Once the Signature process is successful, the pieces of evidence are sent to the Worldline Archiving platform. This solution ensures the preservation of its legal value.
Statistics
The SPS Signature platform generates statistics on a monthly basis containing information on the different sessions created by the Creditor.
This statistics will contain the number of sessions, the number of successfully signed mandates, and the number of failures. That data will be available for every agreement method chosen.