- PSD2
- Sandbox
Excellent question! So you are looking for the inside story, right? There are a few things to be aware of. Here are useful pointers and hints, and feel free to drop us a line at fintech@landsbankinn.is if further info is needed:
1. If you are not a registered TPP with Salt Edge (our TPP vendor), you need to register first. If you are already a registered TPP, continue to step 2.
   a. To register as a TPP, the first thing you must do is get a valid eIDAS certificate.
   b. We used this solution: https://github.com/payoneer/Psd2CertificateGenerator, but there are others available.
   c. When creating your certificate you must select a name and an organization ID, as they will be used when registering as a TPP with Salt Edge.
   d. Let's say for demo purposes that we have selected the TPP name "DEMO TPP USER" for the cert and the organization ID "PSDIS-FME-TPP001". This information is important, as we will use it later.
   e. Once you have created your cert, you use it as part of the registration. Please note that, for our own ease of use, we created a .pfx (PKCS#12) file holding the certificate and its private key for our communication.
   f. To register, you make an API POST call to: https://priora.saltedge.com/api/berlingroup/v1/tpp/register
   g. The body you need to send in is the following:
   h. The headers required for this call are X-Request-ID, Digest, Date, TPP-Signature-Certificate and Signature (note that TPP-Signature-Certificate refers to the public certificate, never the private key):
      - X-Request-ID is a unique id for your call, e.g. a GUID.
      - Digest is a hashed and encoded value of the body of the API call: hash the serialized body (the exact bytes you send) with SHA-256 and base64-encode the result. Only the Signature header uses RSA; the Digest is a plain hash.
      - Date is just the date of the call, in the following format: "Fri, 04 Feb 2022 17:16:59 GMT"
      - TPP-Signature-Certificate is the cert whose private key signs the message, i.e. the cert created in 1.a-d.
      - Signature is the signed value of the message and is constructed in the following way:
        Signature keyId="SN=serialNumberOfYourCert,DN=/organizationIdentifier=identifierOfYourOrganisation/CN=CommonNameAndTypeOfYourCert CA/O=TheTPPNameYouSelected/C=YourCountryCode",algorithm="rsa-sha256",headers="digest date x-request-id",signature=""
        Based on our examples from above, your string would then look like this:
        Signature keyId="SN=serialNumberOfYourCert,DN=/organizationIdentifier=PSDIS-FME-TPP001/CN=CommonName QWAC CA/O=DEMO TPP USER/C=YourCountryCode",algorithm="rsa-sha256",headers="digest date x-request-id",signature=""
        Please note that tools usually print the serial number of your certificate in hex; it needs to be converted to decimal to be usable as the SN value here.
        The signature property at the end of the string is populated by signing (not encrypting) a string built from the digest, date and x-request-id values, in the order listed in the headers parameter. So you will construct a string from those three values in this format:
        Please note that the parts of the string need to be separated by an end-of-line symbol, i.e. \n.
        That string then needs to be:
        - signed with the private key belonging to your certificate, using RSA with SHA-256 (the rsa-sha256 algorithm named in the header),
        - converted to a Base64 value,
        - set as the value of signature="" in the Signature header shown above.
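The construction above, worked through end to end with OpenSSL. This is an added example, not Landsbankinn's or Salt Edge's tooling, and the .pfx route mentioned in the text is replaced by a PEM private key. It creates a self-signed test certificate carrying the demo identity (the same kind of certificate the test-certificate FAQ further down on this page describes), converts the serial from hex to decimal for SN=, hashes the body, signs the three covered headers and verifies the signature locally against the certificate's public key before anything is sent. Two details are assumptions not stated on this page and should be checked against the Salt Edge documentation: the Digest value is written with the "SHA-256=" label (RFC 3230 style), and the signing string follows the HTTP Signatures draft (draft-cavage) form of one "name: value" line per covered header. The request body is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Landsbankinn's or Salt Edge's code): build and self-check
# the Digest/Signature headers for the Salt Edge TPP registration call.
# Needs OpenSSL >= 1.1.1 (knows the organizationIdentifier attribute) and bc
# only for serials longer than 15 hex digits.
set -eu

# Certificate serial as printed by `openssl x509 -serial` (hex) -> decimal for
# the SN= part of keyId. printf '%d' is 64-bit only; real eIDAS serials are
# usually 16-20 bytes, so those go through bc (arbitrary precision).
hex_to_dec() {
  h=$(printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF')
  if [ "${#h}" -le 15 ]; then printf '%d' "0x$h"; else printf 'ibase=16; %s\n' "$h" | bc; fi
}

# Digest header: base64(SHA-256(body)) over the exact bytes that will be sent.
# The "SHA-256=" label is an assumption (RFC 3230 / Berlin Group style).
make_digest() {
  printf 'SHA-256=%s' "$(printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A)"
}

# keyId in the format the page gives: SN=<decimal serial>,DN=/organizationIdentifier=.../CN=.../O=.../C=...
make_key_id() {  # $1 cert.pem  $2 orgId  $3 CN  $4 O  $5 C
  ser=$(openssl x509 -in "$1" -noout -serial)
  printf 'SN=%s,DN=/organizationIdentifier=%s/CN=%s/O=%s/C=%s' \
    "$(hex_to_dec "${ser#serial=}")" "$2" "$3" "$4" "$5"
}

# Signing string: the covered headers in the order of headers="digest date x-request-id",
# lowercase names, "\n"-separated, NO trailing newline (assumed draft-cavage form).
signing_string() {  # $1 digest  $2 date  $3 x-request-id
  printf 'digest: %s\ndate: %s\nx-request-id: %s' "$1" "$2" "$3"
}

# signature="...": RSA-SHA256 (PKCS#1 v1.5) over the signing string, base64 encoded.
sign_string() {  # $1 key.pem, then digest date x-request-id
  key=$1; shift
  signing_string "$@" | openssl dgst -sha256 -sign "$key" | openssl base64 -A
}

make_signature_header() {  # $1 keyId  $2 base64 signature
  printf 'keyId="%s",algorithm="rsa-sha256",headers="digest date x-request-id",signature="%s"' "$1" "$2"
}

# Local check before sending: verify with the public key taken from the very
# certificate that goes into TPP-Signature-Certificate. 0 only on "Verified OK".
verify_signature() {  # $1 cert.pem  $2 base64 signature, then digest date x-request-id
  cert=$1; sig=$2; shift 2
  t=$(mktemp -d)
  openssl x509 -in "$cert" -pubkey -noout > "$t/pub.pem"
  printf '%s' "$sig" | openssl base64 -d -A > "$t/sig.bin"
  if signing_string "$@" | openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig.bin" > /dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$t"
  return $rc
}

# Throwaway self-signed test certificate with the demo identity from the text.
# The serial is fixed here so the SN= conversion is reproducible.
make_test_cert() {  # $1 directory
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/key.pem" 2>/dev/null
  openssl req -x509 -new -key "$1/key.pem" -days 1 -set_serial 0x0123456789ABCD \
    -subj "/C=IS/O=DEMO TPP USER/CN=DEMO TPP USER QWAC/organizationIdentifier=PSDIS-FME-TPP001" \
    -out "$1/cert.pem" 2>/dev/null
}

# End to end: print the headers a registration request would carry.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d"
  body='{"app_name":"DEMO TPP USER"}'   # constructed placeholder, not the real registration body
  digest=$(make_digest "$body")
  date_hdr=$(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S GMT')
  req_id=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || openssl rand -hex 16)
  sig=$(sign_string "$d/key.pem" "$digest" "$date_hdr" "$req_id")
  key_id=$(make_key_id "$d/cert.pem" PSDIS-FME-TPP001 "DEMO TPP USER QWAC" "DEMO TPP USER" IS)
  verify_signature "$d/cert.pem" "$sig" "$digest" "$date_hdr" "$req_id"
  printf 'Digest: %s\nDate: %s\nX-Request-ID: %s\nSignature: %s\n' \
    "$digest" "$date_hdr" "$req_id" "$(make_signature_header "$key_id" "$sig")"
  rm -rf "$d"
}
demo
```

The two mistakes that cost the most time in practice are both caught by the local verify step: a trailing newline on the signing string (command substitution strips it, a heredoc adds it) and a Date value that was regenerated between signing and sending. Run the verify with the headers exactly as your HTTP client will emit them.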
2. If you are already registered as a TPP with Salt Edge, you can start using our PSD2 sandbox.
The paths to our PSD2 solutions are:
- Glossary
- PSD2
The status of a TPP defines its permissions and restrictions. The status is assigned automatically, based on the certificate uploaded and verified via the API. Note that a TPP can upload several certificates and choose a default one; the status is determined by the certificate marked as default.
There are four statuses:
- Test: Applies to TPPs using a test certificate as default. In Test status the TPP can use the sandbox instantly.
- Production: Production certificates are likewise uploaded or added via the API. Once a production certificate has been successfully verified, the TPP gains access to production by setting that certificate as default in the dashboard.
- Suspended: A TPP can be suspended manually by Salt Edge or Landsbankinn in case of abuse reports (e.g. from PSUs) or revocation of its certificate by the national competent authority. In this case the TPP loses access to every ASPSP environment.
- Blocked: A TPP with Production status can be blocked from using the production/sandbox environment if its certificate is revoked or expired; a TPP with Test status can be blocked from the sandbox environment on the same grounds. Salt Edge can completely block a TPP in case of abuse.
- Dashboard
- PSD2
After sign in, TPP is brought to the main page of the TPP Dashboard. The Dashboard is quite intuitive. Here’s a short review of its functionalities:
- Dashboard page – TPP status overview
- Providers Management – All available providers within Salt Edge PSD2 Compliance platform with option to request access to certain ASPSP (only with Live certificate, Sandboxes are accessible by default)
- Payments – payments initiated by the TPP's users
- Monitoring – latest activity
- Support Center – issue reporting system
- Team – add your teammates
- Settings – TPP details
- Software – app id, app secret, status, etc.
- Certificates – all added certificates (TPP can add new certificate using the API endpoint `POST /api/berlingroup/v1/tpp/certificates`)
- Consent management – consents created by the TPP's users towards the relevant banks
- PSD2
- Authentication
- Sandbox
In case you (the TPP) don't have a production eIDAS certificate, you can simply generate a test certificate and access the Landsbankinn sandbox.
Test certificates are self-signed certificates generated with OpenSSL, either by running a few commands or a script. Here are links to several instructions, but you can always search for others:
- Instruction 1: https://enablebanking.com/blog/2020/01/13/how-to-generate-eidas-certificate
- Instruction 2: https://www.baeldung.com/openssl-self-signed-cert
- Generator (check): https://github.com/payoneer/Psd2CertificateGenerator
Further information:
- An informative description of eIDAS and TPP identification under the PSD2 regulation.
- PSD2
- Glossary
An open banking system and PSD2 are not the same thing, but they are closely related. The term open banking refers to the API services that banks offer to customers and third parties. Banks choose to offer some of these services, while others are mandatory under regulation; the PSD2 services are the mandatory ones.
- PSD2
- Glossary
Strict requirements must be met to provide the service. Only licensed entities within the European Economic Area (EU and EFTA) can provide the new banking services; these can be, for example, financial technology companies. Such parties need a special operating licence from the financial supervisory authority of their country and must meet the detailed requirements set out in the new law and on the Financial Supervisory Authority's website.
- PSD2
- Authentication
- Glossary
These are the three main flows for implementing customer authentication (SCA), best described with examples:
- De-coupled flow
- The user is located at the fintech-solution's website and confirms the relevant action in Landsbankinn's app
- The user is located in Landsbankinn's online bank and confirms the relevant action in Landsbankinn's app
- Redirect flow
- The user is located at fintech-solution's website and is directed to Landbankinn's website to confirm the action and is then redirected back.
- The user is located in fintech-solution's app and confirms the relevant action in the Landbankinn's apps or website (also called app-to-app redirect)
- Embedded flow (this is the least used flow, partly due to lack of sufficient security: the user's credentials pass through the fintech solution instead of being entered directly with the bank)
- The user is located at fintech-solution's website and confirms the relevant action within the website that forwards the information to Landsbankinn for identification.
- The user is located in fintech-solution's app and confirms the relevant action within the app, that forwards the information to Landsbankinn for identification.
Landsbankinn only supports De-coupled and Redirect flows.
- Glossary
- PSD2
eIDAS certificates are qualified electronic certificates issued under the EU eIDAS regulation. They are used only by third parties (or banks acting as TPPs themselves) to identify and authenticate themselves to banks in PSD2-related communications and in other electronic banking communications in the European internal market.
- Glossary
- PSD2
RTS is the technical standard used in PSD2 communications. RTS stands for Regulatory Technical Standards.
- Glossary
- PSD2
ASPSP is the bank's role in the PSD2 world. ASPSP stands for Account Servicing Payment Service Provider.
- Glossary
- PSD2
AISP is the collective term for financial technology companies that show account statements in their apps and websites. AISP stands for Account Information Service Provider.
- Glossary
- PSD2
PISP is a common denominator of the financial technology companies that offer payment solutions in their apps and websites. PISP stands for Payment Initiation Service Provider.
- Glossary
- PSD2
TPP is the collective term for the financial technology companies that use these services, and stands for Third Party Provider.
- Glossary
- PSD2
PSU is the consumer, i.e. a shared customer of the bank and the financial technology company. PSU stands for Payment Service User and can be an individual, an employee of a company or institution, or any form of association.
- Glossary
- PSD2
Because the PSD2 regulatory framework is somewhat burdensome for the user experience, banks are allowed to waive SCA for certain actions under strict conditions. An example of an exemption is payments between a customer's own accounts, where the bank can choose to always omit SCA.
In general, banks do not apply exemptions, for various security-, monitoring- and reporting-related reasons.
- Glossary
- PSD2
With PSD2 came SCA, and with SCA came Dynamic Linking, abbreviated DL. When the customer confirms a payment, a unique authentication code is generated that is tied to that specific payment (its amount and payee). The code links the payment to the verification and plays a key role in letting the customer trace afterwards, for example in the online bank, how and when exactly they verified which payment.
- PSD2
The purpose is to increase competition and consumer protection in the financial market, as well as to promote product development and innovation in the payment market.
PSD2 is the European Parliament's response to consumers' calls for cheaper and smarter payment services, much as was done earlier with the opening up of the energy and telecommunications sectors. PSD2 came into Icelandic law as a European directive.
- Glossary
- PSD2
From 1 May 2022, more than just banks will be able to offer individuals and companies the main payment methods and bank account statements. This is a service that in Iceland has so far only been provided in online banks and banking apps. The innovation is the result of a regulation called PSD2.
- PSD2
- Sandbox
The sandbox does not contain any real data on customers. It only brings virtual access to certain of the bank's systems. Fintechs and other companies or entities in this sector can use the sandbox to learn how the bank's various actions work.
- PSD2
- Sandbox
In the sandbox, interested service providers can set up access to familiarize themselves with PSD2-related features using artificial data, such as consent handling, retrieve account information and transaction statements, test initiation of domestic and foreign payment, and more.
- PSD2
- Sandbox
- Follow the link from our front page, it will direct you to https://psd2.landsbanki.is
- Click TPP Registration and follow the instructions. Note that you register via the API, using Postman or an equivalent. The registration path is https://psd2.landsbanki.is/docs/berlingroup/landsbankinn_sandbox/certificates.
- Then you will receive a confirmation e-mail from Landsbankinn's PSD2 partner, Salt Edge.
- As a result you're granted with access to your own dashboard at https://priora.saltedge.com.
- Now you create test eIDAS certificate in order to connect to the sandbox and start conquering the world.
For troubleshooting or any assistance at all, create a ticket in the dashboard (https://priora.saltedge.com/clients/sign_in).
If needed, feel free to contact us at fintech@landsbankinn.is.
- Authentication
- Native APIs
- Sandbox
If you don't have your code-flow server up and running, this method can be used to generate an access token for calling an authenticated API.
1. Gather information
You will need the following information for your app:
- client_id – this is your app's "Consumer key"
- client_secret – this is your app's "Secret key"
- redirect_uri – this is your app's "OAuth redirect URL"
Since we are emulating the code-flow server, edit your app and set the OAuth redirect URL to: http://localhost/
2. Get an authorization code
To generate an authorization code, open the following URL in your browser. Be sure to replace {consumer_key} with your app's Consumer key.
https://authsandbox.landsbankinn.is/as/authorization.oauth2?client_id={consumer_key}&response_type=code&redirect_uri=http://localhost/&state=verifyMe&scope=profile+openid+customer+accounts+payments
Log in using one of our predefined sandbox users and grant the requested scopes. For this example you can use the following user:
User: jongunnars
Password: pVvfBnvZ8X0rjOtC70
You will then be redirected to a URL on localhost. From that URL copy the authorization code found in the code= query parameter (and check that the state= parameter still carries the value you sent):
http://localhost/?code=oZkLC20X1C9VYvt....TxuDWqrbepUNbF&state=verifyMe
3. Exchange the authorization code for an access token
Now exchange your authorization code for an access token. The code is single-use, and the redirect_uri in this call must be the same one used in step 2:
curl -X POST https://authsandbox.landsbankinn.is/as/token.oauth2 \
  -d 'grant_type=authorization_code' \
  -d 'code={authorization code copied from URL}' \
  -d 'redirect_uri=http://localhost/' \
  -d 'client_id={consumer_key}' \
  -d 'client_secret={consumer_secret}'
This will return your tokens:
{
  "access_token": "eyJhbGciOiJSUz...UhVobA",
  "refresh_token": "Eui8cZiBuC44C...BSh6iR",
  "id_token": "eyJhbGciOiJSUzI1Nr...2luGMA",
  "token_type": "Bearer",
  "expires_in": 7199
}
4. Use your token
Now you can call an authenticated API using the access token like this:
curl -X GET https://apisandbox.landsbankinn.is/Some/Authenticated/Service \
  -H 'Accept: application/json' \
  -H 'apikey: CxOAVlDYSyw1bIyYbbvCAKVG1zEKp14E' \
  -H 'Authorization: Bearer eyJhbGciOiJSUz...UhVobA'
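The same four steps as reusable shell functions. This is an added example, not Landsbankinn's code; only the endpoint URLs, redirect URL and scope string come from the walkthrough above. It adds the two things the manual version skips: the state parameter is a random per-request value that is checked when the redirect comes back (a fixed verifyMe gives no CSRF protection, since an attacker can craft a redirect URL carrying their own code), and the client secret is read from an environment variable and sent with --data-urlencode instead of being pasted into the command line. extract_code and access_token_from_json work offline on the redirect URL and the token reply; exchange_code and call_api are the network steps and need real sandbox credentials.

```shell
#!/bin/sh
# Added example (not Landsbankinn's code): the authorization-code flow from the
# walkthrough as shell functions. Only the URLs and scope come from the page.
set -eu

AUTH_BASE="https://authsandbox.landsbankinn.is/as"
API_BASE="https://apisandbox.landsbankinn.is"
REDIRECT_URI="http://localhost/"
SCOPES="profile+openid+customer+accounts+payments"

# state is the CSRF binding between the request you started and the redirect
# you receive; it must be unguessable and must be checked on return.
new_state() { openssl rand -hex 16; }

build_authorize_url() {  # $1 client_id  $2 state
  printf '%s/authorization.oauth2?client_id=%s&response_type=code&redirect_uri=%s&state=%s&scope=%s' \
    "$AUTH_BASE" "$1" "$REDIRECT_URI" "$2" "$SCOPES"
}

# One query parameter from a URL (first occurrence), empty if absent.
query_param() {  # $1 url  $2 name
  printf '%s' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Accept the code only if the returned state is the one we generated.
extract_code() {  # $1 redirect url  $2 expected state
  got=$(query_param "$1" state)
  if [ "$got" != "$2" ]; then
    echo "state mismatch: expected '$2', got '${got:-<none>}'; dropping code" >&2
    return 1
  fi
  code=$(query_param "$1" code)
  [ -n "$code" ] || { echo "no code in redirect URL" >&2; return 1; }
  printf '%s' "$code"
}

# Code -> tokens. Same redirect_uri as in the authorize step; the code is
# single use. CLIENT_SECRET comes from the environment so it never lands in
# shell history or `ps` output; --data-urlencode handles special characters.
exchange_code() {  # $1 client_id  $2 code
  curl -sS -X POST "$AUTH_BASE/token.oauth2" \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode "code=$2" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" \
    --data-urlencode "client_id=$1" \
    --data-urlencode "client_secret=${CLIENT_SECRET:?set CLIENT_SECRET in the environment}"
}

# Pull access_token out of the flat JSON object the token endpoint returns.
access_token_from_json() {  # $1 json
  printf '%s' "$1" | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Authenticated native API call: apikey header plus Bearer token.
call_api() {  # $1 path  $2 apikey  $3 access token
  curl -sS "$API_BASE$1" -H 'Accept: application/json' \
    -H "apikey: $2" -H "Authorization: Bearer $3"
}

# Interactive driver (needs a browser and real sandbox credentials):
#   CLIENT_SECRET=... sh this.sh <consumer_key> <apikey>
run() {
  st=$(new_state)
  echo "Open this in a browser, log in, then paste the localhost URL you land on:"
  build_authorize_url "$1" "$st"; echo
  read -r redirect
  code=$(extract_code "$redirect" "$st")
  tok=$(access_token_from_json "$(exchange_code "$1" "$code")")
  call_api /Some/Authenticated/Service "$2" "$tok"
}
if [ "$#" -eq 2 ]; then run "$@"; fi
```

The state check is the part worth keeping even in a throwaway script: without it, any URL pasted into step 2 is trusted, and the token you obtain may belong to someone else's authorization.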
- Errors and Bugs
- Glossary
If you have not found the answer to your question here, please mail it to us at fintech@landsbankinn.is and we will try to assist you.
- Authentication
- Native APIs
All our native APIs are open, i.e. they do not require authentication beyond your API key: put the key in a header called "apikey" whose value is the actual API key. In comparison, the PSD2 compliance APIs are not open.
- General
- Native APIs
Before you start you need to register as a user:
- If you are already registered, log in and start
- If you are not registered, register and start
- Glossary
- PSD2
The word "sandbox" is a fintech slang for testing environment. In our PSD2 sandbox you can retrieve account information and transaction statements, test domestic and foreign transfers and much more. With access to this data, it is possible to program solutions that "talk to" the bank's system.
- General
- Native APIs
To get access to the Landsbankinn Developer Portal, you first need a developer account. You can create one on the registration page. Once you have submitted your registration, we will send you an email with an activation link. Activate your account by following the link and you are ready to go! Go to Get started for further instructions about the development of your application.
- General
- Errors and Bugs
For a bug report or feature request, please drop us a line at fintech@landsbankinn.is.
If you're using the PSD2 sandbox, create a ticket at your PSD2 dashboard located at https://priora.saltedge.com.
- General
- Native APIs
- PSD2
- Sandbox
For Landsbankinn's native APIs, use apisandbox.landsbankinn.is. For production use openapi.landsbankinn.is.
For Landsbankinn's PSD2 APIs, follow these instructions.