Fallback solution (Finland only)
A simple guide to help you understand our Finnish PSD2 fallback solution available to Third Party Providers.
General information
This technical documentation is intended for Third Party Providers (TPPs) who wish to access Handelsbanken's Finnish PSD2 Fallback Solution with screen scraping applications.
Before using our fallback solution, the TPP is required to enroll to gain access to our PSD2 Live Data. Subscription to PSD2 APIs is not needed however. Information about how to enroll can be found here:
Important info: If you would like to test or use our Fallback solution, please contact us first.
Contingency mechanism
1. Service location
The PSD2 fallback solution can only be accessed via the address https://www5.handelsbanken.fi/pankki
2. Login
In order to log into NetBank on behalf of a customer, a TPP has to sign the login request using a valid eIDAS QSEAL certificate. This signature proves that the TPP is legally allowed to act as a service provider. The login request to be signed, is the HTTP POST message generated from the username input form submission (or username/password when TAN list is used) on the NetBank login page.
Signing uses the same mechanism as used in the Berlin Group PSD2 API v1.3: [https://tools.ietf.org/html/draft-cavage-http-signatures-10"].
Headers that must be included in the login message are:
- Digest: SHA-256 or SHA-512 digest of the message content, as specified by the Berlin Group Implementation Guideline.
- X-Request-ID: UUID, as specified by the Berlin Group Implementation Guideline.
- TPP-Signature-Certificate: TPP's eIDAS QSEAL certificate, as specified by the Berlin Group Implementation Guideline. [NextGenPSD2 Framework - Implementation Guidelines]
- Signature: as specified by the Berlin Group Implementation Guideline (chapter 12.2), constructed from headers Digest, X-Request-ID and TPP-Redirect-URI.
The Digest and X-Request-ID headers must be included in the signature.
2.1 Example
The intention is that a screen scraping application, that otherwise acts like a regular browser, would augment the regular NetBank login operation with the specified HTTP headers.
In this example, we assume a TPP that logs in on behalf of a customer who has user identifier '00000000' and password 'password'.
The HTML form element in this login page instance has form identifier "id27" and thus the HTTP POST message is:
[id27_hf_0=&fakeUserKeyDoNotRemove11=&username=00000000&password=password&loginButton=1].
The SHA-256 digest generated from the message body is:
[SHA-256=RLCxP4W48XJU69Q22/glEa6BzmI9j77dM2qNFs53P0Q=].
A random UUID generated for the X-Request-ID is:
[fa2d5609-b5ba-4bd2-a4d4-254e69a2972e]
Thus the headers are (the actual signature and certificate below are truncated to be human readable):
-
Digest: SHA-256=RLCxP4W48XJU69Q22/glEa6BzmI9j77dM2qNFs53P0Q= Signature: keyId="SN=f3abe28bee1e8f10,CA=OID.2.5.4.97=PSDFI-ABC-123456, C=FI, O=Samlink, CN=PSD2",\ algorithm="rsa-sha512",\ headers="Digest X-Request-ID",\ signature="Ntxy.....Sg==" TPP-Signature-Certificate: MIIDDjCCAfYCCQDzq+KL7h6PEDANBg.....nRK7aXUSsmLQQDlMRtPHIbOR4sOzXX X-Request-ID: fa2d5609-b5ba-4bd2-a4d4-254e69a2972e
3. Restrictions
Access to NetBank is restricted to the following URL paths:
-
/pankki /pankki/kirjautuminen /pankki/kirjautuminen/avainluku /pankki/kirjautuminen/salasana-vaihto /pankki/lopeta /pankki/maksut /pankki/maksut/eraantyvat /pankki/maksut/eraantyvat/muokkaa /pankki/maksut/oma-tilisiirto /pankki/maksut/oma-tilisiirto/hyvaksytty /pankki/maksut/uusi/hyvaksytty /pankki/maksut/uusi/tiedot /pankki/maksut/vahvistaminen /pankki/maksut/vahvistaminen/muokkaa /pankki/maksut/vahvistaminen/ulkomaanmaksu/hyvaksytty /pankki/maksut/vahvistaminen/vahvistaminen-hyvaksytty /pankki/suljettu /pankki/tilit-ja-kortit /pankki/tilit-ja-kortit/kortit/debit-kortin-tiedot /pankki/tilit-ja-kortit/tilit/tili/maksutapahtumat /pankki/tilit-ja-kortit/tilit/tili/tilitiedot /pankki/uloskirjautunut /pankki/virhe