Userguide Preregistration - ENG

 

 

 

All Users who are to have a smartcard with qualified certificates (QC) and/or ID@Work must be preregistered at Buypass before certificates can be issued.

Preregistration is a verification of the User's personal information. The combination of full name and national identity number (FNR/DNR) is checked against the Norwegian National Registry of Persons (Folkeregisteret - FREG). The User MUST be registered in FREG and the combination of name and FNR/DNR must match; otherwise the Operator will get an error message in the Buypass Access Manager (BAM) client.

 

If the BAM client is configured in Mixed Mode, the User must be registered in the local AD before preregistration is possible.

If the BAM client is configured in Buypass Mode, the local AD is not used; the User is validated, checked and preregistered directly at Buypass.

 

There are several ways of preregistration:

  1. BAM-client: One by one – one User only

  2. BAM-client: Batch or mass preregistration – one or more Users simultaneously using file input

  3. SCIM API - see BAS SCIM API documentation

 


 

ONE user

RA-ADM must log on to the BAM client and start the function “Preregister user at Buypass” from the Administration menu.

Search for the correct user by entering one or more criteria in the search fields. The Operator must select only one user from the results list.

The BAM client Mode determines how the search is carried out and how data are collected and checked:

  1. Mixed Mode (issuance of both LC and QC): The search goes towards the local AD and Buypass in parallel, based on what is defined as IssuerKey *. The person must exist in AD. If the person is found at Buypass with this or another IssuerKey, or the IssuerKey is connected to another person, error messages are given about this.

  2. Buypass Mode (issuing only QC): The search goes only towards Buypass, based on what is defined as IssuerKey *. If the person is found at Buypass with this or another IssuerKey, or the IssuerKey is connected to another person, error messages are given about this.

*) See Master_Buypass in Configuration Application Tool.

 

Information to register:

  1. Username/IssuersKey (mandatory)

  2. FNR/DNR, firstname, lastname (mandatory)

  3. Email (optional)

  4. UPN - User Principal Name (optional) - new from 3.8.0

  5. Certificate type (mandatory) - new from 3.8.0 - the field is filled in with default values for the Organisation, so if the User is to have another combination, the Operator must change it

    1. ID@Work - Buypass ID in mobile for Users connected to the organisation, with centrally stored QC accessed from the User's Buypass mobile app

    2. QC in smartcard - Buypass ID with QC in the User's employee card

Legal values in a name are: a-zàáâãäåæèéêëìíîïñòóôõöøùúûüýÿA-ZÀÁÂÃÄÅÆÈÉÊËÌÍÎÏÑÒÓÔÕÖØÙÚÛÜÝ in addition to space, hyphen (-) and apostrophe (') - no digits

 

The national identity number (FNR/DNR) must be in the format:

  • Date of birth – 6 digits in the format ddmmyy

  • Personal identity number – 5 digits in the format nnnnn

 

After registration the Operator will get either OK or NOT OK in return. If NOT OK, the name and FNR/DNR must be checked. If the User is registered in AD, this entry must be checked before a new attempt. The combination must be correct and match what is registered in FREG.

NB! If an email is registered, it will be put in the Subject Alternative Name (SAN) field in the certificate (default).
NB! If UPN is registered, the Organisation itself must request that Buypass set up the certificate profile so that this is also put in the Subject Alternative Name (SAN) field in the certificate.

  Note that the example showing the SAN field of a certificate only shows what this will look like when both email and UPN are put in the certificate - the content is from a test environment and as you can see the fields are not matched correctly.

 

 

MORE users - batch

RA-ADM must log on to the BAM client and start the function “Batch preregistration” from the Administration menu.

The BAM client Mode determines how the search is carried out and how data are collected and checked:

  1. Mixed Mode (issuance of both LC and QC): The search goes towards the local AD and Buypass in parallel, based on what is defined as IssuerKey *. The person must exist in AD. If the person is found at Buypass with this or another IssuerKey, or the IssuerKey is connected to another person, error messages are given about this.

  2. Buypass Mode (issuing only QC): The search goes only towards Buypass, based on what is defined as IssuerKey *. If the person is found at Buypass with this or another IssuerKey, or the IssuerKey is connected to another person, error messages are given about this.

*) See Master_Buypass in Configuration Application Tool.


Batch preregistration uses two types of files: a) an input file, which is the source of information about each User, and b) a result file, which gives feedback from the preregistration.

 

 

From BAMv3.8.1

The number of attributes or information to be pre-registered for a User has been expanded, and to achieve the same extensions in batch pre-registration, the file format has been changed. We no longer support .CSV format, but have introduced .JSON and .XML format support.

 

  1. Username/IssuersKey (mandatory)

  2. FNR/DNR, firstname, lastname (mandatory)

  3. Email (optional)

  4. UPN - User Principal Name (optional)

  5. Certificate type (mandatory) - the field is filled in with default values for the Organisation, so if the User is to have another combination, the Operator must change it

    1. ID@Work - Buypass ID in mobile for Users connected to the organisation, with centrally stored QC accessed from the User's Buypass mobile app

    2. QC in smartcard - Buypass ID with QC in the User's employee card

 

The structure of the result file is the same as the input file with an addition of 2 fields:

  • IsProcessedSuccessfully - contains TRUE if pre-registration or update registration (see Update User information) is OK, otherwise it is set to FALSE

  • ResultMessage - contains OK if pre-registration or update registration is OK, otherwise an error message is received

The result file can be used as a new input file without removing these fields. All record lines with the IsProcessedSuccessfully = TRUE field will be ignored when loading.

In MixedMode, users must be registered in AD.

Email and UPN

  • If the fields EMAIL and UPN are not specified in the input file, the fields in the Buypass database will not be filled in 

  • NB! This means that EMAIL and UPN are not put as attributes in the SAN field of the certificates, if this is specified in certificate profile for Organisation 

Certificate types

  • The fields IsIdAtWorkIssueAllowed and IsSmartCardIssueAllowed must be specified in the input file

 

PreRegistration file structure with XML / JSON

XML

<Employees>
  <Employee>
    <EmployeeId>pehj</EmployeeId>
    <FirstName>PETRA PSA</FirstName>
    <LastName>HJORT</LastName>
    <SSN>08074900276</SSN>
    <Email>petra.hjort@buypass.no</Email>
    <UPN>pehj@buypass.no</UPN>
    <IsIdAtWorkIssueAllowed>false</IsIdAtWorkIssueAllowed>
    <IsSmartCardIssueAllowed>true</IsSmartCardIssueAllowed>
    <IsProcessedSuccessfully>false</IsProcessedSuccessfully>
    <ResultMessage></ResultMessage>
  </Employee>
</Employees>

 

JSON

[
  {
    "EmployeeId": "pehj",
    "FirstName": "PETRA PSA",
    "LastName": "HJORT",
    "SSN": "08074900276",
    "Email": "petra.hjort@buypass.no",
    "UPN": "pehj@buypass.no",
    "IsIdAtWorkIssueAllowed": false,
    "IsSmartCardIssueAllowed": true,
    "IsProcessedSuccessfully": false,
    "ResultMessage": ""
  },
  {
    "EmployeeId": "056bbk",
    "FirstName": "Lilian",
    ...... and so on...
  }
]
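
A pre-flight check for a JSON input file, added here as an example and not part of the BAM client or any Buypass tool: it applies the field rules stated in this guide (mandatory fields, legal name characters, 11-digit FNR/DNR, both certificate-type flags present) and skips records already marked IsProcessedSuccessfully = true, so a result file can be re-checked before it is reused. The function names and the sample records are assumptions constructed for the example; it checks format only and cannot confirm the match against FREG or AD.

```python
import json
import re

# Legal name characters as listed in this guide (no digits).
NAME_RE = re.compile(
    r"[a-zàáâãäåæèéêëìíîïñòóôõöøùúûüýÿA-ZÀÁÂÃÄÅÆÈÉÊËÌÍÎÏÑÒÓÔÕÖØÙÚÛÜÝ '\-]+")
# FNR/DNR format from this guide: ddmmyy followed by 5 digits.
SSN_RE = re.compile(r"[0-9]{11}")

def check_record(rec):
    """Return the problems found in one Employee record (empty list = OK)."""
    problems = []
    for field in ("EmployeeId", "FirstName", "LastName", "SSN"):
        value = rec.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: mandatory field missing")
        elif field.endswith("Name") and not NAME_RE.fullmatch(value):
            problems.append(f"{field}: illegal character")
        elif field == "SSN" and not SSN_RE.fullmatch(value):
            problems.append("SSN: expected 11 digits (ddmmyy + 5)")
    for field in ("IsIdAtWorkIssueAllowed", "IsSmartCardIssueAllowed"):
        if not isinstance(rec.get(field), bool):
            problems.append(f"{field}: must be specified as true/false")
    return problems

def preflight(json_text):
    """Map EmployeeId -> problems for each record the loader would process."""
    report = {}
    for i, rec in enumerate(json.loads(json_text)):
        if rec.get("IsProcessedSuccessfully") is True:
            continue  # ignored on load, so a result file can be re-checked
        problems = check_record(rec)
        if problems:
            report[rec.get("EmployeeId") or f"record #{i}"] = problems
    return report

# Constructed sample input: invented users and identity numbers.
SAMPLE = """[
 {"EmployeeId": "anna01", "FirstName": "Anne-Marie", "LastName": "O'Neil",
  "SSN": "01010112345", "IsIdAtWorkIssueAllowed": false,
  "IsSmartCardIssueAllowed": true},
 {"EmployeeId": "bob2", "FirstName": "B0b", "LastName": "Berg",
  "SSN": "0101011234", "IsSmartCardIssueAllowed": true},
 {"EmployeeId": "done1", "FirstName": "X1", "LastName": "Y", "SSN": "1",
  "IsProcessedSuccessfully": true, "ResultMessage": "OK"}
]"""

if __name__ == "__main__":
    for key, problems in preflight(SAMPLE).items():
        print(key, *problems, sep="\n  ")
```

Because input and result files contain national identity numbers, keep them and any report produced from them under the same access restrictions as the BAM client itself.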