/
How to get started as Signature Creation Application Service Provider (SCASP)

How to get started as Signature Creation Application Service Provider (SCASP)

Owned by Sissel Hoel
Last updated: Apr 28, 2025

A Signature Creation Application Service Provider (hereafter abbreviated SCASP) is the trust service provider providing a eSigning service to its customers.

Handling of documents and document formats are the responsibility of the SCASP. Authenticating the end users using their eID means is the responsibility of the IPSP. Creation and storing of the private signing key, the issuing of signing certificates and signing the hash of the document is the responsibility of the Server Signing Application Service Provider (SSASP)/Certificate Authority (CA), which is Buypass.

Signatures may be Qualified Electronic Signatures (QES) and/or Advanced Electronic Signatures (AdES).

The SCASP must enter into an agreement with an approved Identity Proofing Service Provider (hereafter abbreviated IPSP). The IPSP is responsible for authenticating the end user who is using their eID means to support the issuance of either a signing certificate, either an Qualified Certificate for creating a Qualified Electronic Signatures (QES) or a Non-Qualified Certificate for creating an Advanced Electronic Signatures (AdES) on the document. The document to be signed is presented by the SCASP.

 

Documentation

In order to hold the SCASP role, you and your organisation must look into the api-documentation to get familiar with the implementation towards BUYPASS AS as the Server Signing Application Service Provider (SSASP) - see BCSS - person signing (eSigning).

Available IPSPs are listed here https://buypassdev.atlassian.net/wiki/x/AgBsyw.

TIPS and FAQ is available at FAQ for Buypass eSigning service and the SCASP-role

 

Order forms and agreements to be filled in and signed before transition to PROD, and who are authorized to sign

  • Buypass Cloud Signature Services Order form and subscription terms with Appendices: Agreement between your organisation as SCASP and Buypass for the eSigning Service

    • Must be signed by a person that have the authorization to sign agreements on behalf of the organisation

  • Subscriber Agreement for Buypass Merchant Certificates: You will need a Merchant Certificate to be able to access the eSigning Service, see more information on Buypass BrukerstedsID

    • Can be signed by a representative of the IT-Operation or another person connected to the organisation

How to get started in the TEST/QA environment

We recommend integration and testing in the TEST/QA environment before going into PROD.

We will need from you:

  1. Your organisation number and organisation name according to an authoritative source, such as Brønnøysundregisteret in Norway, or likewise in other countries

  2. Contact details for a technical contact person; full name, email address and mobile phone number

  3. Redirect URIs for TEST (in TEST we allow for wildcards (*))

  4. Which IPSP you choose to use for authentication and identity-proofing of the end user

 

We will then:

  1. Prepare a client for your access to Buypass OIDC eSigning server in TEST/QA

  2. Prepare 2 Buypass ID on Smartcard issued to test persons (unless you already have Buypass eIDs for use in TEST/QA, or you are choosing a different IPSP)

 

And we will send (to the technical person):

  1. The client ID – by email

  2. A Buypass Merchant Certificate for client authentication towards the BCSS API - certificate by email and activation code via SMS

  3. 2 Buypass ID on Smartcard and 2 smartcard readers (unless you already have Buypass eIDs in TEST or have chosen a different IPSP) – by postal mail via the organisation’s postal address

 

 

 

How to get started in PROD

We will need from you:

  1. The filled in and signed Buypass Cloud Signature Services Order form – this will give us information about:

    1. Which IPSP you choose to use for authentication and identity-proofing of the end user

    2. What Signature quality to support (advanced electronic signature (AdES) or qualified electronic signature (QES))

    3. Contact information

  2. The filled in and signed Subscriber Agreement for Buypass Merchant Certificates

  3. Redirect URI(s) for PROD ( in PROD we do not allow for wildcards (*)).

  4. A demo of the solution in Test4/QA environment

 

We will then:

  1. Prepare a client for your access to Buypass OIDC eSigning server in PROD

  2. Connect you to the IPSP

 

And we will send:

  1. The client ID, this will be the same as for TEST – by email (to the technical person)

  2. A Buypass Merchant Certificate for client authentication towards the BCSS API in PROD (certificate by email and activation code via postal mail to a person which has been authorized in the Buypass Merchant Certificate Subscriber Agreement)