Certain operations can be used without customer authentication. This affects the use case “account application” (see SetAccountApplication) as well as other operations, e.g. GetBicFromIban.
Operations related to a certain user (person / bank customer) require one of the following session management mechanisms. Which one is relevant to you depends on how the web service consumer is integrated.
This session management mechanism is meant for web service consumers that need full control of the core banking system and implement their own user authentication (customer login, clearance of user transactions).
In order to use web service operations without any session identifier, you must add the PersonNumber element within the SOAP header (namespace http://www.efdis.de/ob-sf-api/). The backend will use this PersonNumber to aggregate all relevant contracts and accounts for the response to your request.
The person number must represent a valid customer of the bank. It is not possible to use unauthorized third-party accounts, i.e. accounts that are not legitimated under the person provided.
Transactions can be released using the ReleaseTransaction operation. This is a replacement for the TAN operations, which are used in server-side session management.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ob="http://www.efdis.de/ob-sf-api/" ...>
  <soapenv:Header>
    <ob:PersonNumber>1234</ob:PersonNumber>
  </soapenv:Header>
  <soapenv:Body>
    ...
  </soapenv:Body>
</soapenv:Envelope>
This session management mechanism is meant for web service consumers that want to use the PIN and TAN mechanisms of EFDIS.ONLINE.
In order to use web service operations, it is first required to log in with a valid EFDIS.ONLINE account, see the GetUser operation. On success, the web service generates a session identifier and returns it within the SOAP header SessionId (namespace http://www.efdis.de/ob-sf-api/). The web service consumer can then send the SOAP header back within each subsequent request.
The session identifier gets invalidated with the SetUserLogout operation or when a failure of response type FATAL occurs.
The EFDIS.ONLINE account can be activated in EFDIS.FORMS. Usually, this is done in combination with a welcome letter for the customer.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ob="http://www.efdis.de/ob-sf-api/" ...>
  <soapenv:Header>
    <ob:SessionId>1234</ob:SessionId>
  </soapenv:Header>
  <soapenv:Body>
    ...
  </soapenv:Body>
</soapenv:Envelope>
Transactions can be released with the GetTan and UseTan operations. The TAN method must have been initialized. For example, it is required to have a phone number stored in the database for the mTAN method.
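One way a consumer could build either identity header (PersonNumber or SessionId) and read the SessionId back from a response, added here as an example and not taken from the EFDIS documentation or code. Because the backend acts on whatever PersonNumber the header carries, that value should come from the consumer's own authenticated login state rather than from request input. Assumptions: ExampleRequest and ExampleResponse are placeholder body elements, and person numbers are taken to be digits only.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OB_NS = "http://www.efdis.de/ob-sf-api/"  # header namespace given on the page
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ob", OB_NS)


def build_envelope(body, *, person_number=None, session_id=None):
    """Serialize a request carrying exactly one identity header."""
    if (person_number is None) == (session_id is None):
        raise ValueError("set exactly one of person_number or session_id")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    if person_number is not None:
        # Assumption: person numbers are ASCII digits, as in the page's sample.
        if not re.fullmatch(r"[0-9]+", str(person_number)):
            raise ValueError("person_number must be numeric")
        ET.SubElement(header, f"{{{OB_NS}}}PersonNumber").text = str(person_number)
    else:
        # ElementTree escapes the value, so markup in it cannot add headers.
        ET.SubElement(header, f"{{{OB_NS}}}SessionId").text = session_id
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body)
    return ET.tostring(env, encoding="unicode")


def extract_session_id(response_xml):
    """Return the SessionId from a response's SOAP header, or None."""
    node = ET.fromstring(response_xml).find(
        f"{{{SOAP_NS}}}Header/{{{OB_NS}}}SessionId")
    return node.text.strip() if node is not None and node.text else None


# Constructed sample response; the body element name is a placeholder.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ob="{OB_NS}">
  <soapenv:Header><ob:SessionId>1234</ob:SessionId></soapenv:Header>
  <soapenv:Body><ob:ExampleResponse/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    sid = extract_session_id(SAMPLE_RESPONSE)
    request = ET.Element(f"{{{OB_NS}}}ExampleRequest")  # placeholder operation
    print(build_envelope(request, session_id=sid))
```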