This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Using the Signup Workflow for UK

Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via bank APIs.

Before TPPs are onboarded and connected with the banks, they are subjected to thorough verification. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

This page explains how to try out a sample TPP onboarding process.

Prerequisites

  1. Download WSO2 Enterprise Integrator (WSO2 EI) 6.6.0 and unzip the file.
  2. Set the path (WSO2EI_PATH) and hostname (EI_HOSTNAME) to WSO2 EI in the <WSO2_OB_APIM_HOME>/repository/resources/finance/script/startup.properties file.

    If you are using Microsoft SQL Server or Oracle, create the bpsdb and bps_configdb databases.

  3. Go to the <WSO2_OB_APIM_HOME>/repository/resources/finance/scripts/wso2ei-bps directory and give execution permissions to the configure-bps.sh file.

  4. Run configure-bps.sh.

  5. Add the Business Process Execution Language (BPEL) and human task workflows using the web interface:
    1. Log in to https://<WSO2_EI_HOSTNAME>:9445/carbon

      Sign in as a super admin. Default credentials are:
        • Username: admin@wso2.com
        • Password: wso2123

    2. Click Main → Manage → Processes → Add BPEL and select Upload to upload the BPEL workflows:
      1. ApplicationRegistrationWorkflowProcess_1.0.0.zip
      2. UserSignupApprovalProcess_1.0.0.zip
    3. Click Main → Manage → Human Tasks → Add and select Upload to upload the human task workflows:
      1. UserApprovalTask-1.0.0.zip
      2. ApplicationRegistrationTask-1.0.0.zip
  6. Change the URL of WSO2CARBON_DB in <WSO2_EI_HOME>/wso2/business-process/conf/datasources/master-datasources.xml to an explicit relative path.

    Sample configuration:
    <url>jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
  7. Add the JDBC drivers to <WSO2_EI_HOME>/lib.
  8. Navigate to the <WSO2_EI_HOME>/wso2/business-process/bin directory, and execute the following command:

    ./wso2server.sh -Dsetup
  9. Sign in to the API management console https://<WSO2_OB_APIM_HOST>:9443/carbon.

    Sign in as a super admin. Default credentials are:
      • Username: admin@wso2.com
      • Password: wso2123

  10. Click Main → Resources → Browse.

  11. Navigate to the /_system/governance/apimgt/applicationdata/workflow-extensions.xml registry file.

  12. In the workflow-extensions.xml registry file, navigate to Content and click Edit as text.

  13. Add the following configurations under ProductionApplicationRegistration and UserSignUp in the registry file:

    <ProductionApplicationRegistration executor="com.wso2.finance.tpp.prodaccess.impl.TPPProdAccessWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/ApplicationRegistrationWorkFlowProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
    </ProductionApplicationRegistration>
    <UserSignUp executor="com.wso2.finance.tpp.signup.impl.TPPSignUpWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/UserSignupProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
        <Property name="aispRole">internal/aispRole</Property>
        <Property name="pispRole">internal/pispRole</Property>
        <Property name="piispRole">internal/piispRole</Property>
    </UserSignUp>
  14. Click Save Content.
  15. Add claim configurations:

    If you are starting the WSO2 OB IAM and WSO2 OB APIM servers for the first time or for a newly created tenant, follow the instructions given below. Otherwise, you need to add the claim configurations as external claims via the web interfaces as instructed here.

    Add the following claim configurations to the <WSO2_OB_IAM_HOME>/repository/conf/claim-config.xml and <WSO2_OB_APIM_HOME>/repository/conf/claim-config.xml files:

    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicName</ClaimURI>
        <DisplayName>Legal entity name</DisplayName>
        <AttributeID>pspName</AttributeID>
        <Description>Payment Service Providers name</Description>
        <DisplayOrder>11</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicCountryRegistration</ClaimURI>
        <DisplayName>Country of registration</DisplayName>
        <AttributeID>pspCountry</AttributeID>
        <Description>Country of registration</Description>
        <DisplayOrder>12</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAuthorizedNumber</ClaimURI>
        <DisplayName>Legal Entity Identifier (LEI) number</DisplayName>
        <AttributeID>pspAuthorizedNumber</AttributeID>
        <Description>Legal Entity Identifier (LEI) number</Description>
        <DisplayOrder>13</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterName</ClaimURI>
        <DisplayName>Company register</DisplayName>
        <AttributeID>pspRegisterCompany</AttributeID>
        <Description>Company register</Description>
        <Required />
        <DisplayOrder>14</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterNumber</ClaimURI>
        <DisplayName>Company registration number</DisplayName>
        <AttributeID>pspRegisterNumber</AttributeID>
        <Description>Company registration number</Description>
        <Required />
        <DisplayOrder>15</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAddressLine1</ClaimURI>
        <DisplayName>Address line 1</DisplayName>
        <AttributeID>pspRegisterAddressLine1</AttributeID>
        <Description>Address line 1</Description>
        <DisplayOrder>16</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAddressLine2</ClaimURI>
        <DisplayName>Address line 2</DisplayName>
        <AttributeID>pspRegisterAddressLine2</AttributeID>
        <Description>Address line 2</Description>
        <DisplayOrder>17</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterCity</ClaimURI>
        <DisplayName>City</DisplayName>
        <AttributeID>pspRegisterCity</AttributeID>
        <Description>City</Description>
        <DisplayOrder>18</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterPostalCode</ClaimURI>
        <DisplayName>Postal code</DisplayName>
        <AttributeID>pspRegisterPostalCode</AttributeID>
        <Description>Postal code</Description>
        <DisplayOrder>19</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterCountry</ClaimURI>
        <DisplayName>Country</DisplayName>
        <AttributeID>pspRegisterCountry</AttributeID>
        <Description>Country</Description>
        <Required />
        <DisplayOrder>20</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityCountry</ClaimURI>
        <DisplayName>Competent authority country</DisplayName>
        <AttributeID>pspCompetentAuthorityCountry</AttributeID>
        <Description>Competent authority country</Description>
        <DisplayOrder>21</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthority</ClaimURI>
        <DisplayName>Competent authority</DisplayName>
        <AttributeID>pspCompetentAuthority</AttributeID>
        <Description>Competent authority</Description>
        <Required />
        <DisplayOrder>22</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRegisistrationNumber</ClaimURI>
        <DisplayName>Competent authority registration number</DisplayName>
        <AttributeID>pspCompetentAuthorityRegistrationNumber</AttributeID>
        <Description>Competent authority registration number</Description>
        <Required />
        <DisplayOrder>23</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityUrl</ClaimURI>
        <DisplayName>URL of the competent authority register page showing the entity</DisplayName>
        <AttributeID>pspCompetentAuthorityUrl</AttributeID>
        <Description>Competent authority url</Description>
        <Required />
        <DisplayOrder>24</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRole</ClaimURI>
        <DisplayName>Please select the Open Banking role(s) you wish to enrol for</DisplayName>
        <AttributeID>pspCompetentAuthorityRole</AttributeID>
        <Description>Please select the Open Banking role(s) you wish to enrol for</Description>
        <DisplayOrder>25</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRoleVerify</ClaimURI>
        <DisplayName>Are you registered to provide the services for all the role(s) you have selected?</DisplayName>
        <AttributeID>pspCompetentAuthorityRoleVerify</AttributeID>
        <Description>Are you registered to provide the services for all the role(s) you have selected?</Description>
        <Required />
        <DisplayOrder>26</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRoleVerify2</ClaimURI>
        <DisplayName>Have you applied for registration to provide the services for the role(s) you have selected?</DisplayName>
        <AttributeID>pspCompetentAuthorityRoleVerify2</AttributeID>
        <Description>Have you applied for registration to provide the services for the role(s) you have selected?</Description>
        <DisplayOrder>27</DisplayOrder>
        <SupportedByDefault />
    </Claim>
  16. Configure the e-mail sending module:
    1. Add the following properties to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file:

      [output_adapter.email]
      from_address= "<mail address from where you want to send the notification>"
      username= "<username of the mail account you have provided in from_address>"
      password= "<password of the mail account you have provided in from_address>"
      hostname= "<hostname of the SMTP server to connect to>"
      port= <port of the SMTP server to connect to; if the connect() method does not explicitly specify one, the default is 25>
      enable_start_tls= <if true, enables the use of the STARTTLS command; the default is false>
      enable_authentication= <if true, attempts to authenticate the user using the AUTH command; the default is false>

      If you are using a Google mail account, note that Google has restricted third-party apps and less secure apps from sending emails by default. Therefore, you need to configure your account to disable this restriction when sending emails to confirm user registrations.

      1. Navigate to https://myaccount.google.com/security.
      2. Click Signing in to Google on the left menu and make sure that 2-step Verification is disabled or off.
      3. Click Connected apps and sites on the left menu and enable Allow less secure apps.
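
The sample workflow-extensions.xml entries in step 13 reuse the default super-admin password and reach the workflow service over plain http, so it is worth auditing the registry file before using it outside a sandbox. The following Python check is an added example, not part of the WSO2 documentation or product; the WorkFlowExtensions root element, the bps.example.internal host, the workflow-svc account and the function name are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Default super-admin password documented on this page.
DEFAULT_PASSWORDS = {"wso2123"}

# Constructed sample: the page's two executors under an assumed root element.
# ProductionApplicationRegistration is as documented; UserSignUp is hardened.
SAMPLE = """\
<WorkFlowExtensions>
  <ProductionApplicationRegistration executor="com.wso2.finance.tpp.prodaccess.impl.TPPProdAccessWorkFlow">
    <Property name="serviceEndpoint">http://localhost:9765/services/ApplicationRegistrationWorkFlowProcess/</Property>
    <Property name="username">admin@wso2.com@carbon.super</Property>
    <Property name="password">wso2123</Property>
    <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
  </ProductionApplicationRegistration>
  <UserSignUp executor="com.wso2.finance.tpp.signup.impl.TPPSignUpWorkFlow">
    <Property name="serviceEndpoint">https://bps.example.internal:9445/services/UserSignupProcess/</Property>
    <Property name="username">workflow-svc@carbon.super</Property>
    <Property name="password">constructed-non-default-secret</Property>
    <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
  </UserSignUp>
</WorkFlowExtensions>
"""


def audit_workflow_extensions(xml_text):
    """Return sorted (workflow, property, finding) tuples for weak settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for workflow in root:
        props = {p.get("name"): (p.text or "").strip()
                 for p in workflow.findall("Property")}
        if props.get("password") in DEFAULT_PASSWORDS:
            findings.append((workflow.tag, "password", "documented default password"))
        for key in ("serviceEndpoint", "callbackURL"):
            url = props.get(key)
            if url and urlsplit(url).scheme.lower() != "https":
                findings.append((workflow.tag, key, "endpoint is not https"))
    return sorted(findings)


if __name__ == "__main__":
    for workflow, prop, finding in audit_workflow_extensions(SAMPLE):
        print(f"{workflow}: {prop}: {finding}")
```

Run it against the text copied from the Edit as text view; an empty result means neither the default password nor a plain-http endpoint was found.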

Before you begin

Before you try out the signup workflow, make sure to create the following users and roles:

  • internal/aispRole
  • internal/pispRole
  • internal/piispRole
  • internal/approverRole

For instructions to create users and roles, see Configuring Users and Roles.


Step 1 - Sign up as a TPP

  1. Navigate to the WSO2 Open Banking Developer portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Go to the Applications tab in the Developer Portal.

  3. In the Sign-in form, click Create Account.
  4. Provide a username and click Proceed Self Register.
  5. Fill the Create New Account form to complete registration.
  6. Read terms and conditions. Click the checkbox to agree to the terms and conditions.

  7. Click Register.

If you have configured the workflows for WSO2 Open Banking as described under Prerequisites, a request to approve the user sign-up is sent to the admin users.


Step 2 - Approve the TPP user account

Follow the steps below to approve the newly created TPP user account:

It is not mandatory to include the approval step for the TPP user. To add this step, make sure you have configured the WSO2 OB EI, WSO2 OB IAM, and WSO2 OB APIM instances as explained under Prerequisites.

  1. Navigate to the Admin Portal at https://<WSO2_OB_APIM_HOST>:9443/admin.

  2. Locate the approval request and click Assign To Me.    

  3. Click Start to start the approval process.
  4. Select Approve and click Complete.

    The TPP user can now sign in to the API Store.

Step 3 - Sign in as a TPP user

  1. Sign in to the Developer portal as the TPP at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Enter the username and the password you entered when signing up as a TPP.
  3. Click Continue.

The homepage of the Developer portal is now displayed along with the published APIs.


Step 4 - Create an application

  1. Go to the Applications tab in the Developer Portal.

  2. Click ADD NEW APPLICATION.

  3. Enter application details.

    WSO2 Open Banking currently authenticates the TPP applications using the Reference (Opaque) method.


  4. Click SAVE.

    An application can be used to subscribe to multiple APIs. See Subscribe to an API for the instructions.


Step 5 - Subscribe to API

  1. Go to the APIs tab in the Developer portal.

  2. Select the Account and Transaction API.

  3. Go to Subscriptions at the bottom of the API and select SUBSCRIBE.
  4. Select Application from the drop-down list, set the Throttling Policy and click SUBSCRIBE.
  5. Once you subscribe, you can find the list of subscriptions at the bottom.

Now that you have subscribed to the API, generate access tokens and invoke the API.


Step 6 - Create and upload certificates

The TPP user needs to create certificates to validate whether the TPP is registered in a governing entity. It is verified in the TPP Onboarding process. There are two types of certificates that can be added to the client trust stores of the WSO2 Open Banking Identity and Access Management and WSO2 Open Banking API Management modules.

  1. Root and issuer certificates obtained from Open Banking Implementation Entity.
  2. eIDAS issuer certificates obtained from the Qualified Trust Service Providers.

See eIDAS Implementation for PSD2 Compliance to find out more information on the two approaches.

In order to support eIDAS or OB certificates in WSO2 Open Banking, you need to update the client trust stores. 



Step 7 - Generate keys

  1. Sign in to WSO2 Open Banking Developer portal as a TPP user.

  2. Go to the Applications tab and select the application you used to subscribe to the Confirmation of Funds API.

  3. Scroll down and select either of the following types of keys:
    1. Production Keys: Generates access tokens in the production environment.

    2. Sandbox Keys: Generates access tokens in the sandbox environment.

  4. Click Manage at the bottom of the application.
  5. Provide the requested information as defined below:

    Field: Grant Types
    Description: These determine the credentials that are used to generate the access token.

    • Code: This relates to the authorisation code grant type and is applicable when consuming the API as a user.
    • Implicit: This is similar to the code grant type, but instead of generating code, this directly provides the access token.
    • Refresh Token: This is to renew an expired access token.
    • Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.

    Field: Callback URL
    Description: This is the URL used by the TPP to receive the authorisation code sent from the Account Servicing Payment Service Provider (ASPSP), for example, a bank. The authorisation code can be used later to generate an OAuth2 access token.

    Field: Application Certificate
    Description: This is the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate (.PEM) that you created above.

    For testing purposes, you may download and use a sample application certificate, if you have configured the OB certificates.




  6. Click GENERATE KEYS to generate production or sandbox keys. This generates a consumer key and a consumer secret.
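
The Application Certificate field takes only the text between the BEGIN CERTIFICATE and END CERTIFICATE strings, and PEM files often carry a private key or a certificate chain alongside it. The following Python helper is an added example, not WSO2 code; it extracts that text and refuses input that contains a private key or more than one certificate. The function name and the sample bytes (not a real certificate) are constructed for the illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: DER-looking bytes (SEQUENCE tag 0x30), not a real certificate.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def application_certificate_field(pem_text):
    """Return the text between the certificate markers of a one-certificate PEM."""
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; paste only the certificate")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = blocks[0]
    # validate=True rejects any character outside the base64 alphabet.
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return body


if __name__ == "__main__":
    print(application_certificate_field(SAMPLE_PEM))
```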

Step 8 - Approve key generation

Follow the steps below to approve the access key generation:

  1. Navigate to the Admin Portal.
  2. Click Tasks > Application Registration.
  3. Locate the approval request and click Assign To Me.
  4. Click Start to start the approval process.
  5. Select Approve and then click Complete.

Next, you can create an application access token to invoke the APIs. For more information, see: