The information contained in this document is proprietary and confidential and is the property of the Capgemini
Group. It is intended only for the person or organization to whom it is shared with. No part of this document may
be modified, deleted or expanded by any process or means without prior written permission from Capgemini. You
are not authorized to print, copy, disseminate, distribute this document or any part thereof without prior written
permission from Capgemini.
Table of Contents
1 DOCUMENT INFORMATION
2 INTRODUCTION
25 November 2015
2. PSD2 RTS - Final Report - Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication. EBA/RTS/2017/02, 23 February 2017
SandboxV3 Page 3 of 32
Classification: Red – Confidential
2 Introduction
2.1 Purpose of the document
This document provides a brief description of the Sandbox and the functional details of the Developer Portal
provided by the Capgemini API Platform.
2.2 Overview
The Revised Payments Services Directive (PSD2) mandates banks to provide access to account (XS2A) facilities to
licensed Third Party Providers (TPPs). There are three types of Third party providers:
PSD2 prescribes the business requirements that must be met by the XS2A facilities and provides for the
establishment of further Regulatory Technical Standards (RTS) to be met by banks in the future.
API Platform is hosted on a cloud-based environment and Amazon Web Services (AWS) is the cloud service
provider. Platform has two modes:
1. Production-Mode
In Production-Mode, the platform provides its complete functionality and is fully connected with Bank’s
Foundation Services and other components.
2. Sandbox-Mode
In Sandbox-Mode, the platform provides a Developer portal, API documentation and disconnected
testing environment which could be used by developers to understand the APIs and is used for
developing and testing client applications. In this mode, there is no connectivity with Bank’s Foundation
Services.
2.3 Scope
2.3.1 In – Scope
1. Capgemini Developer Portal
a. Developer Registration
b. Change Password
c. View/Edit Profile
d. Forgot Password
e. Login
f. Developer Overview Page
g. Test Data Download
h. Static content in Capgemini Developer Portal
2. Single-Sign On between Capgemini Developer Portal and MuleSoft Developer Portal
3. Static Content in MuleSoft Developer Portal (API Documentation)
4. Block Developer APIs
5. Sandbox APIs configured as per the Test Data
3 Functional Details
3.1 Sandbox Functional Overview
A sandbox is a type of software testing environment that enables the isolated execution of software programs
(APIs in our case) for understanding, independent evaluation, testing and integrating with other software
programs (application clients).
The API Sandbox is an environment that different parties can use to mimic the characteristics of the production-mode environment and create simulated responses from APIs.
- Reduce the cost and risk associated with calling the APIs.
- Allow for concurrent testing and development to fast-track app development cycles and reduce time-to-market.
- Simulate error scenarios with APIs
- Sandbox can also provide preview of new APIs or upcoming versions of the existing APIs

- Capgemini Developer Portal provides user/developer life cycle management options and an overview of the Sandbox
- API Specifications and Documentation through MuleSoft Developer Portal
- Environment to simulate and test individual APIs in Sandbox-mode
[Figure: Sandbox functional overview. Labels shown: 3.1 Login; Identity Federation and SSO; 2.2 Send Reset Link; Email Service; Developer; 5.1 Test APIs; Mocked APIs.]
Note: The number (before decimal point) indicates a separate interaction flow like “Registration”, “Credential Management”, “Login” etc. The number after the decimal
point indicates the sequence within the interaction flow.
3.1.1.2 API Testing
External developers will be able to test the APIs provided by the platform using the test data provided by
Capgemini Developer Portal.
Using the test data, external developers will be able to use the API Platform in “Sandbox-Mode” in the same way as in
“Production-Mode”. API and Security Profile specifications remain the same for both modes.
API URL: api-sandbox.<Bank Domain>/* (these are the URLs of APIs for direct invocation of APIs in Sandbox-Mode)
For a developer to be able to gain access to APIs, they need to go through the following steps:
a) Register and Activate: During this step, the platform requires minimal user information to create an account on
the developer portal: First Name, Last Name, Organization (optional), Email (which is used as the username
for login) and password. Once this information is captured, the platform sends an email that contains an
instruction for the developer to activate their account.
b) Overview Page: The “Overview” page is the default landing page. The developer can reach API Documentation,
FAQ, Help and Login through the top navigation menu, and buttons/links are available on the overview page.
Once the developer has activated their account, they will use their email and password to log into the
"Capgemini Developer Portal”. Once logged-in, developer will have options to “Change Password” and “View
Profile” through the top navigation menu. On the page, buttons/links are available to download test data and
navigate to Mule Developer Portal.
c) MuleSoft Developer Portal: Once the developer is in the Capgemini Developer Portal, by click of a
button/link they will be redirected to MuleSoft Developer Portal. Through the portal they can access API
documentation and all the information required to execute APIs in Sandbox mode.
Note: MuleSoft Developer Portal is a managed service provided by MuleSoft. While navigating from Capgemini
Developer Portal to MuleSoft Developer Portal, the developer would be able to see different URLs in the browser.
Error Mapping (refer section 3.2.2.3) references are given with “Error ID” column of the appended sheet.
Ex. ERROR01, ERROR02 etc.
Emails (refer section 3.2.3) references are given with “Mail ID” column of the given table. Ex. MAIL01,
MAIL02 etc.
Please note that the document covers all major functional flows for Capgemini Developer Portal but does not
cover every clickable link on the page.
[Flow diagram: External Developer Registration & Activation (Standard Flow). Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Registration form fields: First Name; Last Name; Email (will also be used as login username); Confirm email; Password; Confirm Password; Organization (optional); Terms of use. Labels shown: Validate input form fields; Submit Request; Validate Email ID (username) is unique; Create Developer Account (State: Pending Activation); Developer Account Data; Send Activation Link in Email; Email with Activation Link; Confirm Email ID by clicking link received in email (Valid Link); Activate Developer Account; Activation Success Page; Login Page.]
Activation link:
- One-time link – can be used only once
- Max Link Validity = 24 Hours
- If resent within 60 seconds, same link is sent again (OTP life is defined in SSAM/ Ping Directory and can be updated)
- Resending activation link invalidates the previous link (mail)
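
The four activation-link rules above can be enforced together in one small state machine. The following is an added example, not code from this document or from the platform it describes; the class and function names, the in-memory store, the HMAC-derived token and the lower-casing of the email key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

LINK_VALIDITY_S = 24 * 60 * 60  # "Max Link Validity = 24 Hours"
SAME_LINK_WINDOW_S = 60         # a resend inside this window repeats the link


@dataclass
class PendingLink:
    nonce: bytes       # fresh randomness per issued link
    issued_at: float   # seconds, supplied by the caller's clock
    used: bool = False


class ActivationLinks:
    """Hypothetical in-memory store; the portal in the document keeps
    developer account data in an LDAP directory."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, PendingLink] = {}
        self.activated: Set[str] = set()

    def _token(self, email: str, link: PendingLink) -> str:
        # The token is derived, not stored, so it can be re-sent inside the
        # 60-second window without keeping the secret value at rest.
        msg = email.encode() + b"|" + link.nonce
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, email: str, now: float) -> Optional[str]:
        """Registration or 'Resend Activation Link'; returns the token to mail."""
        email = email.strip().lower()  # assumption: trimmed, case-insensitive key
        if email in self.activated:
            return None  # "Validate Email ID is not activated"
        link = self._pending.get(email)
        if link and not link.used and now - link.issued_at < SAME_LINK_WINDOW_S:
            return self._token(email, link)  # same link is sent again
        # A new nonce replaces the old record, which invalidates the
        # previously mailed link.
        link = PendingLink(secrets.token_bytes(16), now)
        self._pending[email] = link
        return self._token(email, link)

    def activate(self, email: str, token: str, now: float) -> str:
        """Returns 'activated', 'expired' or 'invalid'."""
        email = email.strip().lower()
        link = self._pending.get(email)
        if link is None or link.used:
            return "invalid"  # unknown, superseded or already consumed
        expected = self._token(email, link)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return "invalid"
        if now - link.issued_at > LINK_VALIDITY_S:
            return "expired"  # developer is sent to the resend flow
        link.used = True      # one-time link
        self.activated.add(email)
        return "activated"
```
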
[Flow diagram: External Developer Registration (Activation Link Expired). Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Registration form fields: First Name; Last Name; Email (will also be used as login username); Confirm email; Password; Confirm Password; Organization (optional); Terms of use. Labels shown: Validate input form fields; Submit Request; Validate Email ID (username) is unique; Create Developer Account (State: Pending Activation); Developer Account Data; Send Activation Link in Email; Email with Activation Link; Confirm Email ID by clicking link received in email (Expired Link); Error Page (Link Expired); Resend Activation Page; Input Email ID; Validate Email ID is not activated; Resend Activation Link; Email with Activation Link.]
3.2.1.2 Login
Once external developer is registered on Capgemini Developer Portal, he can choose to login and access
Capgemini Developer Portal features.
[Flow diagram: External Developer Login. Lanes: External Developer; Capgemini Developer Portal (Sandbox); Mule (Sandbox). Labels shown: Login Page; Login Credentials (Developer not part of blocked group); Is Account Active (Enabled)? YES; Overview Page; Launch MuleSoft Developer Portal; View Profile; Logout.]
[Flow diagram: External Developer Login – Account not activated. Lanes: External Developer; Capgemini Developer Portal (Sandbox); Mule (Sandbox). Labels shown: Login Page; Login Credentials (Developer not part of blocked group); Is Account Active (Enabled)? No; Account Locked Notification; Request Activation Link; Input Email ID; Validate Email ID is not activated; Resend Activation Link; Email with Activation Link.]
Developer will continue with “Standard Flow” of “Register and Activate” (Refer section 3.2.1.1).
[Flow diagram: External Developer Login – Account Locking. Labels shown: Login Page; Login Credentials (Developer not part of blocked group); Failed Attempts>=MAX (No / Yes); Account Locked Notification.]
[Flow diagram, title not recoverable. Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: Login Page; Login Credentials; Yes; Invalid Credentials Error.]
1. Developer navigates to Login Page of “Capgemini Developer Portal”.
2. Developer attempts to login with valid credentials
3. Developer is part of blocked group i.e. “cn=blockedDevelopers, ou=blockedDevelopers, ou=groups,
dc=<bank>, dc=co.uk, dc=capgeminibank, dc=com”
4. Developer is displayed error message for invalid credentials.
Note: Developer is not explicitly notified that his/her account is blocked by bank.
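
The login outcomes described in the flows above (generic error for a blocked developer, locking at the failed-attempt limit, notification for an account that is not activated) can be expressed as one decision function. This is an added example, not code from this document or the platform; `MAX_FAILED_ATTEMPTS = 5`, the PBKDF2 password hashing, the dictionary standing in for the LDAP directory and the outcome strings are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

MAX_FAILED_ATTEMPTS = 5          # assumption: the document only names "MAX"
GENERIC_ERROR = "invalid_credentials"
_DUMMY_SALT = b"\x00" * 16       # hashed against when the account is unknown


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True     # False while "Pending Activation"
    blocked: bool = False   # member of the blockedDevelopers group
    failed: int = 0


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, active: bool = True, blocked: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), active, blocked)


def login(directory: Dict[str, Account], email: str, password: str) -> str:
    """Returns 'overview_page', 'account_locked' or the generic error."""
    email = email.strip().lower()   # the email is trimmed; the password is not
    acct = directory.get(email)
    # Hash even for unknown users so the response takes similar time.
    candidate = hash_pw(password, acct.salt if acct else _DUMMY_SALT)
    if acct is None:
        return GENERIC_ERROR
    password_ok = hmac.compare_digest(candidate, acct.pw_hash)
    if acct.blocked:
        # Valid credentials still produce the invalid-credentials error, so
        # the developer is not told that the bank blocked the account.
        return GENERIC_ERROR
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        return "account_locked"
    if not password_ok:
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            return "account_locked"
        return GENERIC_ERROR
    if not acct.active:
        # Shown the Account Locked Notification with the option to
        # request a new activation link.
        return "account_locked"
    acct.failed = 0
    return "overview_page"
```
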
[Flow diagram: change password. Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: Access Change Password from navigation after Login; Submit Old & New Passwords; Validate password; Developer Account Data; Update Developer Data; Email with Change Password Success notification; Login Page.]
1. After login, developer clicks on “Welcome <UserName>” through top navigation bar and accesses the
“Change password” link. This opens “Change Password” page
2. Developer enters the current password and new password. New password should be different from current
password.
3. System will validate the current password
4. Valid new password will be updated in backend system (LDAP Directory) and developer will be notified
through MAIL05.
5. Developer will be displayed success message and on click of “OK” button will be redirected to “Login Page”.
(After a successful password change, the user is shown a success message in a popup. On click of ‘OK’ the user is
logged out, i.e. SLO is initiated.)
3.2.1.4 External Developer View/Edit Profile
External developer has an option to update “Capgemini Developer Portal” profile.
[Flow diagram: view/edit profile. Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: Edit profile; Edit existing profile details except Email (First Name, Last Name, Organisation); Validate input form fields; Submit Request; Update and display updated profile details (First Name, Last Name, Email, Organisation); Developer Account Data.]
1. After login, developer clicks on “Welcome <UserName>” through top navigation bar and accesses the “View
Profile” link.
2. Developer can view the profile information and will get “Edit” option.
3. User can click on the edit link to modify the details.
4. Developer can update the profile information excluding email.
5. System will validate the updated profile information.
6. Valid new profile information will be submitted to backend and success message will be displayed to user.
7. Updated profile will now be available on “View Profile” page.
[Flow diagram: External Developer Forgot Password (Standard Flow). Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: From Login Page click on Forgot password; Enter registered email (Developer not part of blocked group); Success Message; Email with Reset password link; Developer clicks on a valid reset password link; Enter and confirm new password; Is Account Active (Enabled)? YES; Validate password & Confirm password change; Developer Account Data; Email with Password Reset Success Notification.]
1. Developer lands on the login page and navigates to “Forgot password” page
2. Developer enters the registered email id
3. Developer is displayed success message
4. Developer receives email with link (MAIL02). The email will also provide the details of the validity of the link.
5. Developer clicks on the available link. Alternatively, developer can copy/paste the link.
6. Developer will be redirected to Developer Portal page to enter new password
7. After submission system checks that account is already active
8. Developer will be shown the success message
9. Developer receives the mail notifying successful update of password (MAIL03)
[Flow diagram: External Developer Forgot Password (Link Expired). Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: From Login Page click on Forgot password; Enter registered email (Developer not part of blocked group); Success Message; Email with Reset password link; Developer clicks on an expired Reset Password link; Error Page (Link Expired); Login Page.]
1. Developer lands on the login page and navigates to “Forgot password” page
2. Developer enters the registered email id
3. Developer is displayed success message
4. Developer receives email with link (MAIL02)
5. Developer clicks on the expired link. Alternatively, developer can copy/paste the link.
6. Developer is redirected to an error page with ERROR27
Note: The current out of the box functionality does not include a link for "resend link". The user would need to
invoke the reset password functionality again from the beginning. The error provides information on why the
reset has failed, and the pop-up provides instructions on what to do.
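[Flow diagram: forgot password with an email that is not registered or is part of blocked group. Lanes: External Developer; Capgemini Developer Portal (Sandbox); LDAP Directory (Sandbox). Labels shown: From Login Page click on Forgot password; Enter an email which is not registered or is part of blocked group; Success Message.]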
1. Developer lands on the login page and navigates to “Forgot password” page
2. Developer enters the email id which is not registered
3. Developer is displayed success message
Note: Developer is not notified if the entered email id is not registered or if the registered user is blocked by
bank.
[Flow diagram: forgot password, reset failure. Labels shown: From Login Page click on Forgot password; Enter registered email (Developer not part of blocked group); Success Message; Email with Reset password link; Developer clicks on a valid reset password link; Enter and confirm new password; Is Account Locked? Is Account Not Activated? No; Error Message; Email with Password Reset Failure Notification.]
1. Developer lands on the login page and navigates to “Forgot password” page
2. Developer enters the registered email id
3. Developer is displayed success message
4. Developer receives email with link (MAIL02)
5. Developer clicks on the available link. Alternatively, developer can copy/paste the link.
6. Developer will be redirected to Developer Portal page to enter new password
7. On form submission, system identifies that account is locked.
a. Account not activated after registration or
b. Account locked due to multiple failed login attempts
8. System displays an error message (ERROR28). The error message will have a link to go to the “Resend
Activation Link” page. (Step 6 onward of section "3.2.1.2.2.1 External Developer Login - Account not
activated")
9. Capgemini Developer Portal sends an email notifying that password reset failed (MAIL04).
[Flow diagram: forgot password, reset failure. Labels shown: From Login Page click on Forgot password; Enter registered email (Developer not part of blocked group); Success Message; Email with Reset password link; Developer clicks on a valid reset password link; Enter and confirm new password; Is Account Locked? Is Account Not Activated? Yes; Error Message; Email with Password Reset Failure Notification.]
1. Developer navigates to the login page on Capgemini Developer Portal, clicks on 'Forgot Password?' link.
2. Developer enters their registered email id on Forgot Password page and submits it.
3. Developer will be redirected to success page.
4. Developer receives email with link (MAIL02) to the registered email id. The email will also provide details of
validity of the link.
5. Developer clicks on the link.
6. Developer will be redirected to a page to enter new password.
7. On form submission, system identifies that account is locked.
a. Account not activated after registration or
b. Account locked due to multiple failed login attempts
8. System displays an error message (ERROR28).
9. Capgemini Developer Portal sends an email notifying that password reset failed (MAIL04).
3.2.1.6 Single Logout (SLO)
Capgemini Developer Portal supports single logout(SLO) with MuleSoft Developer Portal. SLO helps developer to
logout from both portals simultaneously. Developer does not need to logout from both applications to end the
session. If a developer logs out from our portal, he/she is automatically logged out from other portal as well.
During session timeout on any of the portals, session on the other portal will not be terminated. Example: When
session times out on Capgemini Developer Portal, session on MuleSoft Developer Portal will not be terminated
and developer can continue to work on MuleSoft Developer Portal.
3.2.1.6.1 Developer initiates logout from MuleSoft Developer Portal (Flow: Single Logout)
The following flow covers the scenario of logging out from MuleSoft Developer Portal.
[Flow diagram: logout initiated from MuleSoft Developer Portal. Labels shown: Switch to Browser Tab-1; Logout / Change Password [Browser Tab-1]; Session Timed Out Message [Browser Tab-1]; Login Page.]
3.2.1.6.2 Developer initiates logout from Capgemini Developer Portal (Flow: Single Logout)
The following flow covers the scenario of logging out from Capgemini Developer Portal. The flow also covers the
behavior of MuleSoft Developer Portal after the user has logged out from Capgemini Developer Portal.
[Flow diagram: logout initiated from Capgemini Developer Portal. Labels shown: Logout from Capgemini Portal [Browser Tab-1]; Logout [Browser Tab-1]; Login Page [Browser Tab-1]; Browse API Catalogue [Browser Tab-2]; Click API Link [Browser Tab-2]; Session Timed Out Message With Login Again Option [Browser Tab-2]; Login Page [Browser Tab-2].]
3.2.1.6.3 Simple Logout from Capgemini Developer Portal (Flow: Single Logout)
The following flow covers the scenario of logging out from Capgemini Developer Portal.
[Flow diagram: simple logout from Capgemini Developer Portal. Labels shown: Login Page; Overview Page.]
The session of individual portal is used while the user is working on these portals. The session of PingFederate
comes into picture when the developer is using SSO to log in to Mule Portal from Capgemini portal. So, if the user
is using Capgemini Developer Portal and the session in PingFederate expires, the user would be able to continue
to use the Capgemini Developer Portal. But if they click on the link to go to Mule Developer Portal, they would be
asked to log-in.
Section 3.2.5.1 Cookies & Session Management describes more about session management.
The sessions are maintained only on the server side. A session is reset or verified only when a server-side
communication is performed. If the user does not perform an action that includes a server communication
within a pre-configured time duration, the user session times out and the user needs to log in again. If
the user performs any action that involves a server-side communication, the session timeout is reset, and the
session will not time out until the configured timeout value is reached.
Certain actions, like clicking on a notification dialog box or pop-up box, do not involve any server-side
communication and will not reset the session timeout.
Note: During session timeout on any of the portals, session on the other portal will not be terminated. Example:
When session times out on Capgemini Developer Portal, session on MuleSoft Developer Portal will not be
terminated and developer can continue to work on MuleSoft Developer Portal.
[Flow diagram: session timeout in Capgemini Developer Portal. Labels shown: Login Page; Login; Overview Page; Timeout; Click on Logout/Change Password/View Profile etc.; Timeout Popup; Login Page.]
If a session times out in Capgemini Developer Portal, the session in MuleSoft Developer Portal is not
automatically timed out and continues until its own timeout duration.
3.2.1.7.2 Session Timeout in MuleSoft Developer Portal
The following flow covers the scenario of MuleSoft Developer portal timing out.
[Flow diagram: session timeout in MuleSoft Developer Portal. Lanes: External Developer; Capgemini Developer Portal (Sandbox); Mule (Sandbox). Labels shown: Login Page; Login; Overview Page [Browser Tab-1]; MuleSoft Developer Portal (Auto logged in) [Browser Tab-2]; Timeout; Click on API Link (on Developer Portal) or API documentation link (on API Portal); Click Link [Browser Tab-2]; Session Timed Out Message With Login Again Option [Browser Tab-2]; Login Page [Browser Tab-2]; Click Logout from MuleSoft Developer Portal [Browser Tab-2]; Logout [Browser Tab-2]; Login Page [Browser Tab-2].]
Alternate flow where developer clicks logout link in Mule Developer Portal
10. Developer clicks on logout link in MuleSoft Developer Portal. [TAB 2]
11. Logout happens in MuleSoft Developer Portal. [TAB 2]
12. Developer is redirected to “Login Page” for re-login. [TAB 2]
3.2.2 Validations & Errors
3.2.2.1 Validation Rules
The validations listed below are applicable to the input fields on Capgemini Developer Portal (with exception of
Login Page)
Email:
- Email addresses consist of a local part, the "@" symbol, and the domain with extension
- Neither the local part nor the domain may be empty.
- Local part:
  - Upper and lowercase letters A-Z and a-z allowed
  - Digits 0 to 9 allowed
  - Special characters allowed: !#$%&'*+-/=?^_`{|}~
  - Dot . allowed, if it is not the first or last character unless quoted and provided also that it does not appear consecutively
- Domain:
  - Upper and lowercase letters A-Z and a-z allowed
  - Digits 0 to 9 (All numeric domains are also allowed)
  - Hyphen -, if it is not the first or last character.
- Extension:
Confirm Email:
- Validate match with Email Field ignoring upper/lower case
- Max length 50 Chars allowed.
Password/New Password:
- Minimum 8 characters
- Combination of uppercase and lowercase letters
- At least one numeric character
- At least one special character
- Max length 50 Chars allowed.
Confirm password/Confirm New Password:
- Validate match with Password Field
- Max length 50 Chars allowed.
- Enable Login button if the Email and Password textboxes contain at least 1 character each.
- Upon the user hitting the login button, form validations will be performed.
- If the email structure is invalid, then display a generic page/form level error that credentials are invalid.
- No inline validations will be available to Developer

- Once user is moving from field A to field B, field A will be validated, and inline error will be displayed if required.
- Once user moves to the invalid field having inline error displayed, the inline error will disappear.
- Submit button will be enabled, if user has moved to the last required form field.
- If user leaves the last required (mandatory) field blank/invalid, after clicking on the submit button the field will be validated and will display an inline error. At the same time the submit button will be disabled, until user visits the invalid field.
Note: User entries will be trimmed before any processing of form input fields (except password for login). As max
length is calculated during user input itself, it considers all the spaces (” “) entered by the Developer.
Example: If user enters space at the end or start of email id during registration; system will trim (remove) the
spaces.
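
A server-side check of the email, password and trimming rules above could look like the following. This is an added example, not code from this document or the platform; the function and form-field names and the error labels are hypothetical. It assumes that quoted local parts are rejected, that "special character" in a password means ASCII punctuation, and, because the Extension rule is empty in this copy, that the extension is checked like any other domain label.

```python
import re
import string
from typing import Dict, List

MAX_LEN = 50
# Characters the rules allow in the local part, excluding the dot.
LOCAL_ATOM = re.compile(r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+")
# Letters, digits and hyphen; hyphen may not be first or last.
DOMAIN_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def validate_email(raw: str) -> List[str]:
    errors = []
    if len(raw) > MAX_LEN:          # max length counts spaces as typed
        errors.append("too_long")
    email = raw.strip()             # entries are trimmed before processing
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return errors + ["structure"]
    # Splitting on dots yields an empty atom for a leading, trailing or
    # doubled dot, which the atom pattern rejects.
    if not all(LOCAL_ATOM.fullmatch(atom) for atom in local.split(".")):
        errors.append("local_part")
    labels = domain.split(".")
    if len(labels) < 2 or not all(DOMAIN_LABEL.fullmatch(l) for l in labels):
        errors.append("domain")
    return errors


def validate_password(pw: str) -> List[str]:
    errors = []
    if len(pw) < 8:
        errors.append("min_length")
    if len(pw) > MAX_LEN:
        errors.append("too_long")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        errors.append("mixed_case")
    if not any(c.isdigit() for c in pw):
        errors.append("digit")
    if not any(c in string.punctuation for c in pw):
        errors.append("special")
    return errors


def validate_registration(form: Dict[str, str]) -> Dict[str, List[str]]:
    """Returns {field: [errors]}; an empty dict means the form is valid."""
    trimmed = {k: v.strip() for k, v in form.items()}
    errors: Dict[str, List[str]] = {}
    email_errors = validate_email(form["email"])
    if email_errors:
        errors["email"] = email_errors
    # Confirm Email matches ignoring upper/lower case.
    if trimmed["confirm_email"].lower() != trimmed["email"].lower():
        errors["confirm_email"] = ["mismatch"]
    # Per the note above, registration input is trimmed; only the login
    # form leaves the password untouched.
    pw_errors = validate_password(trimmed["password"])
    if pw_errors:
        errors["password"] = pw_errors
    if trimmed["confirm_password"] != trimmed["password"]:
        errors["confirm_password"] = ["mismatch"]
    return errors
```
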
3.2.2.3 Error Mapping
Please refer the attached sheet for all the errors. (Developer Onboarding Error scenarios_v1.23)
Developer Onboarding Error scenarios_v1.23.xlsx
3.2.3 Emails
Capgemini Developer Portal sends out email notifications as per the Cross functional design (Refer Section 3.2.1).
Along with “Capgemini Developer Portal”, PingFederate also displays static message in case JavaScript is not
allowed on browser.
3.2.5 Configurations
3.2.5.1 Cookies & Session Management
Cookies are required to use any feature of Capgemini Developer Portal.
“Capgemini Developer Portal” and “MuleSoft Developer Portal” each maintain their own individual
sessions, along with a common session managed by PingFederate.
To end the session user should explicitly logout from any of the portals. In case user deletes or disables cookies
after logging in, user’s session will be timed out as developer’s session is dependent on browser’s cookie settings.
The table below indicates each portal’s current time out settings.
Visual design has specific details of how the session timeout would be displayed to developer for the Capgemini
Developer portal related functionality.
Header & Footer: Capgemini Developer Portal’s header & footer are defined in Visual Design document.
3.2.8.2 Portal Downtime Notification
Once any of the portals are down due to a planned outage or an unplanned incident, a screen will be setup to
inform the users about the current state of the portal. For the detailed look and feel of this page, please refer the
Visual Design (VD).
Through the backend console via “Deactivate Developer API”, external developer will be added to a “blocked”
group. i.e. “cn=blockedDevelopers, ou=blockedDevelopers, ou=groups, dc=<bank>, dc=co.uk, dc=capgeminibank,
dc=com”.
Once an external developer is added to blocked group, developer will not be able to login to Capgemini
Developer Portal.
Note: Test Data is common for all the developers and it is not impacted by the “Deactivate Developer API”.