
1. Overview

This section covers redirection, decoupled redirection, and decoupled CIBA supported by the UAE Open Banking Standard (the Standard) to allow a User of a TPP to use the same authentication mechanisms as they do when accessing their LFI directly.

...

User authentication with the LFI using the LFI mobile app installed on the same device on which the User is consuming the User-facing TPP service. The User starts the journey from a User-facing TPP app.

2.1.1 User Journey

 

...

...

2.1.2 Wireframes

...

...

This enables the User to authenticate with the LFI while using a User-facing TPP for Open Banking services (i.e. DSR, SIR, & Service Request) using the same LFI app-based authentication method that they use when accessing the LFI mobile channel directly.

...

It is imperative in these circumstances that the LFI browser channel has been optimized for mobile browsers and device types.

2.3.1 User Journey

 

...

2.3.2 Wireframes

...

...

 

 

Rules & Guidelines

1. User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFI's data group and/or service initiation capabilities.

2. User-facing TPPs SHOULD make the User aware on the inbound redirection screen (User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing.

3. The redirection MUST take the User to the LFI web page (desktop/mobile) for authentication purposes only without introducing any additional screens. The web-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the web-based LFI channel (desktop/mobile).

4. After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access.

5. LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

6. LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed.

7. User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR, SIR).

...

This journey does not introduce any changes in the redirection flow between the User-facing TPP and the LFI.

3.1.1 User Journey

 

...

3.1.2 Wireframes

To demonstrate a Redirection flow on different devices, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.

...

This journey does not introduce any changes in the redirection flow between the User-facing TPP and the LFI.

3.2.1 User Journey

 

...

...

3.2.2 Wireframes

To demonstrate a Redirection flow on different devices, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.

 

...

We have illustrated an example where the static code on an advertisement board is a QR code. The code SHOULD contain a deep link supported by the User-facing TPP, which SHOULD invoke the User-facing TPP app/webpage on scanning.

Guidelines

1. The Call to Action (CTA) COULD be a static QR code/NFC tag. Scanning of the static code by the User SHOULD invoke a User-facing TPP page/app, deep linking them to the service represented by the code.

2. User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFI's data group and/or service initiation capabilities.

3. User-facing TPPs SHOULD make the User aware on the inbound redirection screen (User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing.

4. If the User has an LFI app installed on the same device, the redirection MUST invoke the LFI's app for authentication purposes only without introducing any additional screens. The LFI's app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI app (biometric, passcode, credentials) and offer the same authentication method(s) available to the User when authenticating in their LFI's direct channels.

5. After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access.

6. LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

7. LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed.

8. User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR & SIR).

4. Effective Use of Redirection Screens

...