Recipient IDNow verification with Apex Toolkit

In this blog post, I will show you how to use IDNow from Apex Toolkit, as well as the difficulties you may face with implementation.

Let’s first look at what IDNow is and why you may need it. IDNow is a web-based platform for identity-proofing, providing Know Your Customer (KYC) and other identity verification services, including document (ID) verification and biometric verification for finance, insurance, government, and other industries. 

Docusign partners with IDNow to provide identity verification for its electronic signature solutions. To comply with EU eSignature standards, including eIDAS, Docusign delivers EU Advanced Electronic Signatures (AdES) and EU Qualified Electronic Signatures (QES). AdES require identity verification; QES require face-to-face identity verification and are best suited for high-value, regulated, or cross-border agreements. IDNow provides the face-to-face identity verification for Docusign-provided QES.

Using IDNow verification from your Apex app

To invoke recipient IDNow verification from Apex, use the withSignatureProviders method:

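// Build the recipient (arguments elided; a full call is shown under requirement 3 below)
dfsle.Recipient myRecipient = dfsle.Recipient.fromSource(...........);
// Request IDNow as the signature provider for this recipient
dfsle.IDNowProvider idNow = new dfsle.IDNowProvider();
myRecipient = myRecipient.withSignatureProviders(
              new List<dfsle.SignatureProvider> {idNow});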

Requirements 

So far, it seems very easy. However, a few additional conditions must be in place before an IDNow verification request can succeed. Without them, your request will result in an error:

  1. Make sure IDNow is included in your account's list of signature providers. The AccountSignatureProviders:list method returns the full list enabled for your account. For Apex to work, you will need the “Pen 25” signature provider in your list. Here’s how that looks in the JSON returned by the AccountSignatureProviders:list call:
    ...
    {
      "signatureProviderId": "25",
      "signatureProviderName": "universalsignaturepen_idnow_tsp",
      "signatureProviderDisplayName": "IDnow - EU Qualified (COSELL)"
      ...
    }
    ...

  2. In addition to having “Pen 25” in your list of signature providers, you need to have an IDNow account. If you don’t already have such an account, contact Docusign Sales when requesting “Pen 25” and discuss any possible configuration details.

    Note: This is required only for “Pen 25” as used by the Apex Toolkit.

    Trying to use IDNow without an account will result in an error like this:  

    {
      "errors": [
        {
          "cause":"OBJECT_NOT_FOUND",
          "errorType":null,
          "id":"4…………5",
          "key":"docuSignAccountId",
          "message":null,
          "translationKey":null
        }
      ]
    }
    
  3. For testing in the developer environment, you must append X-MANUALTEST-HAPPYPATH to the recipient username.

    Note: In demo, updating the username to remove X-MANUALTEST-HAPPYPATH may prevent connection to IDNow.

    For example:

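    // myContact is an existing Contact record loaded elsewhere in your code
    dfsle.Recipient myRecipient = dfsle.Recipient.fromSource(
        'Test name X-MANUALTEST-HAPPYPATH', // Recipient name with the test marker appended
        'mail@mail.com', // Recipient email
        null, // Optional phone number
        'signer', // Role name. Specify the exact role name from the template
        new dfsle.Entity(myContact.Id) // Source record for this recipient
    );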
    
    Note: X-MANUALTEST-HAPPYPATH use in production is not supported, and if used will lead to a blank page during the IDNow identification stage.
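
A pre-flight check for requirements 1 and 3, given here as an added example and not as code from Docusign or the Apex Toolkit. The class name IdNowPreflight, the isDemo flag, and the top-level "signatureProviders" key in the list response are assumptions.

```apex
// Added example: validates the IDNow prerequisites before an envelope is sent.
public class IdNowPreflight {
    // Both values are taken from this post.
    static final String PEN_ID = '25';
    static final String TEST_MARKER = 'X-MANUALTEST-HAPPYPATH';

    // providersJson: response body of AccountSignatureProviders:list.
    //   Assumption: provider entries sit in a top-level "signatureProviders" array.
    // isDemo: caller-supplied flag, true when sending through the developer (demo) account.
    // Returns a list of problems; an empty list means both checks passed.
    public static List<String> check(String providersJson, String recipientName, Boolean isDemo) {
        List<String> problems = new List<String>();

        // Requirement 1: "Pen 25" must be enabled for the account.
        Boolean hasPen = false;
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(providersJson);
        List<Object> providers = (List<Object>) body.get('signatureProviders');
        if (providers != null) {
            for (Object entry : providers) {
                Object id = ((Map<String, Object>) entry).get('signatureProviderId');
                if (id != null && String.valueOf(id) == PEN_ID) {
                    hasPen = true;
                    break;
                }
            }
        }
        if (!hasPen) {
            problems.add('Signature provider ' + PEN_ID + ' (IDNow) is not enabled for this account.');
        }

        // Requirement 3: the marker is mandatory in demo and unsupported in production.
        String name = String.isBlank(recipientName) ? '' : recipientName.trim();
        if (isDemo == true && !name.endsWith(TEST_MARKER)) {
            problems.add('Demo recipient name must end with ' + TEST_MARKER + '.');
        } else if (isDemo != true && name.containsIgnoreCase(TEST_MARKER)) {
            problems.add(TEST_MARKER + ' must not appear in a production recipient name.');
        }
        return problems;
    }
}
```

Requirement 2 (an existing IDNow account) cannot be checked this way; it only surfaces as the OBJECT_NOT_FOUND error shown above.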

Once all conditions are met, you can create a sample request from Apex. After the recipient signs, they are going to be presented with a popup window asking them to continue to the next step.

IDNow signing: next step

At this point, the signer will be redirected to IDNow to complete the verification process.

Additional requirements 

IDNow requires specific firewall settings in order to establish the connection. Allow communication from the following IP addresses and ports:

  • IPs 213.95.84.37, 213.95.145.0/27
  • Ports UDP 3478, UDP range 6200-7000, TCP 443. UDP is required for IDNow to work. If UDP is not allowed, the workaround is to use the IDNow mobile app over 4G.

The connection can be tested using the URL: https://video.idnow.de/call-quality-check

Supported browsers:

  • Chrome (Recommended)
  • Firefox (Supported)

Browsers not supported:

  • Edge
  • Internet Explorer
  • Safari
  • Opera

Now that you have your code and all requirements in place, IDNow will help you comply with EU regulations and complete your agreements.

Author
Ivan Dinkov
Sr. Developer Support Advisory Engineer