Partners are vendors or solution providers who offer their products/services to ensure the effective implementation and operation of MOSIP-based identity systems.
Partner Management Portal (PMP) is a web based application that is designed to facilitate the collaboration and integration of external partners with the MOSIP ecosystem. This portal serves as a platform to onboard all types of MOSIP partners, manage their details and build partner specific functionalities for seamless interaction.
We are undertaking a comprehensive overhaul of our existing Partner Management Portal (PMP). This revamp includes introducing a suite of new features and significantly enhancing the current ones. Our aim is to improve usability and elevate the overall user experience (UX). By also upgrading the tech stack and realigning our focus on user-centered design, we are committed to making the PMP more intuitive, efficient, and aligned with our partners' evolving needs.
Refer to the comprehensive documentation below:
PMS - Revamp : Documentation that includes the features in new UI
PMS - Legacy: Existing documentation (Old UI)
Common policy group examples include 'Telecom', 'Banking' and 'Insurance', among others.
Data Share Policy
Authentication Policy
Note: Policies are not applicable for Device Provider, FTM Provider and MISP Partner as data is not shared with them.
Refer to the default policies loaded while installing MOSIP.
Partner policies control the data that needs to be shared with a partner. The policies reside in the auth_policy table of the mosip_pms DB.
PMS Revamp
| Partner Type | What do they do in MOSIP? | Why do they need PMS portal? |
| --- | --- | --- |
| Authentication Partner | Also called Relying Parties or Service Providers, they use MOSIP authentication services to deliver services. | Share a partner certificate, which is used to build a trust store in MOSIP to cryptographically validate that they were the ones authenticating the citizens; this certificate is also used to encrypt the response shared in e-KYC. Choose a policy they want to use and request approval for the policy from the partner admin. Once a policy is approved, they can perform eSignet (OIDC Client) and/or API based authentication. They can create an OIDC client for an approved policy, which is used in eSignet authentication. They can generate API Keys against the policy in order to use them during citizen authentication. They can also deactivate an OIDC Client or API Key if it is compromised. |
| Device Provider | Provide devices for Registration and Authentication. | Share a partner certificate, which is used to build a trust store in MOSIP to cryptographically validate that the biometric data was captured by a device issued by the device provider. Provide make and model details of devices for bookkeeping. Provide SBI information for bookkeeping. |
| FTM Chip Provider | Provides secure chips for Authentication devices. | Share a partner certificate, which is used to build a trust store in MOSIP to cryptographically validate that the biometric data was captured by a device integrated with a chip issued by the FTM chip provider. Provide chip model details for bookkeeping. |
| ABIS Partner | Provides the ABIS engine to deduplicate biometrics. | Share a partner certificate, which is used to encrypt the biometric data that is shared during deduplication. They request a policy based on which data is shared with them for deduplication. |
| Manual Adjudication System | The Manual Adjudication system helps a biometric expert compare two sets of biometric data and a few demographic data, so that the adjudicator can take the final decision on whether the identified record is actually a duplicate. | Share a partner certificate, which is used to encrypt the biometric and demographic data that is shared during deduplication. They request a policy based on which data is shared with them for adjudication. |
| SDK Partner | Provides SDKs that are used for matching two records, checking the quality of the biometrics or generating biometric templates. | They don't need the Partner Management Portal. |
| MISP (MOSIP Infrastructure Service Providers) | They provide infrastructure services to MOSIP and help relying parties (authentication partners) access the authentication endpoints exposed by MOSIP. | Share a partner certificate, which helps verify that the ISP is a genuine partner; the uploaded certificate is generally not used in MOSIP. Generate License Keys, which are used during citizen authentication. |
| ID Authentication Module / Online Verification Partner | Module that stores ID data used for authenticating the citizens. | This is an internal module. Generally added from the backend by the administrator. |
| Printing / Credential Partner | They provide the print solution. | Share a partner certificate, which is used to encrypt the face and demographic data that is shared for printing the ID card. They request a policy based on which data is shared with them for printing. |
| Policy type | Partners | Description |
| --- | --- | --- |
| Auth policy | AP | Specifies authentication types and KYC fields to be shared during authentication. |
| Datashare policy | Online Verification Partner, Credential Partner, Manual Adjudication, ABIS partner | Specifies data to be shared with partners |
| Partner Type | Associated Role |
| --- | --- |
| Partner Admin | PARTNER_ADMIN |
| Policy Manager | POLICYMANAGER |
| Authentication Partner | AUTH_PARTNER (new UI) |
| Credential Partner | CREDENTIAL_PARTNER |
| Device Provider | DEVICE_PROVIDER |
| FTM Provider | FTM_PROVIDER |
The key features of Authentication Partner and the Partner Management System are listed below.
A Partner can self-register, with much of the process automated and minimal manual intervention.
The Partner has to select the Policy Group and then choose an applicable Policy, which is based on the Partner Type the organization belongs to. Policy selection is easier because a description is provided against each policy, helping a Partner carefully select an applicable policy.
The new interface of PMP, for its user part, has undergone a complete revamp: not only the UI, but the UX has also been reworked from the ground up. A select few of the UX enhancements are as below:
Card view presentation – You now get ‘Partner User Dashboard’ and this offers Card view presentation for each functionality with brief / one liner description to help you understand the services offered in:
User Profile - The user can view their organisation name and username on the top right. The user dropdown on the top right has two options: User Profile and Logout.
Login: An existing Partner who has already registered can log in to the portal with email / username and password.
Retrieve Password / Forgot Password: The Partner will have the option to reset the password using the Forgot Password option.
Upload and Re-upload: Easily upload or re-upload Certificate Authority (CA) signed Partner Certificate.
Download: Download CA signed Partner Certificate and corresponding MOSIP Signed Certificate.
Request Policies: Request policies within selected policy group.
Policy List: View a tabular list of requested policies along with Partner Admin approval status.
View Policy Details: Access detailed views of individual policies, including status of Partner Admin approval/rejection.
OIDC Client:
Create OIDC Client: Create OIDC Clients for approved policies.
View OIDC Details: Access a tabular list and individual views of submitted OIDC Client details, including OIDC Client IDs.
Edit: Edit existing OIDC Client details.
Deactivate: Deactivate OIDC Client whenever needed.
API Key:
Generate API Key: Create API Keys for approved policies.
View API Key Details: View a tabular list and individual details of submitted API Keys.
Deactivate: Deactivate API Keys when necessary.
Complete support on Chrome, Firefox, Edge and Safari ensures a seamless user experience across these popular browsers.
Currently supports English, French and Arabic with plans to incorporate additional languages in future releases.
Optimized for standard browser sizes (laptop/desktop) with responsive UI design for laptop/desktop views.
Partner Management Service provides various partner services like onboarding partners and providing partner data to other modules.
The diagram below illustrates the relationship of this service to other MOSIP services.
Registration processor fetches ABIS datashare policy from PMS.
PMS sends notification messages to partners via notification service (of Kernel).
Audit logs are logged into Auditmanager.
All PMS data is stored in mosip_pms DB.
PMS invokes the client management endpoint of eSignet to register OIDC client
Partner Management System (PMS) is undergoing a major revamp and as our first step, we have introduced a brand new web application - Partner Management Portal. This brings:
Technology stack upgrade
Introduce new partner types.
Introduce new features.
Enhancement of existing features.
Improved usability and user experience.
This release marks the developer's preview release (1.3.0-dp.1) of Partner Management System which focuses on implementation of workflow in the new UI. This version of PMS is designed to run on 1.2.0.1 version of MOSIP platform.
The key features of Authentication Partner incorporated in this release are:
Partner Certificate:
Upload and Re-upload: Easily upload or re-upload Certificate Authority (CA) signed Partner Certificate.
Download: Download CA signed Partner Certificate and corresponding MOSIP Signed Certificate.
Policies:
Request Policies: Request policies within selected policy group.
Policy List: View a tabular list of requested policies along with approval status from 'Partner Admin'.
View Policy Details: Access detailed views of individual policies, including status of Partner Admin approval/rejection.
Authentication Services:
OIDC Client:
Create OIDC Client: Create OIDC Clients for approved policies.
View OIDC Details: Access a tabular list and individual views of submitted OIDC Client details, including OIDC Client IDs.
Edit: Edit existing OIDC Client details.
Deactivate: Deactivate OIDC Client whenever needed.
API Key:
Generate API Key: Create API Keys for approved policies.
View API Key Details: View a tabular list and individual details of submitted API Keys.
Deactivate: Deactivate API Keys when necessary.
We are reconstructing the entire PMS from the ground up, and our upcoming releases are going to keep the best of the current system and rebuild everything else from scratch.
The 'Legacy PMS' will be available during the overhaul, and the new system will gradually take over in phase-wise releases, thereby ensuring a smooth and seamless transition. This means the existing system will continue to work and be available while the rebuilding process is under way.
Certificates of partner are uploaded to as part of onboarding.
fetches credential data share partners and their policies from PMS.
Certificates of Authentication Partners are sent to IDA module as IDA runs independently. The certificates are shared using (which further uses Websub to share data with IDA).
Rest of the content can be referred to here:
Moving further from the current release, our upcoming PMS releases will aim to introduce new features and incorporate all the essential functionalities of ''. The upcoming releases are also going to focus on working afresh on other Partner Type(s). Refer to to the to know more about what all will unveil gradually.
This guide contains all the information required for successful deployment and running of Partner Management Portal. It includes information about the Database and roles.
Partner Management Service DB Scripts to be run: DB scripts
mosip-pms-client needs to have the below roles in keycloak:
CREATE_SHARE
DEVICE_PROVIDER
PARTNER
PARTNER_ADMIN
PMS_ADMIN
PMS_USER
PUBLISH_APIKEY_APPROVED_GENERAL
PUBLISH_APIKEY_UPDATED_GENERAL
PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL
PUBLISH_MISP_LICENSE_GENERATED_GENERAL
PUBLISH_MISP_LICENSE_UPDATED_GENERAL
PUBLISH_OIDC_CLIENT_CREATED_GENERAL
PUBLISH_OIDC_CLIENT_UPDATED_GENERAL
PUBLISH_PARTNER_UPDATED_GENERAL
PUBLISH_POLICY_UPDATED_GENERAL
REGISTRATION_PROCESSOR
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
ZONAL_ADMIN
Add the below property to the partner-management-default.properties file in the mosip-config repository to deploy the PMS Revamp 1.3.0-DP.1 release in your env.
The following guide outlines some important properties that can be customized for a given installation. Please note that this list is not exhaustive but serves as a checklist for reviewing properties that are likely to differ from the default settings. For a complete list of properties, refer to the files listed below.
Partner Management Services uses the following configuration files:
This property is used by kernel-authcodeflowproxy-api to check whether a request is coming from allowed URLs or not.
These properties are used to specify the keymanager API to upload certificates and get original partner uploaded certificates.
These properties are used to set attributes for partner management services.
app id : ApplicationId for partner
client id : Kernel auth client ID for partner management services
client secret : Kernel auth secret key for partner management services
These configurations are used to create user in keycloak and map to a role.
Note : All partner types should be created as roles in keycloak.
These properties are used to specify the auth manager API to validate the token.
This property is used to populate required roles which should be allowed in UI. (Roles are nothing but partner types.)
These properties specify the url to redirect after logout and the end session endpoint in OIDC.
These configurations specify the E-Signet claims mapping file url, amr-acr mapping file url and the service apis for create and update OIDC and OAuth Client.
These properties are used to set the user inactivity idle time.
Inactivity Timer : Specifies the duration (in minutes) before the session is timed out due to inactivity.
Prompt Timer : Specifies the duration (in minutes) before the user is prompted about the impending session timeout.
This property is used to set the server request and response time (in minutes) for Axios.
These properties are used to set attributes for OIDC client creation and update.
Grant Types : Specifies the grant types used by the OIDC client.
Client Authentication Methods : Specifies the client authentication methods.
These properties specify partner type roles that are used to grant access to various APIs in partner management service.
This repository contains the UI code for Partner Management portal. To know more about the features and functions present on the portal, refer here.
Note: The code is written in React JS.
Install node.js
- To build the react JS code that runs on node, recommended Node: 21.7.3, Package Manager: npm 5.2+
Check out the source code from GIT – To download the source code from git, follow the steps below to download source code on your local system.
git clone https://github.com/mosip/partner-management-portal (to clone the source code repository from git)
Build the code
Follow the steps below to build the source code on your system.
Navigate to the pmp-reactjs-ui directory inside the cloned repository.
Run the command npm run build in that directory to build the code.
Build Docker image
Follow the steps below to build the docker image on your system.
docker build -t name .
(replace name with the name of the image you want, "." signifies the current directory from where the docker file has to be read.)
Example: docker build -t pmp-reactjs-ui .
Run the Docker image
Follow the steps below to run the docker image on your system.
docker run -d -p 80:80 --name container-name image-name
(Runs the docker image created in the previous step. -d runs the container in detached mode. -p sets the port mapping: the left side of the ":" is the external port that will be exposed to the outside world and the right side is the internal port of the container that is mapped to the external port. Replace container-name with the name of your choice for the container, and replace image-name with the name of the image specified in the previous step.)
Example: docker run -d -p 3000:3000 --name nginx pmp-reactjs-ui
Now you can access the user interface over the internet via browser.
Example: http://localhost:3000
Build & deploy the code locally
Follow the steps below to build the source code on your system.
Navigate to the pmp-reactjs-ui directory inside the cloned repository. Then, run the following command in that directory:
npm install
npm start
Now, you can access the user interface via browser.
Example: http://localhost:3000
Partner Management Portal (PMP) is used by both PMS Admin and Partner User.
Partner Administrator: Partner Admin
Partners: Partner User
Important:
We are revamping the PMS (Partner Management System) and have also worked on the UX and the interface. The new interface for 'Partner Users' is ready and launched with the current release. However, please note that with the current release the interface revamp covers only the user flow; for admin activities you will still have to use the 'Older Admin Interface', which is also going under the knife to come up with a fresh new UX and interface. This essentially means the following:
Partner User - 'Authentication Partners' can use the new interface to perform all the activities mentioned under 'Authentication Partner Workflow'.
Partner Admin - The Partner Admin will still have to use the older 'Partner Admin Interface' to perform all the activities explained under 'What all activities does a 'Partner Admin' perform for Authentication Partner?'.
As a ‘Partner Admin’ you can perform the following 3 activities to complete the end-to-end functionality pertaining to the Authentication Partner.
Note that for all these admin activities you will still have to use the older 'Partner Admin Interface' for now, until we complete its revamp, which is already underway on a war footing.
Upload Root CA and Sub CA Certificates
Create Policy Group and Policy
Approve/Reject Policy
Only after you 'Upload Root CA and Sub CA Certificates' (from the Older PMP Interface) will a Partner be able to 'Upload CA signed Partner Certificate'.
As a process of Partner onboarding onto PMP after successful registration, Partner is required to Upload CA signed Partner Certificate on behalf of their organisation which would be used to build a trust store in MOSIP to cryptographically validate that they are from a trusted organisation to perform authentication of citizens. Also this certificate is used to encrypt the response shared in e-KYC.
Important:
You will have to use the older Partner Admin interface. Yes, you read that correctly! Before a Partner will be able to upload a ‘CA Signed Certificate’, it is a prerequisite that the ‘Partner Admin’ upload the Root CA and Sub CA certificates, and this you can do from the ‘Older PMP Interface’.
Go to Older PMP Interface and click on Upload CA Certificate option on the left navigation pane.
Select the Partner Domain.
Choose the Root CA Certificate to upload (only files with extensions as .cer or .pem).
Click Upload.
Similarly, sub/intermediate CA certificate should be uploaded by following the above steps (1-4).
As Partner Admin you are required to ‘Create Policy Group’ and ‘Create Policy(s)’ which a ‘Partner’ will be able to select while self-registering on PMP.
As an admin you will also have the privilege to ‘Approve Policy Request’ when a Partner selects a Policy and it comes to you for approval. You can read more about this here.
Login as Partner Admin into the PMS portal (Older PMP Interface).
Click on Policy > Policy Group. The existing policy groups are listed on the screen and the new ones can be created.
Click on Create Policy Group (+).
Enter the ‘Policy Group Name’ and ‘Description’.
Click Save.
On successful creation of Policy Group(s), Policies can be created under the respective group.
Note:
MOSIP supports two types of policies, i.e. Auth Policy and Datashare Policy. Only Auth Policy is used by Authentication Partners.
Click on Policy > Policy Group on the left navigation pane. The existing policy groups are listed on the screen and new ones can be created. To search or filter any data pertaining to policy groups, use the filter menu.
Click Auth Policy > Create Policy.
Add the Name and Description.
Select the Policy Group from the dropdown (Select the Policy Group - Auth Policy); the Policy you are creating will be added under this group.
Add the Policies Data.
Click Save.
Note:
Once the policy is created, it will be in inactive state. You have to Activate a Policy before a Partner will be able to select it while ‘Requesting a Policy’.
Once you 'Create Policy', you will also be required to activate it, and then it will appear when a Partner wants to select a policy. You can also change the status of a Policy Group (Deactivate) or edit it using the Action menu as shown below.
Select the Policy you want to activate or edit.
From the Actions menu, select Activate/Edit.
When a Partner has chosen a 'Policy Group' and the 'Policy', an approval request will come to you and you can approve or reject a ‘Policy Request’ using the ‘Request Policy’ screen.
Click on Partner Policy Mapping in the left navigation pane.
Select the policy mapping that needs an approval.
Click on Manage Policy on the ‘Action Menu’ appearing against a Policy.
Click on Approve.
To be able to access the services offered by PMP and to validate that the partner is from a trusted organisation, undergoing self-registration on PMP and uploading a CA signed certificate is necessary.
Self Register on PMS Interface
Upload CA signed Certificate
The Authentication Partner can register themselves on the MOSIP PMS portal by clicking Register on the Login Page. A form comes up.
Enter the Authentication Partner details:
Partner type (Authentication Partner)
First and Last name
Organization Name
Address, Phone number
e-mail, Username and password
Click on Register. A popup comes up which asks you to 'Choose a Policy Group' and to 'Agree to Terms and Conditions' before you can be considered an 'Authentication Partner'.
Select the relevant/applicable Policy Group on the Select Policy Group popup using the Policy Group dropdown, reading through the policy group description in the dropdown.
On Submit, it will ask you to read through the ‘Terms and Conditions’; having carefully read through them, you can agree and accept.
Validations:
User can select only one Policy Group per Partner Type.
Policy selected once cannot be edited later.
Terms & Conditions: Partner consent refers to voluntary and informed agreement provided by a partner user on behalf of the Partner Organisation, to a specific action or process where the users have a clear understanding of what they are consenting to. User consent is important to ensure data privacy, where it is compliant to obtain explicit consent from partners before collecting, processing, or sharing their personal/ organisation level data.
A detailed description explaining which of their personal and organisation data is used and for what purposes it will be used in PMP will be informed while seeking user consent.
User is now in Home Page/Dashboard where the following features are provided to Authentication Partner: 1) Partner Certificate, 2) Policies and 3) Authentication Services: OIDC Client and API Key generation.
Once registered, as part of Partner onboarding onto PMP, the user is required to upload a CA signed Partner Certificate on behalf of their organisation, which would be used to build a trust store in MOSIP to cryptographically validate that they are from a trusted organisation to perform authentication of citizens. This certificate is also used to encrypt the response shared in e-KYC.
Tips:
Later when required a Partner can also ‘Download Certificate’ and ‘Re-Upload Certificate’ (As the need may be).
Important:
Before a Partner can upload a ‘CA Signed Certificate’, it is a prerequisite that the ‘Partner Admin’ has already uploaded the Root CA and Sub CA certificates (from the older PMP interface).
Go to Authentication Partner (New UI) -> Dashboard.
Click on the Partner Certificate option, then click on the Upload button to upload the partner certificate signed by the CA.
Select the CA signed partner certificate from local system by tapping on the upload section (blue area).
Certificate is successfully fetched from local system.
Click on Submit, Partner Certificate is uploaded successfully.
On closing the popup, the user can view the uploaded certificate details in the form of a list view.
There is also an option to download the initially uploaded CA signed certificate and also the MOSIP Signed Certificate.
Re-uploading the certificate is required when the MOSIP Signed Certificate expires after one year.
Note:
The 'MOSIP Signed Certificate' has a validity of 1 year from the time of Partner Certificate Upload.
You must ensure that you re-upload the partner certificate again so that new MOSIP signed certificate can be generated and other functionalities such as Request Policy, Authentication Policies can function.
Pre-Requisite: Policy Manager (in our case 'Admin') must have created a Policy Group and then created a Policy within it for the Partner to be able to ‘Request a Policy’.
Click on the 'Request Policy' option in User homepage/dashboard.
Each policy name is provided with a policy description, so you can make a suitable policy selection. You can provide appropriate request comments and submit the policy request details. A message conveying that the policy request was submitted successfully to the admin is displayed.
This newly created policy request will be in ‘Pending for Approval’ status. You can also click on the action menu to see all the submitted policy details irrespective of status.
Once the request is approved (the Partner Admin will Approve Policy Request), you can see the status change to ‘Approved’.
After the partner has selected a policy group, uploaded partner certificate, requested for policy and also got admin approval - partner can now perform 'Authentication Services':
OIDC Client: Create OIDC Client for approved policy
API Key : Generate API Key for approved policy
Prerequisites: Policy requested by the Partner must be already approved by Policy Manager (Read More here).
The authentication partner needs to provide the following details to create OIDC Client
Select suitable Authentication policy for OIDC Client creation. Only the policies that are APPROVED by admin will be available in dropdown for selection.
Enter the public key in JWK format, name or label for OIDC Client, LogoURI and one or more Redirect URI.
On successful submission, user can find this record in tabular list of submitted OIDC Client details in ‘Activated’ status. Tabular list and individual view of submitted OIDC Client details along with OIDC Client ID, Edit OIDC Client details and Deactivate OIDC Client can also be seen from here.
This Client ID can then be consumed in eSignet to perform authentication. Client ID can be accessed by clicking on eye icon.
User can utilize this OIDC Client ID to perform eSignet based authentication of citizens
The user can also view every OIDC Client detail individually using the View option
The user can also edit the OIDC Client details in Activated status (only OIDC Client Name, LogoURI and RedirectURI are editable) by selecting the edit option in Action Menu.
The user can deactivate the OIDC Client ID by clicking on the deactivate option. The deactivate popup window appears and, on clicking confirm, the OIDC Client record is changed to Deactivated status. Once deactivated, the client ID cannot be used for authentication anymore.
The authentication partner needs to provide the following details to generate API Key
Select suitable Authentication policy for API Client. Only the policies that are Approved by admin will be available in dropdown for selection.
Enter an appropriate name or label for the API Key to be generated and submit. On successful submission, a popup window displays the API Key along with a copy button.
For security reasons, this API Key can be viewed in the PMS application only once; hence the same API Key popup window shows a message telling the user not to close the window until the API Key has been copied.
User can find this record in tabular list of submitted API details in ‘Activated’ status.
User can either view individual API Key entries or view the consolidated list in tabular view.
You also have an option to deactivate an API Key, which thereafter cannot be used for authentication. On clicking confirm, the API Key record is changed to Deactivated status. Once deactivated, it cannot be activated again. You may need to generate a new API key as per requirement.
PMP (Partner Management Portal) is undergoing a comprehensive overhaul. This revamp includes improving usability and elevating the overall user experience (UX). The focus is to bring user-centered design to PMP and make it more intuitive, efficient, and aligned with our partners' evolving needs.
Card view presentation is there for each functionality with brief description to help you understand the services offered in Partner User Dashboard.
After successfully registering you can access the Home Page / Dashboard. You will be able to view the features and functionalities on the dashboard based on your Partner Type.
Note: You can access the partner dashboard only when you are duly registered and have selected the 'Policy Group'.
Each functionality that the user can perform is displayed in its own card so that there is independent navigation for each task.
Partner Certificate: Upload or Reupload CA Signed Partner Certificate and Download CA Signed Partner Certificate & corresponding MOSIP Signed Certificate
Policies: Request for a policy within the selected policy group, tabular list of requested policies along with status of admin approval, view requested policy details along with admin comments/status.
Authentication Services:
OIDC Client : Create OIDC Client for approved policy, tabular list and individual view of submitted OIDC Client details along with OIDC Client ID, Edit OIDC Client details and Deactivate OIDC Client
API Key : Generate API Key for approved policy, tabular list and individual view of submitted API Key details and Deactivate API Key.
You can view your organisation name and username on the top right, under 'User Profile'; the logout option is also placed here.
Login to PMP and Go to Dashboard.
Click on Re-Upload button of Authentication Partner Type.
Re-upload certificate pop-up window appears. The time and date of previous certificate upload is also displayed for user reference. Click on the certificate upload section (blue area) to upload a new partner certificate from the local system.
After selecting the certificate from local system, the fetched certificate name is displayed.
Click on Submit, Partner certificate upload success message is displayed.
Click on Close to come back to list view of partner certificate.
You can reset your password in case you are unable to recall it.
Click on the Forgot Password link displayed on the login page to reset the password.
Enter the registered email address and submit. A message is displayed informing the user that further instructions to reset the password have been sent to the email address entered.
Click on the Reset password link received at your email address; you will be redirected to the Change Password screen.
Enter a new password that adheres to the password policy and re-enter it to confirm before you save it.
After clicking submit, this new password will be used in subsequent logins.
This guide enables the Foundational Trust providers to use the PMP portal effectively. Below is the workflow:
Partner self-register through the portal.
Partner admin uploads CA certificate.
Partner admin/ Partner uploads partner certificate.
Partner admin/ Partner creates FTM.
Partner admin/ Partner uploads certificate from the menu before approval/ rejection.
Partner admin approves/ rejects the FTM.
The partner can register themselves on the MOSIP PMP portal by clicking Register on the landing page.
They need to fill up a form with the details below:
First and Last name
Organization Name
Partner type (Device Provider)
Address, e-mail, phone number
Username and password
To view the details entered, click Home to see the dashboard.
The Partner admin needs to upload the CA certificate to enable the partner to use the portal. To do so, the Partner admin:
Clicks Upload CA Certificate option on the left navigation pane of the partner portal.
Selects the Partner Domain as FTM.
Chooses the certificate to upload (only files with extensions such as .cer or .pem).
Clicks Upload.
The uploaded certificates can be viewed by clicking on View Certificates -> View.
Similarly, the Partner certificates can be added by the Partner admin or partner.
The certificate can be uploaded by clicking Home-> Upload Certificate -> Upload.
The certificate can be viewed by clicking Home-> View Certificate ->View.
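The CA certificate and the partner certificate can be checked locally before they are uploaded through the steps above. The following is an added example, not part of the MOSIP documentation or code base: a POSIX shell function that uses the openssl command line to confirm that a .cer or .pem file parses as X.509, carries no private key, verifies against the CA certificate, and stays valid for a minimum number of days. The function names, the 30-day default and the assumption that the CA file contains the complete chain up to a self-signed root are choices of this example.

```shell
#!/bin/sh
# Pre-upload checks for a partner certificate (added example, not MOSIP code).
# Assumption: CA_FILE holds the full chain up to a self-signed root.

# Write the first certificate in a .cer/.pem file to stdout as PEM.
# A .cer file may be DER or PEM encoded, so both encodings are tried.
to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# check_partner_cert CA_FILE CERT_FILE [MIN_DAYS]
# Prints one "FAIL ..." line per failed check; returns 0 only if all pass.
check_partner_cert() {
    ca_file=$1
    cert_file=$2
    min_days=${3:-30}            # hypothetical threshold chosen for this example
    tmp=$(mktemp -d) || return 2
    rc=0

    # The upload form only accepts these extensions.
    case "$cert_file" in
        *.cer|*.pem) ;;
        *) echo "FAIL extension: only .cer or .pem files are accepted"; rc=1 ;;
    esac

    if ! to_pem "$ca_file" > "$tmp/ca.pem"; then
        echo "FAIL ca: not a parsable X.509 certificate"
        rm -rf "$tmp"; return 1
    fi
    if ! to_pem "$cert_file" > "$tmp/cert.pem"; then
        echo "FAIL cert: not a parsable X.509 certificate"
        rm -rf "$tmp"; return 1
    fi

    # Only the certificate is uploaded; the private key stays with the partner.
    if grep -q 'PRIVATE KEY' "$cert_file"; then
        echo "FAIL key: file contains a private key block"; rc=1
    fi

    # The partner certificate must verify against the CA certificate.
    if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert.pem" >/dev/null 2>&1; then
        echo "FAIL chain: certificate does not verify against the CA certificate"; rc=1
    fi

    # The certificate must still be valid MIN_DAYS from now.
    if ! openssl x509 -in "$tmp/cert.pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL validity: certificate expires within $min_days days"; rc=1
    fi

    rm -rf "$tmp"
    return $rc
}
```

Call it as `check_partner_cert ca.pem partner.cer 30`; an exit status of 0 with no output means every check passed.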
The partner can create FTM details by,
Clicking FTM Details -> Create FTM
Fill up the information like Partner Name, Make and Model.
Clicking Save.
The partner can upload FTM certificates by,
Selecting Upload Certificate option from the Actions menu against the FTM created.
Entering the Partner Domain as FTM and choosing the certificate file.
Clicking Upload.
The Partner Admin can choose to approve or reject the FTM certificate uploaded. Below illustrates the workflow:
Finally, you can see the FTM activated.
PMS Portal is used by the Partners to onboard with MOSIP and manage Devices, FTM, Create API Keys and Create OIDC clients etc.
Partner Management module has two services:
Partner Management service
Policy Management service
The documentation here will guide you through the prerequisites required for the developer's setup.
Below is a list of tools required in Partner Management Services:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)
Follow the steps below to set up Partner Management Services on your local system:
Install Apache Maven.
Copy the settings.xml to ".m2" folder C:\Users\<username>\.m2.
Install Eclipse.
Open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update. Specify the Eclipse installation location if required by clicking the ‘Specify location…’ button. Then, click the Install/Update button to proceed.
Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if lombok.jar is added. By doing this, you will not have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.
Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
Open the project folder partner-management-services\partner where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true to build the project and wait for the build to complete successfully.
After building a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
This will import 5 projects into Eclipse: partner, partner-management-service, pms-common, policy-management-service and policy-validator.
After successful importing of all the projects, update each project by right-clicking on Project → Maven → Update Project.
E.g.: You can download kernel-auth-adapter.jar and add it to the project: Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close.
Properties Files - Update the application-dev.properties and bootstrap.properties files in the folder partner-management-services\partner\partner-management-service\src\main\resources to run the Partner Management Service locally.
Click the "run" option, the service will start locally on port 9109.
Policy management service also can run by following the above steps.
The APIs can be tested with the help of Postman or Swagger-UI.
Swagger is an interface description language for describing RESTful APIs expressed using JSON. The Swagger-UI of partner-management-services can be accessed at the following URLs:
dev environment: https://dev.mosip.net/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config
localhost: http://localhost:9109/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config
The Swagger-UI of policy-management-services can be accessed at the following URLs:
dev environment: https://dev.mosip.net/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config
localhost: http://localhost:9107/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs faster. It is a widely used tool for API testing.
PMS Portal UI:
The table below outlines the frameworks, tools, and technologies used in PMS Portal.
Partner Management Services:
The table below outlines the frameworks, tools, and technologies employed by Partner Management Services.
PMS Revamp Portal web application is currently compatible and certified with the following list of browsers:
Scope for Release 1.3.0-dp.1 - Compatible on standard browser size (laptop/desktop) and UI responsiveness in laptop/desktop.
Compatibility on Mobile and also on specific tablet and mobile sizes will be taken up only after Release 1.3.0-dp.1.
Partner Management System (PMS) module provides the following services:
Partner Management Service
Policy Management Service
For an overview of role of partners in MOSIP, refer .
Provides various partner services like onboarding partners and providing partner data to other modules.
The diagram below illustrates the relationship of this service to other MOSIP services.
Registration processor fetches ABIS datashare policy from PMS.
PMS sends notification messages to partners via notification service (of Kernel).
Audit logs are logged into Auditmanager.
All PMS data is stored in mosip_pms DB.
This service manages partner policies.
Audit logs are logged into Auditmanager.
All policies are stored in mosip_pms DB.
Datashare service fetches partner policies and shares data with partners accordingly.
Partner management portal allows the partners to register themselves in MOSIP. With LTS release, the following types of partners can register themselves:
Authentication Partners
Credential Partners (with limited features)
Device Providers
FTM Provider
A Partner Admin can create Policies that are required for Authentication and Credential partners. The section below describes the types of policies that are supported by MOSIP.
To create policies, policy groups should be defined. Policy groups can be considered as the regulatory bodies in a country, examples could be Telecom, Insurance, Banking, etc.
Login as Partner Admin into the PMS portal.
After successful login, on the left navigation pane, click on Policy -> Policy Group.
The existing policy groups are listed on the screen and the new ones can be created.
To create Policy groups
Click Policy -> Policy Group -> +Create Policy Group
Enter the Policy group Name and Description and click Save.
To search or filter any data pertaining to policy groups, use the filter menu.
You can also change the status of a policy group (Deactivate/Re-activate) or edit it using the Action menu as shown below.
On successful creation of Policy groups, policies can be created under that group. MOSIP supports two types of policies, i.e., Auth policy and Datashare policy.
Click Auth Policy -> Create Policy.
Add the Name and Description.
From the dropdown, select the Policy group.
Add the Policies Data.
Click Save.
Note: Once the policy is created, it will be in Inactive state. You have to activate it before using it for a partner.
Select the policy you want to activate or edit.
From the Actions menu, select Activate/Edit.
Use the filter menu.
Data Share policy can be created/edited in the same way as the steps mentioned in the previous section on Auth policy by using Data Share Policy menu options.
Partners in MOSIP are created in a self-service mode. The partner visits the MOSIP partner management portal and requests for collaborating with MOSIP by providing basic details such as organization name and email-id, purpose of registration (how they want to collaborate with MOSIP - as a device provider, authentication partner, print partner, etc), basic credentials and performing an OTP based verification. Once these details are filled by the partner and a request is sent to MOSIP, the Partner Admin verifies the details of the partners and allows the partner to integrate with MOSIP.
To know more about each of the partners, click:
These features can also be accessed by clicking on the side panel (in the form of icons) or on the hamburger menu on the top left, which is available across all screens of PMP to help the user navigate easily.
Once the details are in Activated status, the user will be able to view the generated OIDC Client ID by clicking on the eye icon. Clicking on the OIDC Client ID eye icon opens a popup window which displays the Client ID and a copy button.
The PMP Interface 'Card View' for 'Authentication Partner' presents you with the following features. These features can also be accessed by clicking on the side panel (in the form of icons) or expanding the hamburger menu on the top left, which is available across all screens of PMP to help the user navigate easily.
Click on the Partner Certificate option in the dashboard / side panel / hamburger menu; you will be redirected to the list view of partner certificates.
Download lombok.jar and settings.xml from .
For the code setup, clone the repository and follow the guidelines mentioned in the .
For the environment setup, you need an external JAR that is available with different versions. Download the below-mentioned JARs with appropriate latest/appropriate versions. You will need to input the appropriate artifact ID and version and other inputs. kernel-auth-adapter.jar
For API documentation, refer .
Download the and then import it in your postman.
Certificates of partner are uploaded to as part of onboarding.
fetches credential data share partners and their policies from PMS.
Certificates of Authentication Partners are sent to IDA module as IDA runs independently. The certs are shared using (which further uses Websub to share data with IDA).
To know more about the partner portal, refer .
To know more about the developer setup, read .
Refer .
Partner Type | Associated Role |
---|---|
By default, on clicking Auth policy, the screen displays the list of existing auth .
Tool / Technology | Version | Description | License |
---|---|---|---|
React JS | 18.2.0 | React JS is used to develop the UI web application | |
Node JS | 21.7.3 | Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. | |
Tailwind CSS | 3.4.3 | Tailwind CSS is a Utility-first CSS framework for building rapid custom UI. | |
Tool / Technology | Version | Description | License |
---|---|---|---|
Java SE 11 | OpenJDK 11 | Language Runtime in Docker Image | GNU General Public License, version 2, with the Classpath Exception |
Ubuntu Server | 20.04 | Docker base image Operating System | Free |
Spring | 5 | Application Framework | Apache License 2.0 |
Apache commons | Version compatible with Spring 5 | Utilities | Apache License 2.0 |
Hibernate | 5.2.17.Final | ORM | Apache Software License 2.0 |
Hibernate validator | 6.0.12.Final | validator | Apache Software License 2.0 |
Jackson | 2.12.0 | JSON marshal/unmarshal | Apache Software License 2.0 |
Junit | 4.x and above | Unit Testing | Common Public License - v 1.0 |
mockito | 2.22.0 | Junit - Mock Objects | MIT |
logback | 1.1.6 | Log | GNU Lesser GPL Version 2.1 |
velocity | 1.7 | Templating | Apache Software License 2.0 |
Swagger | Open API - 3 | API Documentation | Apache Software License 2.0 |
PostgreSQL | Server: 10 | Database | Postgres License BSD 2-clause "Simplified License" |
Sonar | 7.2 | Code quality Checking | Open Source License |
Micrometer Prometheus | 1.4.2 | Metrics | Apache Software License 2.0 |
gson | 2.8.5 | JSON parser | Apache Software License 2.0 |
h2 database | 1.4.197 | JUnit Test DB | EPL 1.0, MPL 2.0 |
lombok | 1.18.8 | Development - reduce the boilerplate code | MIT |
IText PDF | 5.5.13.3 | PDF Generation | AGPL 3.0 |
icu4j | 63.1 | Transliteration | Unicode-3.0 |
SL No | Browser | Version |
---|---|---|
 | Chrome | Version 126.0.6478.185 and above |
 | Firefox | Version 128.0.3 and above |
 | Edge | Version 127.0.2651.86 and above |
 | Safari | Version 16.6 and above |
Partner Admin | PARTNER_ADMIN |
Policy Manager | POLICYMANAGER |
Authentication Partner | AUTH_PARTNER |
Credential Partner | CREDENTIAL_PARTNER |
Device Provider | DEVICE_PROVIDER |
FTM Provider | FTM_PROVIDER |
Name of property | Value | File Name |
| dev |
|
| dev |
|
| jdbc:postgresql://$HOST:$PORT/mosip_pms |
|
| Password of DB |
|
Replace all URLs | ${mosip.api.internal.url} should be set to the URL of your env where all the dependent services below are running: WebSub, MasterData, KeyManager, AuthManager, DataShare, Notifier, Esignet, IDP etc |
|
|
|
| Key Cloak Secret of mosip-pms-client |
|
| mosip-pms-client |
|
| Key Cloak Secret of mosip-pms-client |
|
| Key Cloak Secret of mosip-pms-client |
|
|
|
| http://localhost:9109/v1/partnermanager/login-redirect/ |
|
| http://localhost:3000/ |
|
| ${mosip.api.internal.url}/v1/esignet/oidc/.well-known/openid-configuration |
|
| Config Server URL pointing to identity-mapping.json |
|
| Config Server URL pointing to amr-acr-mapping.json |
|
| ${mosip.api.internal.url}/v1/esignet/client-mgmt/oidc-client |
|
| ${mosip.api.internal.url}/v1/esignet/client-mgmt/oidc-client |
|
| ${mosip.api.internal.url}/v1/esignet/client-mgmt/oauth-client |
|
| ${mosip.api.internal.url}/v1/esignet/client-mgmt/oauth-client |
|
Below is the workflow that includes the registration process for an Auth or Credential partner and the steps that need to be followed for using the partner portal.
The partner self-registers through the portal.
Partner selects the relevant Policy Group.
Partner admin uploads the CA certificate.
Partner admin or partner uploads the partner certificate.
Partner admin or Partner maps the Partner Policy.
Partner admin approves or rejects partner policy mapping.
Partner logs in after the approval and generates the API key for the approved partner policy mapping using a unique label.
The Auth/ Credential partner can register themselves on MOSIP PMS portal by clicking Register on the landing page.
They need to fill up a form with the details below:
First and Last name
Organization Name
Partner type (Authentication Partner/ Credential Partner)
Address, e-mail, phone number
Username and password
To view the details entered, click Home to see the dashboard.
On successful registration, the partner can see their username displayed on the top right corner.
Partner selects the relevant Policy Group from Map Policy Group dropdown.
Clicks Save.
The Partner admin needs to upload the CA certificate to enable the partner for using the portal. To do so, the Partner admin:
Clicks Upload CA Certificate option on the left navigation pane of the partner portal.
Selects the Partner Domain.
Chooses the certificate to upload (only files with extensions such as .cer or .pem).
Clicks Upload.
The uploaded certificates can be viewed by clicking on View Certificates -> View.
Similarly, the Partner certificates can be added by the Partner admin/ partner.
Once the certificates are uploaded,
Partner maps the policy to the Policy group by clicking on Partner Policy Mapping -> +Map Policy.
Partner enters the Partner Name.
Selects the Auth Policy Name from the dropdown.
Enters a value for the Request Details (unique value) and clicks Save.
Once this is done, you will see a message saying Policy mapping request submitted successfully.
Also, the status is displayed as "In progress" and this means that the partner cannot generate the API key until the request is approved by the Partner admin.
Once the Partner Policy Mapping request is raised by the partner, the Partner admin has the privilege to approve/ reject the mapping. To do so,
Partner admin logs into the PMS portal and clicks on Partner Policy Mapping in the left navigation pane.
Selects the policy mapping that needs an approval.
From the action menu against the policy mapping, selects Manage Policy.
Clicks Approve.
Once the request is approved, the partner can view the status being updated to Approved instead of InProgress.
Partner logs in after the Partner Policy Mapping is approved by the Partner admin and generates the API key with a unique label. To do so,
Partner clicks Partner Policy Mapping on the left navigation pane.
From the actions menu, click Generate API Key.
Partner enters a unique value for the Label field.
Click Generate.
The API key is generated and can be used by the partner.
The partner can also deactivate a particular API Key by clicking on the cross-mark (X) next to it. Please note, once deactivated, it cannot be activated again. You may need to generate a new API key as per requirement.
This guide enables the Device provider partner to use the partner portal effectively. Below is the workflow:
The partner self-registers through the portal.
Partner admin uploads the CA certificate.
Partner admin or Partner uploads the partner certificate.
Partner admin or Partner creates device details.
Partner admin approves or rejects device details.
Partner admin or Partner creates SBI details.
Partner admin approves or rejects SBI details.
Partner admin or Partner maps devices and SBI.
The Device Provider partner can register themselves on the MOSIP PMS portal by clicking Register on the landing page.
They need to fill up a form with the details below:
First and Last name
Organization Name
Partner type (Device Provider)
Address, e-mail, phone number
Username and password
To view the details entered, click Home to see the dashboard.
The Partner admin needs to upload the CA certificate to enable the partner for using the portal. To do so, the Partner admin:
Clicks Upload CA Certificate option on the left navigation pane of the partner portal.
Selects the Partner Domain.
Chooses the certificate to upload (only files with extensions such as .cer or .pem).
Clicks Upload.
The uploaded certificates can be viewed by clicking on View Certificates -> View.
Similarly, the Partner certificates can be added by the Partner admin/ partner.
The certificate can be uploaded by clicking Home-> Upload Certificate -> Upload.
The certificate can be viewed by clicking Home-> View Certificate ->View.
The partner can add devices to the portal. To do so,
Partner clicks Device details -> Create Device.
Enters the necessary details to create/add devices like:
Partner Name
Device Type and Sub Type
Make and Model
Click Save.
The Partner Admin can choose to approve/reject the device details entered by the partner.
The Partner can create SBI by filling in the required details.
The Partner Admin can choose to approve/reject the SBI details entered by the partner.
The partner can map the device with an SBI.
Partner Management Services are the self-services which are used by the partners themselves via a portal. Partner Management Portal is a web based UI application that provides services to various types of partners.
Partner Management module has two services:
Policy Management service
Partner Management service
The documentation here will guide you through the prerequisites required for the developer's setup.
Below is a list of tools required in Partner Management Services setup:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)
Follow the steps below to set up Partner Management Services on your local system:
Download lombok.jar and settings.xml from here.
Unzip Apache Maven, move the unzipped folder to C:\Program Files, and move settings.xml to the conf folder C:\Program Files\apache-maven-3.8.4\conf.
Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update.
Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if the lombok.jar is added. By doing this, you don't have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.
Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.
Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project and wait for the build to complete successfully.
After building the project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of the project, update the project by right-clicking on Project → Maven → Update Project.
For the environment setup, you need an external JAR that is available here with different versions. (E.g.: You can download kernel-auth-adapter.jar and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).
Clone mosip-config repository.
Create an empty folder named sandbox-local inside mosip-config, then copy all config files into the sandbox-local folder except .gitignore, README and LICENSE.
As Partner Management Services uses two properties files, partner-management-default and application-default, you will have to configure them according to your environment. The same files are available here for reference.
To run the server, two files are required: kernel-config-server.jar and config-server-start.bat.
Put both the files in the same folder, change the location attribute to the sandbox-local folder in the config-server-start.bat file, and check the version of kernel-config-server.jar towards the end of the command.
Example:
java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:C:\Users\myDell\mosipProject\mosip-config\sandbox-local -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 kernel-config-server-1.2.0-20201016.134941-57.jar
As mentioned in the steps above, you may have to make some changes in the two properties files as per your environment.
Run the server by opening the config-server-start.bat file.
The server should now be up and running.
Below are the configurations to be done in Eclipse:
1. Open Eclipse and run the project once as a Java application, so that it creates a Java application which you can see in the debug configurations, and then change its name (e.g.: project name with environment - "partner-management-dev").
2. Open the arguments and pass -Ddomain.url=dev.mosip.net -Dapplication.base.url=http://localhost:8090 -Dspring.profiles.active=default -Dspring.cloud.config.uri=http://localhost:51000/config -Dspring.cloud.config.label=master in VM arguments.
3. Here, the domain URL represents the environment on which you are working (e.g., it can be dev2.mosip.net or qa3.mosip.net).
4. Click Apply and then debug it (starts running). In the console, you can see a message like "Started PartnerManagementService in 34.078 seconds (JVM running for 38.361)".
Policy management service also can run by following the above steps.
For API documentation, refer here.
The APIs can be tested with the help of Swagger-UI and Postman.
Swagger is an interface description language for describing RESTful APIs expressed using JSON. The Swagger-UI of partner-management-services can be accessed at the following URLs:
dev environment: https://dev.mosip.net/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config
localhost: http://localhost:9109/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config
The Swagger-UI of policy-management-services can be accessed at the following URLs:
dev environment: https://dev.mosip.net/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config
localhost: http://localhost:9107/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs faster. It is a widely used tool for API testing.
Download the JSON collection and then import it in your postman.
This should point to the URL of your env where KeyCloak is running. Ex: