Gluu Open Banking Identity Platform
FAPI and CIBA Certified
Open Banking and PSD2 are revolutionizing the financial industry by giving consumers more control over their financial data. With Gluu’s Open Banking Identity Platform, you can take advantage of these changes while maintaining the security and integrity of your infrastructure and policies. Our platform allows you to unlock the potential of Open Banking and PSD2 while ensuring that your customers’ data is safe and secure.
Get Started with Open Banking
Gluu’s open banking distribution provides the streamlined core to your open banking needs.
Our open banking solution is trimmed down to increase performance and reduce the security surface area.
Gluu is the premier choice for your open banking needs, securing your digital transformation 24/7, with support when you need it.
OpenID Connect Certified
Pass your audit:
Gluu is certified to conform with the Financial Grade OpenID Provider profile. Called “FAPI” for short, this profile provides detailed requirements for the security features needed to perform payments and other bank transactions. Gluu has also submitted many other certifications for both its OpenID Provider and Relying Party software. In fact, Gluu has submitted more OpenID certification tests than any other vendor.
CIBA Ready for Offline Authentication
CIBA, or “Client Initiated Backchannel Authentication” is an OpenID standard that is used to enable certain out-of-band security use cases, like when a customer speaks with an agent at a call center. It’s critically important for the agent to verify the identity of the person calling, and CIBA provides a solution to use a mobile device to accomplish this. Gluu is the only open-source implementation to certify against the FAPI CIBA OpenID Provider conformance profile.
Flexible Consent Management
Banks have different ways they may want to handle the consent flow for a transaction. Gluu provides extreme flexibility. In some cases, banks may want to redirect to an internal consent management application and hide all personal information from the third party facing OpenID Provider. In other cases, banks may want to utilize the Gluu Server to present a consent journey, integrating with various backend systems. Gluu supports both approaches, enabling a bank’s product team to specify their preference.
Implement OpenID Connect offline access
This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User’s User Info Endpoint even when the End-User is not present (not logged in).
The revised Payment Services Directive (PSD2) allowed ubiquitous financial transactions among EU member countries. Gluu supports strong customer authentication (SCA) methods supporting all modern Multifactor Authentication methods and is designed to ensure the tokens remain unchanged without prior knowledge of the payment service.
Open Banking Certified Client API
Gluu’s client API (oxd) will dynamically register an OpenID Connect client and return an identifier for the application which must be presented in subsequent API calls. Gluu can act as a translation service to ensure your service transactions conform with FAPI-CIBA requirements.
PAR and JARM
Pushed Authorization Requests-PAR
PAR is handled by an additional endpoint of the Authorization Server (AS). Clients POST their authorization parameters to this endpoint, in return the clients get a reference (named as request URI value) that will be used in further authorization requests by the client. PAR enables the OAuth clients to push the payload of an authorization request directly to the authorization server in exchange for a request URI value. This request URI value is used as a reference to the authorization request payload data in a subsequent call to the authorization endpoint. We can set different PAR lifetimes for different clients.
JWT Secured Authorization Response Mode-JARM
This is a new JWT-based response mode to encode authorization responses known as JARM, (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0). Here clients are enabled to request the transmission of the authorization response parameters along with additional data in JWT format. This mechanism enhances the security of the standard authorization response since it adds support for signing and encryption, sender authentication, and audience restriction. It also provides protection from replay, credential leakage, and mix-up attacks. It can be combined with any response type.
Build a Digital Banking Platform with APIs
Gluu Partners with leading Fintech solution providers to empower them to set the new standard when building modern banking mobile applications. By securing their APIs with Gluu’s authentication engine Fintechs can transact confidently with their clients without the need to rip and replace their existing infrastructure. Gluu’s certified FAPI-CIBA conformant solutions are licensed as open-source providing maximum flexibility without locking up your data system in a proprietary or legacy technology. Gluu can easily be configured to be scalable for on-premises systems as well as leverage elastic computing provided by newer, cloud-native technologies.
The Open Banking distribution is open source. If you love Kubernetes and Linux containers, you can try either the Cloud Native distribution.
You can configure the Gluu Open Banking Identity Platform to satisfy several use cases: Authorization, Identity, Mobile push notifications (CIBA), and Dynamic Client Registration.
Dynamic Client Registration
One of the challenges of many banking ecosystems is scaling trust management–which clients are authorized to call your bank’s new open APIs? The Gluu Open Banking Identity Platform gives you the ability to validate software statement JWTs issued by a banking ecosystem operator. You have quite a bit of flexibility to integrate with internal systems for provisioning, intrusion detection, or audit.
In an Open Banking ecosystem, where the OpenID Provider is registering and issuing tokens to third parties, it’s essential to minimize services and software. Any software running on the Authorization Server that is not essential is a liability. The Open Banking Distribution has a special security profile that maximizes the operational security readiness to improve its security posture.