Guidelines from Samtrafiken

Secure Management of OAuth2 Private Keys for Samtrafiken's System

As a reseller, you have a critical responsibility to securely store and handle the private key used for OAuth2 authentication against Samtrafiken's system. This key provides access to issue Skånetrafiken tickets, and its security is therefore of utmost importance.

Basic Security Requirements

  1. Access to the key must be limited to only those systems and individuals who absolutely need it

  2. The key must never be shared through insecure communication channels such as email or chat

  3. Regular reviews of who has access to the key must be conducted

  4. Backups of the key must also be stored and managed in a secure manner to prevent unauthorized access

Recommended Security Measures

  • Use a secure key management service (KMS) for storage

  • Implement strong access control with multi-factor authentication

  • Log all usage of the key for traceability

  • Have documented procedures for key rotation

  • Establish an incident response plan for potential key compromise

Secure Management of Device Key

  • The Device key should not be stored in backend systems

  • The Device key should not be logged

  • The Device key should be stored encrypted in the app

  • Samtrafiken offers the option to encrypt the device key for secure transfer from Samtrafiken's system to the app

Test Participation and Release Management

The Retailer commits to actively participate in testing activities related to releases from all involved parties (Samtrafiken, PTAs, and associated systems). This includes:

  • Participating in scheduled test cycles for major and minor releases

  • Conducting thorough regression testing of their systems when new versions are deployed

  • Providing timely feedback and test results

  • Allocating necessary resources for testing within agreed timeframes

  • Following established test protocols and documentation procedures, where such protocols exist

  • Reporting bugs and issues through the designated channels: https://samtrafiken.atlassian.net/wiki/spaces/SamA/pages/4497408014

  • Verifying fixes and participating in retesting as needed

Availability and Communication

The Retailer shall maintain reliable communication channels with Samtrafiken and Public Transport Authorities (PTAs), which entails:

  • Designating primary and backup contact persons for different areas (technical, business, support)

  • Being responsive during agreed business hours

  • Participating in scheduled status meetings and emergency calls when required

  • Maintaining up-to-date contact information in shared documentation

  • Following established escalation procedures

  • Providing advance notice of any planned system maintenance or updates

  • Being available for urgent issues according to agreed service levels

  • Using designated communication tools and platforms for project coordination