Introduction to the Custom Element for Account Setup Version 2 · 2020-05-14 · Introduction to...
Transcript of Introduction to the Custom Element for Account Setup Version 2 · 2020-05-14 · Introduction to...
©2020 Morningstar. All Rights Reserved.
AccountView Version: 1.88
Custom Element Version: 2.2.3
Document Version: CEASdoc-2.0-20200605
Document Issue Date: June 5, 2020
Technical Support: (866) 856-4951
Telephone: (781) 376-0801
Fax: (781) 376-8040
Web: byallaccounts.morningstar.com
i
Table of Contents
About this document................................................................................................... 1
Changes in this version ........................................................................................... 1
Custom Element for Account Setup ............................................................................... 1
Known limitations ....................................................................................................... 1
User types ............................................................................................................. 1
Browser support ..................................................................................................... 2
Authentication ........................................................................................................... 2
Download and install the custom element ...................................................................... 2
Incorporate the custom element into your parent page ................................................... 3
Minimum example .................................................................................................. 3
Example setting all attributes .................................................................................. 3
Attributes .............................................................................................................. 4
Events .................................................................................................................. 7
Managing events in the workflow ......................................................................... 9
userExit .......................................................................................................... 9
badAuthentication ............................................................................................ 9
internalError .................................................................................................. 10
dataChanged ................................................................................................. 10
dataChangedAsync ......................................................................................... 10
dataChangedAsyncAuthenticate ....................................................................... 10
Customizations to the user interface ........................................................................... 10
Applying the customizations .................................................................................. 11
Appendix A. Cumulative changes to the Custom Element .......................................... A-1
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 1 CEASdoc-2.0-20200605
About this document This document provides a preliminary overview of the custom element for Account Setup
which is currently under development for Morningstar® ByAllAccountsSM (BAA) aggregation
service.
Changes in this version
This document is evolving along with the Custom Element Version 2 (CEV2) which is
currently at version 2.2.3.
The changes introduced in this release are:
▪ Custom element will display a User Agreement as the first element of the workflow if the
Firm has not disabled User Agreements and the user has not accepted the latest version
of the User Agreement.
▪ If the user declines the User Agreement, then the custom element issues a
UserDeclinedAgreement event followed by a userExit event.
Refer to Appendix A Cumulative changes to the Custom Element for important information
about these and other recent changes.
Custom Element for Account Setup Morningstar® ByAllAccountsSM aggregation service provides a W3C custom HTML element
that implements the ByAllAccounts Consumer User Interface (CUI) account setup
functionality for aggregation within another application without the use of iframes or
browser tabs.
The custom element (mstar-aggregation-consumer-accountsetup) enables account setup. The
main features are selecting financial institutions (FI), entering FI credentials, discovering
accounts, and aggregating the account data. The aggregated account data, which can
include balance, holding, and transaction information from the FI, are available via other
Morningstar ByAllAccounts applications and APIs.
The custom element can be fully customized to integrate into your parent page, with
customizations to terminology, styles, and features.
This document describes the custom element, steps for embedding it in a web application,
methods of authentication, and ways to customize it.
Known limitations The capabilities, interfaces, and behaviors of the Account Setup custom element are subject
to change as we make refinements based on customer feedback.
This section describes the known limitations for the Account Setup custom element.
User types
The Account Setup custom element can only be used with BAA Investor users and those
users must:
▪ have full Read-Write permission to their own data
▪ be Single Sign On (SSO) users (either non-SAML-SSO or SAML-SSO)
▪ be in a BAA Firm configured to use ConsumerUI V2.0. Note that a BAA Firm can be
configured to use only one version of ConsumerUI.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 2 CEASdoc-2.0-20200605
Browser support
▪ Chrome – fully supported
▪ Firefox – fully supported
▪ Internet Explorer and Microsoft Edge – Partially supported. All functionality works
but the CSS styling is not encapsulated so the styling becomes global and affects the
parent page. In particular, the header elements (h1, h2…) use the Morningstar Design
System (MDS) fonts.
▪ Safari – not yet tested
Authentication Authentication is handled by the parent page before it invokes the custom element;
authentication can be accomplished via SAML Single Sign On (SSO) or non-SAML SSO (via
DataConnect). In either case, the custom element makes service calls to
www.byallaccounts.net. To allow these calls within the user’s browser, the parent page’s
domain(s) must be configured in the custom element’s CORS whitelist within the
ByAllAccounts service. Your Morningstar Implementation Manager will assist you with
getting this configuration established.
▪ SAML SSO – For this case, use the auth-context attribute to indicate the use of SAML.
The SAML interchange establishes a SAML session with a cookie (named
BaaWebAppSAMLSSO) that identifies that session and which must be available to the
custom element. A SAML load-balancing cookie (named amlbcookie) is also required.
These are the names for the cookies in the production environment; in lower
environments they will have different names.
▪ Non-SAML SSO – The parent page acquires values for jsessionid and csrftoken and must
pass them to the custom element using the auth-context attribute.
Although it provides many details not relevant to the custom element, the guide for
AccountView SSO may provide some helpful information about non-SAML SSO.
http://www.byallaccounts.net/Manuals/Accountview/AccountView_SingleSignOn.pdf.
Likewise, this guide for SAML connectivity may be helpful:
http://www.byallaccounts.net/Manuals/Accountview/Morningstar_BAA_SAML_Connectivity_
Guide.pdf.
Download and install the custom element Note: Ultimately the custom element will be distributed via the npm repository as a
versioned npm package named mstar-aggregation-consumer-accountsetup. However, for
now it is available as a packaged file (with a .tgz extension) from Morningstar
ByAllAccounts. In the installation instructions below, use the name of the .tgz file you
receive from ByAllAccounts.
The mstar-aggregation-consumer-accountsetup custom element is built with Angular and
can be used in frameworks such as React, and Vue, or in vanilla JS applications.
Install the package by running the following command in your development environment:
npm install <xxxx>.tgz
After the npm package is installed, there is a mstar-aggregation-consumer-accountsetup
folder under the node_modules directory. The folder contains:
▪ mstar-aggregation-consumer-accountsetup.js – Main JavaScript bundle for the
Account Setup custom element.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 3 CEASdoc-2.0-20200605
▪ assets – Folder containing various configuration files and images for the custom
element.
▪ package.json – File that describes the npm package.
Depending on your build system/framework, there may be different steps to take to get
Web Components loaded. In any case, the build system should ensure that the assets folder
and the main JS file (mstar-aggregation-consumer-accountsetup.js) of the custom element
are placed under the application’s distribution (/dist) folder from where it is being served.
Incorporate the custom element into your parent page Import the necessary JavaScript files into your HTML page and create an instance of the
mstar-aggregation-consumer-accountsetup tag element. Then add code to:
▪ Reference the font faces.
▪ Load the custom element.
▪ Instantiate the element in the page.
▪ Set attributes. Minimally set auth-context, which is required.
If the route attribute is used, set it after the auth-context. That is, the user
authentication must be set before the element can attempt the operation.
▪ Make the custom element visible in the page.
The following sections include:
▪ A simple code example showing the minimum requirements
▪ A more detailed example showing all the attributes
Additionally, consider how to handle the events described in Events on page 7.
Minimum example
At a minimum you must define the auth-context attribute for authentication, as shown here.
By default, the custom element starts with add accounts. To begin with editing credentials,
use the route attribute.
<!-- Load the custom element main JavaScript bundle file -->
<script src="./mstar-aggregation-consumer-accountsetup.js"></script>
<script>
mstarWebComp = document.createElement(“mstar-aggregation-consumer-accountsetup”);
mstarWebComp.setAttribute(“auth-context”, JSON.stringify(
{ jsessionId: “212764322EB9DBEBED880425DE3216EB.s1a”,
csrfToken: “DBC63BDE361C192B3CEF641B4C551DD8AC27B4A0276E91”
}));
content.appendChild(mstarWebComp);
</script>
Example setting all attributes
This example uses all available attributes for the custom element.
Because the attributes that customize the user interface (ui-config-file, translate-file-path,
override-css-file, and custom-fonts) typically do not change during the lifetime of a parent
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 4 CEASdoc-2.0-20200605
page, for simplicity they are defined first. The others (auth-context, route) may be reset
any number of times during the life of the parent page. In this example, hostname.com
should be replaced with your host name for those files.
For more information about the attributes, refer to Attributes, page 4.
<!-- Load the custom element main JavaScript bundle file -->
<script src="./mstar-aggregation-consumer-accountsetup.js"></script>
<script>
mstarWebComp = document.createElement(“mstar-aggregation-consumer-accountsetup”);
mstarWebComp.setAttribute(“ui-config-file”, “https://hostname.com/customassets/config/ui-config.json”);
mstarWebComp.setAttribute(“translate-file-path”, “https://hostname.com/customassets/i18n/”);
mstarWebComp.setAttribute(“override-css-file”, “https://hostname.com/customassets/css/corporatestyle.css”);
mstarWebComp.setAttribute(“custom-fonts'”, “https://fonts.googleapis.com/css?family=Lobster”);
mstarWebComp.setAttribute(“auth-context”, JSON.stringify(
{ jsessionId: “212764322EB9DBEBED880425DE3216EB.s1a”,
csrfToken: “DBC63BDE361C192B3CEF641B4C551DD8AC27B4A0276E91”
}));
mstarWebComp.setAttribute(“route”, “/edit-credential;credentialId=21911”);
content.appendChild(mstarWebComp);
</script>
Attributes
The following table describes the attributes for the custom element. The only required
attribute is auth-context. The only requirement for order of attributes is that if you use
route, you must set it after setting auth-context. Refer to the table below for details.
Any of these attributes can be set (and reset) at any time but ui-config-file, translate-file-
path, and override-css-file typically do not change during the lifetime of a parent page. An
example of when auth-context and route might be reset during the lifetime of a parent
would be handling of an error event. For information about events, see Events page 7.
Attribute Req’d? Parameters and Description
auth-context
Yes Possible Parameters
Must contain one of:
▪ { jsessionId: <jsessionid value>, csrfToken: <csrf token value> }
▪ {saml: “true”}
▪ {}
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 5 CEASdoc-2.0-20200605
Attribute Req’d? Parameters and Description
Description
The auth-context attribute is used for user authentication. It is required
and may be reset any number of times during the lifetime of the parent
page. For example, it would need to be reset after a timeout.
It must contain one of the possible parameters: the jsessionId/csrfToken
pair, the SAML indicator, or an empty object.
If the user was authenticated via non-SAML single sign-on then the
jsessionId and csrfToken pair must be included, using the form:
{ jsessionId: <jsessionid value>, csrfToken: <token>}
If the user was authenticated via SAML then the SAML cookie (named
BaaWebAppSAMLSSO in production) must exist in the browser and only
the SAML flag is included in the attribute:
{saml: “true”}
To prevent further use of the element by the user, use the empty value to
clear the authentication data from the element:
{}
route
No Possible Parameters
▪ /add-account
▪ /edit-credential;credentialId=<BAAID>
To suppress the progress step, set the optional showProgressStep
parameter to false, as shown:
▪ /add-account;showProgressStep=false
▪ /edit-credential;credentialId=<id>;showProgressStep=false
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 6 CEASdoc-2.0-20200605
Attribute Req’d? Parameters and Description
Description
The route attribute specifies the operation to be initiated, so:
▪ /add-account
will cause the first step (FI selection) to be displayed. This value is the
default.
▪ /edit-credential;credentialId=<BAAID>
where <BAAID> is the ByAllAccounts unique internal identifier for the
Account Credential to be edited. This route will display the form
containing the current login and password.
Use the optional parameter
showProgressStep=false
with each route for which you want to suppress the final progress step that
appears after a successful account add or edit.
The custom element defaults to the Add account page when it is first made
visible in the parent page. If you want to suppress the progress step for
that, you must explicitly set route and use the optional parameter.
The route attribute may be set any number of times during the life of the
parent page. For example, you would set a route to add an account then
could have another route to edit the account.
Note: If you set the route attribute, you must set it after the auth-context
attribute because user authentication must be set before the element can
attempt the operation. Otherwise, a badAuthentication event will occur.
translate-file-path
No Possible Parameters
The path to the custom en.json file.
Description
The translate-file-path attribute identifies the URL that is the path to the
en.json file that you created to provide custom terminology for certain text
and labels displayed by the custom element. The path is relative to the
base href of the deployed application.
ui-config-file
No Possible Parameters
Path and file name to your custom user interface (UI) configuration file.
Description
The ui-config-file attribute identifies the URL that is the path to and the
name of the file that contains options for turning on/off UI sections in the
custom element. The path is relative to the base href of the deployed
application.
override-css-file
No Possible Parameters
The path and file name for your custom cascading style sheet (CSS) file.
Description
The override-css-file attribute identifies the URL that is the path to and file
name of a custom CSS file containing overrides to the default Morningstar
Design System (MDS) styles.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 7 CEASdoc-2.0-20200605
Attribute Req’d? Parameters and Description
custom-fonts
No Possible Parameters
The path and name for your font definitions.
Description
The custom-fonts attribute identifies the URL that is the path to and file
name of a custom font definition file that will override to the default
Morningstar Design System (MDS) fonts.
Events
The following table describes the events that the mstar-aggregation-consumer-accountsetup
custom element may communicate to the parent page and the actions that trigger them.
These events signal that the user has completed their work with the custom element or
there is an error that the custom element cannot resolve and that must be handled by the
parent page.
Other events that occur within the custom element are handled by the custom element
itself. For example, any problems that occur when a user interacts with the custom element
to enter credentials are handled by the custom element.
Managing events in the workflow on page 9 describes ways in which the parent page may
need to handle these events.
Trigger Name Event Detail
String
Description
User completes
action and/or
exits the
operation
userExit “User exit”
User has 1) completed
the account add,
2) completed the account
edit, 3) canceled out of
the workflow, or 4)
declined user agreement
User declines
user agreement
userDeclinedAgreement “User declined
user
agreement”
User did not accept the
terms of the latest user
agreement when
prompted.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 8 CEASdoc-2.0-20200605
Trigger Name Event Detail
String
Description
A request to
server finds
user’s
authentication
context is not
valid (resulted
in a 401
Unauthorized)
badAuthentication “Unauthorized
access”
User’s authentication
context is either not valid
or has timed out. The
user will no longer be
able to interact with the
element after a
badAuthentication (401)
event until the element
receives changes to the
auth-context attribute
that provide valid
authentication data.
The user’s authentication
could end at any time.
Whenever the parent
page receives a
badAuthentication event
it must get new tokens
(or a new cookie in the
case of SAML) and invoke
a setAttribute auth-
context with the new
tokens before the user
can proceed with the
operation they had
started.
A request to
the server
resulted in an
error other
than 401 or an
internal code
error occurred
internalError One of:
“Forbidden
access”
“Service
unavailable”
“Unknown
server error”
“Unknown
error”
“Resource not
found”
An unexpected error
occurred during user’s
interaction with the
element. The parent page
must remedy the
problem and possibly
display a message to the
user.
Some causes include:
Forbidden access: User
does not have the
necessary permissions;
user may have read only
permissions.
Service unavailable:
Possibly an intermittent
service interruption.
Resource not found:
Could be a misnamed
path or file.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 9 CEASdoc-2.0-20200605
Trigger Name Event Detail
String
Description
User makes a
change to
credential or
account
dataChanged “Data
changed”
The user made a change
to a credential or account
that may have resulted in
synchronous changes to
any or all of the
following: authentication
status, accounts linked to
the credential, financial
data for those accounts.
User initiates
an aggregation
operation
dataChangedAsync “Async Data
change”
The user initiates the
service to run the
asynchronous process of
composite "aggregate"
which can be
discover/add/aggregate
or just aggregate.
User initiates
an authenticate
operation
dataChangedAsyncAuthenticate
“Async
Authenticate
Data change”
The user initiates an
authentication operation,
which causes the service
to run the asynchronous
process of attempting to
authenticate.
Managing events in the workflow
This section describes managing the trigger events listed in Events on page 7.
userExit
The custom element sends the userExit event when the user exits the custom element, such
as by completing adding an account, completing editing an account, cancelling out of the
workflow, or declining the user agreement. The userExit event can also occur when an
account add or edit credential successfully completes and the progress step is suppressed.
Upon userExit, the parent page could hide the custom element or activate it again. To
activate it again, if the authorization context is still valid, the parent page can set the route
attribute to reopen the custom element at set point in the workflow.
badAuthentication
A badAuthentication event can be caused by:
▪ timeout: the user stops interacting with the custom element for a period of time and the
session for the auth-context times out.
▪ authentication ended: the authorized connection ended. For SAML SSO users, that could
mean their cookie timed out.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 10 CEASdoc-2.0-20200605
For badAuthentication events, the parent page must reauthenticate the user and set a new
auth-context. Until the reauthentication happens, the custom element is in a blocked state
and is greyed out.
When the authentication is reestablished, the user may proceed from where they left off.
internalError
The internalError event can happen for several reasons. For example, a “Resource not
found” error would occur if the parent page provided an invalid credential identifier when
requesting a route to edit-credential.
When an internalError occurs, the user interface for the custom element remains static. The
parent page needs to recognize that error and remedy the problem. The parent page can
pass a message to the user, describing the type of error.
dataChanged
The dataChanged event lets the parent page know something has changed and they should
refresh any display of account, credential, position, and transaction data. The event is
emitted each time one of these data changes occurs, so the parent page could receive this
event multiple times during a single session of the custom element.
dataChangedAsync
The dataChangedAsync event lets the parent page know the user submitted a composite
“aggregate” that triggered the service to run the complex and long running process
asynchronously. The composite "aggregate" can be discover/add/aggregate or just
aggregate. When the parent page receives this event it can poll for asynchronous activity
completion and then query the API to obtain the changed data.
dataChangedAsyncAuthenticate
The dataChangedAsyncAuthenticate event lets the parent page know that an authentication
was initiated. The asynchronous process can be complex and long-running. When the parent
page receives this event, it can poll for asynchronous activity completion and then query the
API to obtain the authentication status.
Customizations to the user interface There are multiple types of customization you can optionally provide for the custom
element. You apply these customizations using the files provided in the assets folder.
▪ Terminology – the i18n/en.json translation file contains all the static text displayed on
pages, dialogs, and buttons within the interface. Edit this file to customize text and
terminology. Configure the element to user your custom terminology file by setting the
translate-file-path attribute.
▪ Styles – define an optional CSS file to override the default Morningstar Design System
(MDS) styles and adjust fonts, colors, and backgrounds for elements in the display.
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. 11 CEASdoc-2.0-20200605
Configure the element to use your custom CSS file by setting the override-css-file
attribute.
To use fonts other than the MDS Univers font, you can add a global entry like this to
your CSS file:
* { font-family: YourFont, Verdana, sans-serif !important; }
▪ Fonts – define an optional fonts file to override the default Morningstar Design System
(MDS) fonts for elements in the display. Configure the element to use your custom fonts
by setting the custom-fonts attribute. These new fonts are then available to be set using
the CSS file specified using the override-css-file attribute.
▪ Optional features – the config/ui-config.json contains options that enable you to turn
on/off UI features in the custom element. Configure the element to user your custom
configuration file by setting the ui-config-file attribute. Only a subset of the options
currently applies to the custom element. These options are:
"cui-fi-select": { "fiLogosVisible": false, "includeURLinSearch": false }
Note that:
▪ "fiLogosVisible” - controls whether the popular institution logos are available in the FI
selection step
▪ "includeURLinSearch" - controls whether the FI URLs are included in the search criteria
when the user is searching for an institution
Applying the customizations
To customize terminology, styles, fonts, and optional features:
1. Edit the files provided in the assets folder. These files and edits are described in
Customizations to the user interface on page 10.
2. Modify your web server to allow our origin (www.byallaccounts.net for PROD) to access
those files. We suggest the following:
▪ Header set Access-Control-Allow-Origin “www.byallaccounts.net”
▪ Header set Access-Control-Allow-Headers "Cache-Control,Content-
Type,Accept,Referer,User-Agent,Sec-Fetch-Dest"
▪ Header set Access-Control-Allow-Methods "GET,OPTIONS"
If this access is not allowed, then the custom element will not be able to access the
customization files and will have to use its own version of those files.
3. Set the appropriate attribute for each custom file. For attribute information see
Attributes, page 4
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. A-1 CEASdoc-2.0-20200605
Appendix A. Cumulative changes to the Custom Element
This appendix keeps a running list of released versions and a summary of the changes in
each version starting with version 1.11.2.
WARNING: When a release is required, you must use the latest version of the custom
element. If you do not, any project you have that uses the custom element will fail
because the new version has changes to the underlying API.
Date Version Required? Summary of Changes
December 5, 2019 1.11.2 No ▪ The custom element now supports
financial institution (FI) requests.
▪ The dataChangedAsync event is now
issued after credential authentication is
initiated. This response is in addition to
other situations, such as initiated
aggregation, that also cause
dataChangedAsync to be issued.
▪ Refinements were made so that
unanswered security questions are
handled more efficiently.
▪ The custom element is now built with
Morningstar Design System MDS 2.31.
▪ Document change December 9, 2019 to
add name of SAML cookie.
December 19,
2019 1.12.4 No ▪ When authentication is initiated, the new
event dataChangedAsyncAuthenticate is
initiated instead of dataChangedAsync
(BAPP-2277)
▪ When adding accounts for a financial
institution (FI) that does not support
account discovery, both account number
fields how have a “?” icon for the account
number instructions (BAPP-2207)
▪ Users can now tab to the “?” info icon on
the FI Request page (BAPP-2230)
▪ A spacing issue was fixed on the Financial
Institution (FI) request form (BAPP-2210)
▪ When a user clicks Exit during aggregation
with Security Questions and Answers
(SQAs), the Polling for status now stops as
expected (BAPP-1785)
▪ Document change January 9, 2020 to add
the cookie named amlbcookie
February 20, 2020 1.13.8 No ▪ The website URL is now searched in
addition to the user login URL (BAPP-
2436)
▪ Documentation change: the s1a suffix was
added to the jsessionid values in the code
examples
Introduction to the Custom Element for Account Setup
ByAllAccounts, Inc. A-2 CEASdoc-2.0-20200605
Date Version Required? Summary of Changes
March 13, 2020 1.14.1 No ▪ To better help users identify the correct
financial institution during a financial
institution (FI) search, the home website
URL is now shown instead of the user login
URL if it is available. When submitting
credentials, both the website URL and the
user login URL are shown if both are
available (BAPP-2502)
May 14, 2020 2.1.4 No This release introduces Custom Element
Version 2 (CEV2) which replaces the original
Custom Element. In addition to new
underlying technology, changes include:
▪ A new attribute for setting custom fonts.
▪ No longer set the required font faces using
a stylesheet reference.
▪ Now provide the hostname (URL) for the
customization files when setting the
attributes that customize the user
interface.
▪ To enable authentication service calls to
www.byallaccounts.net, the parent page’s
domain(s) must be configured in the
custom element’s CORS whitelist within
the ByAllAccounts service.
▪ The whitelist requirement now applies to
non-SAML SSO in addition to SAML SSO.
June 5, 2020 2.2.3
No As of this release, by default new users are
presented with a user agreement. A new
userDeclinedAgreement event occurs if the
user does not accept the terms of the user
agreement and the userExit event is
triggered. The user agreement feature can
be disabled at the Firm level. Disabling it at
the Firm level disables it globally for all
ByAllAccounts services including
AccountView.