Custom metadata setup for USI 5.0
USI Integration Setting
The following setup applies to RIO Education AU Reporting Engine 2.15 or later. If your org is using an older version, please consider upgrading the RIO Education AU Reporting Engine to the latest version.
Go to Setup > Custom Metadata Types, and search for USI Integration Setting.
Open it, click "Manage USI Integration Settings", and create a new Production/Sandbox_USI field.
Configure the settings as below.
Note that if any of the fields is not available in the edit layout, please ensure that the field is exposed/added onto the Metadata layout.
Label | Production_USI |
USI Integration Setting Name | Production_USI |
SF Organization Id | [Salesforce Org Id] |
Organisation Code | [Your org code] |
Active | True |
ActAs Configuration
First Party ABN (WDCi's) | 67132380780 |
Second Party ABN | [Your ABN] |
SSID | [Request from WDCi team] |
Field Settings
Field | Student being a Contact | Student being a PersonAccount |
USI Field | rio_ed__Unique_Student_Id_USI__c | rio_ed__Unique_Student_Id_USI__pc |
USI Verified Field | rio_ed__Unique_Student_Id_USI_Verified__c | rio_ed__Unique_Student_Id_USI_Verified__pc |
USI SingleName Verification Field | redu_Single_Name_Only__c | redu_Single_Name_Only__pc |
USI Last Verification Date Field | rio_edaurep__USI_Last_Verification_Date__c | rio_edaurep__USI_Last_Verification_Date__pc |
USI Response Message Field | rio_edaurep__USI_Response_Message__c | rio_edaurep__USI_Response_Message__pc |
Environment Settings
Environment | [Production/Sandbox] |
Cert Developer Name | [Name of the credential cert added in the previous steps] |
Service Token Endpoint | https://softwareauthorisations.ato.gov.au/R3.0/S007v1.3/service.svc |
USI API Endpoint | For Production: https://portal.usi.gov.au/service/v5/usiservice.svc For Sandbox: https://3pt.portal.usi.gov.au/service/v5/usiservice.svc |
USI Namespace | http://usi.gov.au/2022/ws |
Timestamp Settings
Timestamp Duration (min) | 5 |
Lifetime Duration (min) | 60 |
USI integration API actions (BulkVerifyUSI)
Head to Setup > Custom Metadata Types, and search for USI Integration API Actions.
Open it, click "Manage USI Integration Settings", and create 2 new API Actions as below.
Configure their settings respectively.
Label | BulkVerifyUSI |
USI Integration API Action Name | BulkVerifyUSI |
USI Integration Setting | Production_USI [Lookup to USI Integration Setting above] |
Action | BulkVerifyUSI |
Active | True |
SOAP envelope settings
SOAP Digest #0 Content: |
<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0"><u:Created>{!usi_timestampfrom}</u:Created><u:Expires>{!usi_timestampto}</u:Expires></u:Timestamp> |
SOAP Digest #1 Content: |
|
SOAP SignedInfo: |
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>{!usi_soapdigest0}</DigestValue></Reference></SignedInfo> |
SOAP Envelope: |
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">{!usi_soapheader}{!usi_soapbody}</s:Envelope> |
SOAP Header: |
<s:Header><a:Action s:mustUnderstand="1">http://usi.gov.au/2022/ws/BulkVerifyUSI</a:Action><a:MessageID>{!usi_uuid_messageid}</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">{!usi_usiapiurl}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>{!usi_timestampfrom}</u:Created><u:Expires>{!usi_timestampto}</u:Expires></u:Timestamp>{!usi_auth_encrypteddata}<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">{!usi_soapsignedinfo}<SignatureValue>{!usi_soapsignaturevalue}</SignatureValue><KeyInfo>{!usi_auth_securitytokenreference}</KeyInfo></Signature></o:Security></s:Header> |
SOAP Body: |
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><BulkVerifyUSI xmlns="http://usi.gov.au/2022/ws"><OrgCode>{!usi_orgcode}</OrgCode><NoOfVerifications>{!usi_data_recordcount}</NoOfVerifications><Verifications>{!usi_data_level1body}</Verifications></BulkVerifyUSI></s:Body> |
Request data
The following is the reference to be used for Student being a Contact:
Level 1 Data Body: |
<Verification><RecordId>{!usi_data_runningnumber}</RecordId><USI>{!rio_ed__Unique_Student_Id_USI__c}</USI><FirstName>{!FirstName}</FirstName><FamilyName>{!LastName}</FamilyName><DateOfBirth>{!Birthdate}</DateOfBirth></Verification> |
Level 1 Data Body (Alternate): |
<Verification><RecordId>{!usi_data_runningnumber}</RecordId><USI>{!rio_ed__Unique_Student_Id_USI__c}</USI><SingleName>{!LastName}</SingleName><DateOfBirth>{!Birthdate}</DateOfBirth></Verification> |
The following is the reference to be used for Student being a PersonAccount:
Level 1 Data Body: |
<Verification><RecordId>{!usi_data_runningnumber}</RecordId><USI>{!rio_ed__Unique_Student_Id_USI__pc}</USI><FirstName>{!FirstName}</FirstName><FamilyName>{!LastName}</FamilyName><DateOfBirth>{!PersonBirthdate}</DateOfBirth></Verification> |
Level 1 Data Body (Alternate): |
<Verification><RecordId>{!usi_data_runningnumber}</RecordId><USI>{!rio_ed__Unique_Student_Id_USI__pc}</USI><SingleName>{!LastName}</SingleName><DateOfBirth>{!PersonBirthdate}</DateOfBirth></Verification> |
NOTE: Some organisations use the MiddleName field too. In this case, consider a custom formula field that concatenates the FirstName and MiddleName, and replace the {!FirstName} merge field with the custom formula field. Under BulkVerifyUSI, in Request Data, Level 1 Data Body (Alternate), ensure that any SingleName is replaced with rio_edaurep__USI_SingleName_Verification__c for general use.
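A check that can be run on a Level 1 Data Body template before it is pasted into the metadata record, given here as an added example and not as part of the RIO Education package. The function name and the two damaged samples are constructed for illustration; the element names come from the templates above.

```python
import re
import xml.etree.ElementTree as ET

MERGE_FIELD = re.compile(r"\{![A-Za-z0-9_]+\}")
REQUIRED = {"RecordId", "USI", "DateOfBirth"}

def lint_level1_body(template):
    """Return a list of problems found in a Level 1 Data Body template."""
    problems = []
    # Swap each complete merge field for a dummy value; leftovers are typos.
    filled = MERGE_FIELD.sub("x", template)
    if "{!" in filled or "}" in filled:
        problems.append("unterminated or malformed merge field")
    try:
        root = ET.fromstring(filled)
    except ET.ParseError as exc:
        problems.append("not well-formed XML: %s" % exc)
        return problems
    children = {child.tag for child in root}
    missing = REQUIRED - children
    if missing:
        problems.append("missing elements: " + ", ".join(sorted(missing)))
    # The page's templates carry either FirstName+FamilyName or SingleName.
    has_full = {"FirstName", "FamilyName"} <= children
    if has_full == ("SingleName" in children):
        problems.append("need either FirstName+FamilyName or SingleName")
    return problems

# Contact template as given on this page.
GOOD = ("<Verification><RecordId>{!usi_data_runningnumber}</RecordId>"
        "<USI>{!rio_ed__Unique_Student_Id_USI__c}</USI>"
        "<FirstName>{!FirstName}</FirstName><FamilyName>{!LastName}</FamilyName>"
        "<DateOfBirth>{!Birthdate}</DateOfBirth></Verification>")
# Constructed samples of copy-and-paste damage.
NO_BRACE = GOOD.replace("USI__c}", "USI__c")
NO_BRACKET = GOOD.replace("<FirstName>", "FirstName>")

if __name__ == "__main__":
    for name, tpl in [("GOOD", GOOD), ("NO_BRACE", NO_BRACE),
                      ("NO_BRACKET", NO_BRACKET)]:
        print(name, lint_level1_body(tpl))
```

A missing closing brace still parses as XML, so the merge-field check is what catches it; the literal text would otherwise be sent in place of the field value.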
USI integration API actions (ServiceToken)
Label | ServiceToken (ActAs) |
USI Integration API Action Name | ServiceToken_ActAs |
USI Integration Setting | Production_USI [Lookup to USI Integration Setting above] |
Action | ServiceToken |
Active | True |
SOAP envelope settings
SOAP Digest #0 Content: |
<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0"><u:Created>{!usi_timestampfrom}</u:Created><u:Expires>{!usi_timestampto}</u:Expires></u:Timestamp> |
SOAP Digest #1 Content: |
<a:To xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_1" s:mustUnderstand="1">{!usi_servicetokenurl}</a:To> |
SOAP SignedInfo: |
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>{!usi_soapdigest0}</DigestValue></Reference><Reference URI="#_1"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>{!usi_soapdigest1}</DigestValue></Reference></SignedInfo> |
SOAP Envelope: |
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">{!usi_soapheader}{!usi_soapbody}</s:Envelope> |
SOAP Header: |
<s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>{!usi_uuid_messageid}</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1" u:Id="_1">{!usi_servicetokenurl}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>{!usi_timestampfrom}</u:Created><u:Expires>{!usi_timestampto}</u:Expires></u:Timestamp><o:BinarySecurityToken u:Id="_binarysecuritytoken" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{!usi_soapbinarysecuritytoken}</o:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">{!usi_soapsignedinfo}<SignatureValue>{!usi_soapsignaturevalue}</SignatureValue><KeyInfo><o:SecurityTokenReference><o:Reference URI="#_binarysecuritytoken" /></o:SecurityTokenReference></KeyInfo></Signature></o:Security></s:Header> |
SOAP Body: |
<s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>{!usi_usiapiurl}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><trust:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">{!usi_lifetimefrom}</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">{!usi_lifetimeto}</wsu:Expires></trust:Lifetime><wst14:ActAs xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><v13:RelationshipToken xmlns:v13="http://vanguard.business.gov.au/2016/03" ID="35e6d176-bcf0-c7ac-c98d-5eae177e414d"><v13:Relationship v13:Type="OSPfor"><v13:Attribute v13:Name="SSID" v13:Value="{!usi_actasssid}" /></v13:Relationship><v13:FirstParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="{!usi_actasfirstpartyabn}" /><v13:SecondParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="{!usi_actassecondpartyabn}" /></v13:RelationshipToken></wst14:ActAs><trust:SecondaryParameters><trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType><trust:KeySize>256</trust:KeySize><trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm><trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm><trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://vanguard.ebusiness.gov.au/2008/06/identity/claims/abn" Optional="false" /><i:ClaimType 
Uri="http://vanguard.ebusiness.gov.au/2008/06/identity/claims/credentialtype" Optional="false" /></trust:Claims></trust:SecondaryParameters><trust:SignatureAlgorithm>SHA256withRSA</trust:SignatureAlgorithm><trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm></trust:RequestSecurityToken></s:Body> |
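How {!usi_soapdigest0} relates to SOAP Digest #0 Content and the Timestamp Duration setting, for both API actions, shown as an added example that is not the Reporting Engine's own code. It assumes the engine hashes the filled template bytes as they stand and uses a second-precision UTC timestamp format; the function names are hypothetical.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# DigestMethod URIs taken from the two SignedInfo templates on this page.
DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,      # BulkVerifyUSI
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,   # ServiceToken
}

# SOAP Digest #0 Content, with Python format fields replacing the merge fields.
DIGEST0 = ('<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/'
           'oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">'
           '<u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires>'
           '</u:Timestamp>')

def iso(ts):
    # Assumed timestamp format (UTC, second precision).
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def timestamp_digest(created, duration_min, digest_uri):
    """Return (filled Digest #0 content, base64 DigestValue)."""
    expires = created + timedelta(minutes=duration_min)
    xml = DIGEST0.format(created=iso(created), expires=iso(expires))
    # The template is written the way exclusive c14n serialises the element
    # (namespace declaration first, then u:Id), so its bytes are hashed as-is.
    raw = DIGESTS[digest_uri](xml.encode("utf-8")).digest()
    return xml, base64.b64encode(raw).decode("ascii")

def within_window(now, created, duration_min):
    """Receiver-side view: is the message still inside Created..Expires?"""
    return created <= now <= created + timedelta(minutes=duration_min)

if __name__ == "__main__":
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample
    for uri in DIGESTS:
        print(uri, timestamp_digest(created, 5, uri)[1])
```

Because the digest covers the exact bytes, any whitespace or attribute-order change to the Timestamp in the SOAP Header template without the same change in Digest #0 Content makes the Reference fail validation.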
FAQ
If the following error is observed, or otherwise an error with E9008 (indicating error code 9008), there is an issue with the authentication in ATO RAM.
Before the USI database can be accessed, we have to verify our identity via ATO.
If there is no RAM link between WDCi's ABN and your ABN in the ATO's system, the verification will fail.
When this happens, check if your ABN is correct, and if WDCi's ABN is correct. Make sure their placement in the USI Integration Setting - Custom Metadata is correct.
Note that First Party ABN refers to WDCi's.
Second Party ABN refers to yours.
This might be due to an outage of the USI web service. Please check this link: https://www.usi.gov.au/help/system-outages for outage messages and further information.