BCID Certificates and BCID Enterprise Mappings
BCID Certificates are a special kind of SHAKEN certificate. For more background on SHAKEN certificates, please refer to STI Certificates.
BCID Certificates and BCID Enterprise Mappings enable calls to be signed (similar to STI Certificates and STI Authentication Policies) and also enable the SHAKEN PASSporT to contain a customer’s name, logo, and/or call reason. Terminating service providers will send this information to the phone’s screen when a person receives a call from that customer.
Set up BCID Certificates in ClearIP
To request BCID certificates through ClearIP, users must add an entry in the BCID Certificates page. If multiple OCNs/SPIDs are used to sign different sets of calls, then multiple entries should be created in the BCID Certificates page for each OCN/SPID.
Each OCN/SPID must be registered with both the STI-PA and BCID before being added to ClearIP.
Log into ClearIP and go to the BCID Certificates page under the STI dropdown menu. Click the Add button and fill out the form as follows:
- Set the Name as a readable name to refer to the BCID certificate (e.g. “ABC Telecom STI PA BCID Certificate”). This name is for internal use only.
- Set the SPID as the Operating Company Number (OCN) in the STI-PA web portal.
- Set the STI-PA Participant ID as the primary Operating Company Number (OCN) or SPID from the STI-PA web portal.
- Set the STI-PA User ID (this is the same user ID that is configured in the STI-PA website).
- Set the STI-PA Password (this is the same password that is configured in the STI-PA website).
ClearIP automatically generates new BCID certificates before the current certificate expires, so users do not have to perform any additional steps to maintain certificates. ClearIP ensures that a valid BCID certificate is always available in the service provider’s certificate repository to prevent service disruption.
Set up BCID Enterprise Mappings in ClearIP
Only outbound calls should be configured with a BCID Enterprise Mapping. BCID Enterprise Mappings can be applied to an operator, SBC, service provider, group, user, and/or calling number.
A BCID Enterprise Mapping can be Enabled or Disabled. If a BCID Enterprise Mapping is the most specific match for a particular call, but is Disabled, BCID Enterprise Mapping will be skipped for that call.
BCID Certificate
Calls must be authenticated using a specific certificate. You must select one of the BCID certificates you configured on the “BCID Certificates” page.
If your organization has been approved by the STI-PA and onboarded/provisioned into BCID, then you must already have created a certificate in the Certificates page so that you can select that certificate in this field.
BCID Enterprise ID
The BCID Enterprise ID refers to the enterprise ID configured within the BCID ecosystem. The Enterprise ID (EID) is assigned to the enterprise by the Onboarding Agent. It is used to select the correct image and reason to send to the phone.
Include Call Reason If Single Reason Provisioned
When a customer is set up in the BCID ecosystem, they can associate one or more call reasons to a calling number. (Note: this association is done by the enterprise through their BCID onboarding agent and not through ClearIP.) If there is only one call reason associated with the calling number, ClearIP will use this setting to decide whether or not to automatically include that single call reason in the call’s BCID information.
Attestation level
All BCID Enterprise Mappings use an attestation level of A; therefore, attestation level is not a configurable option for BCID in ClearIP. Below is a reminder of what Attestation Level A means:
Attestation Level A
An attestation level of A denotes Full Attestation. This means that the originating service provider:
- Is responsible for the origination of the call onto the VoIP network.
- Has a direct authenticated relationship with the customer and can identify the customer.
- Has established a verified association with the telephone number used for the call.
The originating service provider indicates that an identifiable caller is authorized to assert a calling number according to the service provider’s own policy. For example, calls from a subscriber using their registered phone number can be authenticated with attest A.
BCID Enterprise Mapping Examples
Sign calls from enterprise
BCID restricts signing of calls with name, logo, and/or reason to a list of vetted calling numbers.
User | Calling Number | Status | BCID Certificate | BCID Enterprise ID | Comment |
---|---|---|---|---|---|
1st National Bank | | Enabled | TransNexus BCID | abcdefghabcdefghabcdefghabcdefgh | Enable BCID for all calls from 1st National Bank |
2nd National Bank | | Enabled | TransNexus BCID | bcdefghibcdefghibcdefghibcdefghi | Enable BCID for all calls from 2nd National Bank |
Sign calls from enterprise using specific calling number
ClearIP can also be used to further restrict BCID authentication to calls whose calling number is found in a list of trusted calling numbers. This list can be maintained manually by users or automatically through the ClearIP API.
User | Calling Number | Status | BCID Certificate | BCID Enterprise ID | Comment |
---|---|---|---|---|---|
1st National Bank | 12025550107 | Enabled | TransNexus BCID | abcdefghabcdefghabcdefghabcdefgh | Enable BCID for calls from 1st National Bank using calling number 12025550107 |
2nd National Bank | 14045266060 | Enabled | TransNexus BCID | bcdefghibcdefghibcdefghibcdefghi | Enable BCID for calls from 2nd National Bank using calling number 14045266060 |
Sign calls from enterprise excluding specific calling number
ClearIP can also be used to disable BCID authentication of calls with a specific calling number. This list can be maintained manually by users or automatically through the ClearIP API.
User | Calling Number | Status | BCID Certificate | BCID Enterprise ID | Comment |
---|---|---|---|---|---|
1st National Bank | 12025550107 | Disabled | TransNexus BCID | abcdefghabcdefghabcdefghabcdefgh | Disable BCID for calls from 1st National Bank using calling number 12025550107 |
1st National Bank | | Enabled | TransNexus BCID | abcdefghabcdefghabcdefghabcdefgh | Enable BCID for all other calls from 1st National Bank |
View BCID Authentication in SIP Messages
You can review the authentication results of signed calls by going to the SIP Messages page and clicking on the Columns button.
When you select the BCID Authentication option, ClearIP only displays column headers related to authentication:
- BCID Authentication Status - Whether the authentication was successful or not.
- BCID Authentication Service Provider Code - The service provider code for the call.
- BCID Authentication Origination Identifier - The origid value of an authenticated call that is sent. The origid is a unique number associated with the call source.
- BCID Authentication Enterprise ID - The Enterprise ID that was used for the call.
- BCID Authentication Display Identity Record ID - The Display Identity Record ID that was used, configured in the BCID ecosystem.
- BCID Authentication Onboarding Agent ID - The BCID onboarding agent ID for the call.
- BCID Authentication Vetting Agent ID - The BCID vetting agent ID for the call.
View SIP Identity header and token
To look at the SIP identity header created for a signed SIP invite sent previously, go to the SIP Messages page and locate the SIP message for the call in which you are interested. It may be helpful to filter calls by BCID Authentication Status. Click on the blue Show button corresponding to the desired SIP message under the Show Message column.
Scroll down to find the SIP Response which looks like the image below. This is the response sent from ClearIP to the SBC. The SIP Identity header value is contained in the Identity header field in the SIP response. The switch or SBC must be configured to copy the Identity header and insert it into the redirected SIP Invite routed to the carrier.
SIP Response
SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/TCP sip.clearip.com:5060
From: <sip:+14045266060@transnexus.com:5060>
To: <sip:+18554742536@sip.clearip.com:5060>
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123;info=<https://certificates.clearip.com/99999999-9999-4999-9999-999999999999/00000000000000000000000000000000.pem>;alg=ES256;ppt=shaken
Contact: <sip:+18554742536@sip.clearip.com:5060>;q=0.99
Reason: SIP;cause=302;text="no-fraud-detected"
Call-ID: 123456
CSeq: 1 INVITE
Content-Length: 0
To decode the token contained in the Identity header, click on the STI Authentication Token tab. An example decoded token is shown below.
View decoded token
{
  "header": {
    "alg": "ES256",
    "ppt": "shaken",
    "typ": "passport",
    "x5u": "https://certificates.clearip.com/99999999-9999-4999-9999-999999999999/00000000000000000000000000000000.pem"
  },
  "payload": {
    "attest": "A",
    "crn": "Requested Agent Callback",
    "dest": {
      "tn": [
        "18554742536"
      ]
    },
    "iat": 1577836800,
    "orig": {
      "tn": "14045266060"
    },
    "origid": "99999999-9999-4999-9999-999999999999",
    "rcd": {
      "icn": "https://cdn.brandedcallingid.com/images/00000000000000000000000000000000.bmp",
      "nam": "TransNexus, Inc."
    },
    "rcdi": {
      "/icn": "sha256-0000000000000000000000000000000000000000000"
    }
  },
  "signature": "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123"
}
The header contains general information about the format of the identity token and also includes a reference to the originating service provider’s certificate. This information is the same as that contained in the identity header.
The payload contains information about the call with most of it taken directly from the SIP Invite.
The dest field contains the destination or called number. This is the value from the To header in the SIP Invite. In the SIP Messages page, this value is shown under the Asserted Called Number column.
The iat field represents the exact date and time that the identity token was created. Specifically, it represents the number of seconds that have elapsed since 00:00:00 UTC 1 January 1970.
The orig field contains the originating or calling number. This is the value from the P-asserted-identity header in the SIP Invite. If that is not available, the orig field copies the value in the From header. In the SIP Messages page, this value is shown under the Asserted Calling Number column.
The origid field is a unique number that can be associated with the call source. It can be used for trace back and allows one to create reputation profiles based on call sources.
The rcd field contains the URL of the customer’s logo, as well as the name of the customer.
The rcdi field contains the secure hash of the logo file.
SIP Response Identity Header Options
By default, ClearIP returns the token in the Identity header of a SIP 302 response.
SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/TCP sip.clearip.com:5060
From: <sip:+14045266060@transnexus.com:5060>
To: <sip:+18554742536@sip.clearip.com:5060>
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123;info=<https://certificates.clearip.com/99999999-9999-4999-9999-999999999999/00000000000000000000000000000000.pem>;alg=ES256;ppt=shaken
Contact: <sip:+18554742536@sip.clearip.com:5060>;q=0.99
Reason: SIP;cause=302;text="no-fraud-detected"
Call-ID: 123456
CSeq: 1 INVITE
Content-Length: 0
ClearIP can be configured to return the token value in an alternative header if configured in the SBCs page under the Identity Header field:
- X-Identity
X-Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123;info=<https://certificates.clearip.com/99999999-9999-4999-9999-999999999999/00000000000000000000000000000000.pem>;alg=ES256;ppt=shaken
- Identity Embedded in Contact
Contact: <sip:+18554742536@sip.clearip.com:5060>;q=0.99?Identity=eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123%3Binfo%3D%3Chttps%3A%2F%2Fcertificates.clearip.com%2F99999999-9999-4999-9999-999999999999%2F00000000000000000000000000000000.pem%3E%3Balg%3DES256%3Bppt%3Dshaken
- Identity Embedded in Contact URI
Contact: <sip:+18554742536@sip.clearip.com:5060?Identity=eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123%3Binfo%3D%3Chttps%3A%2F%2Fcertificates.clearip.com%2F99999999-9999-4999-9999-999999999999%2F00000000000000000000000000000000.pem%3E%3Balg%3DES256%3Bppt%3Dshaken>;q=0.99
SIP Invite containing Identity header
The SBC must be configured to copy the Identity header from the SIP 302 response and insert it into the SIP Invite sent to the termination carrier. In the call trace, you should confirm whether your SBC is inserting the Identity header into the outgoing SIP Invite.
Here is an example SIP Invite containing the Identity header which is sent to a termination carrier.
INVITE sip:+18554742536@sip.clearip.com:5060 SIP/2.0
Via: SIP/2.0/TCP sip.clearip.com:5060
From: <sip:+14045266060@transnexus.com:5060>
To: <sip:+18554742536@sip.clearip.com:5060>
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5LzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLnBlbSJ9.eyJhdHRlc3QiOiJBIiwiY3JuIjoiUmVxdWVzdGVkIEFnZW50IENhbGxiYWNrIiwiZGVzdCI6eyJ0biI6WyIxODU1NDc0MjUzNiJdfSwiaWF0IjoxNTc3ODM2ODAwLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiOTk5OTk5OTktOTk5OS00OTk5LTk5OTktOTk5OTk5OTk5OTk5IiwicmNkIjp7ImljbiI6Imh0dHBzOi8vY2RuLmJyYW5kZWRjYWxsaW5naWQuY29tL2ltYWdlcy8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC5ibXAiLCJuYW0iOiJUcmFuc05leHVzLCBJbmMuIn0sInJjZGkiOnsiL2ljbiI6InNoYTI1Ni0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIn19.abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789012345678901234567890123;info=<https://certificates.clearip.com/99999999-9999-4999-9999-999999999999/00000000000000000000000000000000.pem>;alg=ES256;ppt=shaken
Call-ID: 123456
CSeq: 1 INVITE
Content-Length: 0
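An added example (not ClearIP code): a Python check for a call trace that finds the Identity value in any of the header placements listed above, decodes the PASSporT, and compares its claims with the SIP headers. The sample messages are constructed with placeholder certificate and icon URLs, hash and signature, and the ES256 signature itself is not verified.

```python
import base64
import json
import re
from urllib.parse import quote, unquote

def b64url_decode(segment):
    # PASSporT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def extract_identity(sip_message):
    """Find the Identity value; embedded Contact forms are percent-encoded."""
    for line in sip_message.splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("identity", "x-identity"):
            return value
        if name == "contact" and "?Identity=" in value:
            # In the Contact URI form the embedded value ends at the closing '>'.
            return unquote(value.split("?Identity=", 1)[1].split(">", 1)[0])
    return None

def parse_identity(value):
    """Split the token from its parameters and decode header and payload."""
    token, *params = value.split(";")
    fields = dict(p.split("=", 1) for p in params if "=" in p)
    header, payload, signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)), "signature": signature,
            "payload": json.loads(b64url_decode(payload)),
            "info": fields.get("info", "").strip("<>")}

def header_tn(sip_message, header):
    """Digits of the number in a From/To style header, or None if absent."""
    m = re.search(rf"^{header}:.*?sip:\+?(\d+)@", sip_message, re.I | re.M)
    return m.group(1) if m else None

def check_bcid_identity(sip_message):
    """List structural problems (empty = none). The signature is NOT verified."""
    value = extract_identity(sip_message)
    if value is None:
        return ["no Identity header found"]
    ident = parse_identity(value)
    hdr, claims = ident["header"], ident["payload"]
    calling = header_tn(sip_message, "P-Asserted-Identity") or header_tn(sip_message, "From")
    rcd, called = claims.get("rcd", {}), header_tn(sip_message, "To")
    checks = [
        (hdr.get("alg") == "ES256" and hdr.get("ppt") == "shaken", "unexpected PASSporT header"),
        (hdr.get("x5u") == ident["info"], "x5u differs from info parameter"),
        (claims.get("attest") == "A", "attest is not A"),
        (claims.get("orig", {}).get("tn") == calling, "orig.tn differs from asserted calling number"),
        (called in claims.get("dest", {}).get("tn", []), "dest.tn does not include To number"),
        (bool(rcd.get("nam")), "rcd.nam missing"),
        (not rcd.get("icn") or "/icn" in claims.get("rcdi", {}), "rcd.icn without rcdi hash"),
    ]
    return [message for ok, message in checks if not ok]

def sample_messages():
    """Constructed messages; certificate/icon URLs, hash and signature are placeholders."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    cert = "https://certs.example.test/sp.pem"
    claims = {"attest": "A", "crn": "Requested Agent Callback", "orig": {"tn": "14045266060"},
              "dest": {"tn": ["18554742536"]}, "rcdi": {"/icn": "sha256-PLACEHOLDER"},
              "rcd": {"icn": "https://cdn.example.test/logo.bmp", "nam": "TransNexus, Inc."}}
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": cert}
    identity = f"{seg(head)}.{seg(claims)}.placeholder-signature;info=<{cert}>;alg=ES256;ppt=shaken"
    common = "From: <sip:+14045266060@transnexus.com:5060>\r\nTo: <sip:+18554742536@sip.clearip.com:5060>\r\n"
    resp = "SIP/2.0 302 Moved Temporarily\r\n" + common
    contact, enc = "Contact: <sip:+18554742536@sip.clearip.com:5060", quote(identity, safe="")
    return identity, {
        "302 Identity": resp + f"Identity: {identity}\r\n",
        "302 X-Identity": resp + f"X-Identity: {identity}\r\n",
        "302 Contact": resp + f"{contact}>;q=0.99?Identity={enc}\r\n",
        "302 Contact URI": resp + f"{contact}?Identity={enc}>;q=0.99\r\n",
        "INVITE without Identity": "INVITE sip:+18554742536@sip.clearip.com:5060 SIP/2.0\r\n" + common,
    }

if __name__ == "__main__":
    print({label: check_bcid_identity(m) for label, m in sample_messages()[1].items()})
```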
BCID Authentication Process
Understanding how the authentication process works in ClearIP can help users configure appropriate enterprise mappings and troubleshoot problems.
For more information on BCID enterprise mappings and configuration details, please refer to the top of this page. This section will break down the steps of the BCID authentication process in ClearIP, authentication error handling (policy action configuration) throughout the process and common questions that can arise during authentication configuration.
BCID vs SHAKEN
Authenticating a call with BCID is very similar to standard STIR/SHAKEN authentication. BCID authentication involves generating a SHAKEN PASSporT with extra rich call data claims (rcd) attached. These rcd claims allow the terminating service provider (TSP) to confidently pass the calling enterprise’s logo and call reason to their users. TSPs that support BCID will be paid by the BCID ecosystem for passing logos and call reasons to their end users’ devices. TSPs that do not support BCID, but support STI verification, will be able to verify a BCID authenticated call in the same way they verify a normal STI authenticated call. It may be helpful for the reader to review and understand the STI authentication process before proceeding.
All calls are processed for authentication as follows:
- If the organization has BCID authentication enabled and BCID Enterprise Mappings are configured, ClearIP will attempt to authenticate the call with BCID.
- If the organization does not have BCID authentication enabled or BCID authentication fails, and the organization has STI authentication enabled, ClearIP will attempt to authenticate the call with normal STI authentication.
BCID authentication is always given priority over STI authentication. Due to the high level of trust given to BCID authenticated calls, BCID authentication can only be used for calls from vetted enterprises using vetted TNs. Consequently, if a call is received from a non-vetted source, ClearIP will be unable to accomplish BCID authentication, but can automatically fall back to normal STI authentication. Therefore, it may be beneficial to configure users with both a BCID Enterprise Mapping and an STI Authentication Policy. Calls that are successfully authenticated with BCID will not be charged for STI authentication.
BCID authenticated calls are signed with Attestation level A and their PASSporTs are sent in-band. Support for out-of-band BCID authenticated PASSporTs is not available at this time, but may be added in the future.
SIP Message BCID Authentication Status
During the processing outlined below, the SIP message’s BCID Authentication Status may be set to a variety of values. If the SBC sending the call has Return Authentication Status In SIP Response enabled, then an “X-Authentication-Status” header containing the BCID Authentication Status will be returned in the SIP response. The user can also examine the BCID Authentication Status of a given SIP Message in the ClearIP interface under Analytics -> SIP Messages.
NOTE: If BCID authentication fails and normal STI authentication is attempted, the “X-Authentication-Status” header will likely contain the results of the normal STI authentication.
Enterprise Mapping Check
The first step in the BCID authentication process is to check that there is a BCID Enterprise Mapping enabled. As a reminder, ClearIP by default does not authenticate calls with BCID; users must configure mappings to enable BCID authentication.
ClearIP will attempt to match the asserted calling number to the most specific enterprise mapping. Example: a mapping that matches the call’s user will be matched before a mapping that matches the call’s service provider. Once a mapping is matched, the status of that mapping is checked:
- If the status is enabled, then the authentication process continues.
- If the status is disabled, the SIP message’s BCID Authentication Status is set to “no-authentication-requested” and the BCID authentication process is terminated. NOTE: Even if there is another enabled mapping that matches, BCID authentication will not occur if the best matching mapping is disabled.
Certificate Check
Next, ClearIP will search for a valid BCID Certificate that corresponds to the certificate identified in the enterprise mapping. If the certificate was not issued or has expired, then the SIP message’s BCID Authentication Status is set to “no-authority” and BCID authentication is terminated.
Originating Service Provider Check
Next, ClearIP will verify that the certificate’s originating service provider (OSP) is registered with the BCID ecosystem. If the OSP has not been provisioned to BCID, then the SIP message’s BCID Authentication Status is set to “no-authority” and BCID authentication is terminated. NOTE: In order to speed up call processing, ClearIP caches data from the BCID ecosystem. Therefore, there may be a delay before information updated by BCID propagates into ClearIP.
Calling Number Check and BCID Enterprise ID Lookup
Next, ClearIP will look up the caller’s asserted calling number and the BCID Enterprise Mapping’s BCID Enterprise ID in the BCID database. If the calling number and/or enterprise have not been provisioned to BCID, then the SIP message’s BCID Authentication Status is set to “no-authority” and BCID authentication is terminated. NOTE: In order to speed up call processing, ClearIP caches data from the BCID ecosystem. Therefore, there may be a delay before information updated by BCID propagates into ClearIP.
Display Identity Record Lookup
Next, ClearIP will look up the asserted calling number’s display identity record in the BCID database. If a display identity record is not found, then the SIP message’s BCID Authentication Status is set to “no-authority” and BCID authentication is terminated. NOTE: In order to speed up call processing, ClearIP caches data from the BCID ecosystem. Therefore, there may be a delay before information updated by BCID propagates into ClearIP.
PASSporT Creation
Next, ClearIP will generate a SHAKEN PASSporT with BCID rich call data (rcd) claims. The display identity record is used to populate the icon URL, icon URL integrity hash (used to validate the authenticity of the icon that is downloaded from the URL), the enterprise’s name, and the call reason.
If exactly one call reason is provisioned in the BCID ecosystem for the calling number, and the ClearIP enterprise mapping has Include Call Reason If Single Reason Provisioned set to yes, then that call reason will be included in the PASSporT claims. Otherwise, no call reason will be included.
All BCID PASSporTs have an attestation of A. These claims are mapped into the PASSporT as follows:
{
  "attest": "A",
  "crn": "call reason",
  "rcd": {
    "icn": "icon/logo URL",
    "nam": "display name"
  },
  "rcdi": {
    "/icn": "icon/logo integrity hash"
  },
  ...
}
The PASSporT is generated, signed, and returned in the SIP response according to the Identity Header setting of the SBC of the call. The SIP message’s BCID Authentication Status is set to “successful”.
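An illustrative Python model of the decision flow described in this section, added here for troubleshooting and not ClearIP's implementation. The `Mapping` fields, the `certs` and `bcid` lookup structures, and all sample data other than the mapping rows and Enterprise ID placeholder taken from the tables above are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Mapping:
    user: str
    calling_number: str      # "" means every calling number of this user
    enabled: bool
    certificate: str
    enterprise_id: str
    include_single_reason: bool = True

def best_mapping(mappings, user, calling_number):
    """Most specific match: a row naming the calling number beats a user-wide row."""
    hits = [m for m in mappings
            if m.user == user and m.calling_number in ("", calling_number)]
    return max(hits, key=lambda m: m.calling_number != "", default=None)

def bcid_authenticate(call, mappings, certs, bcid):
    """Walk the checks in the order described above; return (status, claims)."""
    m = best_mapping(mappings, call["user"], call["calling_number"])
    if m is None:
        return None, None                      # no mapping: BCID is not attempted
    if not m.enabled:                          # a disabled best match ends processing,
        return "no-authentication-requested", None   # even if a broader row is enabled
    cert = certs.get(m.certificate)
    if cert is None or cert["not_after"] <= call["time"]:
        return "no-authority", None            # certificate not issued or expired
    if cert["spid"] not in bcid["service_providers"]:
        return "no-authority", None            # OSP not provisioned to BCID
    if call["calling_number"] not in bcid["enterprise_tns"].get(m.enterprise_id, ()):
        return "no-authority", None            # number or enterprise not provisioned
    record = bcid["display_records"].get(call["calling_number"])
    if record is None:
        return "no-authority", None            # no display identity record
    claims = {"attest": "A",
              "rcd": {"icn": record["icon_url"], "nam": record["name"]},
              "rcdi": {"/icn": record["icon_hash"]}}
    # The call reason is included only when exactly one is provisioned and the flag is set.
    if m.include_single_reason and len(record["reasons"]) == 1:
        claims["crn"] = record["reasons"][0]
    return "successful", claims

# Constructed data: mapping rows follow the tables on this page, the rest are placeholders.
EID = "abcdefghabcdefghabcdefghabcdefgh"
MAPPINGS = [
    Mapping("1st National Bank", "12025550107", False, "TransNexus BCID", EID),
    Mapping("1st National Bank", "", True, "TransNexus BCID", EID),
]
CERTS = {"TransNexus BCID": {"spid": "SPID-PLACEHOLDER", "not_after": 1600000000}}
BCID = {
    "service_providers": {"SPID-PLACEHOLDER"},
    "enterprise_tns": {EID: {"12025550107", "12025550108", "12025550109"}},
    "display_records": {
        "12025550108": {"name": "1st National Bank", "icon_url": "https://cdn.example.test/1nb.bmp",
                        "icon_hash": "sha256-PLACEHOLDER", "reasons": ["Fraud Alert"]},
        "12025550109": {"name": "1st National Bank", "icon_url": "https://cdn.example.test/1nb.bmp",
                        "icon_hash": "sha256-PLACEHOLDER", "reasons": ["Fraud Alert", "Billing"]},
    },
}

def run(calling_number, time=1577836800):
    """Authenticate one constructed call from 1st National Bank."""
    call = {"user": "1st National Bank", "calling_number": calling_number, "time": time}
    return bcid_authenticate(call, MAPPINGS, CERTS, BCID)

if __name__ == "__main__":
    for tn in ("12025550107", "12025550108", "12025550109", "12025550110"):
        print(tn, run(tn))
```

A "no-authority" result from any step is the point at which, per the text above, ClearIP can fall back to normal STI authentication if it is enabled.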