Onboarding and Renewal

  1. Onboarding
IMPORTANT: The Onboarding section acts as a guide for Taxpayers to help users operate the Onboarding ZATCA Portal in order to obtain the necessary Cryptographic Stamp Identifiers (CSID) and perform any other relevant activities such as the revocation of CSID(s). Please note that Taxpayers should refer to the Guideline of the E-Invoicing Generation Solution (EGS) Unit for any steps taking place on the Taxpayer’s EGS Unit.

1.2 Introduction and Objectives of the Onboarding Functionality

The Onboarding functionality is developed by ZATCA in order to provide Taxpayers who are using E-invoicing Generation Solution Unit(s) (EGS Unit(s)) with a way to obtain the necessary Cryptographic Stamp Identifiers (CSID(s)) to allow for the first-time onboarding of their EGS Unit(s). In addition, CSID(s) need to be renewed, and Taxpayers can request the renewal of their CSID(s) before the expiry of the existing CSID. In certain situations, Taxpayers may need to revoke their existing CSID(s). Hence, the Onboarding functionalities also include a way for Taxpayers or ZATCA to initiate the revocation process for their existing CSID(s).
A CSID is technically a cryptographic certificate, which is a credential that is used for authentication and signing purposes. The certificate is also known as a public key certificate or an identity certificate. It is an electronic document used as proof of ownership of a public key. A CSID is used to uniquely identify an Invoice Generation Solution Unit associated with a Taxpayer for the purpose of stamping (technically, cryptographically signing) Simplified Invoices (B2C) and for accessing the Reporting and Clearance APIs.
The Onboarding feature in FATOORA portal is the starting point for the onboarding process. It allows Taxpayers to initiate the onboarding and renewal process by generating a One-Time-Password (OTP) to be used for their EGS Unit(s), in addition to accessing a list of all of their Onboarded EGS Units, which is also the starting point for revoking any CSID(s).

The primary objective of the Onboarding functionality is to enable:
● Taxpayers to undergo the first-time onboarding of their EGS Unit(s) by receiving the necessary CSID(s)
● Taxpayers to renew CSID for onboarded EGS Unit(s) before the expiry date of the existing CSID(s)
● Taxpayers to request the revocation of an existing CSID for onboarded EGS Unit(s) through the FATOORA Portal.

1.3 Onboarding Overview
The Onboarding functionality aims to address the following:
● Onboarding of a new EGS Unit(s) (i.e. receiving a CSID for the first-time)
● Renewal of existing CSID(s) for EGS Unit(s)
● Revocation of CSID(s) for one or more EGS Unit(s) (by the Taxpayer or automatically by ZATCA)

1.3.1 Onboarding of a new EGS Unit(s)

The first-time onboarding process requires the generation of a One-Time-Password (OTP) from the FATOORA Portal, which is entered into the Taxpayer's EGS Unit(s) either manually or automatically, followed by the generation of a CSR. The Taxpayer's EGS Unit(s) would then need to undergo the necessary compliance checks. Upon successful completion, ZATCA CA generates the CSID(s) for every EGS Unit(s) which are then sent to the Taxpayer's EGS Unit(s).
There are two methods to generate an OTP. The first method involves the Taxpayer receiving an OTP through the FATOORA Portal, which would be manually entered into the Taxpayer's EGS Unit(s). The second option involves the Taxpayer accessing the FATOORA Portal through their own EGS Units and receiving the OTP, and hence the OTP would be automatically read by their EGS Unit(s). In the first method, it is possible that the Taxpayer would be able to onboard or renew the CSID for single or multiple EGS Unit(s) at the same time, whilst the second option only allows the onboarding or renewing of the CSID for a single EGS Unit.

1.3.2 Renewal of existing CSID(s) for EGS Unit(s)
The process for the renewal of a CSID is similar to that of first-time onboarding; however, it involves the revocation of the existing CSID and the issuance of a new one.

1.3.3 Revocation of CSID(s) for one or more EGS Unit(s) by the Taxpayer
Taxpayers may wish to revoke their existing CSID(s) for a number of reasons, including:
● If the Taxpayer believes that the private key or the EGS Unit itself is compromised
● If the EGS Unit is discontinued or transferred to another Taxpayer or sold
● If the Taxpayer discovers that the information in the CSID is not accurate
● If the EGS Unit is lost, stolen or damaged
● If the Taxpayer discovers that unauthorized onboarding of an EGS Unit has occurred
● If there is a major upgrade in the EGS unit.

In order to revoke existing CSID(s), Taxpayers need to access the FATOORA Portal and view a list of all of their onboarded EGS Unit(s) and select the ones with active CSID(s) that they would like to revoke.

1.4 Description of the Onboarding Process
1.4.1 Taxpayer accessing and logging into the FATOORA Portal using Single Sign On (SSO) using the existing credentials of FATOORA Portal (ERAD)
1.4.1.1 Description

The FATOORA Portal is the front-end aspect of the Onboarding functionality and it is regarded as the starting point for Taxpayers to generate CSID(s) for their EGS Unit(s) for the first time, renew their existing CSID(s) and revoke them. Through the FATOORA Portal, Taxpayers can generate One-Time-Passwords (OTPs) for the first-time onboarding and the renewal process. Taxpayers can also view a list of all of their onboarded EGS Units along with the status of each unit and revoke existing CSID(s).

1.4.1.1.1 The FATOORA Portal can be accessed and all of its functionalities can be used by all Taxpayers who are registered on the main FATOORA Portal (ERAD) for VAT purposes and who have a VAT Registration (TRN) status of “Active” or “Reactive”.
1.4.1.1.2 Taxpayers who have a TRN status of “Deregistered” or “Suspended” would not be able to access the FATOORA Portal.
1.4.1.1.3 Taxpayers whose VAT registration status used to be “Active” or “Reactive” but changes to “Deregistered” or “Suspended” would be able to access the FATOORA Portal for a period of 90 days but can only view a list of their previously onboarded EGS Units and cannot use any other onboarding functionalities such as generating an OTP. Once the buffer period of 90 days is over, these Taxpayers will no longer be able to access the FATOORA Portal.

1.4.1.2 Process Flow
The process of accessing the FATOORA Portal is as follows:

  1. The Taxpayer accesses the FATOORA Portal by clicking on the relevant tile on the FATOORA Portal (ERAD).
  2. The Taxpayer is redirected to the FATOORA Portal (ERAD) SSO in order to provide their FATOORA Portal (ERAD) credentials and log-in.
  3. Upon the successful log-in (authentication) and meeting of the authorization criteria, the Taxpayer is redirected again to the FATOORA Portal landing page.
  4. On the main landing page, the Taxpayer can see the following tiles:

● Onboard New Solution Unit/Device
● Renew Existing Cryptographic Stamp Identifier (CSID)
● View List of Solutions and Devices
● E-invoicing Statistics
● API Documentation

In case the Taxpayer does not meet the defined authentication and authorization criteria for accessing the FATOORA Portal, the Taxpayer will not be able to log in and an error message is displayed indicating that the Taxpayer cannot access the FATOORA Portal.
Note: The Taxpayer can choose to toggle the language between English and Arabic by using the icon on the header of the page.

1.4.2 Generating an OTP to obtain a CSID for the first time or renewing an existing CSID (Manual OTP entry)
1.4.2.1 Description

The onboarding and renewal process begins with the Taxpayer accessing the FATOORA Portal to generate an OTP. For a Taxpayer generating an OTP through the FATOORA Portal, there are two options. The first option assumes the manual OTP entry, whereby Taxpayers can generate up to 100 OTPs in one request, which can then be used to onboard multiple EGS Unit(s) at the same time or renew the existing CSID(s). In the first option, the Taxpayer would need to manually enter the OTP(s) into the EGS Unit(s). The second option assumes an automatic OTP entry, whereby the Taxpayer can access the FATOORA Portal through their own EGS Unit, and the EGS Unit would then automatically read the OTP code through the header and automatically enter it into the EGS Unit, with no interference from the Taxpayer. The second scenario only allows for onboarding or renewing of the CSID for a single EGS Unit.

1.4.2.2 Process Flow

Option 1 - The process for generating the OTP code(s) on the FATOORA Portal and entering them manually is as follows:

  1. The Taxpayer accesses the FATOORA Portal through a browser (e.g. on a computer) that is not a part of their EGS Unit(s).
  2. The Taxpayer clicks on a tile named “Onboard new solution unit/device” and is prompted to click on “Generate OTP code”.
  3. The Taxpayer chooses to generate OTP code(s) for single or multiple EGS Unit(s) by entering the number of OTP codes they would like to be generated (the user should enter 1 or more, up to 100 per request, based on the number of EGS Unit(s) that they would like to onboard).
  4. The FATOORA Portal generates the OTP code(s) (valid for 1 hour), which will be displayed on the Portal and can be copied or downloaded in a file.
  5. The Taxpayer enters the OTP code(s) on their own EGS Unit(s) within 1 hour of the OTP code's generation.

Option 2 - The process for generating an OTP code on the FATOORA Portal through automatic entry is as follows:

  1. The Taxpayer accesses the FATOORA Portal through their own EGS Units.
  2. The E-invoicing Generation Solution FATOORA Portal automatically generates the OTP code (valid for 1 hour). As the Taxpayer is using their own EGS Unit to access the FATOORA Portal, the OTP code will be automatically entered in the Taxpayer's EGS Units (based on the HTTPS header on the browser) without interference from the Taxpayer.

1.4.3 Sending a Certificate Signing Request (CSR) in order to receive a Compliance CSID
1.4.3.1 Description

As a part of the first-time onboarding and renewal process, the Taxpayer's EGS Unit(s) must submit a Certificate Signing Request (CSR) to the E-invoicing Platform once an OTP is entered into the EGS Unit. The CSR is an encoded text that the EGS Unit(s) submits to the E-invoicing Platform and the ZATCA CA in order to receive a Compliance CSID. The Compliance CSID is a self-signed certificate issued by the E-invoicing Platform allowing clients to continue the Onboarding process.

The CSR inputs are as follows:

| Inputs | Business Term | Description | Specification | Type of input (Manual/Automated) |
|---|---|---|---|---|
| Common Name | Name or Asset Tracking Number for the Solution Unit | Provided by the Taxpayer for each Solution unit: Unique Name or Asset Tracking Number of the Solution Unit | Free text | Manual (Some solutions can have the feature to fill this automatically) |
| EGS Serial Number | Manufacturer or Solution Provider Name, Model or Version and Serial Number | Automatically filled and not by the Taxpayer: Unique identification code for the EGS. | Free text | Manual (Some solutions can have the feature to fill this automatically) |
| Organization Identifier | VAT or Group VAT Registration Number | VAT Registration Number of the Taxpayer (Taxpayer / Taxpayer device to provide this to allow to check if the OTP is correctly associated with this TIN) | 15 digits, starting and ending with 3 | Automated (depending on solution) |
| Organization Unit Name | Organization Unit | The branch name for Taxpayers. In case of VAT Groups this field should contain the 10-digit TIN number of the individual group member whose EGS Unit is being onboarded | If 11th digit of Organization Identifier is not = 1 then Free text. If 11th digit of Organization Identifier = 1 then needs to be a 10 digit number | Automated (depending on solution) |
| Organization Name | Taxpayer Name | Organization/Taxpayer Name | Free text | Automated (depending on solution) |
| Country Name | Country Name | Name of the country | 2 letter code (ISO 3166 Alpha-2) | Automated (depending on solution) |
| Invoice Type (Functionality Map) | Functionality Map | The document type that the Taxpayer’s solution unit will be issuing/generating. It can be one or a combination of Standard Tax Invoice (T), Simplified Tax Invoice (S), (X), (Y). The input should be using the digits 0 & 1 and mapping those to “TSXY” where: 0 = False/Not supported, 1 = True/Supported. (X) and (Y) are for future use and should be set to 0 by default for the time being. For example: 1000 would mean Solution will be generating Standard Invoices only. 0100 would mean Solution will be generating Simplified invoices (B2C) only and 1100 means Solution will be generating both Standard (B2B) and Simplified invoices (B2C). | Free text | Manual (Some solutions can have the feature to fill this automatically) |
| Location | Location of Branch or EGS Unit | The address of the Branch or location where the device or solution unit is primarily situated (could be website address for e-commerce). Preferably in the Short Address format of the Saudi National Address https://splonline.com.sa/en/national-address-1/ | Free Text | Automated (depending on solution) |
| Industry | Industry or Location | Industry or sector for which the device or solution will generate invoices | Free Text | Manual |

Note: All CSR fields are mandatory and the input must follow the specification; otherwise, a CSR could be rejected. Please refer to the EGS vendor's manual or support for information on how to resolve issues.

1.4.3.2 Process flow

The process for sending a CSR is as follows:
Once the OTP(s) has been entered into the Taxpayer’s EGS Unit(s), either by the Taxpayer or through the automated process, the CSR process is initiated as per the below steps:
1.4.3.2.1 Create CSR and include the required data
1.4.3.2.2 Generate public/private key pair
1.4.3.2.3 Send CSR to generate self-signed certificate.

Possible errors that can occur when submitting a CSR include:
1.4.3.2.4 Invalid OTP/OTC (not exactly six digits, not numeric)
1.4.3.2.5 OTP/OTC not matching for this VAT Registration Number (OTP/OTC provided does not match an active valid OTP/OTC that was generated for this Taxpayer on the portal)
1.4.3.2.6 OTP/OTC expired
1.4.3.2.7 Invalid VAT Registration Number (Syntax, not corresponding to a valid VAT Registration Number on FATOORA Portal (ERAD))
1.4.3.2.8 Invalid request type
1.4.3.2.9 Missing fields (with details of the fields missing)
1.4.3.2.10 One or more of the compliance steps has failed.

Please refer to the EGS vendor’s manual or support for information on how to resolve issues.

1.4.4 Completion of the Compliance checks by the EGS Unit
1.4.4.1 Description

Once a CSR is sent successfully and the Compliance CSID is obtained, the Taxpayer's EGS Unit(s) must undergo compliance checks in order to ensure that the EGS Unit is able to generate compliant invoices. Upon successful completion and passing of the compliance checks, the EGS Unit receives a Production CSID. The Production CSID is a certificate issued by the ZATCA CA to enable clients to authenticate and use the core e-invoicing APIs.

1.4.4.2 Process Flow
It must be noted that the EGS performs the steps for the completion of the compliance checks automatically. The Taxpayer should refer to the EGS Guideline for the onboarding procedure appropriate to their device. The process for the completion of the compliance checks is as follows:

  1. Formulate a compliant CSR and receive the CSID for onboarding / renewal (checking the capability of the EGS Units to perform renewal). Note that reaching compliance checks implicitly means that the EGS Unit has successfully acquired a compliance CSID
  2. Based on the invoice type that has been added to the CSR, validation checks are required.

a. If the Invoice Type is “1000”, then the user should send 3 requests for
i. Standard Tax Invoice (B2B)
ii. Standard Debit Note (B2B)
iii. Standard Credit Note (B2B)
b. If the Invoice Type is “0100”, then the user should send 3 requests for
i. Simplified Tax Invoice (B2C)
ii. Simplified Debit Note (B2C)
iii. Simplified Credit Note (B2C)

The compliance verification of an EGS is concluded when the EGS Unit has undergone the compliance checks:
● The submitted documents are checked against all the validations as well as the relevant referential/ additional checks and all tests are successfully passed.
● Once found to be compliant, the compliance flag is checked.

In the case where one or more tests have failed or are not completed, the Taxpayer's EGS Unit will have to re-initiate the onboarding/renewal process starting from issuing a new OTP and a CSR and undergo the compliance tests again. For further details, please refer to the EGS User Manual.
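An added example (not from ZATCA or the original guide): a pre-submission check an EGS integrator could run over the CSR inputs and OTP, applying the specifications in the CSR inputs table of 1.4.3 and mapping the Invoice Type to the compliance documents listed in 1.4.4.2. The dictionary keys and function names are hypothetical, the sample values are constructed, and treating "1100" as requiring both sets of three documents is an assumption the guide does not spell out.

```python
import re

# Hypothetical keys, one per row of the CSR inputs table (all are mandatory).
REQUIRED = ("common_name", "egs_serial_number", "organization_identifier",
            "organization_unit_name", "organization_name", "country_name",
            "invoice_type", "location", "industry")

def validate_csr_inputs(fields, otp):
    """Return a list of problems; an empty list means the inputs fit the table."""
    errors = []
    missing = [k for k in REQUIRED if not fields.get(k, "").strip()]
    if missing:
        errors.append("missing fields: " + ", ".join(missing))
    # [0-9] rather than \d: \d also accepts non-ASCII digits such as Arabic-Indic.
    if not re.fullmatch(r"[0-9]{6}", otp):
        errors.append("OTP must be exactly six digits")
    vat = fields.get("organization_identifier", "")
    if not re.fullmatch(r"3[0-9]{13}3", vat):
        errors.append("organization identifier: 15 digits, starting and ending with 3")
    elif vat[10] == "1" and not re.fullmatch(
            r"[0-9]{10}", fields.get("organization_unit_name", "")):
        errors.append("11th digit is 1: organization unit name must be a 10-digit number")
    # Format check only; it does not confirm the code is an assigned ISO 3166 entry.
    if not re.fullmatch(r"[A-Z]{2}", fields.get("country_name", "")):
        errors.append("country name must be a 2-letter code")
    itype = fields.get("invoice_type", "")
    if not re.fullmatch(r"[01]{4}", itype):
        errors.append("invoice type must be four digits of 0/1 mapped to TSXY")
    elif itype[2:] != "00":
        errors.append("X and Y are for future use and must be 0")
    elif itype[:2] == "00":
        errors.append("invoice type must support T, S or both")
    return errors

def required_compliance_documents(invoice_type):
    """Documents to submit during compliance checks for a valid TSXY string."""
    docs = []
    for flag, family in zip(invoice_type[:2], ("Standard", "Simplified")):
        if flag == "1":
            docs += [f"{family} Tax Invoice", f"{family} Debit Note",
                     f"{family} Credit Note"]
    return docs

# Constructed sample values, not taken from a real Taxpayer or device.
SAMPLE = {
    "common_name": "POS-0001", "egs_serial_number": "ExampleVendor-ModelA-0001",
    "organization_identifier": "300000000000003",
    "organization_unit_name": "Main Branch", "organization_name": "Example Trading Co",
    "country_name": "SA", "invoice_type": "1100",
    "location": "Riyadh", "industry": "Retail",
}

if __name__ == "__main__":
    print(validate_csr_inputs(SAMPLE, "123456"))
    print(required_compliance_documents(SAMPLE["invoice_type"]))
```

Running such a check before submission matters because a rejected CSR or a failed compliance step means restarting from a new OTP, which is only valid for 1 hour.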

1.4.5 Generating a new CSID for the EGS Unit or Renewing the existing CSID

1.4.5.1 Description

The CSID generation process occurs at the back-end of the E-invoicing Generation Solution and is initiated upon the successful completion of the compliance checks and can be regarded as the final step in the journey of receiving a new CSID. The process flow is common for both receiving a CSID for the first time and also for renewing the existing CSID. However, for renewal, the existing CSID of the EGS Unit is revoked and a new one is issued.
1.4.5.2 Process Flow
The process for the generation and renewal of a CSID is as follows:

  1. The EGS Unit(s) submit(s) a request to receive its production CSID(s).
  2. ZATCA CA issues the CSID(s) for the Taxpayer's EGS Unit(s). In cases of renewal, the ZATCA CA first revokes the existing CSID and then issues the new one.
  3. The FATOORA Platform relays the new CSID(s) to the Taxpayer's EGS Unit that originally submitted the CSR to the FATOORA Platform.

1.4.6 View List of EGS Unit(s)

1.4.6.1 Description

The FATOORA Portal has a tile that can be accessed from the dashboard, which contains a summary list of the logged-in Taxpayer's onboarded EGS Unit(s).
The list includes the following information for each EGS Unit, as provided in the CSR:
1.4.6.1.1 Common Name: Name or Asset Tracking Number for the Solution Unit
1.4.6.1.2 EGS Serial Number: Manufacturer or Solution Provider Name, Model or Version and Serial Number
1.4.6.1.3 Organization Identifier: VAT or Group VAT Registration Number
1.4.6.1.4 Organization Unit Name: Organization Unit
1.4.6.1.5 Organization Name: Taxpayer Name
1.4.6.1.6 Country Name
1.4.6.1.7 Invoice Type: Functionality Map
1.4.6.1.8 Location: Location of Branch or Device or Solution Unit
1.4.6.1.9 Industry: Industry or location

In addition, the list also presents the following:
1.4.6.1.10 CSID Status (Active or expired or revoked)
1.4.6.1.11 Onboarding Date
1.4.6.1.12 Certificate Expiry Date
1.4.6.1.13 Revocation Date (if applicable)
1.4.6.1.14 Revoke CSID (checkboxes to be selected)
As an action button:
1.4.6.1.15 Revoke CSID(s) (button appears upon selection of devices to be revoked)

1.4.6.2 Process Flow
The process for viewing the list of all onboarded EGS Unit(s) on the FATOORA Portal is as follows:

  1. The Taxpayer accesses the FATOORA Portal
  2. The Taxpayer clicks on “View List of Solutions and Devices”

  3. The Taxpayer will be able to view a list that includes a summary of all EGS Unit(s) that have been onboarded by the Taxpayer, as per the information provided above. The Taxpayer can filter, sort and search based on specific inputs available in the list of Solutions and Devices. (Sorting can take place using the blue arrows next to column headings as shown in the picture below).
