The Reference FAP (Federation Architecture Pattern) for Partner Onboarding provides a complete, production-ready implementation of the onboarding lifecycle inside Federated Ecosystems — distributed infrastructures where multiple organizations interconnect, exchange, and validate data and services under a unified trust and compliance framework.
This project is entirely implemented as a flow-based application executed on ORCE (Orchestration Engine).
ORCE acts solely as the execution environment, while the flow itself defines all business logic, configurations, integrations, and validation steps declaratively.
The onboarding process includes six major phases:
- Verify certificates
- Create DID and chain files
- Publish and verify identity resources
- Generate credential IDs and registry checks
- Issue Verifiable Credentials (VCs)
- Build a Verifiable Presentation (VP)
All communication between the flow and external verification or trust systems is handled directly inside the orchestration logic.
After the Verifiable Presentation (VP) is generated, the flow automatically triggers outbound requests to federated trust anchors and compliance verification services.
These endpoints are defined inside the flow as HTTP Request nodes responsible for:
- Submitting the Verifiable Presentation (VP) to the Compliance API for trust validation and conformity checks
- Interacting with Trust Anchor services (such as Notary, Registry, or Signing endpoints) to validate digital proofs, timestamps, and signatures
- Exchanging status and validation responses back into the runtime context (msg.complianceResult, msg.validationStatus, etc.) for subsequent processing or UI rendering
This mechanism ensures that every onboarding session passes through a complete verification cycle, including cryptographic validation of issued credentials and external compliance confirmation from the federated infrastructure.
The communication logic is embedded in the final flow sections (Step 5 – Issue Verifiable Credentials and Step 6 – Create Verifiable Presentation), using ORCE’s native HTTP nodes to orchestrate interactions between the internal onboarding process and external Trust Anchor services.
A quick and reliable setup guide to deploy and run the Reference FAP flow on ORCE.
Before importing or configuring the Reference FAP, you first need to start an ORCE instance.
The following command runs ORCE using the official ecofacis/xfsc-orce:2.0.12 image:
```bash
docker run -d \
  --name orce \
  -p 1880:1880 \
  -p 8080:8080 \
  ecofacis/xfsc-orce:2.0.12
```

- Port 1880 → ORCE Editor / Deployment Interface
- Port 8080 → ORCE File Browser / uibuilder Source Access

Access the ORCE Editor in your browser at http://localhost:1880 to import and deploy the Reference FAP flow.
Use port 8080 to upload your UI source files and static assets after deployment.
Once the ORCE container is running, you can proceed with Step 1 to import the flows.full.json (Reference FAP flow) and apply your configurations.
This step covers importing flows.full.json into your ORCE engine, setting the uibuilder URL, and configuring the MongoDB connection used by the 0-Integration Flow (and other MongoDB nodes).
- Open ORCE → Menu ≡ → Import (Ctrl + I)
- Paste or upload flows.full.json
- Click Import (do not deploy yet)

Locate the ✅ UI flow and open the uibuilder node.
- In the URL field, set any short and unique path name you prefer (for example: /partneronboarding).
- Make sure it does not conflict with existing HTTP routes.
In the ✅ 0 Integration Flow, open the MongoDB node → click the pencil icon next to the connection field and fill in:
Username: yourUsername
Password: yourPassword
Host: mongodb+srv://your-cluster.mongodb.net
Database: yourDatabaseName
Click Update, then Done.
Tip: once one MongoDB connection is updated, all nodes sharing that configuration inherit it automatically.
Open the flow named General Values to view static data:
- apiAiKey: API key for AI integration
- Checksum: used for VC file synchronization

Modify values as needed before deploying. Changes after deployment require redeployment.
Click Deploy in the top-right corner.
If configured correctly, deployment completes successfully. Fix any errors before retrying.
Upload the front-end UI source to enable the web interface.
Browse to:
https://{your-domain}/fscloud/files/data/uibuilder/{your-uibuilder-url}/src/
Open the folder matching your uibuilder URL (e.g. /partneronboarding) → src/.
All required UI files are already included in this repository under the ui/src/ folder.
You can simply open that folder on your local machine and upload its contents here — there’s no need to build or compress anything.
- In the engine’s File Browser, click the Upload (↑) button.
- Navigate to ui/src/ inside this repository.
- Select all files (index.html, index.js, index.css, images, etc.) and upload them directly.
- Once uploaded, they will appear in the /src directory of your uibuilder path.
You can also open the file browser inside ORCE and drag-and-drop the files into this folder — whichever is easier for you.
Return to the ORCE editor → double-click the uibuilder node → click Open.
If the UI loads in a new tab, the setup is complete.
✅ Deployment Complete!
```
+---------------------------------------------------------+
| ORCE (Orchestration Engine)                             |
| Execution environment for flow-based automation         |
+---------------------+-----------------------------------+
                      |
                      v
+----------------------------------------------------------+
| Reference FAP Flow – Partner Onboarding                  |
|----------------------------------------------------------|
| Step 1: Verify Certificates                              |
| Step 2: Create Decentralized Identifier (DID)            |
| Step 3: Publish and Verify Identity Resources            |
| Step 4: Generate Credential IDs and Check Registries     |
| Step 5: Issue Verifiable Credentials (VCs)               |
| Step 6: Create Verifiable Presentation (VP)              |
+----------------------------------------------------------+
                      |
                      v
[ Federation Services: Wizard, Compliance, Registry ]
```

| Step | Description | Input | Output |
|---|---|---|---|
| 1 | Verify RSA/X.509 certificates | Certificate chain | msg.certVerified = true/false |
| 2 | Create DID and chain files | Organization data | msg.did, msg.chainFileUrl |
| 3 | Publish and verify URLs | DID URLs | msg.didUrlVerified |
| 4 | Generate credential IDs and check registries | DID | msg.vcId |
| 5 | Issue Verifiable Credentials | VC IDs | msg.vcSigned[] |
| 6 | Create Verifiable Presentation | Signed VCs | msg.vp |
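
A gate over the step outputs listed in the table, as an added example that is not part of the Reference FAP flow or the ORCE project. The function names, the `orgDomain` parameter, and the policy it enforces (DID host equals the organization domain, chain file served over https from the DID host, no private JWK left on the message) are assumptions made for illustration.

```javascript
// Added example, not part of the Reference FAP flow. Field names follow the
// step table; the domain and transport rules are assumed policy.

// Host a did:web identifier points at. Path segments follow the host after
// ':' and a port is percent-encoded as %3A. Returns null for anything else.
function didWebHost(did) {
  const m = /^did:web:([^:]+)/.exec(String(did || ''));
  if (!m) return null;
  try { return decodeURIComponent(m[1]).toLowerCase(); } catch (e) { return null; }
}

// Returns a list of problems; an empty list means every step left its output.
function checkOnboardingMsg(msg, orgDomain) {
  const problems = [];
  if (msg.certVerified !== true) problems.push('step 1: certificate chain not verified');

  const host = didWebHost(msg.did);
  if (!host) problems.push('step 2: msg.did is not a did:web identifier');
  else if (host.split(':')[0] !== String(orgDomain).toLowerCase())
    problems.push('step 2: DID host differs from the organization domain');

  let chain = null;
  try { chain = new URL(msg.chainFileUrl); } catch (e) { /* reported below */ }
  if (!chain || chain.protocol !== 'https:')
    problems.push('step 2: chain file URL is not https');
  else if (host && chain.host !== host)
    problems.push('step 2: chain file is hosted outside the DID host');

  if (msg.didUrlVerified !== true) problems.push('step 3: DID URLs not verified');
  if (typeof msg.vcId !== 'string' || !msg.vcId) problems.push('step 4: no credential ID');

  const vcs = Array.isArray(msg.vcSigned) ? msg.vcSigned : [];
  if (vcs.length === 0) problems.push('step 5: no signed credentials');
  vcs.forEach((vc, i) => {
    // A compact JWS is three non-empty base64url segments joined by dots.
    if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(String(vc && vc.jwt)))
      problems.push(`step 5: vcSigned[${i}].jwt is not a compact JWS`);
  });
  if (!msg.vp || msg.vp.type !== 'VerifiablePresentation')
    problems.push('step 6: no Verifiable Presentation');

  // The sample input carries privJwk; its private exponent "d" should be
  // dropped before the message reaches an outbound request.
  if (msg.privJwk && typeof msg.privJwk === 'object' && 'd' in msg.privJwk)
    problems.push('private JWK still attached to the message');
  return problems;
}
```

The check only confirms that each step left a well-formed output on the message; signature and proof validation remain with the Compliance and Trust Anchor services.
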
```json
{
  "session": { "id": "uuid", "timestamp": "ISO" },
  "recordDetails": {
    "organization": {
      "name": "Example GmbH",
      "domain": "example.com",
      "vatID": "DE123456789"
    }
  },
  "certificateChain": "-----BEGIN CERTIFICATE-----...",
  "privJwk": { "kty": "RSA", "n": "...", "e": "AQAB", "d": "..." }
}
```

```json
{
  "did": "did:web:example.com",
  "chainFile": "https://example.com/.well-known/chain.json",
  "vcId": "urn:uuid:abc123",
  "vcSigned": [{ "type": "LRN", "jwt": "..." }],
  "vp": { "type": "VerifiablePresentation", "proof": { "jwt": "..." } }
}
```

```
# Core Config
ORCE_PORT=1880
UI_PUBLIC_URL=/partnerOnboarding
ALLOWED_ORIGINS=*

# MongoDB
MONGODB_URI=mongodb+srv://<user>:<password>@<host>/<db>

# Security
JWT_AI_KEY=

# External Services
WIZARD_URL=https://federation.example.org/wizard
COMPLIANCE_URL=https://federation.example.org/compliance
REGISTRY_URL=https://federation.example.org/registry
NOTARY_URL=https://federation.example.org/notary
OCM_URL=https://federation.example.org/ocm
CAT_URL=https://federation.example.org/catalogue
TSA_URL=https://federation.example.org/tsa
```

| Task | Command |
|---|---|
| Start | docker compose up -d |
| Stop | docker compose down |
| Logs | docker logs -f orce |
| Backup | Export flow (JSON) or snapshot /data |
| Restore | Menu → Import → Paste JSON |
| Update | Replace flows.full.json → Redeploy |
| Monitor | Check /health endpoint |
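
A pre-deployment check for the environment file shown before the operations table, as an added example that is not project code. It assumes `ALLOWED_ORIGINS` is a comma-separated origin allow-list and that every `*_URL` service endpoint is expected to use TLS; `parseEnv`, `auditEnv` and `SAMPLE_ENV` are hypothetical names, and the sample is constructed from the page's values with `NOTARY_URL` downgraded to http.

```javascript
// Added example, not project code. Parses KEY=VALUE text in the layout of the
// sample configuration and reports settings to fix before deployment.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    // Comment lines start with '#' and never match the key pattern.
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/.exec(line);
    if (m) env[m[1]] = m[2].trim();
  }
  return env;
}

function auditEnv(env) {
  const findings = [];
  // Assumption: ALLOWED_ORIGINS is a comma-separated origin allow-list.
  if ((env.ALLOWED_ORIGINS || '').split(',').map(s => s.trim()).includes('*'))
    findings.push('ALLOWED_ORIGINS: wildcard, list the UI origins explicitly');
  if (!env.JWT_AI_KEY) findings.push('JWT_AI_KEY: empty');
  if (/<[^>]+>/.test(env.MONGODB_URI || ''))
    findings.push('MONGODB_URI: placeholder not replaced');
  for (const [key, value] of Object.entries(env)) {
    // UI_PUBLIC_URL is a local path, not an external service endpoint.
    if (!key.endsWith('_URL') || key === 'UI_PUBLIC_URL') continue;
    let u = null;
    try { u = new URL(value); } catch (e) { /* not an absolute URL */ }
    if (!u || u.protocol !== 'https:') findings.push(`${key}: not an https URL`);
  }
  return findings;
}

// Constructed sample: values from the configuration block on this page, with
// NOTARY_URL changed to http to exercise the TLS check.
const SAMPLE_ENV = `
# Core Config
UI_PUBLIC_URL=/partnerOnboarding
ALLOWED_ORIGINS=*
MONGODB_URI=mongodb+srv://<user>:<password>@<host>/<db>
JWT_AI_KEY=
COMPLIANCE_URL=https://federation.example.org/compliance
NOTARY_URL=http://federation.example.org/notary
`;

for (const finding of auditEnv(parseEnv(SAMPLE_ENV))) console.log(finding);
```
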
| Category | Description |
|---|---|
| Project | Reference FAP – Partner Onboarding |
| Platform | ORCE (Orchestration Engine) |
| Implementation | Flow-based application (6-step orchestration) |
| Domain | Federated Ecosystem Onboarding |
| Integrations | Wizard, Compliance, Registry, Notary, OCM, CAT, TSA |
| Deployment | Manual import or Docker Compose auto-import |
| Security | Encrypted credentials, .env isolation, TLS |
| Deliverables | Flow, documentation, scripts |
| License | MIT / Eclipse Public License 2.0 |




