suomi.fi-tunnistus (Finland only)
Capability introduction and rationale
This document shows how to sign in to an external application or service using the Finnish governmental strong identification service “suomi.fi-tunnistus”. This user directory has the following general capabilities:
- Electronic citizen identification with Bank ID, Mobile ID, and governmental ID card.
- This identification is eIDAS compliant with substantial or high level of assurance (LoA).
- Sign-in to a service, where Trivore ID acts as a trust gateway between the service and suomi.fi-tunnistus.
- Electronically sign a contract or a document via suomi.fi-tunnistus electronic citizen identification.
This use case is common when a service has to know who is signing in and using the service. Official and legal uses by municipalities, cities, and ministries are common.
There is an alternate version for enterprise use by web shops, and related needs.
Execution steps overview
There are several steps to do before this authentication is possible.
- The desired state needs to be planned by reviewing business requirements and mapping them to technical details.
- A namespace needs to be created, or an existing one selected.
- A user directory of type “suomi.fi-tunnistus” needs to be created in the selected namespace.
- The external service needs to “attach” to Trivore ID by utilising OpenID Dynamic Configuration, OIDC Authentication, and the Userinfo data endpoint.
Execution steps in detail
Reviewing business requirements and creating or selecting a namespace are beyond the scope of this document.
Benefits
Deploying this sign-in method creates and maintains user accounts in Trivore ID with an official and legally valid strong identity. The identity is created via chaining from the official population register master data held by DVV for Finland.
The usage and possibilities of this kind of user account are diverse, and beyond the scope of this document.
Use case variations
There is more than one identified use case for this Trivore ID capability.
Permanent user accounts with traditional sign-in
This is the most common use case, used by CRMs, transaction services, web shops, and similar longer-term processes.
User accounts are authenticated and identified once, and a password is additionally defined for the user account. Users may later sign in both with a username+password combination and via suomi.fi-tunnistus.
Trivore ID built-in multi-factor authentication may be enabled or enforced for an extra layer of security.
Permanent user accounts with suomi.fi-tunnistus sign-in
This is a very common use case used by municipalities. The rationale is to enforce strong multi-factor sign-in. It is not the most user-friendly, but some processes are designed to use it, and Trivore ID supports it.
User accounts are permanent, but most of the time no password is defined at all, so no username+password sign-in is possible.
Trivore ID built-in multi-factor authentication may be enabled or enforced for an extra layer of security.
Authentication gateway usage
In some cases it is not necessary to store the user accounts for a long time. The external service process may, for example, only require the user account data for up to 24h. In this kind of use case, the user account is automatically removed.
Configure Trivore ID
First, select User Directories from the main menu as shown below and click the Add directory button.
You will be asked to select directory type. Select Suomi.fi.
Core settings and User information
Suomi.fi uses the same core settings as other SAML based user directories. See
Most user information attribute mappings should use their sensible default values for Suomi.fi directories.
Linking users with Suomi.fi directories is disabled by default. If you want to use a Suomi.fi directory for sign-in purposes (instead of strong identification only), linking should be enabled. Suomi.fi does not provide any convenient attribute for Link ID, but possible choices include the personal identity code (HETU) and the electronic identification number (SATU, a.k.a. FINUID, Finnish Unique Identification Number).
Use salted hash based encryption for the Link ID, especially if you use the personal identity code as Link ID, as it is sensitive information and should be stored with encryption.
Attribute names for the personal identity code are either urn:oid:1.2.246.21 or http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier.
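As an added illustration (not Trivore ID's own code), the following Python shows how a service could derive a salted-hash Link ID from the personal identity code delivered under the SAML attribute names above, so the raw HETU is never stored. It assumes one fixed secret salt per deployment and that an eIDAS PersonIdentifier may carry a country prefix; the sample attributes and salt are constructed placeholders.

```python
import hashlib
import hmac
import re

# SAML attribute names under which Suomi.fi delivers the personal identity code (HETU).
HETU_ATTRIBUTE_NAMES = (
    "urn:oid:1.2.246.21",
    "http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier",
)
# HETU = DDMMYY + century sign ('+' 1800s, '-' or Y..U 1900s, A..F 2000s)
#        + 3-digit individual number + modulo-31 check character.
_HETU_RE = re.compile(r"^\d{6}[-+ABCDEFYXWVU]\d{3}[0-9A-FHJ-NPR-Y]$")
_CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"

def is_valid_identity_code(code: str) -> bool:
    """Syntactic check of a HETU, including its check character."""
    code = code.strip().upper()
    if not _HETU_RE.match(code):
        return False
    return _CHECK_CHARS[int(code[:6] + code[7:10]) % 31] == code[10]

def extract_identity_code(attributes: dict) -> str:
    """Pick the HETU out of a SAML attribute map (name -> list of values), trying each name.
    Assumption: an eIDAS PersonIdentifier may carry a country prefix such as "FI/FI/";
    only the last path component is used."""
    for name in HETU_ATTRIBUTE_NAMES:
        values = attributes.get(name)
        if not values:
            continue
        code = values[0].strip().rsplit("/", 1)[-1].upper()
        if not is_valid_identity_code(code):
            raise ValueError(f"{name} does not carry a valid personal identity code")
        return code
    raise KeyError("no personal identity code attribute in assertion")

def derive_link_id(identity_code: str, salt: bytes) -> str:
    """Stable, non-reversible Link ID = HMAC-SHA256(salt, HETU), so the raw HETU is not stored.
    The salt is one fixed secret per deployment, kept outside the user database. A fresh
    random salt per record (as used for passwords) would break linking: the same person
    would get a different Link ID at every sign-in and never match an existing account."""
    if len(salt) < 16:
        raise ValueError("salt too short")
    return hmac.new(salt, identity_code.upper().encode("ascii"), hashlib.sha256).hexdigest()

# Constructed sample assertion attributes (not real data); the salt is a placeholder value.
SAMPLE_ATTRIBUTES = {"urn:oid:1.2.246.21": ["131052-308T"]}
SAMPLE_SALT = b"placeholder-replace-with-32-secret-random-bytes"
```

If the salt is ever rotated, every stored Link ID must be re-derived, so treat it like a long-lived key rather than a config value that can change freely.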
Suomi.fi directories do not provide any convenient username fields either. A random username policy is preferred.