• Strong Authentication (Suomi.fi)
  • TL;DR
  • The Process at a Glance
  • Implementation Process
    • Applying for a Production License (2+ weeks)
    • Implementation of the Test Environment (1+ week)
      • When the Test Environment is Operational
    • Implementation of the Production Environment (1 week)
  • When Might/Should Strong Authentication be Used?
  • When Might/Should Strong Authentication Not be Used?
  • Technical Details
  • European-wide eIDAS Authentication

Strong Authentication (Suomi.fi)

TL;DR

An application can be connected to bank identification using the DVV’s national service. Technically straightforward SAML2.0 authentication. Note the significant challenge factor from administrative/legal intricacies; allocate weeks or months of calendar time. Coordinate carefully with the University of Helsinki’s user administration. What is Suomi.fi?

Suomi.fi identification is a common authentication service for public administration, also known colloquially as “bank identification.” Joining and using the service is free. It is provided by the Population Register Centre. The service is gradually expanding into European-wide EIDAS authentication.

Secure identification to public administration e-services

At the University of Helsinki, it is possible to use Suomi.fi authentication if the application meets its requirements. Learn more about the University of Helsinki’s centralized user authentication: Centralized User Authentication Options (does not yet specifically include information about Suomi.fi).

The Process at a Glance

• First, read the technical intro
  • Essentially similar SAML 2.0 authentication as the University’s own Shibboleth authentication
  • The application must internally handle different identification methods, because for example, Suomi.fi might provide only a name and personal identity code, while Shibboleth credentials also include group memberships, but not personal identity code, etc.
  • You can fetch different extents of user data (narrow/medium/broad)
• Understand and internalize the implementation steps: https://palveluhallinta.suomi.fi/en/pages/identification/implementation/implementation-steps
  • The University is already registered as an organization in Suomi.fi, so there is no need for a new organizational registration phase for new services
  • You need to apply for a usage license for a new service (1-2 weeks)
  • Metadata for new services must be provided separately for the test and production environments (1 week)
• Implementation requires, among other things:
  • An officially signed CA certificate
  • An official privacy policy for the service (the same one that must be created for GDPR reasons anyway)
  • Designated responsible persons & service addresses
  • Additionally, metadata for the test environment also requires a plain language name and purpose of the service in three languages
• Expect a time-consuming administrative process:
  • The test environment is promptly provided by the DVV, but moving to production involves quite precise administrative intricacies and can take several weeks of calendar time
  • The longest individual process: electronic application for usage license from the DVV through the University’s User Management Group (for example, Jukka Karvonen from the User Administration Group and Sami Nikander from the Solution Consulting Group know about this) - START THIS PROCESS BEFORE TESTING!
  • Ensure that the application for usage license explicitly states the legal basis for why authentication is needed

Below, the process is described in more detail.

Implementation Process

Understand and internalize the implementation steps.

• The University is already registered as an organization in Suomi.fi, so there is no need for further organizational registration steps for new services
• A usage license must be requested for a new service
• Metadata for new services must be provided separately for the test and production environments

Applying for a Production License (2+ weeks)

NOTE: Initiate this process well in advance, even before setting up the test environment!

The University has its own organizational account in Suomi.fi, linked to several different services. A separate usage license must be applied for from the DVV for each different production service. For example, password reset service has required its own license, FIMM’s genetic research consent its own, and HR’s labor contract data delivery its own. Only in exceptional cases might it be easier if the new service is sufficiently within the scope of an existing one and responsible persons, etc. are the same.

Make the usage license application electronically to the DVV:

• Electronic form in Suomi.fi service management, access is limited to the University’s user administration (e.g., Jukka Karvonen) and a few others in Tikess (e.g., Sami Nikander)
  • Note: service terms are accepted electronically and the form filler must have the authority to accept service terms on behalf of the University of Helsinki.
    • According to current interpretation and practice, this requires that a person with signature authority from the responsible organization branch at the University authorizes (e.g., via email) the form filler to approve the conditions and terms of usage on behalf of the University:
      • Suomi.fi Services Usage License: https://palveluhallinta.suomi.fi/storage/cms.files/S75EjtipM_jfZPBs.pdf
      • Suomi.fi identification terms of use: https://palveluhallinta.suomi.fi/storage/cms.files/UIldjvnmyRor2DM8.pdf
• The form is comprehensive, and filling it out likely involves iteration with the client.
  • For information on the content of the form, see the sample PDF
  • The form contains dozens of tricky questions, answers to some of which can be laborious. A lot of GDPR-related content (usage basis: administrative task, legitimate interest, etc.), which can be found almost verbatim in the privacy statement. It’s advisable to draft the privacy statement in advance.
• Processing the application takes time at the DVV, likely at least a week. Apparently, applications are processed in batches weekly, not daily.
• Only when the application is approved, does DVV grant permission for the implementation of the production service.

Implementation of the Test Environment (1+ week)

Implementation is quite straightforward, as it does not require a separate usage license. Instructions

A SAML2.0 metadata description is required, describing the application’s login configuration.

• Metadata description
• Sample file example
• Request the University’s User Management Group to provide the metadata file to the DVV in electronic service management. Test side metadata is updated at the DVV about once a week.

Metadata content production requires, among other things:

• Service display name (max. 50 characters) and description (max. 255 characters). Must be provided in three languages, but the DVV doesn’t particularly care even if all language versions are in Finnish. However, the University is interested at least by the time of production environment deployment, so it’s advisable to refine it in advance for the test environment
• Contact information for contacts (at least the technical role, additionally roles like support, administrative are desirable). The test environment is not particularly fussy about contacts, but these also need precision in production, so it’s worth thinking about in advance.
• A self-signed certificate
• Link to the privacy policy (but it’s unlikely to be scrutinized much, so in an emergency, a link to the University’s privacy statements homepage, https://www.helsinki.fi/en/university/privacy-statements, might suffice)

When the Test Environment is Operational

Once the test environment is operational and connected to your application, it can be accessed using commonly known Suomi.fi test credentials, in essence without authentication! Keep this in mind in your application’s test environment and limit access as necessary by other means (e.g., only from the internal network). Open test login to the world lets anyone in!?

Suomi.fi support article Test-tools in the e-identification test environment includes a list of test IDs/test personal identity codes with different attributes. The article also lists details of test users for banks (OP, Säästöpankki/Handelsbanken, Aktia), and at least previously the fake user “Nordea Demo” (personal identity code 210281-9988) from Nordea worked as well.

Implementation of the Production Environment (1 week)

A SAML2.0 metadata file is needed, as in the test environment (see above). Additionally required:

• Usage license granted by the DVV, see instructions above
• An officially signed certificate from a certificate authority (CA)
  • You can order the certificate through the University’s experts via the service address ca@helsinki.fi. Allow time for certificate delivery.
  • Certificate request can follow the model of any existing certificate data, e.g., a production server’s https certificate (same certificate, however, will not work)
  • Suomi.fi identification does not require an up-to-date certificate so the certificate doesn’t need to be renewed annually when it expires unless the service implementation requires it.
• Metadata must, of course, include a link to the final privacy policy, final contact details, etc.

Request the University’s User Management Group to provide the metadata file to the Population Register Centre in electronic service management. Production environment metadata updates also occur at the DVV about once a week.

When Might/Should Strong Authentication be Used?

When access to the system is required for users outside the University / Haka network who still need to be reliably identified.

Examples:

• Accurate example (in production): Human Resources services are preparing a new employee’s employment contract. The prospective employee can log in with bank credentials to the service portal to provide, among other things, their bank account details, even though they do not yet have an AD account or a personnel number in SAP.
• Accurate example (in production): When registering for Open University courses, external users must be reliably identified because academic credits are awarded for course achievements. Haka users can use their own university’s credentials for authentication, but others are offered Suomi.fi authentication as an option.

When Might/Should Strong Authentication Not be Used?

If there is a need to identify staff or students of the University of Helsinki. For universities, the use of Suomi.fi identification internally is restricted to certain situations, such as recovering a forgotten password. Internal users are primarily identified using centralized user authentication, which also allows for multi-factor authentication.

If external users do not have the possibility for strong authentication in Suomi.fi even via general European authentication methods, i.e., if a significant portion of external users is from outside Europe. From Europe, at least Germany, Estonia, Spain, Italy are part of the eIDAS authentication network (see below), but authentication outside these countries is more limited.

If user attributes are absolutely required that are only available within the University, and the application does not have the possibility to combine this data, for example, based on the personal identity code. European users receive a unique identifier, which, however, is not in the same format as the Finnish personal identity code (see below)

If users also have an AD account, which is primarily desired for use in logging in, and the application does not have the possibility to logically combine bank login, for example, based on the personal identity code to the AD account. Usually, it is not a good idea to allow users to create two separate identities within the application (one linked to the AD account, the other linked to bank credentials).

Examples:

• In the Research Collegium’s Core Fellowship application process, all peer reviewers are professors from around the world, so Suomi.fi would not provide access to the application system except for a few (Italians, Spaniards, etc.); support for external reviewers must be built in some other way.

• The user’s role in the application is determined by the IDM group grp-foobar-admin, and Suomi.fi user data cannot be linked to group data (the application does not have access, for example, to the user’s personal identity code)

Technical Details

Your application must be able to handle logins coming through different channels in different ways. While the University’s internal Shibboleth authentication delivers, for example, group attributes, Suomi.fi, of course, does not contain such information. Thus, it must be able to handle Suomi.fi credentials and Shibboleth credentials in different ways and not be paralyzed, for example, by the absence of group data.

The technical authentication event is SAML2 authentication. If possible, it is advisable to use the Shibboleth SP application, which has been found to best implement different situations. This can also easily implement various authentication methods, such as the University’s internal Shibboleth, national Haka, and Suomi.fi identification within the same service. The user information received by the service depends on the method of authentication.

The user will only receive certain attributes depending on the scope defined in the usage license application:

• Narrow: Personal identity code, surname, first names, given name, death information
• Medium: In addition to the above, home municipality, permanent domestic address, temporary domestic address, domestic mailing address, permanent foreign address, mother tongue information (Finnish/Swedish/Sami/other classification), language of service, information on security prohibition, and email address
• Broad: In addition to the above, mother tongue (language code), information on whether Finnish citizenship

European-wide eIDAS Authentication

European-wide authentication (eIDAS) enables secure use of public administration services across Europe beyond national borders. For EU countries, the adoption of European-wide authentication is mandatory, but a few non-EU EEA countries are also adopting it. All EU countries have been required to accept eIDAS authentication since autumn 2018, so the technical readiness exists, and the pace of transition depends on how quickly different countries join. New countries are added to the authentication options as they are added to Suomi.fi authentication.

eIDAS authentication in Suomi.fi currently (spring 2024) operates with identification instruments from the following countries:

• Austria
• Belgium
• Bulgaria
• Croatia
• Cyprus
• Czech Republic
• Denmark
• Estonia
• Germany
• Iceland
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Norway
• Poland
• Portugal
• Slovakia
• Slovenia
• Spain
• Sweden
• United Kingdom

In addition to the aforementioned, most EU countries have already given formal notification of joining (see the EU’s page for Approved Countries and Their Identification Instruments), but the practical implementation schedule for these countries is still open.

Support materials from the Digital and Population Data Services Agency:

• FAQ: eIDAS regulation: frequently asked questions about cross-border identification
• Attributes Conveyed from eIDAS Authenticated User (22.1.2020)
• Effects of the eIDAS-identification to the e-Services using Suomi.fi-Identification (26.2.2021)

Notices on the subject:

• 27.3.2018: https://uutiskirjeet.dvv.fi/news/suomi.fi-services/eidas-authentication-promotes-mobility-and-authority-transactions-across-borders.html
• 3.2.2020: https://uutiskirjeet.dvv.fi/news/suomi.fi-services/finland’s-eidas-support-expands-coming-identification-instruments-from-estonia-and-italy.html