Users will no longer be able to log into Suomi.fi via e-identification on old terminals and browser versions after 5 June

Strong identification in Suomi.fi e-Identification will no longer be possible with certain old devices after 5 June. It will no longer be possible to use strong identification with old devices or internet browsers as they pose information security risks.

Operating systems/browsers the use of which will be blocked in Suomi.fi e-Identification with the transition to TLS 1.2:

  • Android 2.3.7
  • Android 4.0.4
  • Android 4.1.1
  • Android 4.2.2
  • Android 4.3
  • IE 7 / Vista
  • IE 10 / Win Phone 8.0
  • IE 8-10 / Win 7
  • Safari 6.0.4 / OS X 10.8.4
  • Safari 5.1.9 / OS X 10.6.8
  • Java 7u25
  • Baidu Jan 2015
  • OpenSSL 0.9.8y

There are very few devices or operating systems to which this change applies in use in Finland. Those who use the devices or systems in question will be notified of the change in the Suomi.fi user interface.

Read the Finnish Transport and Communications Agency Traficom’s press release for more information: Old terminal equipment will not support strong electronic identification after the new year

Inquiries

tunnistus-kayttoonotot@vrk.fi

The certificates used for signing SAML messages will be replaced in the production environment on March 7th, 2019

The certificates used for signing Suomi.fi e-Identification SAML messages are changing because the current certificates are expiring. Changing the certificate requires changes to the e-services that use Suomi.fi e-Identification. If you do not make the change, e-identification will not work in your e-service. Ensure with your service provider or some other corresponding party that the change is made.

Changing certificates in the production environment

The new certificate for the production environment will be taken into use on Thursday, 7 March 2019 at 12 noon. The changing of the signature certificate for the production environment means that customer services must take new metadata into use. The metadata containing the new certificates was published on 13 February at the address below.

Customer services have two options for the implementation of the new certificate for the production environment.

  1. The use of transitional metadata

If your customer service supports the simultaneous use of two certificates, you can use the transitional metadata. In this way, the implementation of the new signature certificate can be flexibly carried out beforehand. Using the transitional metadata, Suomi.fi e-Identification works with both the current signature certificate and the new certificate to be taken into use on 7 March 2019. The metadata which contains both the old and the new certificate can be downloaded here: https://tunnistus.suomi.fi/static/metadata/idp-metadata.xml

  2. Implementing the new metadata directly

If your customer service does not support the simultaneous use of two certificates, the new metadata must be implemented in your customer service at the same time as it is changed in Suomi.fi e-Identification, on 7 March 2019 at 12 noon. The metadata which only contains the new certificate can be downloaded here: https://tunnistus.suomi.fi/static/metadata/idp-metadata-secondary.xml

If you observe any problems in your customer service because of the change, please get in touch at tunnistus-kayttoonotot@vrk.fi.
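A way to check both options before the cutover, shown as an added example that is not part of the original announcement: it lists the signing certificates in the transitional and the single-certificate metadata by SHA-256 fingerprint and compares them with what an e-service currently trusts. The metadata documents, entityID and certificate bytes are constructed stand-ins, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-signing-cert").decode()
ENC_CERT = base64.b64encode(b"constructed-encryption-cert").decode()


def _key(cert_b64, use):
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>\n{cert_b64}\n</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def sample_metadata(signing_certs):
    """Build constructed IdP metadata carrying the given signing certificates."""
    keys = "".join(_key(c, "signing") for c in signing_certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.invalid/metadata">'
            "<md:IDPSSODescriptor protocolSupportEnumeration="
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{keys}{_key(ENC_CERT, "encryption")}'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, ignoring line breaks."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP may sign with, in document order."""
    # Metadata is trust-anchor material: fetch it over verified TLS, and in
    # production parse it with a hardened XML parser.
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fp = fingerprint(cert.text or "")
            if fp not in found:
                found.append(fp)
    return found


def rollover_report(sp_trusted, transitional_xml, secondary_xml):
    """Compare the fingerprints an e-service trusts with both published files."""
    both = signing_fingerprints(transitional_xml)
    new_only = signing_fingerprints(secondary_xml)
    old = [fp for fp in both if fp not in new_only]
    return {
        "transitional_has_old_and_new":
            len(both) == 2 and len(new_only) == 1 and new_only[0] in both,
        "sp_accepts_new": all(fp in sp_trusted for fp in new_only),
        "sp_still_accepts_old": any(fp in sp_trusted for fp in old),
    }


TRANSITIONAL = sample_metadata([OLD_CERT, NEW_CERT])
SECONDARY = sample_metadata([NEW_CERT])

if __name__ == "__main__":
    print(rollover_report([fingerprint(OLD_CERT)], TRANSITIONAL, SECONDARY))
    print(rollover_report(signing_fingerprints(TRANSITIONAL), TRANSITIONAL, SECONDARY))
```

An e-service that reports `sp_accepts_new` as false still rejects responses signed with the new certificate; one that still reports `sp_still_accepts_old` after the cutover has not yet dropped the expiring certificate from its trust store.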

Changing certificates in the test environment

The certificate has been replaced in the customer test environment. If you haven’t implemented the changes already in the test environment, do the following immediately:

  1. Take into use the new Suomi.fi e-Identification test environment double-certificate metadata as soon as possible and check that it works normally in your test service. The new metadata can be downloaded at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml
  2. If it emerges within the tests that the customer service is not able to use the double-certificate metadata, a secondary single-certificate metadata must be implemented. This metadata only has the new certificate. This metadata has been taken into use on this day as the signature certificate has been replaced in the test environment. The secondary metadata has been published at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata-secondary.xml.

Timetable for change of certificate

  • 13 February 2019 – Publication of metadata containing new certificates for customer production environment
  • 7 March 2019 – Customer production environment certificate is changed

 

Kind regards,

Population Register Centre

Production use of the Finnish eIDAS node to start on Wednesday 6 February 2019 – processing of German eIDAS identification system users through the Suomi.fi e-Identification system will begin

The Finnish eIDAS node will be taken into use in early February. The production use will begin on Wednesday 6 February 2019.

The node is used to relay citizens from other EU countries who want to use Finnish public administration e-services with Suomi.fi e-Identification. The node’s identification process will first support the German identification system.

The Population Register Centre already completed its work on the Finnish eIDAS node in September. However, bringing the node into operation was delayed due to a data security risk discovered in the German identification solution. Last autumn, the Population Register Centre worked together with other EU countries to find a solution to eliminate the risk. Thanks to a solution developed recently, the node can finally be opened for production use.

It should be noted that the eIDAS regulation obligates all public sector actors to ensure compliance with the requirements of the regulation. It also obligates public sector actors to accept all EU citizens with eIDAS-notified tokens to use their services.  Providing e-services for customers with a German eIDAS-notified token is obligatory starting from Wednesday 6 February 2019.

For all e-services that are not yet able to process eIDAS users, the Population Register Centre offers a service request form developed for Suomi.fi e-Identification. The Population Register Centre will open the form for use only after the national node begins its operations. To familiarise yourself in more detail with how to enable the form, read the following article under Service Management: Enabling the eIDAS form (in Finnish).

In addition to Germany, Italy, Estonia, Spain, Croatia and Luxembourg have already notified their eIDAS tokens. The processing of eIDAS identification system users from the above-mentioned countries through the Suomi.fi e-Identification system is scheduled to begin in autumn 2019.

Additional information:

tunnistus-kayttoonotot@vrk.fi

Finnish eIDAS node complete – adoption of German eIDAS identification postponed

The Population Register Centre has completed the development of the Finnish eIDAS node. The node is used to relay citizens from other EU countries who want to use online Finnish public administration services that utilise the Suomi.fi e-identification system.

In the initial phase, the node’s identification process supports the German identification system. However, a data security flaw has been discovered in the German identification solution, and due to this, the processing of German eIDAS identification system users through the Finnish node has been postponed.

The Population Register Centre will begin relaying users who have been identified using the eIDAS system only after the German identification solution’s data security risk has been fixed. The introduction of the eIDAS form in the Population Register Centre’s online services will be similarly postponed. The Population Register Centre will open the form for use only after the national node begins its operations.

The Population Register Centre will issue a separate press release once the German eIDAS identification system can be taken into use.

 

Additional information:

tunnistus-kayttoonotot@vrk.fi

eIDAS identification will be possible in Suomi.fi e-Identification from 19 September 2018 – See the instructions for enabling the form solution provided by the Population Register Centre

As its statutory duty, the Population Register Centre will implement an eIDAS node enabling eIDAS identification for public sector actors.

The eIDAS regulation obligates all public sector actors to ensure compliance with the requirements of the regulation. It also obligates them to accept EU citizens with an eIDAS-notified token to use the services.

For e-services which are not able to implement support for eIDAS-identified users by the deadline, the Population Register Centre offers a service request form implemented for Suomi.fi e-Identification. The form is offered as a temporary solution to allow the e-services time to solve the processing of eIDAS-identified users. The continuation of the temporary service will be reviewed in February 2019.

The service request form will be presented to users after they have identified themselves if they have selected eIDAS identification. Users can write their request and contact details in the form which will be forwarded to the e-service in a standard form email.

If a customer organisation of Suomi.fi e-Identification does not consider the eIDAS regulation to be applicable to a specific e-service, it should contact the Population Register Centre so that the necessary technical changes can be implemented.

To enable the service request form, the terms of use must be accepted in Suomi.fi Service Management and the form settings must be defined in the e-service metadata. To familiarise yourself in more detail with how to enable the form, read the following article in Service Management: Enabling the eIDAS form (in Finnish).

Please note that to enable the use of the form by the end of September, the terms of use must be accepted and the metadata submitted to the Population Register Centre by 14 September 2018.

Schedule for the change
6 August. The eIDAS test period begins. The Population Register Centre adds the necessary eIDAS changes to the metadata of all services in the test environment. The eIDAS functionality can be tested under Identification in the customer test environment.

5 September. The definition of eIDAS assurance levels in metadata becomes obligatory.
14 September. The customer organisation must submit the metadata containing the form specifications to the Population Register Centre by this date to enable the use of the form during September.

19 September. eIDAS identification will be possible in Suomi.fi e-Identification. The option for eIDAS identification will be displayed for all e-services.
29 September. The national interoperable node must have been implemented according to the eIDAS regulation. Public sector actors must accept in their services the use of another Member State’s tokens when their assurance level corresponds to that of the Finnish tokens.

 

Additional information

tunnistus-kayttoonotot@vrk.fi

The eIDAS contact form soon available

(Read the article in Finnish in Service Management here: http://palveluhallinta.suomi.fi/fi/tuki/artikkelit/5b766039a767e8002bb7fe2d)

The Population Register Centre is establishing the eIDAS node as part of its statutory tasks. In the first phase, a token issued in Germany and linked with the personal identity card will be supported. Tokens approved for use in other EU countries will become available at a later stage.

The eIDAS identification will become available as an identification option for e-services using Suomi.fi e-Identification on 19 September 2018.

The most important difference between eIDAS-identified users and users of Finnish tokens is that no Population Information System data on eIDAS-identified users or their personal identity codes can be transmitted in this process. The following attributes are transmitted on eIDAS-identified users: first name, surname, date of birth and unique personal identifier (PID).

The Population Register Centre has a temporary solution for organisations that are unable to identify eIDAS-identified users with these transmitted attributes this autumn. For these organisations, the Population Register Centre has a form on which they can enter their queries and contact details. The contents of the form are transmitted to the e-services by email. The form will help to provide end users with a better and a more useful service experience.

Your organisation must accept the terms and conditions of use before using the form. The terms and conditions of use become available for approval on 5 September, and from the same date, you can also add the form specifications to metadata.

You can find the instructions and the changes required in the e-services in this article.

The form is offered as a temporary solution so that the e-services can solve the problem of processing eIDAS-identified users. The continuation of the temporary service will be reviewed in February 2019.

Contact form functions

The progress of identification when using a form

When using a form, the users will see identification as one of the alternatives on the page for selecting a token and can identify themselves with a token from their country as normal. However, after identification, Suomi.fi e-Identification directs the user to a contact form instead of a data transfer page. The user can submit a contact request and provide their contact information on the form. After the message is sent or cancelled, the Suomi.fi e-Identification event is concluded and the user is not redirected to the e-service.

Submitting a message

As a user submits a contact request, the message is submitted by e-mail from the Suomi.fi identification to the e-mail address incorporated in the metadata of the e-service. To avoid unnecessary messages, the e-mail address of the e-service to which the message is sent is not presented to the user and messages cannot be submitted without identification.

The data content entered into the form by the user as well as information about the used e-service is included in the message. This means that no personal data attributes submitted from the user’s token to Suomi.fi e-Identification or other data related to the identification event is transmitted.

The sent message is not stored in the Identification feature. If submitting the form fails, e.g. due to a temporary network disruption, the message cannot be restored and it cannot be resubmitted later. The content of the message is also not stored in log data, and it is therefore not possible to determine later what information has been sent.

The form of the message

The title of the sent e-mail includes the text “[Suomi.fi identification] eIDAS contact request for service XXX”, where XXX is the displayName and entityId of the service. The messages can be forwarded based on their titles. Messages sent from a test environment have the following title: “[Suomi.fi identification TEST] eIDAS contact request for service XXX”.

Activating the form

To activate the eIDAS contact form, e-services must take the following measures presented below in further detail:

  1. Accept the terms and conditions of use in Service Management
  2. Specify the form for use in the e-service metadata

Accepting the terms and conditions

In connection to introducing the eIDAS contact form, the organisation must accept the terms and conditions of use of the contact form under Service Management. The organisation is responsible for accepting the terms and conditions of use with the consent of a signatory from the organisation. The information on accepting the terms and conditions of use is stored in the Service Management feature, after which all of the organisation’s e-services will be able to activate the eIDAS contact form. The form is implemented separately for each e-service and environment (see the following section), as a result of which the organisation may have services accepting eIDAS users and services using the eIDAS contact form.

The Accept the Terms and Conditions function is visible to logged-in users in Service Management in the Dashboard view and the administrative view of e-Identification.

Specifying the eIDAS form in metadata

A condition for using the form is that the eIDAS identification assurance levels have been specified in the e-Service metadata and no eIDAS identification assurance levels have been excluded based on specific identification requests. More information on the specifications of the eIDAS assurance levels is available in the article describing the impacts of eIDAS identification on e-services using Suomi.fi e-Identification.

The activation of the form is specified in metadata with two new attributes. The attributes ‘EidasSupport’ and ‘EidasContactAddress’ are entered in the ‘EntityAttributes’ field as described below.

Specifying the EidasSupport attribute

An EidasSupport attribute with the value ‘form’ in the e-service metadata notifies Identification that the user should be directed to the contact form after identification.

If no EidasSupport attribute is specified, the default value ‘full’ will be applied, which refers to full eIDAS support. In this case, eIDAS-identified users are directed to the e-service as normal.

Specifying a contact address for the eIDAS form

When using the form alternative for the EidasSupport attribute, the e-service must also specify an e-mail address to which messages sent via the form are submitted. The address is specified with the new ‘EidasContactAddress’ attribute. The attribute must be specified whenever the EidasSupport attribute value is ‘form’.

Deactivating the form

When an e-service is ready to accommodate eIDAS-identified users, the form can be deactivated by updating the service metadata by removing the aforementioned ‘EidasSupport’ and ‘EidasContactAddress’ attributes from the metadata. In this case, the default values will be restored, which the Suomi.fi e-Identification will use to redirect eIDAS-identified users to the e-service via a data transfer page similarly as with users who have used Finnish tokens for identification.
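The EidasSupport and EidasContactAddress rules above can be checked before metadata is submitted. This is an added example, not code from the Population Register Centre: the attribute names come from the text, while the XML layout (SAML `EntityAttributes` extension with one `Attribute` per name), the case-sensitive value check, the entityID and the e-mail address are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sample_sp_metadata(attrs):
    """Constructed e-service metadata; the attribute layout is an assumption."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attrs.items())
    xmlns = " ".join(f'xmlns:{p}="{uri}"' for p, uri in NS.items())
    return (f'<md:EntityDescriptor {xmlns} entityID="https://sp.example.invalid">'
            f"<md:Extensions><mdattr:EntityAttributes>{body}"
            "</mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>")


def entity_attributes(metadata_xml):
    """Map each entity attribute name to its list of values."""
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return {a.get("Name"): [(v.text or "").strip()
                            for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(path, NS)}


def check_eidas_form(metadata_xml):
    """Return (effective EidasSupport mode, list of problems)."""
    attrs = entity_attributes(metadata_xml)
    support = attrs.get("EidasSupport", ["full"])  # absent: default 'full'
    contact = attrs.get("EidasContactAddress", [])
    if len(support) != 1 or support[0] not in ("form", "full"):
        return None, [f"EidasSupport must be 'form' or 'full', got {support!r}"]
    mode, problems = support[0], []
    if mode == "form":
        # The contact address is mandatory whenever the value is 'form'.
        if len(contact) != 1 or not contact[0]:
            problems.append("EidasSupport is 'form' but EidasContactAddress is missing")
        elif not EMAIL_SHAPE.match(contact[0]):
            problems.append(f"EidasContactAddress is not an e-mail address: {contact[0]!r}")
    elif contact:
        # Deactivation removes both attributes; a leftover address is flagged.
        problems.append("EidasContactAddress is set but EidasSupport is not 'form'")
    return mode, problems


if __name__ == "__main__":
    for attrs in ({}, {"EidasSupport": "form"},
                  {"EidasSupport": "form",
                   "EidasContactAddress": "eidas-requests@sp.example.invalid"}):
        print(attrs, "->", check_eidas_form(sample_sp_metadata(attrs)))
```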

The impacts of eIDAS identification on e-services using Suomi.fi e-Identification

Starting from 29 September, public administration services must accept the use of e-services with eIDAS notified tokens. The Population Register Centre will implement the node for eIDAS identification and assist e-services with the introduction of eIDAS identification through Suomi.fi e-Identification. This message summarises the timetable for the introduction of eIDAS and describes its technical impacts on the e-services using Suomi.fi e-Identification.

Changes to metadata

The changes to the metadata will be carried out on behalf of the e-services as a one-off measure in August. After that, the e-service itself will have to make sure that eIDAS is taken into account in the metadata in connection with updates as described below.

eIDAS assurance levels to be listed in metadata

Along with the introduction of eIDAS, the eIDAS assurance levels as well as the permitted assurance levels of the Finnish trust network must be listed in the metadata of the e-services. At the beginning of August, the eIDAS assurance levels high and substantial will automatically be added to the metadata of the e-services. They correspond to the high and substantial assurance levels in the definition of the trust network.

Additional information is available in the article E-service metadata.

Attributes transmitted on the user

The user’s Finnish personal identity code or information on the user contained in the Population Information System cannot be transmitted in connection with eIDAS identification. The available attributes are first names, surname, date of birth and the unique PID identifier. These attributes must be added to the metadata so that they can be transmitted to the e-service. The Population Register Centre will automatically add these attributes to the metadata of all e-services at the beginning of August. In future, however, e-services must themselves add the eIDAS attributes they require if changes are made to the metadata.

Additional information on the attributes is available in the article Attributes transmitted on an eIDAS-identified user.

Exchange of forms in metadata

The Population Register Centre is investigating an option in which a contact form would be offered to eIDAS-identified users of e-services directly in Suomi.fi e-Identification.  This would facilitate the integration work of e-services. This option will be confirmed in August and information on its technical details, such as indicating the form option in the metadata, will be communicated once the matter has been confirmed.

The interface will also undergo changes

eIDAS identification will cause some changes also to the SAML2 interface of Suomi.fi e-Identification.  Additional information is available in the article Technical interface description under Service Management.

The eIDAS assurance levels to be listed in identification requests if tokens or assurance levels are restricted

If the e-service restricts the accepted tokens or assurance levels on an identification request-specific basis, the eIDAS assurance levels as well as the assurance levels of the Finnish trust network must in future be listed in the requests. If the identifiers of the eIDAS assurance levels are not added to the requests, the eIDAS identification option will be excluded as non-compliant with the eIDAS regulation.

Identification response

In future, the levels of authentication transmitted in an identification response will also include eIDAS assurance levels (high or substantial) when the user has selected eIDAS identification.

E-services may have to make changes

The most important difference between eIDAS-identified users and users of Finnish tokens is that no Population Information System data on eIDAS-identified users or their personal identity codes can be transmitted in this process. This may require a large number of changes to be made in e-services.

Unless the e-service restricts the tokens and the assurance levels on an identification request-specific basis, no measures will be required for the introduction of eIDAS identification complying with the regulation as such. If restrictions are in use, the e-service must itself take care of updating the requests so that the obligation in the eIDAS regulation will be fulfilled. Below you will find the instructions for checking this in the customer testing environment.

Changes can be tested starting from the beginning of August.

The eIDAS test token will be updated to a more recent version in the customer testing environment at the beginning of August when the test period begins. The test token will correspond to eIDAS identification in production as much as possible:

  • the option for eIDAS identification will be displayed when the eIDAS assurance levels have been defined in the metadata
  • the eIDAS assurance level will be the level of authentication returned to the e-service

When the test period starts in August, the Population Register Centre will have added the eIDAS assurance levels to the metadata of all e-services. The eIDAS identification option should then appear on the token selection page under Identification in the customer testing environment. eIDAS identification can be seen as a button under the Finnish tokens. If no eIDAS option is displayed, eIDAS is likely to have been excluded from the identification requests. The eIDAS assurance levels must in that case be added to the identification requests according to the instructions in the section Identification request – Accepted tokens under Technical interface description.

Different countries can be selected on the country selection page of eIDAS identification in the same way as in the previous test token. The personal data returned are examples of what kind of personal data can be transmitted in eIDAS identification events. The transmitted attributes comply with the metadata description.

Timetable

6 August. The eIDAS test period begins. The Population Register Centre adds the eIDAS assurance levels and personal data attributes to the metadata of the e-services. The eIDAS functionality can be tested in the customer testing environment under Identification.

5 September. The definition of eIDAS assurance levels in metadata becomes obligatory.

19 September. The introduction of eIDAS in production in Suomi.fi e-Identification. eIDAS identification will be possible in Suomi.fi e-Identification.

29 September. The national interoperable node must have been implemented. Public administration must accept in its services the use of another Member State’s tokens when their assurance level corresponds to that of the Finnish tokens.