The eIDAS contact form soon available

The Population Register Centre is establishing the eIDAS node as part of its statutory tasks. In the first phase, a token issued in Germany and linked with the personal identity card will be supported. Tokens approved for use in other EU countries will become available at a later stage.

The eIDAS identification will become available as an identification option for e-services using e-Identification on 19 September 2018.

The most important difference between eIDAS-identified users and users of Finnish tokens is that no Population Information System data on eIDAS-identified users or their personal identity codes can be transmitted in this process. The following attributes are transmitted for eIDAS-identified users: first name, surname, date of birth and unique personal identifier (PID).

The Population Register Centre has a temporary solution for organisations that are unable to identify eIDAS-identified users with these transmitted attributes this autumn. For these organisations, the Population Register Centre has a form on which users can enter their queries and contact details. The contents of the form are transmitted to the e-services by e-mail. The form will help to provide end users with a better and more useful service experience.

Your organisation must accept the terms and conditions of use before using the form. The terms and conditions of use become available for approval on 5 September, and from the same date, you can also add the form specifications to metadata.

You can find the instructions and the changes required in the e-services in this article.

The form is offered as a temporary solution so that the e-services can solve the problem of processing eIDAS-identified users. The continuation of the temporary service will be reviewed in February 2019.

Contact form functions

The progress of identification when using a form

When the form is in use, users will see identification as one of the alternatives on the page for selecting a token and can identify themselves with a token from their country as normal. However, after identification, e-Identification directs the user to a contact form instead of a data transfer page. The user can submit a contact request and provide their contact information on the form. After the message is sent or cancelled, the e-Identification event is concluded and the user is not redirected to the e-service.

Submitting a message

When a user submits a contact request, the message is sent by e-mail from the identification to the e-mail address specified in the metadata of the e-service. To avoid unnecessary messages, the e-mail address of the e-service to which the message is sent is not shown to the user, and messages cannot be submitted without identification.

The message contains the data the user entered into the form as well as information about the e-service used. This means that no personal data attributes submitted from the user’s token to e-Identification or other data related to the identification event are transmitted.

The sent message is not stored in the Identification feature. If submitting the form fails, e.g. due to a temporary network disruption, the message cannot be restored and it cannot be resubmitted later. The content of the message is also not stored in log data, and it is therefore not possible to determine afterwards what information was sent.

The form of the message

The title of the sent e-mail includes the text “[ identification] eIDAS contact request for service XXX”, where XXX is the displayName and entityId of the service. The messages can be forwarded based on their titles. Messages sent from a test environment have the following title: “[ identification TEST] eIDAS contact request for service XXX”.

Activating the form

To activate the eIDAS contact form, e-services must take the following measures, which are presented in further detail below:

  1. Accept the terms and conditions of use in Service Management
  2. Specify the form for use in the e-service metadata

Accepting the terms and conditions

When introducing the eIDAS contact form, the organisation must accept the terms and conditions of use of the contact form under Service Management. The organisation is responsible for accepting the terms and conditions of use with the consent of a signatory from the organisation. The information on accepting the terms and conditions of use is stored in the Service Management feature, after which all of the organisation’s e-services will be able to activate the eIDAS contact form. The form is implemented separately for each e-service and environment (see the following section), so the same organisation may have both services that accept eIDAS users and services that use the eIDAS contact form.

The Accept the Terms and Conditions function is visible to logged-in users in Service Management in the Dashboard view and the administrative view of e-Identification.

Specifying the eIDAS form in metadata

A condition for using the form is that the eIDAS identification assurance levels have been specified in the e-Service metadata and no eIDAS identification assurance levels have been excluded based on specific identification requests. More information on the specifications of the eIDAS assurance levels is available in the article describing the impacts of eIDAS identification on e-services using e-Identification.

The activation of the form is specified in metadata with two new attributes. The attributes ‘EidasSupport’ and ‘EidasContactAddress’ are entered in the ‘EntityAttributes’ field as described below.

Specifying the EidasSupport attribute

An EidasSupport attribute with the value ‘form’ in the e-service metadata notifies Identification that the user should be directed to the contact form after identification.

If no EidasSupport attribute is specified, the default value ‘full’ will be applied, which refers to full eIDAS support. In this case, eIDAS-identified users are directed to the e-service as normal.

Specifying a contact address for the eIDAS form

When using the form alternative for the EidasSupport attribute, the e-service must also specify an e-mail address to which messages sent via the form are submitted. The address is specified with the new ‘EidasContactAddress’ attribute. The attribute must be specified whenever the EidasSupport attribute value is ‘form’.
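
A pre-submission check for the two rules above (default ‘full’, and a mandatory contact address when the value is ‘form’), as an added example that is not the Population Register Centre's own code or metadata. It assumes the attributes are SAML Attribute elements inside the standard EntityAttributes extension and that their Name is the bare attribute name used in this article; the entityID and e-mail address in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Standard SAML namespaces. Assumption: the Name of each attribute is the
# bare name used in the article ('EidasSupport', 'EidasContactAddress').
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata (hypothetical entityID and contact address).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://service.example/sp">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="EidasSupport">
        <saml:AttributeValue>form</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="EidasContactAddress">
        <saml:AttributeValue>eidas-contact@service.example</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

def entity_attributes(metadata_xml):
    """Return {Name: first value} for attributes under EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
            for a in root.findall(path, NS)}

def check_eidas_form_config(metadata_xml):
    """Return (effective EidasSupport mode, list of problems found)."""
    attrs = entity_attributes(metadata_xml)
    mode = attrs.get("EidasSupport", "full")  # article: default is 'full'
    problems = []
    if mode not in ("full", "form"):  # only these two values are documented
        problems.append("unexpected EidasSupport value: %r" % mode)
    address = attrs.get("EidasContactAddress", "")
    if mode == "form" and "@" not in address:
        problems.append("EidasSupport is 'form' but no usable EidasContactAddress")
    return mode, problems
```

Because the sent message is neither stored nor logged, a missing or mistyped contact address means lost requests, so the check is worth running on each environment's metadata before it is uploaded.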

Deactivating the form

When an e-service is ready to accommodate eIDAS-identified users, the form can be deactivated by removing the aforementioned ‘EidasSupport’ and ‘EidasContactAddress’ attributes from the service metadata. The default values are then restored, and e-Identification redirects eIDAS-identified users to the e-service via a data transfer page in the same way as users who have used Finnish tokens for identification.