The impacts of eIDAS identification on e-services using Suomi.fi e-Identification

Starting from 29 September, public administration services must accept the use of e-services with eIDAS notified tokens. The Population Register Centre will implement the node for eIDAS identification and assist e-services with the introduction of eIDAS identification through Suomi.fi e-Identification. This message summarises the timetable for the introduction of eIDAS and describes its technical impacts on the e-services using Suomi.fi e-Identification.

Changes to metadata

The changes to the metadata will be carried out on behalf of the e-services as a one-off measure in August. After that, the e-service itself will have to make sure that eIDAS is taken into account in the metadata in connection with updates as described below.

eIDAS assurance levels to be listed in metadata

Along with the introduction of eIDAS, the eIDAS assurance levels as well as the permitted assurance levels of the Finnish trust network must be listed in the metadata of the e-services. At the beginning of August, the eIDAS assurance levels high and substantial will automatically be added to the metadata of the e-services. They correspond to the high and substantial assurance levels in the definition of the trust network.

Additional information is available in the article E-service metadata.

Attributes transmitted on the user

The user’s Finnish personal identity code or information on the user contained in the Population Information System cannot be transmitted in connection with eIDAS identification. The available attributes are first names, surname, date of birth and the unique PID identifier. These attributes must be added to the metadata so that they can be transmitted to the e-service. The Population Register Centre will automatically add these attributes to the metadata of all e-services at the beginning of August. In future, however, e-services must themselves add the eIDAS attributes they require if changes are made to the metadata.

Additional information on the attributes is available in the article Attributes transmitted on an eIDAS-identified user.

Exchange of forms in metadata

The Population Register Centre is investigating an option in which a contact form would be offered to eIDAS-identified users of e-services directly in Suomi.fi e-Identification. This would facilitate the integration work of e-services. This option will be confirmed in August and information on its technical details, such as indicating the form option in the metadata, will be communicated once the matter has been confirmed.

The interface will also undergo changes

eIDAS identification will also cause some changes to the SAML2 interface of Suomi.fi e-Identification. Additional information is available in the article Technical interface description under Service Management.

The eIDAS assurance levels to be listed in identification requests if tokens or assurance levels are restricted

If the e-service restricts the accepted tokens or assurance levels on an identification request-specific basis, the eIDAS assurance levels as well as the assurance levels of the Finnish trust network must in future be listed in the requests. If the identifiers of the eIDAS assurance levels are not added to the requests, the eIDAS identification option will be excluded as non-compliant with the eIDAS regulation.

Identification response

In future, the levels of authentication transmitted in an identification response will also include eIDAS assurance levels (high or substantial) when the user has selected eIDAS identification.

E-services may have to make changes

The most important difference between eIDAS-identified users and users of Finnish tokens is that no Population Information System data on eIDAS-identified users or their personal identity codes can be transmitted in this process. This may require a large number of changes to be made in e-services.

Unless the e-service restricts the tokens and the assurance levels on an identification request-specific basis, no measures will be required for the introduction of eIDAS identification complying with the regulation as such. If restrictions are in use, the e-service must itself take care of updating the requests so that the obligation in the eIDAS regulation will be fulfilled. Below you will find the instructions for checking this in the customer testing environment.

Changes can be tested starting from the beginning of August.

The eIDAS test token will be updated to a more recent version in the customer testing environment at the beginning of August when the test period begins. The test token will correspond to eIDAS identification in production as much as possible:

  • the option for eIDAS identification will be displayed when the eIDAS assurance levels have been defined in the metadata
  • the eIDAS assurance level will be the level of authentication returned to the e-service

When the test period starts in August, the Population Register Centre will have added the eIDAS assurance levels to the metadata of all e-services. The eIDAS identification option should then appear on the token selection page under Identification in the customer testing environment. eIDAS identification can be seen as a button under the Finnish tokens. If no eIDAS option is displayed, eIDAS is likely to have been excluded from the identification requests. The eIDAS assurance levels must in that case be added to the identification requests according to the instructions in the section Identification request – Accepted tokens under Technical interface description.
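The check described above and in the section on restricted identification requests can be run against the e-service's own outgoing SAML2 requests before testing. The following Python sketch is an added example, not code from the Population Register Centre or Suomi.fi: the eIDAS level identifiers are the ones defined in the eIDAS SAML specifications, the Finnish trust network identifiers are placeholders, and both should be confirmed against the Technical interface description.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# eIDAS assurance level URIs from the eIDAS SAML specifications (assumption:
# Suomi.fi uses the same values; verify in the Technical interface description).
EIDAS_LOA = {"http://eidas.europa.eu/LoA/substantial",
             "http://eidas.europa.eu/LoA/high"}
# Placeholders for the Finnish trust network levels, NOT real identifiers.
FTN_SUBSTANTIAL = "urn:example:ftn:substantial"
FTN_HIGH = "urn:example:ftn:high"

def requested_levels(authn_request_xml):
    """Return the AuthnContextClassRef values a request restricts itself to.

    An empty list means the request carries no per-request restriction.
    Input is the e-service's own outgoing request, not untrusted XML.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return []
    refs = rac.findall("saml:AuthnContextClassRef", NS)
    return [(ref.text or "").strip() for ref in refs]

def eidas_check(authn_request_xml):
    """Classify a request as (status, eIDAS levels it lists)."""
    levels = requested_levels(authn_request_xml)
    if not levels:
        return ("unrestricted", [])       # nothing to update in the request
    listed = sorted(EIDAS_LOA.intersection(levels))
    # A restricted request without any eIDAS level hides the eIDAS option.
    return ("eidas-listed" if listed else "eidas-excluded", listed)

def build_request(levels):
    """Constructed minimal AuthnRequest for the demo (unsigned, incomplete)."""
    refs = "".join(f"<saml:AuthnContextClassRef>{lv}</saml:AuthnContextClassRef>"
                   for lv in levels)
    rac = (f'<samlp:RequestedAuthnContext Comparison="exact">{refs}'
           f"</samlp:RequestedAuthnContext>") if levels else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
            f"{rac}</samlp:AuthnRequest>")

if __name__ == "__main__":
    for lv in ([], [FTN_HIGH, FTN_SUBSTANTIAL], [FTN_HIGH] + sorted(EIDAS_LOA)):
        print(eidas_check(build_request(lv)))
```

A result of "eidas-excluded" corresponds to the case where no eIDAS button appears on the token selection page.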

Different countries can be selected on the country selection page of eIDAS identification in the same way as in the previous test token. The personal data returned are examples of what kind of personal data can be transmitted in eIDAS identification events. The transmitted attributes comply with the metadata description.

Timetable

6 August. The eIDAS test period begins. The Population Register Centre adds the eIDAS assurance levels and personal data attributes to the metadata of the e-services. The eIDAS functionality can be tested in the customer testing environment under Identification.

5 September. The definition of eIDAS assurance levels in metadata becomes obligatory.

19 September. The introduction of eIDAS in production in Suomi.fi e-Identification. eIDAS identification will be possible in Suomi.fi e-Identification.

29 September. The national interoperable node must have been implemented. Public administration must accept in its services the use of another Member State’s tokens when their assurance level corresponds to that of the Finnish tokens.