Suomi.fi for Service Developers

Technical setup

Checklist

  • Please note that the connection requires knowledge of the SAML 2.0 standard and may require modifications in the connected system.
  • Testing only needs to be carried out once, either by the client organisation or the supplier. Agree on which party will carry out the testing and ensure that both organisations are aware of their role.
  • The organization needs an account for Service Management, as well as user rights for the Identification Management Interface, before the transaction service can be registered. (Registration can be done at: https://palveluhallinta.suomi.fi/en/rekisteroityminen)
  • About the IdP metadata of Suomi.fi e-Identification: the metadata contains two certificates, one of which is either about to be used or has expired, and the other of which is valid. The service should be able to handle the certificates hierarchically so that a certificate change does not cause a disruption in the service. The certificate in use changes approximately every two years.
  • Metadata can also be installed by the vendor. However, the service always requires a data permit (for production use), regardless of whether the service has its "own" metadata or if it's a shared platform with only one common metadata.
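
One way a connected service can keep both IdP certificates trusted across a rollover, as an added example that is not Suomi.fi's own code. The function names, the fingerprint-matching approach and the sample metadata (placeholder bytes instead of real certificates) are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _fingerprint(cert_b64):
    """SHA-256 over the DER bytes; whitespace in the base64 text is ignored."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def trusted_signing_certs(metadata_xml):
    """Fingerprints of every IdP signing certificate in the metadata.

    A KeyDescriptor without a `use` attribute applies to signing as well as
    encryption, so it is included. Every certificate is kept, not only the
    first, so the incoming certificate is already trusted at the change.
    """
    root = ET.fromstring(metadata_xml)
    trusted = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys must not validate signatures
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                trusted.add(_fingerprint(cert.text))
    return trusted

def is_trusted_signer(cert_b64, trusted):
    """True if the certificate carried in a message is one from the metadata."""
    return _fingerprint(cert_b64) in trusted

# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD, NEW, ENC, ROGUE = (base64.b64encode(f"constructed-{n}".encode()).decode()
                        for n in ("old", "new", "enc", "rogue"))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.invalid/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{OLD}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
     {NEW}
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

The fingerprint match only decides which key may be used; the XML signature on the response or logout message still has to be verified with that key by the SAML library in use.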

How to implement the technical setup of the Identification Service:

1. Join the test environment

Test the service in the test environment before deploying it to your production environment. In the test environment, you can:

  • prepare for the setup of the e-Identification service
  • survey the changes needed in your service
  • test the implementation of your service.

Test the following messages:

  • sending an identification request
  • receiving an identification response
  • sending a logout request
  • receiving a logout request
  • receiving a logout response
  • sending a logout response.

Please also take the special features of eIDAS-identified users into account:

  • Identification is not carried out as a single sign-on session
  • User data is not retrieved from the Population Information System
  • User information includes first name, last name, PID and date of birth.

Read the detailed instructions on joining the test environment.

2. Move to production

After testing, you can move to production.

Upload the production metadata to Service Management through the Identification management interface at least one week before the desired production implementation date.
Finalize the trust relationship using the production IdP metadata (https://tunnistus.suomi.fi/static/metadata/idp-metadata.xml).

You can upload the metadata when

  • you have successfully completed every test case in the client test environment
  • your service has been granted an access license
  • your organisation has accepted the terms and conditions of use of Suomi.fi e-Identification.

Please note the following regarding production metadata:

  • Remove the test identification tool (…110.999)
  • Use only certificates issued by official CAs
  • Verify contact information and remove/correct non-functional addresses

Remember data security


Updated: 27/1/2025
