Technical description
Suomi.fi e-Identification offers the e-service the data of a person identified by an identification token. The service verifies these data by comparing them with the information in the Population Information System. If the person has been identified using a strong authentication method and the identification token has returned the personal identity code or the unique electronic identifier, the service will also supplement the data with information from the Population Information System according to the needs of the e-service.
Accepting the terms and conditions of use (in Finnish) is a precondition for using Suomi.fi e-Identification. The trust relationship between the e-service and Suomi.fi e-Identification is set up by exchanging the services’ metadata files in XML format.
Suomi.fi e-Identification is based on the SAML standard. All identification tokens are available through one technical interface, which in turn is publicly available online.
A trust relationship is set up between the e-service and Suomi.fi e-Identification by using metadata compliant with the SAML 2.0 standard. All telecommunication and online traffic involving SAML messages or related user data is protected using HTTPS. In addition, the identity of all parties is verified and message integrity is ensured in compliance with the SAML 2.0 standard.
Joining Suomi.fi e-Identification does not require the use of the security server of Suomi.fi Data Exchange Layer as all traffic between the e-service and the Suomi.fi e-Identification takes place through the end-user’s browser. Service use does not require any firewall ports to be opened.
Because Suomi.fi e-Identification creates a single sign-on session between the e-services connected to it, the e-service will also have to support single logout functionalities. In practice, six use cases must be implemented in the e-service:
- sending an identification request
- receiving an identification response
- sending a logout request
- receiving a logout request
- receiving a logout response
- sending a logout response.
Only the HTTP Redirect and HTTP POST bindings are supported for sending and receiving SAML messages. See the PDF document "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" for more information.
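The following is an added example, not code from Suomi.fi or the e-Identification service, showing the service-provider side of the six use cases listed above together with the two bindings this page names. It uses only the Python standard library. The entity IDs, endpoint URLs and the inbound logout request are constructed placeholders standing in for what the exchanged metadata files would really carry; message signing and signature validation, which the SAML 2.0 standard requires for integrity, are left out so that the binding mechanics stay visible.

```python
"""Added example (not Suomi.fi code): SP side of the six SAML 2.0 use cases and the
HTTP-Redirect / HTTP-POST bindings. Stdlib only; identifiers and URLs are constructed
placeholders. Signing/signature validation is omitted and must be present in production."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": NS_SAMLP, "saml": NS_SAML}
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders: in a real deployment these values come from the metadata files.
SP_ENTITY_ID = "https://eservice.example.test/saml"
SP_ACS_URL = "https://eservice.example.test/saml/acs"
SP_SLO_URL = "https://eservice.example.test/saml/slo"
IDP_ENTITY_ID = "https://idp.example.test/idp"
IDP_SSO_URL = "https://idp.example.test/sso"
IDP_SLO_URL = "https://idp.example.test/slo"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    # SAML message IDs are xsd:ID values, which may not start with a digit.
    return "_" + secrets.token_hex(16)


def _message(tag, destination, **attrs):
    elem = ET.Element(f"{{{NS_SAMLP}}}{tag}", {"ID": _new_id(), "Version": "2.0",
                      "IssueInstant": _now(), "Destination": destination, **attrs})
    ET.SubElement(elem, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return elem


def build_authn_request():
    """Use case 1: identification request addressed to the IdP's SSO endpoint."""
    return _message("AuthnRequest", IDP_SSO_URL,
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                    AssertionConsumerServiceURL=SP_ACS_URL)


def build_logout_request(name_id, session_index):
    """Use case 3: SP-initiated logout of the single sign-on session."""
    req = _message("LogoutRequest", IDP_SLO_URL)
    ET.SubElement(req, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return req


def build_logout_response(in_response_to, status=STATUS_SUCCESS):
    """Use case 6: answer to a LogoutRequest the IdP sent us."""
    resp = _message("LogoutResponse", IDP_SLO_URL, InResponseTo=in_response_to)
    st = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(st, f"{{{NS_SAMLP}}}StatusCode", {"Value": status})
    return resp


def check_inbound(elem, expected_destination, outstanding_ids=None):
    """Use cases 2, 4 and 5: checks to run before acting on any received message.
    It must be addressed to our endpoint, come from the IdP we trust, and, for
    responses, answer a request we actually sent (guards against injected replies)."""
    if elem.get("Destination") != expected_destination:
        raise ValueError("Destination mismatch")
    issuer = elem.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    if outstanding_ids is not None and elem.get("InResponseTo") not in outstanding_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    return True


def redirect_binding_encode(elem, param="SAMLRequest", relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(ET.tostring(elem)) + comp.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_binding_decode(query, param):
    """Reverse of the above, with a bounded inflate so a tiny query cannot expand without limit."""
    value = urllib.parse.parse_qs(query, strict_parsing=True)[param][0]
    raw = base64.b64decode(value, validate=True)
    d = zlib.decompressobj(-15)
    xml = d.decompress(raw, 1 << 20)
    if d.unconsumed_tail:
        raise ValueError("inflated message exceeds 1 MiB")
    return ET.fromstring(xml)


def post_binding_encode(elem):
    """HTTP-POST binding: base64 of the XML only, carried in a form field (no DEFLATE)."""
    return base64.b64encode(ET.tostring(elem)).decode("ascii")


def post_binding_decode(value):
    return ET.fromstring(base64.b64decode(value, validate=True))
```

The two bindings differ only in the encoding step (the Redirect binding DEFLATEs before base64, the POST binding does not), which is the usual source of "message cannot be decoded" errors when integrating; the checks in `check_inbound` are the minimum a service provider performs on every received message in addition to validating the XML signature.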