
# FranceConnect

# About FranceConnect

FranceConnect is a public eID scheme for France. It is a hub for a number of identity providers in France. A shortlist of available identity providers is listed below:

You must set up an agreement with FranceConnect

Neither Signicat nor any other party can act as a broker towards FranceConnect. Instead, Signicat runs the flow on behalf of the service provider, using the service provider's own FranceConnect client credentials (the client ID and client secret issued by FranceConnect). As a service provider, you must therefore set up an agreement directly with FranceConnect; only French companies can enter into such an agreement. For how to enter into an agreement, see How to onboard to FranceConnect.

Signicat has no direct contractual relationship with FranceConnect. This has certain technical implications:

  • You (the service provider) are the owner of your FranceConnect client(s) (Signicat does not own it).
  • You must manage the client configuration directly through FranceConnect's management portal: https://partenaires.franceconnect.gouv.fr/login
  • To be able to test or use FranceConnect, you must establish your own client with FranceConnect first (for more information, see How to onboard to FranceConnect).

# Contact Signicat for more information

This page gives you a high-level introduction to FranceConnect, how to onboard, and how to get started with the integration. If you need more information, please contact Signicat.

# Key features

The following FranceConnect features are supported through Signicat:

# Level of Assurance

Identity providers in FranceConnect mainly support the eIDAS "Low" Level of Assurance (LoA). Since January 2021, two identity providers (Mobile Connect et Moi and La Poste) also offer the eIDAS "Substantial" LoA. The level actually used for a login is reported in the fc.acr claim of the response (eidas1 for Low, eidas2 for Substantial), so check that claim if your use case requires more than "Low".

# Use cases

Notes about usage:

  • FranceConnect cannot be used in an iframe, since some identity providers do not allow it.
  • FranceConnect does not support forced re-authentication. As long as the user has an active FranceConnect session and has not been logged out, the user is not prompted to authenticate again, so a fresh authentication can only be obtained after a logout.
  • FranceConnect requires that users are logged out within 15 minutes of a login. For details, see the Logout section.

A typical login flow for FranceConnect consists of the following main steps.

  1. The user selects the identity provider.
  2. The user provides their login credentials.
  3. The user confirms that they will share their details with the service provider.

These login steps are the same regardless of what the use-case is.

Screen images of the login flow were shown here as a slideshow (not reproduced).

# Digital onboarding

You can use FranceConnect to retrieve claims about the end-user, for example for digital onboarding purposes. With this flow, Signicat automatically logs out the user after a successful authentication.

Here is a sample response for a successful identification (OIDC):

```json
{
  "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
  "birthdate": "1962-08-24",
  "family_name": "DUBOIS",
  "given_name": "Angela Claire Louise",
  "gender": "female",
  "email": "example@example.com",
  "fc.birthcountry": "99100",
  "fc.birthplace": "75107",
  "fc.acr": "eidas1",
  "fc.idp": "FC",
  "fc.issuer": "https://fcp.integ01.dev-franceconnect.fr",
  "fc.preferredUsername": "exampleUsername",
  "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)",
  "signicat.issuer_friendly_name": "FC",
  "signicat.friendly_name": "FranceConnect (FC)",
  "signicat.security_level": 2
}
```

# Authentication

You can use FranceConnect to log in returning users to your service. The only user-specific claim returned is the user's unique identifier (sub); no name or other identity attributes are included, so the sub must be matched against the account you created when the user was onboarded.

Here is an example response of a successful login:

```json
{
  "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
  "fc.acr": "eidas1",
  "fc.idp": "FC",
  "fc.issuer": "https://fcp.integ01.dev-franceconnect.fr",
  "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)",
  "signicat.issuer_friendly_name": "FC",
  "signicat.friendly_name": "FranceConnect (FC)",
  "signicat.security_level": 2
}
```
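The two responses above (digital onboarding and authentication) share the claims a service provider should check before trusting the login: the issuer, the assurance level in fc.acr, the presence of sub, and the presence of fc.idToken that the mandatory logout needs later. The following is an added example of those checks, not Signicat or FranceConnect code; the function names and the policy arguments are chosen for illustration, and the sample claim sets are constructed from the two responses shown on this page.

```python
"""Checks to run on the claims Signicat returns after a FranceConnect login,
before a service provider trusts them. Added example, not Signicat or
FranceConnect code: function names and policy arguments are illustrative,
and the sample claim sets are constructed from the responses on this page."""

from typing import Any, Dict, Mapping

# FranceConnect reports the eIDAS Level of Assurance in the acr claim.
ACR_LEVELS: Dict[str, int] = {"eidas1": 1, "eidas2": 2, "eidas3": 3}  # Low, Substantial, High

# Issuer of the integration (preproduction) environment, as in the samples above.
PREPROD_ISSUER = "https://fcp.integ01.dev-franceconnect.fr"

# Identity attributes that only the digital-onboarding flow returns.
IDENTITY_CLAIMS = ("family_name", "given_name", "birthdate", "gender",
                   "fc.birthplace", "fc.birthcountry", "email")
REQUIRED_FOR_ONBOARDING = ("family_name", "given_name", "birthdate")


class FranceConnectClaimsError(ValueError):
    """The response must not be accepted."""


def validate_fc_claims(claims: Mapping[str, Any], *, expected_issuer: str,
                       min_acr: str = "eidas1",
                       require_identity: bool = False) -> Dict[str, Any]:
    """Return the trusted subset of a FranceConnect response, or raise.

    expected_issuer pins the environment, so a preproduction response can never
    be accepted by a production deployment; min_acr is the lowest acceptable LoA.
    """
    if min_acr not in ACR_LEVELS:
        raise ValueError(f"min_acr must be one of {sorted(ACR_LEVELS)}")

    # sub is the only stable key for a returning user; without it there is no login.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise FranceConnectClaimsError("missing sub")

    issuer = claims.get("fc.issuer")
    if issuer != expected_issuer:
        raise FranceConnectClaimsError(f"unexpected issuer {issuer!r}")

    acr = claims.get("fc.acr")
    if acr not in ACR_LEVELS:
        raise FranceConnectClaimsError(f"unknown acr {acr!r}")
    if ACR_LEVELS[acr] < ACR_LEVELS[min_acr]:
        raise FranceConnectClaimsError(f"{acr} is below the required {min_acr}")

    # fc.idToken is needed as id_token_hint for the logout that must follow
    # within 15 minutes; a response without it cannot be used correctly.
    id_token = claims.get("fc.idToken")
    if not isinstance(id_token, str) or not id_token:
        raise FranceConnectClaimsError("missing fc.idToken")

    identity = {k: claims[k] for k in IDENTITY_CLAIMS if k in claims}
    if require_identity:
        missing = [k for k in REQUIRED_FOR_ONBOARDING if k not in identity]
        if missing:
            raise FranceConnectClaimsError(f"onboarding needs {missing}")

    return {"sub": sub, "acr": acr, "loa": ACR_LEVELS[acr],
            "id_token": id_token, "identity": identity}


def rejects(claims: Mapping[str, Any], **policy: Any) -> bool:
    """True if validate_fc_claims refuses the response under the given policy."""
    try:
        validate_fc_claims(claims, **policy)
    except FranceConnectClaimsError:
        return True
    return False


# Constructed samples, taken from the two responses shown on this page.
SAMPLE_ONBOARDING = {
    "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
    "birthdate": "1962-08-24", "family_name": "DUBOIS",
    "given_name": "Angela Claire Louise", "gender": "female",
    "email": "example@example.com",
    "fc.birthcountry": "99100", "fc.birthplace": "75107",
    "fc.acr": "eidas1", "fc.idp": "FC", "fc.issuer": PREPROD_ISSUER,
    "fc.preferredUsername": "exampleUsername",
    "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)",
    "signicat.security_level": 2,
}
SAMPLE_AUTH = {k: SAMPLE_ONBOARDING[k] for k in
               ("sub", "fc.acr", "fc.idp", "fc.issuer", "fc.idToken", "signicat.security_level")}

if __name__ == "__main__":
    print(validate_fc_claims(SAMPLE_ONBOARDING, expected_issuer=PREPROD_ISSUER, require_identity=True))
    print(rejects(SAMPLE_AUTH, expected_issuer=PREPROD_ISSUER, min_acr="eidas2"))
```

The issuer pin is the check most often forgotten: the preproduction and production clients are separate registrations, and a production deployment that accepts the integration issuer would accept identities from FranceConnect's test environment.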

# Logout

Logout within 15 minutes

FranceConnect requires users to be logged out within 15 minutes after login, so every login must be followed by a logout.

A logout can be triggered either by the end-user (how the user initiates it is up to the service provider) or by the service provider, which must do so itself if the user has not logged out before the 15 minutes expire. In both cases, the service provider must have saved the value of the fc.idToken attribute from the login response and pass it as the prefilled parameter id_token_hint in the request to Signicat's FranceConnect Logout method. Keep this value server-side, bound to the user's session, rather than exposing it to the browser.

For OIDC, you set this up as follows:

login_hint=id_token_hint-VALUE

See also the parameter descriptions in Authentication.

For SAML2, you set this up as follows:

<signicat:Prefilled xmlns:signicat="urn:signicat" Parameter="id_token_hint">VALUE</signicat:Prefilled>

See also Specifying prefilled information.

Optionally, the service provider can also prefill a state attribute in the same way as id_token_hint. This is an opaque value used to maintain state between the logout request and the callback to the service provider's post-logout redirect URI. Generate it randomly for each logout request and check it on the callback, so that a callback can be matched to the request that caused it. The post-logout redirect URI is the location the end-user is redirected to after a successful logout (typically a landing page on the service provider's domain); you must supply this redirect URI to Signicat in advance.
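The service-provider side of the logout section above, as an added example that is not Signicat's or FranceConnect's code: the id token from the login response is kept server-side, sessions that are about to exceed the 15-minute window are surfaced so the service provider can log them out itself, the logout request is built from the id_token_hint and state prefills, and the state is checked on the post-logout callback. It assumes an in-memory session store and a clock value passed in by the caller; the parameter names id_token_hint and state and the OIDC login_hint=id_token_hint-VALUE form come from this page, while rendering state in that same form is an assumption.

```python
"""Service-provider session handling for the FranceConnect logout rule.
Added example, not Signicat's or FranceConnect's code. Assumes an in-memory
store and a caller-supplied clock; the id_token_hint-VALUE login_hint form is
from this page, applying the same form to state is an assumption."""

import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

LOGOUT_DEADLINE_SECONDS = 15 * 60  # FranceConnect: log out within 15 minutes of login


@dataclass
class FcSession:
    sub: str                            # user identifier from the login response
    id_token: str                       # fc.idToken, later passed as id_token_hint
    login_at: float                     # epoch seconds
    logout_state: Optional[str] = None  # set once a logout request is issued
    logged_out: bool = False


class FcSessionStore:
    """Keeps sessions and their id tokens server-side, never in a client cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, FcSession] = {}

    def create(self, claims: Dict[str, str], now: Optional[float] = None) -> str:
        """Register a session from a Signicat login response; returns the session id."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = FcSession(claims["sub"], claims["fc.idToken"], now)
        return sid

    def seconds_until_deadline(self, sid: str, now: Optional[float] = None) -> float:
        now = time.time() if now is None else now
        return self._sessions[sid].login_at + LOGOUT_DEADLINE_SECONDS - now

    def overdue(self, now: Optional[float] = None) -> List[str]:
        """Sessions the service provider must log out itself, the user not having done so."""
        return [sid for sid, s in self._sessions.items()
                if not s.logged_out and self.seconds_until_deadline(sid, now) <= 0]

    def logout_prefill(self, sid: str) -> Dict[str, str]:
        """Prefilled parameters for the request to Signicat's FranceConnect Logout method."""
        s = self._sessions[sid]
        if s.logged_out:
            raise ValueError("session already logged out")
        s.logout_state = secrets.token_urlsafe(16)  # fresh, unguessable, bound to this session
        return {"id_token_hint": s.id_token, "state": s.logout_state}

    @staticmethod
    def oidc_login_hints(prefill: Dict[str, str]) -> List[str]:
        """Render each prefill as the <parameter>-<value> login_hint form shown above."""
        return [f"{name}-{value}" for name, value in prefill.items()]

    def complete_logout(self, sid: str, state_from_callback: object) -> bool:
        """Handle the post-logout redirect: accept only the state issued for this session."""
        s = self._sessions.get(sid)
        if s is None or s.logout_state is None or s.logged_out:
            return False
        if not isinstance(state_from_callback, str):
            return False
        if not secrets.compare_digest(s.logout_state.encode(), state_from_callback.encode()):
            return False
        s.logged_out = True
        s.id_token = ""  # the token has served its purpose; do not keep it around
        return True


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock; the token value is a placeholder.
    store = FcSessionStore()
    t0 = 1_700_000_000.0
    sid = store.create({"sub": "example-sub", "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)"}, now=t0)
    prefill = store.logout_prefill(sid)
    print(FcSessionStore.oidc_login_hints(prefill))
    print(store.complete_logout(sid, prefill["state"]))
    print(store.overdue(now=t0 + LOGOUT_DEADLINE_SECONDS))
```

In a real deployment, overdue() would be polled by a background job that issues the logout request for each returned session, since the 15-minute rule applies whether or not the user ever clicks "log out".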

# Digital signing

FranceConnect can be used for digital signatures using Signicat's Sign API. With this flow, Signicat automatically logs out the user after a successful authentication.

# How to onboard to FranceConnect

To get started with FranceConnect, you must apply for authorisation and establish an agreement directly with FranceConnect via the FranceConnect partner portal.

Signicat can help you with the registration (see alternative A below).

# Alternative A: Signicat helps with the registration

  1. Log in to the FranceConnect partner portal.
  2. Go to Editer le FS > Gérer les accès and enter your Signicat onboarding manager's email address.
  3. Your Signicat onboarding manager now has access as a collaborator and can complete the rest of the registration for you.

# Alternative B: Register manually on your own

You can also register on your own in the FranceConnect partner portal. If you do, make sure that all values are entered exactly as specified below, in particular the callback and logout redirect URIs, since FranceConnect only redirects to the URIs registered here.

# Register for Preproduction

  1. Log in to the FranceConnect partner portal.

  2. Go to Editer le FS.

  3. Make note of the Client ID (Identifiant client) and Client Secret (Clé secrète), since you must supply these to Signicat later. Treat the client secret as confidential.

  4. Fill in the Edition du Fournisseur de Service form. Make sure that both the URLs de callback and URLs de redirection de déconnexion are filled in with Signicat's preproduction redirect URI. This will be one of the following:

  • https://preprod.signicat.com/std/redirect

  • https://eu01.preprod.signicat.com/std/redirect

    If you are unsure which one applies for you, contact your onboarding manager.

  5. Fill in the rest of the fields about you as the service provider.
  6. Inform Signicat of your Client ID and Client Secret from step 3. Signicat will let you know when your preproduction setup is ready for testing, after which you can proceed to register for production (see the next section).

# Register for Production

  1. Log in to the FranceConnect partner portal.

  2. Go to Mettre mon FS en production.

  3. Fill in the Configurer mon service en production form. Ensure the URLs de callback de connexion and URLs de callback de déconnexion fields are filled in with Signicat's production redirect URI. This will be one of the following:

  • https://id.signicat.com/std/redirect

  • https://eu01.signicat.com/std/redirect

If you are unsure which one applies for you, contact your onboarding manager.

If the URI used is https://id.signicat.com/std/redirect, Plage d'adresses IP du serveur MUST have the value 79.171.83.176. If the URI used is https://eu01.signicat.com/std/redirect, Plage d'adresses IP du serveur MUST have the value 79.171.83.180. This is the address of the Signicat server that talks to FranceConnect on your behalf, so it must match the redirect URI you registered.

Numéro de téléphone pour envoi de la clé secrète client par SMS must contain a French mobile phone number; the production client secret is sent to it by SMS.

  4. Fill in the rest of the fields about you as the service provider. You can ignore the Configuration pour l'accès aux statistiques field.

After the request is accepted, you will receive your production Client ID and Client Secret from FranceConnect.

Note the application processing time

The application process with FranceConnect takes around 10-15 days.

Last updated: 12/04/2022 11:03 UTC