# Samleikin

Samleikin is the national eID of the Faroe Islands. It was launched in autumn 2020.

Samleikin is governed by the tax and financial agency, Gjaldstovan, and is part of the digital services of the Faroe Islands developed under the national digitalisation programme, Talgildu.

Samleikin can be issued to anyone listed in the Faroese population register and having a Faroese P-tal (national ID number). The Faroe Islands is an autonomous territory within Denmark. Although most inhabitants are Danish citizens, a Faroese inhabitant does not possess a Danish national ID number (CPR number) unless the person additionally fulfils the requirements for registration in the Danish population register.

Samleikin is available as a mobile app (preferred solution) or as a USB key. Samleikin does not have built-in functionality for signing.

# Key features

The integration enables Signicat customers to offer services to residents of the Faroe Islands using the Faroese eID Samleikin. Signicat's integration of Samleikin offers the following features:

# Authentication

When Samleikin is selected as the authentication method, either by configuration or by user selection, Signicat redirects to the Samleikin IdP, which presents the user authentication dialogue necessary to activate the user's Samleikin app.

# Use case

In the following scenario, a Faroese resident logs into a website of a service provider. The service provider wants to authenticate this user:

  • Signicat redirects the user to the Samleikin Login web form (see image slider below).
  • The user enters the p-tal (Faroese national ID number) and selects the login method to use, either a previously configured mobile app (the usual case) or a USB key.
  • When using the mobile app, Samleikin displays a random picture of the Faroe Islands and sends a notification to the user’s mobile app.
  • The user clicks on the notification and is presented with the same picture.
  • The user confirms the login on the mobile if the pictures are the same on both devices.
  • After confirming that the pictures match, the user enters their personal PIN number (this PIN was created during the initial setup of the mobile app).
  • If the PIN number is correct, a Login successful screen is displayed on the mobile. Signicat returns the result of the authentication to the service provider.

Here is an example flow of how the authentication may look with a test user:

[Image slider: screenshots of the Samleikin authentication flow with a test user]

# Electronic signing

Samleikin does not support native signing. However, Signicat's integration with Samleikin allows you to use Signicat's authentication-based signing. This signing method provides an Advanced Electronic Signature according to the EU eIDAS regulation.

# Use case

In this scenario, the service provider requires the user to sign a document (or several documents):

  • The service provider sends a signing request to Signicat.
  • The user is either redirected from the service to Signicat Sign (synchronous signing) or alerted that a signing request is waiting (asynchronous signing) at a specific link.
  • The user accesses the sign request, opens the document(s) to sign, and consents to sign.
  • Signicat redirects to Samleikin for authentication. The authentication follows the same flow as shown in the above image slider, starting with the Login screen.
  • Upon successful authentication, the signing process is completed and the signed document is returned to the service provider.

The authentication-based signing can be illustrated as follows:

[Figure: authentication-based signing flow]

# Single sign-on and single logout

Signicat does not provide single sign-on and single logout services when using Samleikin. The user must authenticate every time Signicat redirects to Samleikin, even when the user has an existing session resulting from a previous Samleikin authentication.

# Information returned from the service

The following identity profiles are defined (see Samleikin Attribute Specification):

  • Pseudonymous identity: Provides no attributes, except for an opaque, persistent identifier (unique-id) that can be used to identify a returning user without revealing the actual identity.
  • Natural person identity without civic registration number (p-tal): Consists of unique-id, surname, given name, and display name. See more details in the below subsections.
  • Age only: Consists of unique-id and the date of birth in the YYYY-MM-DD format.
  • Natural person identity with civic registration number: Consists of, at least, unique-id, national-id (the Faroese National Identity Number or p-tal), surname, given name, and display name.

Additionally, the Samleikin integration can also include the country of citizenship of the authenticated user.

Descriptions of some key attributes follow (see also the example attributes below for a full list):

  • unique-id: The unique identifier is defined as an opaque, persistent and targeted identifier, meaning its value is unique for the combination of IdP (Samleikin) and relying party. This is created dynamically every time the user authenticates, using persistent information. Its syntax is a 32-byte, randomly generated string.
  • name: While surname (sn) and first name (givenName) are the officially registered names of the user, the display name is defined as "a name in any preferred presentation format". Usually, it will be the concatenation of first name and surname but it can also be the name commonly used by the user, which could be different.
  • p-tal: The national identity number or p-tal, when present, is encoded as a 9-digit number.

# Security level

The Faroe Islands has its own assurance level framework based on eIDAS assurance levels. Samleikin is at the Faroese level "substantial".

# Faroese language support

Faroese is the official language of the islands and is used throughout both the government and the private sector. For the government, the second language is English or Danish. As part of Signicat's support for Samleikin, the Faroese language is added to Signicat's platform.

# How to integrate with Samleikin through Signicat

The integration is done via the same API as Signicat's other ID methods. For more information, see Getting started with authentication. Through the single point of integration, you will get access to Signicat's wide portfolio of integrated ID methods.

Tip: Before you set up the service, look at the attribute sets specified in the Samleikin Attribute Specification and choose one of the sets that fit your needs for user information. When you contact Signicat to set up the service, remember to indicate which attribute set you would like to request. Also, keep in mind that countryOfCitizenship can be requested independently of which attribute set is chosen.

# Example attributes returned by Samleikin

| Attribute name | Attribute value |
| --- | --- |
| `subject.name` | `VJ3HJJFDFEYF6TFD6CVGMJWAD7T6YMT7` |
| `subject.format` | `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` |
| `subject.nameQualifier` | `https://innrita.staging.samleiki.fo/idp/shibboleth` |
| `authentication.method` | `urn:signicat:names:SAML:2.0:ac:Samleikin` |
| `authentication.instant` | `Thu Nov 19 09:56:42 CET 2020` |
| `signicat.friendly-name` | `Samleikin` |
| `signicat.service-name` | `<customer name>` |
| `signicat.method-name` | `samleikin` |
| `signicat.unique-id` | `VJ3HJJFDFEYF6TFD6CVGMJWAD7T6YMT7` |
| `signicat.security-level` | `3` |
| `signicat.national-id` | `120554026` |
| `signicat.nationality` | `FO` |
| `signicat.plain-name` | `Ansa Rasmussen` |
| `signicat.issuer-friendly-name` | `[Innrita til Samleikan, Samleikin Authentication]` |
| `samleikin.personalIdentityNumber` | `120554026` |
| `samleikin.displayName` | `Ansa Rasmussen` |
| `samleikin.countryOfCitizenship` | `Danmark` |
| `samleikin.givenName` | `Ansa` |
| `samleikin.sn` | `Rasmussen` |

# Example OpenID Connect response

An example of how to use the access token to return a JSON response containing the end-user’s information:

```
# UserInfo request:
curl -XGET "https://preprod.signicat.com/oidc/userinfo" -H "Authorization: Bearer ACCESS_TOKEN"
# UserInfo response:
{
	"family_name": "Rasmussen",
	"given_name": "Ansa",
	"name": "Ansa Rasmussen",
	"nationality": "FO",
	"signicat.national_id": "120554026",
	"sub": "VJ3HJJFDFEYF6TFD6CVGMJWAD7T6YMT7",
	"subject.nameid.namequalifier": "Samleikin"
}
```
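A relying party can check a UserInfo response against the identity profile it asked Signicat to configure before it uses the claims. The following is an added example, not Signicat's code: the profile-to-claim mapping, the `check_userinfo` name and the character class for `sub` are assumptions based on the sample above, and the age-only profile is left out because its claim name is not shown on this page.

```python
import re

# Claim names are those in the UserInfo response above. Which claims belong to
# which profile is this example's mapping of the page's profile list (assumption).
NAME_CLAIMS = {"family_name", "given_name", "name"}
PROFILES = {
    "pseudonymous": set(),
    "person": NAME_CLAIMS,
    "person_with_ptal": NAME_CLAIMS | {"signicat.national_id"},
}
# Treated as profile-independent in this example (assumption).
ALWAYS_ALLOWED = {"sub", "subject.nameid.namequalifier", "nationality"}
SUB_RE = re.compile(r"[A-Z0-9]{32}")  # assumption: inferred from the sample value
PTAL_RE = re.compile(r"[0-9]{9}")     # page: the p-tal is a 9-digit number

def check_userinfo(claims, profile, id_token_sub):
    """Return a list of problems; an empty list means the response is acceptable."""
    problems = []
    sub = claims.get("sub")
    if not isinstance(sub, str) or not SUB_RE.fullmatch(sub):
        problems.append("sub is not a 32-character opaque identifier")
    if sub != id_token_sub:
        # OpenID Connect Core: the UserInfo sub must match the ID token sub.
        problems.append("sub differs from the ID token")
    if claims.get("subject.nameid.namequalifier") != "Samleikin":
        problems.append("login did not use Samleikin")
    present = set(claims) - ALWAYS_ALLOWED
    for missing in sorted(PROFILES[profile] - present):
        problems.append(f"missing claim: {missing}")
    for extra in sorted(present - PROFILES[profile]):
        problems.append(f"unrequested claim: {extra}")  # data minimisation check
    ptal = claims.get("signicat.national_id")
    if ptal is not None and not (isinstance(ptal, str) and PTAL_RE.fullmatch(ptal)):
        problems.append("national id is not 9 digits")
    return problems

# Constructed sample: the UserInfo response shown above.
SAMPLE_USERINFO = {
    "family_name": "Rasmussen", "given_name": "Ansa", "name": "Ansa Rasmussen",
    "nationality": "FO", "signicat.national_id": "120554026",
    "sub": "VJ3HJJFDFEYF6TFD6CVGMJWAD7T6YMT7",
    "subject.nameid.namequalifier": "Samleikin",
}
```

Key local accounts on `sub` rather than on the name or the p-tal, since `sub` is the identifier the page describes as persistent and targeted to the relying party.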

# Example SAML2 assertion

```xml
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="ID4771sdudsfheo30ugjqtg58jcmz1q52c40sfi9z543840uz9n6" IssueInstant="2020-12-02T10:42:26.839Z" Version="2.0">
  <saml2:Issuer>https://test.signicat.com/std</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Samleikin">VJ3HJJFDFEYF6TFD6CVGMJWAD7T6YMT7</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="ID4g39x0va19qsr7q9rd77u928vab88qnc0w0bf76cwdydnk18af" NotOnOrAfter="2020-12-02T10:42:56.839Z" Recipient="https://id.signicat.com/"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2020-12-02T10:42:26.839Z" NotOnOrAfter="2020-12-02T10:42:56.839Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://toolboxnode.net</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2020-12-02T10:42:25.161Z" SessionIndex="68rmm72jra8q72m6b26oykpj7vj6ej7d8vkj1nu16t16zsqwkj">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:signicat:SAML:2.0:ac:custom:samleikin</saml2:AuthnContextClassRef>
      <saml2:AuthnContextDeclRef>urn:signicat:SAML:2.0:ac:ref:service:samleikin</saml2:AuthnContextDeclRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="samleikin.personal-identity-number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">120554026</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samleikin.sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Rasmussen</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Rasmussen</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samleikin.country-of-citizenship" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Danmark</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="national-identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">120554026</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samleikin.display-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ansa Rasmussen</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samleikin.given-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ansa</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="given-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ansa</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="national-identity-country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FO</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="common-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ansa Rasmussen</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
```
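The checks a service provider would run on an assertion like the one above, once its SAML library has verified the signature on the response. This is an added example, not Signicat's code: `check_assertion` and its parameters are hypothetical names, and the sample is the page's assertion trimmed to one attribute.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMLEIKIN_CTX = "urn:signicat:SAML:2.0:ac:custom:samleikin"  # value from the page's sample

def _ts(value):
    # SAML instants are UTC, e.g. 2020-12-02T10:42:26.839Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, *, issuer, audience, recipient, request_id, now):
    """Run only AFTER signature verification. Returns (attributes, problems).
    Malformed input raises, which callers should treat as rejection."""
    a = ET.fromstring(xml_text)
    cond = a.find("s:Conditions", NS)
    scd = a.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return {}, ["assertion lacks Conditions or SubjectConfirmationData"]
    problems = []
    if a.findtext("s:Issuer", namespaces=NS) != issuer:
        problems.append("unexpected issuer")
    in_window = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    if not in_window or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("outside validity window")
    if audience not in [e.text for e in cond.iterfind(".//s:Audience", NS)]:
        problems.append("audience mismatch")
    if scd.get("InResponseTo") != request_id:
        problems.append("not a response to our request")
    if scd.get("Recipient") != recipient:
        problems.append("recipient mismatch")
    if a.findtext(".//s:AuthnContextClassRef", namespaces=NS) != SAMLEIKIN_CTX:
        problems.append("not a Samleikin authentication")
    attrs = {x.get("Name"): x.findtext("s:AttributeValue", namespaces=NS)
             for x in a.iterfind("s:AttributeStatement/s:Attribute", NS)}
    return attrs, problems

# Constructed sample: the assertion above, trimmed to one attribute.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID4771sdudsfheo30ugjqtg58jcmz1q52c40sfi9z543840uz9n6" IssueInstant="2020-12-02T10:42:26.839Z" Version="2.0">
<saml2:Issuer>https://test.signicat.com/std</saml2:Issuer>
<saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ID4g39x0va19qsr7q9rd77u928vab88qnc0w0bf76cwdydnk18af" NotOnOrAfter="2020-12-02T10:42:56.839Z" Recipient="https://id.signicat.com/"/>
</saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2020-12-02T10:42:26.839Z" NotOnOrAfter="2020-12-02T10:42:56.839Z"><saml2:AudienceRestriction>
<saml2:Audience>https://toolboxnode.net</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-12-02T10:42:25.161Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:signicat:SAML:2.0:ac:custom:samleikin</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement>
<saml2:AttributeStatement><saml2:Attribute Name="national-identity"><saml2:AttributeValue>120554026</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion>"""
```

The sample assertion is valid for 30 seconds, so the service provider's clock must be synchronised. Because it is a bearer assertion, also record each assertion `ID` until `NotOnOrAfter` and refuse a second use.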

# Test information

Signicat's test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase. You also need to contact Samleikin to get a test account and to be able to install the mobile app needed for authentication.

# Other information

See the Samleikin home page.

Last updated: 3/1/2021, 12:00:45 AM