About Finnish Online Bank Identification (TUPAS)
Online Bank Identification (TUPAS) is an identification method provided by several Finnish banks within the framework of Finnish Trust Network (FTN). Its main purpose is to serve as a strong identification method. Online Bank Identification allows businesses and organizations that provide Internet services to authenticate their customers with bank identification credentials issued by the Finnish online banks offering the service. The Finnish Trust Network (FTN) regulation came into force in May 2017. As a result, third-party prices have been significantly lowered and the process of signing agreements with banks has been simplified, as only one agreement is needed for all the banks that are part of this network.
Please note that the technical TUPAS protocol will no longer be considered suitable as the API of a strong identification method after 2019-09-30. Banks will move to new technical protocols (SAML2 or OIDC) for online identification before that date.
In the online bank identification service, a bank authenticates a customer by a strong authentication method. The identification credentials issued by the service can also be used for signing documents electronically if so agreed by the customer and the service provider.
Each bank authenticates their customers with the same bank-specific identifiers that the customer uses in the bank’s own services. The following banks are members of the Finnish Trust Network:
- OP Bank Group
- Danske Bank
- Säästöpankki (Savings Bank)
- POP Bank
- Bank of Åland
There is also a mobile implementation called Mobiilivarmenne, which uses SIM Toolkit technology. Unlike the Finnish online banks, Mobiilivarmenne uses roaming information, so a customer of any one of the mobile providers can log in through all of them. The following mobile providers supply Mobiilivarmenne:
This is a process description for establishing a merchant application with Finnish TUPAS.
The process describes the interaction between the Customer, the TUPAS Banks and Signicat Operations when developing and establishing a web application that uses TUPAS. The process contains descriptions of all the players' tasks.
The process is described as a sequence of steps, where each step has a natural end state. The descriptions are mainly high-level and without technical details.
Signicat may, if the Customer wishes, perform some of the steps on behalf of the Customer.
- Customer signs agreement with Signicat AS
- Customer performs technical integration with Id.Signicat
- Signicat configures the TUPAS service for test
- Customer performs acceptance test of solution in test environment
- Signicat configures the TUPAS service for production
- Customer performs acceptance test of solution in production environment
The end state is that at least one of the following functions is available and working in the Customer's web application, using the Signicat services:
- Secure identification of Internet users, using TUPAS.
- Digital signing of documents, using TUPAS.
1. Customer signs agreement with Signicat AS
The Customer signs an agreement with Signicat AS. This agreement specifies:
- the SLA between the Customer and Signicat AS
- the number of ID-methods (authentication, signing, verification, etc)
- the number of ID-solutions (TUPAS, Swedish BankID, etc)
- the number of graphical profiles the Customer needs
- any additional items deemed necessary
2. Customer signs agreements with the TUPAS Banks
This step takes place between the Customer and each of the TUPAS Banks.
The Customer (service provider) must enter into a contract for the TUPAS bank certification service with every bank whose service is to be used. A separate contract must be made with each bank.
In each contract several parameters must be agreed:
- Service Provider ID: merchant id or an identifier that uniquely identifies the Customer.
- Mac key version: this identifies the secret service provider specific key.
- Type of end-user identifier in the certificate: personal identity number, business ID, etc.
- Format of end-user identifier in the certificate (may be plain text, encrypted, ..)
The Mac key, a secret service provider specific key used to secure communication, will be sent to the Customer from each bank (step 6).
3. Customer performs technical integration with Id.Signicat
After the agreements are signed, the Customer performs technical integration with Id.Signicat. This includes:
- Installation and programming with the Signicat client kit
- Testing the integration
Technical integration can be performed with Signicat’s common TUPAS service.
4. Signicat configures the TUPAS service for test
Once the contract has been signed, the bank delivers the bank-specific Service Provider ID and pass phrase to the Customer. The data is delivered to the service provider through a bank-specific procedure, either electronically or on paper.
The Customer forwards this information to Signicat.
Important tasks in this step:
- Signicat receives configuration data for each Tupas bank from the Customer.
- Signicat sets up a configuration consisting of all the TUPAS banks that the Customer has agreements with.
- Signicat installs customer specific graphical profiles.
5. Customer performs acceptance test of solution in test environment
Important tasks in this step:
- The Customer integrates/configures the web application with its own Tupas service in the test environment.
- The Customer performs the acceptance test in the test environment. The test must cover each of the Tupas banks. The bank-specific data used in the testing phase is available in the service descriptions of each bank.
TUPAS requires each bank to implement its own test service. However, not all banks have done this. The test user table later on this page shows information about the test users of the banks that do offer a test service.
6. Customer receives the Mac key and Service Provider ID from each bank
The Customer receives the Mac key and the Service Provider ID from each bank. This information must be sent to Signicat in a secure way.
7. Signicat configures the TUPAS service for production
Signicat receives the secret parameters for each Tupas Bank from the Customer, and creates a configuration in the production environment for the Customer.
8. Customer performs acceptance test of solution in production environment
The Customer integrates with the TUPAS configuration in Signicat's production environment and performs the acceptance test. The test must cover each of the Tupas banks. This test must be performed with real Tupas users.
This page contains relevant info when setting up a customer specific production environment with TUPAS.
Testing your TUPAS production secret keys
When you have your own TUPAS configuration on Id.Signicat, you should test your Tupas secret keys for production. The test must be carried out by authenticating real users, or signing documents on your configuration for production.
Typical login and signature screenshots
1. Select TUPAS Bank
The first step shows a list of the TUPAS banks the Customer has an agreement with. The Customer can select one of two predefined layouts when setting up the service, or opt to style the bank selection themselves. The end-user selects one of the banks in the list, e.g. LähiTapiola.
2. Select language
Some of the TUPAS banks do not support English text. If this is the case, the end-user must specify which language to use.
3. Identify yourself on TUPAS bank identification service
After bank and language have been selected, the end-user is redirected to the selected TUPAS bank's identification service.
4. Enter the service provider's web application
After successful identification by the TUPAS bank's identification service, the end-user is redirected to the service provider's protected web pages.
Each TUPAS bank offers a TUPAS service for testing purposes. All these test services, for all TUPAS banks, are available from Signicat's test environment.
In some banks' test services it is possible to use real TUPAS users for testing, but most banks provide only one common test user for their TUPAS test service. The table below contains information about the test users of the different TUPAS banks.
Signicat cannot order or create customer-specific test users for TUPAS. The number of test users is probably not sufficient for most merchants. This can be compensated for by carrying out acceptance tests in production, with real Tupas users.
|Bank|Name|National identification number|Username|Password|OTP|
|---|---|---|---|---|---|
|Nordea 1)|TESTAA PORTAALIA|210281-9988|prefilled|prefilled| |
|Bank of Åland|DEMO ANNA|010170-960F|12345678|12345|Any 4 digits|
|Aktia 1)|TERO TESTAAJA|010170-999R|12345678|123456|1234|
|Danske Bank|Offers no test users, but real Tupas users from Sampo can be used in the test environment as well| | | | |

- 1) Nordea's and Aktia's test services only use the selected language on the first page of the login sequence. The following pages are always in Finnish.
- The test services of Handelsbanken, Säästöpankki, POP pankki and OmaSP show login pages in both Finnish and Swedish, but the following pages are always in Finnish.
Configuration specific for each service provider
The table shows the parameters that must be provided from each of the banks the new web application is to be integrated with.
|Eng. term in TUPAS doc|Also known as|Description|Corr. technical name|
|---|---|---|---|
|Service provider|Customer id,|Identifies the service provider for the bank|A01Y_RCVID|
|Key version|Primary key version|Identifies the key|A01Y_KEYVERS|
|Key|Shared secret, security key,|Secret key used to secure communication|n/a|
|Certificate request type| |Which certificate type to request from the bank. This must match at least one of the identifier types provided by the bank (should be listed in the agreement with the bank).|A01Y_IDTYPE (cert. request type); B02K_CUSTTYPE (returned identifier type)|
Source: Banking Association in Finland: Banks TUPAS Certification Services for Service Providers.
|Bank|Support tel.|Support|Support e-mail|Website homepage|
|---|---|---|---|---|
|Handelsbanken|010 444 2545|08:00 – 17:00| |http://www.handelsbanken.fi/|
|Nordea|+358 200 67220 (Swedish); +358 0200 67230 (English); 0200 67210 (Finnish)|08:00 – 18:00| |http://www.nordea.fi/|
|OP Bank group|0100 0500 (Finnish)| | | |
|Danske Bank|0106 6060 (private); 0600 122 12 (corporate)|08:00 – 17:00| |http://www.sampopankki.fi/|
|Saving Banks and| | | | |
|Bank of Åland|0204 292920 (Finnish); 0204 292910 (Swedish)|08:40 – 16:| |http://www.alandsbanken.fi/|
|S-bank|010 76| | |http://www.s-pankki.fi|
|Nooa Säästöpankki Oy| | | | |
TUPAS concept details
- The user browses the service provider's site. At some point he tries to access a protected resource, which results in a need for authentication.
- The service provider produces an authentication request. This is shown to the user, who is asked to choose from a list of banks.
- After the user has chosen his bank, the authentication request is sent to the bank together with the user. The bank must then verify the request.
- If the request is valid, the user is asked to authenticate.
- The user authenticates.
- The bank creates a TUPAS certificate and asks the user to approve it before it is sent to the service provider.
- The approved certificate is sent to the service provider, which must validate it before granting the user access.
- If the TUPAS certificate is valid, the user is granted access to the protected resource.
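The exchange above, together with the A01Y_RCVID, A01Y_KEYVERS, A01Y_IDTYPE and B02K_CUSTTYPE parameters from the configuration table, is worked through in the following Python sketch. It is an added example, not Signicat's or any bank's code. Only those four field names come from this page; every other field name, the "&"-joined MAC input terminated by the shared secret, the algorithm code "03" for SHA-256 and the constructed values (stamps, links, the "fake_bank" stand-in) are assumptions modelled on the public TUPAS specification. The service-provider side shows the checks a practitioner wants before trusting a returned certificate: a constant-time MAC comparison, agreement on the key version, binding the response to a stamp this service actually issued (so a captured certificate cannot be replayed), and rejecting identifier types that were not agreed with the bank.

```python
import hashlib
import hmac
import secrets
import time

# Field order for the MAC input (assumed; only A01Y_RCVID, A01Y_KEYVERS,
# A01Y_IDTYPE and B02K_CUSTTYPE are named on the page).
REQUEST_MAC_FIELDS = (
    "A01Y_ACTION_ID", "A01Y_VERS", "A01Y_RCVID", "A01Y_LANGCODE", "A01Y_STAMP",
    "A01Y_IDTYPE", "A01Y_RETLINK", "A01Y_CANLINK", "A01Y_REJLINK",
    "A01Y_KEYVERS", "A01Y_ALG",
)
RESPONSE_MAC_FIELDS = (
    "B02K_VERS", "B02K_TIMESTMP", "B02K_IDNBR", "B02K_STAMP", "B02K_CUSTNAME",
    "B02K_KEYVERS", "B02K_ALG", "B02K_CUSTID", "B02K_CUSTTYPE",
)


def compute_mac(field_order, msg, secret):
    """Uppercase hex SHA-256 over the ordered fields followed by the shared
    Mac key, each terminated by '&' (assumed construction)."""
    data = "&".join(msg[f] for f in field_order) + "&" + secret + "&"
    return hashlib.sha256(data.encode("utf-8")).hexdigest().upper()


def build_request(rcvid, keyvers, idtype, secret):
    """Service-provider side: the authentication request sent with the user
    to the bank. A01Y_STAMP is a fresh per-request value (constructed)."""
    stamp = time.strftime("%Y%m%d%H%M%S") + f"{secrets.randbelow(10**6):06d}"
    req = {
        "A01Y_ACTION_ID": "701", "A01Y_VERS": "0003", "A01Y_RCVID": rcvid,
        "A01Y_LANGCODE": "FI", "A01Y_STAMP": stamp, "A01Y_IDTYPE": idtype,
        "A01Y_RETLINK": "https://sp.example/return",   # constructed
        "A01Y_CANLINK": "https://sp.example/cancel",   # constructed
        "A01Y_REJLINK": "https://sp.example/reject",   # constructed
        "A01Y_KEYVERS": keyvers, "A01Y_ALG": "03",
    }
    req["A01Y_MAC"] = compute_mac(REQUEST_MAC_FIELDS, req, secret)
    return req


def fake_bank(req, secret, cust_name, cust_id, cust_type):
    """Constructed stand-in for a bank: verify the request MAC, then (after the
    user authenticates and approves) issue the TUPAS certificate."""
    expected = compute_mac(REQUEST_MAC_FIELDS, req, secret)
    if not hmac.compare_digest(expected, req["A01Y_MAC"]):
        return None  # the bank must reject a request whose MAC does not verify
    resp = {
        "B02K_VERS": "0003", "B02K_TIMESTMP": "200" + time.strftime("%Y%m%d%H%M%S"),
        "B02K_IDNBR": "123456", "B02K_STAMP": req["A01Y_STAMP"],
        "B02K_CUSTNAME": cust_name, "B02K_KEYVERS": req["A01Y_KEYVERS"],
        "B02K_ALG": "03", "B02K_CUSTID": cust_id, "B02K_CUSTTYPE": cust_type,
    }
    resp["B02K_MAC"] = compute_mac(RESPONSE_MAC_FIELDS, resp, secret)
    return resp


def validate_response(resp, pending_stamps, secret, keyvers, allowed_types):
    """Service-provider checks before granting access. pending_stamps holds the
    A01Y_STAMP values this service issued and has not yet redeemed; a valid
    response consumes its stamp so the same certificate cannot be replayed.
    Returns (ok, reason)."""
    required = set(RESPONSE_MAC_FIELDS) | {"B02K_MAC"}
    if not required.issubset(resp):
        return False, "missing fields"
    if resp["B02K_KEYVERS"] != keyvers:
        return False, "unexpected key version"
    expected = compute_mac(RESPONSE_MAC_FIELDS, resp, secret)
    if not hmac.compare_digest(expected, resp["B02K_MAC"]):
        return False, "bad MAC"           # tampered or wrong Mac key
    if resp["B02K_STAMP"] not in pending_stamps:
        return False, "unknown or replayed stamp"
    if resp["B02K_CUSTTYPE"] not in allowed_types:
        return False, "identifier type not agreed"
    pending_stamps.discard(resp["B02K_STAMP"])
    return True, "ok"


def demo():
    """Full round trip with a constructed Mac key and the Nordea test user
    from the table above."""
    secret = "CONSTRUCTED-SHARED-SECRET"   # per-bank Mac key from step 6
    pending = set()
    req = build_request("SPEXAMPLE001", "0001", "02", secret)
    pending.add(req["A01Y_STAMP"])
    resp = fake_bank(req, secret, "TESTAA PORTAALIA", "210281-9988", "02")
    return validate_response(resp, pending, secret, "0001", {"02"})


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the stamp is consulted, so unauthenticated input never consumes an issued stamp; the key-version check catches a configuration that still points at an old or a different bank's Mac key.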
Information about TUPAS: Banks TUPAS Certification Service V22, 6 February 2007
Finnish Bankers Association: http://www.finanssiala.fi/en