Finnish TUPAS

About Finnish Online Bank Identification (TUPAS)

Online Bank Identification (TUPAS) is an identification method provided by several Finnish banks within the framework of Finnish Trust Network (FTN). Its main purpose is to serve as a strong identification method. Online Bank Identification allows businesses and organizations that provide Internet services to authenticate their customers with bank identification credentials issued by the Finnish online banks offering the service. The Finnish Trust Network (FTN) regulation came into force in May 2017. As a result, third-party prices have been significantly lowered and the process of signing agreements with banks has been simplified, as only one agreement is needed for all the banks that are part of this network.

Please note that the technical TUPAS protocol will no longer be considered suitable as a strong identification method's API after 2019-09-30. Banks will start using new technical protocols (SAML2 or OIDC) for online identification before that date.

In the online bank identification service, a bank authenticates a customer by a strong authentication method. The identification credentials issued by the service can also be used for signing documents electronically if so agreed by the customer and the service provider.

Each bank authenticates its customers with the same bank-specific identifiers that the customer uses in the bank's own services. The following banks are members of the Finnish Trust Network:

  • Handelsbanken
  • Nordea
  • OP Bank Group
  • Danske Bank
  • Aktia
  • Säästöpankki (Savings Bank)
  • POP Bank
  • Bank of Åland
  • S-Bank
  • OmaSP

There also exists a mobile implementation called Mobiilivarmenne, which uses SIM-Toolkit technology. Unlike the Finnish online banks, Mobiilivarmenne utilizes roaming information, so a customer of any one of the mobile providers can log in through all of them. The following mobile providers supply Mobiilivarmenne:

  • Elisa
  • DNA
  • TeliaSonera

Establishment

This is a process description for establishing a merchant application with Finnish TUPAS.

The process describes the interaction between the Customer, the TUPAS banks and Signicat Operations when developing and establishing a web application using TUPAS. The process contains descriptions of all the players' tasks.

The process is described using steps, where each step has a natural end state. The descriptions are mainly high-level and without technical details.

Signicat may, if the Customer expresses the desire for it, perform some of the steps on behalf of the Customer.

Process overview:

  1. Customer signs agreement with Signicat AS
  2. Customer performs technical integration with Id.Signicat
  3. Signicat configures the TUPAS service for test
  4. Customer performs acceptance test of solution in test environment
  5. Signicat configures the TUPAS service for production
  6. Customer performs acceptance test of solution in production environment

End condition

At least one of the following functions is available and working in the Customer's web application, using the Signicat services:

  • Secure identification of Internet users, using TUPAS.
  • Digital signing of documents, using TUPAS.

Process

1. Customer signs agreement with Signicat AS

The Customer signs an agreement with Signicat AS. This agreement specifies:

  • the SLA between the Customer and Signicat AS
  • the number of ID-methods (authentication, signing, verification, etc)
  • the number of ID-solutions (TUPAS, Swedish BankID, etc)
  • the number of graphical profiles the Customer needs
  • any additional items deemed necessary

2. Customer signs contract with each TUPAS bank

This step takes place between the Customer and each of the TUPAS Banks.

The Customer (service provider) must enter into a contract regarding the banks' TUPAS certification service with all of the banks whose services are to be used. A separate contract must be made with each bank.

In each contract several parameters must be agreed:

  • Service Provider ID: merchant id or an identifier that uniquely identifies the Customer.
  • Mac key version: this identifies the secret service provider specific key.
  • Type of end-user identifier in the certificate: personal identity number, business ID, etc.
  • Format of end-user identifier in the certificate (plain text, encrypted, etc.)

The Mac key, a secret service provider specific key used to secure communication, will be sent to the Customer from each bank (step 6).

3. Customer performs technical integration with Id.Signicat

After the agreements are signed, the Customer performs technical integration with Id.Signicat. This includes:

  • Installation and programming with the Signicat client kit
  • Testing the integration

Technical integration can be performed with Signicat’s common TUPAS service.

4. Customer receives configuration parameters from each Tupas bank

Once the contract has been signed, the bank delivers the bank-specific Service Provider ID and pass phrase to the Customer. The data is delivered to the service provider through a bank-specific procedure, either electronically or in paper format.

Customer forwards this information to Signicat.

5. Signicat configures the TUPAS service for test

Important tasks in this step:

  • Signicat receives configuration data for each Tupas bank from the Customer.
  • Signicat sets up a configuration consisting of all the TUPAS banks that the Customer has an agreement with.
  • Signicat installs customer-specific graphical profiles.

6. Customer performs acceptance test of solution in test environment

Important tasks in this step:

  • Customer integrates/configures the web application with its own TUPAS service in the test environment.
  • Customer performs acceptance test in test environment. The test must cover each of the Tupas banks. The bank-specific data used in the testing phase is available with the service descriptions of each bank.

TUPAS requires each bank to implement its own test-service. However, not all banks have done this. The table here shows information about the test users of the banks with available test-services.

7. Customer receives secret parameters from the Banks

The Customer receives the Mac key and the Service Provider ID from each bank. This information must be sent in a safe way to Signicat.

8. Signicat configures the TUPAS service for production

Signicat receives the secret parameters for each Tupas Bank from the Customer, and creates a configuration in the production environment for the Customer.

9. Customer performs acceptance test of solution in production environment

The Customer integrates with the TUPAS configuration in Signicat’s production environment, and performs the acceptance test. The test must cover each of the Tupas banks. This test must be performed with real Tupas users.

Production environment

This page contains relevant info when setting up a customer specific production environment with TUPAS.

Testing your TUPAS production secret keys

When you have your own TUPAS configuration on Id.Signicat, you should test your Tupas secret keys for production. The test must be carried out by authenticating real users, or signing documents on your configuration for production.

Typical login and signature screenshots

Login session

1. Select TUPAS Bank

The first step contains a list of the possible TUPAS banks the Customer has an agreement with. The Customer can select between one of two predefined layouts when setting up the service, or opt to style the bank selection themselves. Select one of the banks in the list, e.g. LähiTapiola.

2. Select language

Some of the TUPAS banks do not support English text. If this is the case, the end-user must specify which language to use.

3. Identify yourself on TUPAS bank identification service

After bank and language are selected, the end-user is redirected to the selected TUPAS bank's identification service.

4. Enter the service provider's web application

After successful identification by the TUPAS bank's identification service, the end-user is redirected to the service provider's protected web pages.

TUPAS/WSD signatures

  • Signature-Policy-TUPAS-WSD-1.1
  • WitnessedSignedDocumentFormat-1.0

Test environment

Each TUPAS-bank offers a TUPAS service for testing purposes. All these test services, for all TUPAS banks, are available from Signicat’s test environment.

In some banks' test services it is possible to use real TUPAS users for testing, but most of the banks provide only one common test user for testing these TUPAS services. The table below contains information about the test users of the different TUPAS banks.

Signicat may not order or create customer-specific test users for TUPAS. The number of test users is probably not sufficient for most merchants. This can be compensated for by carrying out acceptance tests in production, with real TUPAS users.

Bank | Name | National identification number | Username | Password | OTP
Nordea 1) | TESTAA PORTAALIA | 210281-9988 | prefilled | prefilled |
Bank of Åland | DEMO ANNA | 010170-960F | 12345678 | 12345 | Any 4 digits
Aktia 1) | TERO TESTAAJA | 010170-999R | 12345678 | 123456 | 1234
Handelsbanken, Säästöpankki, POP pankki, OmaSP 2) | Teemu Testaaja | 010101-123N | 11111111 | 123456 | 123456
Handelsbanken, Säästöpankki, POP pankki, OmaSP 2) | Teemu Testaaja_se | 010101-123N | 22222222 | 123456 | 123456
Osuuspankki | TESTI ANNA | 081181-9984 | 123456 | 7890 | 1234
LähiTapiola | TESTI TAPIO | 010170-960F | 12345678 | 123TAP | 9999
S-Pankki | MEIKÄLÄINEN MAIJA | 010170-960F | 12345678 | 123456 | 1234
Danske Bank | Offers no test users, but real TUPAS users from Sampo can also be used in the test environment | | | |

Remarks:

  1. Nordea’s and Aktia’s test services only use the correct language in the first page of the login-sequence. The following pages will always be written in Finnish.
  2. The test services of Handelsbanken, Säästöpankki, POP pankki, and OmaSP show login pages in both Finnish and Swedish, but the following pages are always in Finnish.

Configuration specific for each service provider

The table shows the parameters we need from each of the banks the new web application should be integrated with.

Eng. term in TUPAS doc | Also known as | Description | Corr. technical name
Service provider | Customer id, Service id | Identifies the service provider for the bank | A01Y_RCVID
Key version | Primary key version | Identifies the key | A01Y_KEYVERS
Key | Shared secret, security key, MAC key | Secret key used to secure communication | n/a
Certificate request type | | Which certificate type to request from the bank. This must match at least one of the identifier types provided by the bank (should be listed in the agreement with the bank). | A01Y_IDTYPE (cert. request type), B02K_CUSTTYPE (returned identifier type)

TUPAS support

Source: Banking Association in Finland: Banks TUPAS Certification Services for Service Providers.

Bank | Support tel. | Support hours | Support e-mail | Website homepage
Handelsbanken | 010 444 2545 | 08:00 – 17:00 | finhelp@handelsbanken.fi | http://www.handelsbanken.fi/
Nordea | +358 200 67220 (Swedish), +358 0200 67230 (English), 0200 67210 (Finnish) | 08:00 – 18:00 | Solo.tori@nordea.fi | http://www.nordea.fi/
OP Bank group | 0100 0500 (Finnish), 0100 9051 | | verkkopainikkeet@op.fi | https://www.op.fi/
Danske Bank | 0106 6060 (private), 0600 122 12 (corporate) | 08:00 – 17:00 | varmennepalvelu@danskebank.fi | http://www.sampopankki.fi/
Saving Banks and COOP banks | 0100 4052 | | info@samlink.fi | http://www.samlink.fi/
Bank of Åland | 0204 292920 (Finnish), 0204 292910 (Swedish) | 08:40 – 16:30 | contactcenter@alandsbanken.fi | http://www.alandsbanken.fi/
S-bank | 010 76 5810 | | e-palvelut@sok.fi | http://www.s-pankki.fi
Nooa Säästöpankki Oy | | | mlselvitys@samlink.fi |

TUPAS concept details

  1. The user browses the service provider's site. At some point the user tries to access a protected resource, which results in a need for authentication.
  2. The service provider produces an authentication request. This is then shown to the user, who is asked to choose from a list of banks.
  3. After the user has chosen a bank, the user is redirected to that bank together with the authentication request. The bank must then verify the request.
  4. If the request is valid the user will be asked to authenticate.
  5. The user authenticates.
  6. The bank creates a TUPAS certificate and asks the user to approve this before sending it to the service provider.
  7. The approved certificate is sent to the service provider, which must validate it before granting the user access.
  8. If the TUPAS certificate is valid, the user is granted access to the protected resource.
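The two signed messages in the flow above (the request the service provider sends in step 2 and the certificate it must validate in step 7), as an added example that is not Signicat's or any bank's code. Only the parameter names A01Y_RCVID, A01Y_KEYVERS, A01Y_IDTYPE and B02K_CUSTTYPE come from the configuration table on this page; the MAC construction, the A01Y_STAMP/A01Y_MAC fields, the remaining B02K_* fields and all values are assumptions.

```python
import hashlib
import hmac

# Constructed merchant configuration: the A01Y_* names are the parameters
# from the configuration table; the key value is a placeholder, not a secret.
CONFIG = {
    "A01Y_RCVID": "EXAMPLE-SP-ID",
    "A01Y_KEYVERS": "0001",
    "A01Y_IDTYPE": "01",
    "MAC_KEY": "PLACEHOLDER-MAC-KEY-FROM-BANK",
}
RESP_FIELDS = ("B02K_STAMP", "B02K_CUSTTYPE", "B02K_CUSTID", "B02K_KEYVERS")

def tupas_mac(values, key):
    # Assumed MAC construction: SHA-256 over '&'-joined values + key + '&', upper-case hex.
    data = "&".join(list(values) + [key]) + "&"
    return hashlib.sha256(data.encode("utf-8")).hexdigest().upper()

def build_request(config, stamp):
    # Service provider (flow step 2): sign the outgoing request.
    # A01Y_STAMP (per-request nonce) and A01Y_MAC are assumed field names.
    req = {"A01Y_RCVID": config["A01Y_RCVID"],
           "A01Y_KEYVERS": config["A01Y_KEYVERS"],
           "A01Y_IDTYPE": config["A01Y_IDTYPE"],
           "A01Y_STAMP": stamp}
    req["A01Y_MAC"] = tupas_mac(req.values(), config["MAC_KEY"])
    return req

def bank_response(req, custid, key):
    # Constructed bank side (flow step 6): certificate echoing stamp and identifier type.
    # B02K_* names other than B02K_CUSTTYPE are assumed.
    resp = {"B02K_STAMP": req["A01Y_STAMP"],
            "B02K_CUSTTYPE": req["A01Y_IDTYPE"],
            "B02K_CUSTID": custid,
            "B02K_KEYVERS": req["A01Y_KEYVERS"]}
    resp["B02K_MAC"] = tupas_mac([resp[f] for f in RESP_FIELDS], key)
    return resp

def validate_response(config, sent_stamp, resp):
    # Service provider (flow step 7): every check that must pass before access is granted.
    if resp.get("B02K_KEYVERS") != config["A01Y_KEYVERS"]:
        return False, "unexpected key version"
    if resp.get("B02K_STAMP") != sent_stamp:
        return False, "stamp does not match the request we sent"
    if resp.get("B02K_CUSTTYPE") != config["A01Y_IDTYPE"]:
        return False, "returned identifier type was not requested"
    expected = tupas_mac([resp.get(f, "") for f in RESP_FIELDS], config["MAC_KEY"])
    if not hmac.compare_digest(expected, resp.get("B02K_MAC", "")):
        return False, "MAC mismatch"
    return True, "ok"
```

The key-version, stamp and identifier-type checks run before the MAC comparison so that a response signed under the wrong key, replayed from another session, or carrying an identifier type the service provider never agreed to is rejected with a specific reason; the MAC itself is compared in constant time.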

Other sources

Information about TUPAS: Banks TUPAS Certification Service V22, 6 February 2007

Finnish Bankers Association: http://www.finanssiala.fi/en