About Finnish Online Bank Identification (TUPAS)
Online Bank Identification (TUPAS) is an identification method provided by several Finnish banks within the framework of Finnish Trust Network (FTN). Its main purpose is to serve as a strong identification method. Online Bank Identification allows businesses and organizations that provide Internet services to authenticate their customers with bank identification credentials issued by the Finnish online banks offering the service. The Finnish Trust Network (FTN) regulation came into force in May 2017. As a result, third-party prices have been significantly lowered and the process of signing agreements with banks has been simplified, as only one agreement is needed for all the banks that are part of this network.
Please note that the technical TUPAS protocol will no longer be considered suitable as the API of a strong identification method after 2019-09-30. Banks will start using new technical protocols (SAML2 or OIDC) for online identification before that date.
In the online bank identification service, a bank authenticates a customer by a strong authentication method. The identification credentials issued by the service can also be used for signing documents electronically if so agreed by the customer and the service provider.
Each bank authenticates their customers with the same bank-specific identifiers that the customer uses in the bank’s own services. The following banks are members of the Finnish Trust Network:
- OP Bank Group
- Danske Bank
- Säästöpankki (Savings Bank)
- POP Bank
- Bank of Åland
There also exists a mobile implementation called Mobiilivarmenne, which uses SIM-Toolkit technology. Unlike the Finnish online banks, Mobiilivarmenne utilizes roaming info, so if you are a customer of one of the mobile providers, you can log in to all of them. The following mobile providers supply Mobiilivarmenne:
This is a process description for establishing a merchant application with Finnish TUPAS.
The process describes the interaction between the Customer, the TUPAS banks and Signicat Operations when developing and establishing a web application that uses TUPAS. The process contains descriptions of all the players' tasks.
The process is described using steps, where each step has a natural end state. The descriptions are mainly high-level and without technical details.
Signicat may, if the Customer so wishes, perform some of the steps on behalf of the Customer.
- Customer signs agreement with Signicat AS
- Customer performs technical integration with Id.Signicat
- Signicat configures the TUPAS service for test
- Customer performs acceptance test of solution in test environment
- Signicat configures the TUPAS service for production
- Customer performs acceptance test of solution in production environment
At least one of the following functions is available and working in the Customer's web application, using the Signicat services:
- Secure identification of Internet users, using TUPAS.
- Digital signing of documents, using TUPAS.
The Customer signs an agreement with Signicat AS. This agreement specifies:
- the SLA between the Customer and Signicat AS
- the number of ID-methods (authentication, signing, verification, etc)
- the number of ID-solutions (TUPAS, Swedish BankID, etc)
- the number of graphical profiles the Customer needs
- any additional items deemed necessary
2. Customer performs technical integration with Id.Signicat
After the agreements are signed, the Customer performs technical integration with Id.Signicat. This includes:
- Installation and programming with the Signicat client kit
- Testing the integration
Technical integration can be performed with Signicat’s common TUPAS service.
In this step, Signicat installs customer specific graphical profiles.
Important tasks in this step:
- Customer integrates/configures the web application with own Tupas service in test environment.
- Customer performs acceptance test in test environment. The test must cover each of the Tupas banks. The bank-specific data used in the testing phase is available with the service descriptions of each bank.
TUPAS requires each bank to implement its own test-service. However, not all banks have done this. The table here shows information about the test users of the banks with available test-services.
Signicat creates the configuration in the production environment for the Customer.
The Customer integrates with the TUPAS configuration in Signicat’s production environment, and performs the acceptance test. The test must cover each of the Tupas banks. This test must be performed with real Tupas users.
This page contains relevant info when setting up a customer specific production environment with TUPAS.
Testing your TUPAS production secret keys
When you have your own TUPAS configuration on Id.Signicat, you should test your Tupas secret keys for production. The test must be carried out by authenticating real users, or signing documents on your configuration for production.
Typical login and signature screenshots
1. Select TUPAS Bank
The first step contains a list of the possible TUPAS banks the Customer has an agreement with. The Customer can choose one of two predefined layouts when setting up the service, or opt to style the bank selection themselves. Select one of the banks in the list, e.g. Nordea.
2. Select language
Some of the TUPAS banks do not support English text. If this is the case, the end-user must specify which language to use.
3. Identify yourself on TUPAS bank identification service
After the bank and language are selected, the end-user will be redirected to the selected TUPAS bank's identification service.
4. Enter service provider's web application
After successful identification by the TUPAS bank's identification service, the end-user will be redirected to the service provider's protected web pages.
Each TUPAS-bank offers a TUPAS service for testing purposes. All these test services, for all TUPAS banks, are available from Signicat’s test environment.
In some banks' test services it is possible to use real TUPAS users for testing, but most of the banks provide only one common test user for testing these TUPAS services. The table below contains information about the test users of the different TUPAS banks.
Signicat may not order or create customer specific test users for TUPAS. The number of test users is probably not sufficient for most merchants. This could be compensated by carrying out acceptance tests in production, with real Tupas users.
|Bank||Name||National identification number||Username||Password||OTP|
|Nordea 1)||TESTAA PORTAALIA||210281-9988||prefilled||prefilled|
|Bank of Åland||DEMO ANNA||010170-960F||12345678||12345||Any 4 digits|
|Aktia 1)||TERO TESTAAJA||010170-999R||12345678||123456||1234|
|Danske Bank||Offer no test users, but possible to use real Tupas users from Danske Bank also in test environment|
- Nordea’s and Aktia’s test services only use the correct language in the first page of the login-sequence. The following pages will always be written in Finnish.
- The test services of Handelsbanken, Säästöpankki, POP pankki, and OmaSP show login pages in both Finnish and Swedish, but the following pages are always in Finnish.
Configuration specific for each service provider
The table shows the parameters we need to provide from each of the banks the new web application should be integrated with.
|Eng. term in TUPAS doc||Also known as||Description||Corr. technical name|
|Service provider||Customer id,||Identifies the service provider for the bank||A01Y_RCVID|
|Key version||Primary key version||Identifies the key||A01Y_KEYVERS|
|Key||Shared secret, security key,||Secret key used to secure communication||n/a|
|Certificate request type||||Which certificate type to request from the bank. This must match at least one of the identifier types provided by the bank (should be listed in the agreement with the bank).||A01Y_IDTYPE (cert. request type), B02K_CUSTTYPE (returned identifier type)|
Source: Banking Association in Finland: Banks TUPAS Certification Services for Service Providers.
|Bank||Support tel.||Support||Support e-mail||Website homepage|
|Handelsbanken||010 444 2545||08:00 – 17:firstname.lastname@example.org||http://www.handelsbanken.fi/|
|Nordea||+358 200 67220 (Swedish), +358 0200 67230 (English), 0200 67210 (Finnish)||08:00 – 18:00||Solo.email@example.com||http://www.nordea.fi/|
|OP Bank group||0100 0500 (Finnish)
|Danske Bank||0106 6060 (private), 0600 122 12 (corporate)||08:00 – 17:firstname.lastname@example.org||http://www.sampopankki.fi/|
|Saving Banks and
|Bank of Åland||0204 292920 (Finnish), 0204 292910 (Swedish)||08:40 – 16:email@example.com||http://www.alandsbanken.fi/|
|S-bank||010 76 firstname.lastname@example.org||http://www.s-pankki.fi|
|Nooa Säästöpankki Oyemail@example.com|
TUPAS concept details
- The user browses the service provider. At some point he tries to access a protected resource, which will result in a need for authentication.
- The service provider produces an authentication request. This is then shown to the user, who is asked to choose from a list of banks.
- After the user has chosen his bank, the authentication request is sent to the bank together with the user. The bank must then verify the request.
- If the request is valid the user will be asked to authenticate.
- The user authenticates.
- The bank creates a TUPAS certificate and asks the user to approve this before sending it to the service provider.
- The approved certificate is sent to the service provider, which must validate it before granting the user access.
- If the TUPAS certificate is valid, the user is granted access to the protected resource.
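The validation step in the flow above (the service provider must validate the TUPAS certificate before granting access) can be sketched as follows. This is an added example, not Signicat's or any bank's code. The B02K_ field names other than B02K_CUSTTYPE, the MAC field order, the algorithm code and the character encoding are assumptions taken from the public TUPAS specification and must be checked against each bank's service description; all sample values are constructed.

```python
import hashlib
import hmac

# Field order assumed from the public TUPAS specification; confirm it against
# each bank's service description.
MAC_FIELDS = ("B02K_VERS", "B02K_TIMESTMP", "B02K_IDNBR", "B02K_STAMP",
              "B02K_CUSTNAME", "B02K_KEYVERS", "B02K_ALG", "B02K_CUSTID",
              "B02K_CUSTTYPE")
# Assumed code for SHA-256; accepting only this one is a local policy choice.
HASHES = {"03": hashlib.sha256}


def compute_mac(params, secret):
    """Hash the '&'-joined fields followed by the shared secret and a final '&'."""
    data = "&".join(params[f] for f in MAC_FIELDS) + "&" + secret + "&"
    digest = HASHES[params["B02K_ALG"]](data.encode("iso-8859-1", "replace"))
    return digest.hexdigest().upper()


def validate_certificate(params, keys, expected_stamp, allowed_custtypes):
    """Return (ok, reason) for the parameters the bank sent back with the user."""
    for field in MAC_FIELDS + ("B02K_MAC",):
        if field not in params:
            return False, "missing " + field
    if params["B02K_ALG"] not in HASHES:
        return False, "unsupported algorithm"
    secret = keys.get(params["B02K_KEYVERS"])  # the key version selects the key
    if secret is None:
        return False, "unknown key version"
    expected = compute_mac(params, secret).encode("ascii")
    received = params["B02K_MAC"].upper().encode("utf-8")
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return False, "bad MAC"
    # Bind the certificate to the request this session sent, so a certificate
    # captured from another session is not accepted.
    if params["B02K_STAMP"] != expected_stamp:
        return False, "stamp mismatch"
    if params["B02K_CUSTTYPE"] not in allowed_custtypes:
        return False, "unexpected identifier type"
    return True, "ok"


# Constructed sample data: key, stamp and identity values are made up.
KEYS = {"0001": "constructed-shared-secret"}
SAMPLE = {"B02K_VERS": "0003", "B02K_TIMESTMP": "60020190123101559000000",
          "B02K_IDNBR": "1234567890", "B02K_STAMP": "20190123101559000001",
          "B02K_CUSTNAME": "EXAMPLE USER", "B02K_KEYVERS": "0001",
          "B02K_ALG": "03", "B02K_CUSTID": "EXAMPLE-ID", "B02K_CUSTTYPE": "01"}
SAMPLE["B02K_MAC"] = compute_mac(SAMPLE, KEYS["0001"])
```

The expected stamp should come from the server-side session that issued the request, never from the returned parameters themselves.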
Information about TUPAS: Banks TUPAS Certification Service V22, 6 February 2007
Finnish Bankers Association: http://www.finanssiala.fi/en