FranceConnect

About FranceConnect

FranceConnect is a public eID scheme for France. It is a hub for a number of identity providers in France. A shortlist of available identity providers is listed below:

Note: Neither Signicat nor anyone else can act as a broker in FranceConnect. Instead, Signicat conducts the flow on behalf of the service provider, using their credentials. This means that as a service provider, the customer must set up an agreement directly with FranceConnect. Only French companies can enter into such an agreement. For more information on how to enter an agreement, see How to get started with FranceConnect.

Signicat has no direct contractual relationship with FranceConnect. This has certain technical implications:

  • As the service provider, the customer is the owner of their FranceConnect client(s).
  • Some client configuration must be managed by the service provider directly through FranceConnect’s management portal.
  • All FranceConnect clients are owned by service providers, not by Signicat. This means you cannot test or use FranceConnect without establishing your own client with FranceConnect first (for more information, see Onboarding to FranceConnect).

You can manage your FranceConnect clients on the FranceConnect partner portal.

Contact Signicat for more information

This page gives you a high-level introduction to FranceConnect, how to onboard and get started with the integration. If you need more information, please contact Signicat.

Key features

The following FranceConnect features are supported through Signicat:

Identity providers in FranceConnect only support eIDAS Level of Assurance “Low”. In January 2021, two identity providers (Mobile Connect et Moi and La Poste) will be certified to offer eIDAS Level of Assurance “Substantial”.

FranceConnect use cases

From the user’s perspective, please note the following:

  • FranceConnect cannot be used in an iframe, since some identity providers do not allow it.
  • FranceConnect does not support forced re-authentication. As long as the user has an active session and has not been logged out, the user will not be prompted for re-authentication.
  • FranceConnect requires that users are logged out within 15 minutes after login. This is covered further in the specific subsections for the different use cases.

This section contains screenshots of a typical login for FranceConnect. These steps are the same regardless of use-case type (authentication, onboarding, signing).

  1. The user selects the identity provider.
  2. The user provides their login credentials.
  3. The user confirms that they will share their details with the service provider.


Authentication (Login)

You can use FranceConnect to log in a user to your service. The only user-specific claim returned is the unique identifier for that user. Note: FranceConnect requires users to be logged out within 15 minutes after login, so login must be used in conjunction with logout.

Here is a sample response for a successful authentication (OIDC):

{
  "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
  "fc.acr": "eidas1",
  "fc.idp": "FC",
  "fc.issuer": "https://fcp.integ01.dev-franceconnect.fr",
  "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)",
  "signicat.issuer_friendly_name": "FC",
  "signicat.friendly_name": "FranceConnect (FC)",
  "signicat.security_level": 2
}

Logout

A logout can be triggered either by the end-user (how this is handled is up to the service provider) or by the service provider. In any case, the service provider is obligated by FranceConnect to trigger a logout within 15 minutes after login. In order to do this, the service provider must save the value of the ‘fc.idToken’ attribute included in the response from the Login. This value must then be passed as a prefilled parameter by the service provider in their request to Signicat’s FranceConnect Logout method.

For OIDC, this would be passed as:

login_hint=id_token_hint-VALUE

Note: Although the prefilled parameter is named id_token_hint, it must not be passed as id_token_hint=VALUE. Use the login_hint format shown above.
For more details about login_hint, see Endpoints.

For SAML2 it would be passed as:

<signicat:Prefilled xmlns:signicat="urn:signicat" Parameter="id_token_hint">VALUE</signicat:Prefilled>

For more details, see Specifying prefilled information.

Optionally, the service provider can also prefill a state attribute in the same way as for id_token_hint. This is an opaque value that can be used to maintain the state between the logout request and the callback to the service provider’s post-logout redirect URI. The post-logout redirect URI is the location that the end-user is redirected to upon a successful logout (typically a landing page on the service provider’s domain) and must be supplied by the service provider to Signicat in advance.
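As an added example (not Signicat's or FranceConnect's code), the following Python sketches what a service provider has to do between the authentication response and the logout described above: keep fc.idToken and the 15-minute deadline, build the logout request with login_hint=id_token_hint-VALUE plus a state value, and check that state when the post-logout redirect arrives. The logout endpoint URL, the Unix-timestamp handling and the assumption that state comes back as a query parameter on the post-logout redirect URI are mine; the sample response is constructed from the page's example.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample, shaped like the page's OIDC authentication response.
LOGIN_RESPONSE = json.loads("""{
  "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
  "fc.acr": "eidas1",
  "fc.idp": "FC",
  "fc.issuer": "https://fcp.integ01.dev-franceconnect.fr",
  "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci.CONSTRUCTED.SAMPLE",
  "signicat.issuer_friendly_name": "FC",
  "signicat.friendly_name": "FranceConnect (FC)",
  "signicat.security_level": 2
}""")

LOGOUT_WINDOW_SECONDS = 15 * 60  # FranceConnect requires logout within 15 minutes of login


def record_login(response, login_time):
    """Keep what the service provider needs later: the FranceConnect id token
    (fc.idToken) and the time by which the logout must have been triggered.
    login_time is a Unix timestamp in seconds (assumption of this example)."""
    id_token = response.get("fc.idToken")
    if not id_token:
        raise ValueError("response has no fc.idToken; a logout cannot be built from it")
    return {
        "sub": response["sub"],
        "id_token": id_token,
        "logout_by": login_time + LOGOUT_WINDOW_SECONDS,
    }


def build_logout_url(logout_endpoint, session, state):
    """Build the OIDC logout request. The saved id token goes inside login_hint as
    'id_token_hint-<VALUE>'; a bare id_token_hint parameter is deliberately not sent.
    logout_endpoint is a placeholder for Signicat's logout endpoint (see Endpoints)."""
    params = {"login_hint": "id_token_hint-" + session["id_token"], "state": state}
    return logout_endpoint + "?" + urlencode(params)


def logout_overdue(session, now):
    """True once the 15-minute window has passed without a logout being sent."""
    return now > session["logout_by"]


def verify_post_logout_callback(callback_url, expected_state):
    """Accept the post-logout redirect only if it echoes the state we issued
    (assumes state is returned as a query parameter on the redirect URI)."""
    got = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return bool(got) and secrets.compare_digest(got, expected_state)
```

A fresh state value per logout can be produced with secrets.token_urlsafe(16); the deadline check is what an integration should alert on if a session is still open close to the 15-minute mark.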

Digital onboarding

You can use FranceConnect to retrieve claims about the end-user, for example for digital onboarding purposes. With this flow, Signicat takes care of automatically logging out the user immediately upon successful authentication.

Here is a sample response for a successful identification (OIDC):

{
  "sub": "9bddb35a0bf7846b8b29e8c94015630aced57f8d1d1ff474005594fe165da0a5v1",
  "birthdate": "1962-08-24",
  "family_name": "DUBOIS",
  "given_name": "Angela Claire Louise",
  "gender": "female",
  "email": "example@example.com",
  "fc.birthcountry": "99100",
  "fc.birthplace": "75107",
  "fc.acr": "eidas1",
  "fc.idp": "FC",
  "fc.issuer": "https://fcp.integ01.dev-franceconnect.fr",
  "fc.preferredUsername": "exampleUsername",
  "fc.idToken": "eyJ0eXAiOiJKV1QiLCJhbGci(...)",
  "signicat.issuer_friendly_name": "FC",
  "signicat.friendly_name": "FranceConnect (FC)",
  "signicat.security_level": 2
}

Digital signing

FranceConnect can be used for digital signatures using Signicat’s Sign API. With this flow, Signicat takes care of automatically logging out the user immediately upon successful authentication.

How to get started with FranceConnect

To get started with FranceConnect, you must register the correct information in the FranceConnect partner portal, and also supply certain information to Signicat.

Onboarding to FranceConnect

To start using FranceConnect you must apply for authorisation and establish an agreement directly with FranceConnect.

Alternative A: Using Signicat as a collaborator

  1. Log in to the FranceConnect partner portal.
  2. Go to Editer le FS > Gérer les accés and enter your onboarding manager’s email.
  3. Your Signicat onboarding manager should now have access as a collaborator and can complete the rest of the registration for you.

Alternative B: Manual registration

If you do not wish to have Signicat as a collaborator, you can also register yourself manually. If you choose to do so, make sure that all values are entered correctly in the form.

Preproduction:

  1. Log in to the FranceConnect partner portal.
  2. Go to Editer le FS.
  3. Make note of the Client ID (Identifiant client) and Client Secret (Clé secréte) since you must supply these to Signicat later.
  4. Fill in the Edition du Fournisseur de Service form. Make sure that both the URLs de callback and URLs de redirection de déconnexion are filled in with Signicat’s preproduction redirect URI. This will be one of the following:
     • https://preprod.signicat.com/std/redirect
     • https://eu01.preprod.signicat.com/std/redirect

     If you are unsure which one applies for you, contact your onboarding manager.

  5. Fill in the rest of the fields as they apply to your service provider.
  6. Inform Signicat of your Client ID and Client Secret from step 3. Signicat will let you know when your preproduction setup is ready for testing, after which you can proceed to register for production.

Production:

  1. Ensure the URLs de callback de connexion and URLs de callback de déconnexion fields are filled in with Signicat’s production redirect URI. This will be one of the following:
     • https://id.signicat.com/std/redirect
     • https://eu01.signicat.com/std/redirect

     If you are unsure which one applies for you, contact your onboarding manager.

  2. If the URI used is https://id.signicat.com/std/redirect, Plage d’adresses IP du serveur MUST have the value 79.171.83.176. If the URI used is https://eu01.signicat.com/std/redirect, Plage d’adresses IP du serveur MUST have the value 79.171.83.180.
  3. Numéro de téléphone pour envoi de la clé secréte client par SMS must have a French mobile phone number.
  4. Fill in the rest of the fields as they apply for your service provider. You can ignore the Configuration pour l’accés aux statistiques field.

After the request is accepted you will receive your production Client ID and Client Secret from FranceConnect.

Note: The process takes around 10-15 days.

Onboarding to Signicat

Please contact your Signicat onboarding manager to get assistance with onboarding to Signicat.