Initial preparations
Prerequisites
Before you can start integrating with Signicat's implementation of FTN in production, be aware of the following prerequisites.
Access to FTN
Before you can create a production account, you need to configure FTN access with an onboarding manager. To get help with this, please contact us.
Define the service provider name
When enabling access, your onboarding manager will ask you which service provider name you want displayed to your end-users before and during the authentication.
You can also specify your service provider name:
- On the FTN configuration page in the Dashboard.
- In the protocol request, using the ftn_sp_name parameter. For how to set this up for the different protocols, see Integration with OIDC and Integration with Authentication REST API.
If the service provider name is not defined in either of the ways mentioned above, the organisation name from the Dashboard is displayed by default.
Security requirements from Traficom
Traficom requires the following security measures for FTN authentication:
Message Level Encryption (MLE)
Due to requirements from Traficom, you must use Full Message-Level Encryption (MLE) for authentication with FTN.
Message-level encryption has two parts. The first is always required; the second is required only in certain circumstances:
- Receiving encrypted responses from Signicat (required)
- Sending encrypted requests to Signicat (required when the request carries PII, otherwise optional)
If you send personally identifiable information (PII) as part of your request, you must also encrypt the request. Transport encryption (TLS) alone does not satisfy this requirement: the message itself must be encrypted end to end.
For more details on how to set this up, see the general protocol descriptions:
- OIDC: Advanced security considerations
- SAML 2.0: Advanced URL configuration fields
- Authentication REST API: Encrypted responses from Signicat
Authentication request signing
Due to requirements from Traficom, you must sign the authentication requests when setting up FTN with the OIDC protocol.
For details on how to do this, see the Encryption/signing of the request object section.
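The two Traficom requirements above (a signed request object, and message-level encryption of the response, plus of the request when it carries PII) are both JOSE constructions: a signed JWS nested inside a JWE. The example below, added here and not Signicat's own code, walks both sides of that exchange with the `cryptography` package so the structure is visible: the client signs a request object and optionally encrypts it to the provider, the provider unwraps and verifies it, then signs an ID token and encrypts it to the client, and the client decrypts, verifies and checks the claims. The issuer URL, client ID, key pairs, the choice of RS256 / RSA-OAEP-256 / A256GCM, and carrying `ftn_sp_name` as a claim inside the request object are all assumptions for illustration; the algorithms Signicat actually accepts, and how it expects `ftn_sp_name` to be carried, are on the protocol pages linked above. In production you would use a maintained JOSE library and the provider's published JWKS rather than hand-rolling the JWE framing.

```python
import base64
import json
import os
import time

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed values: the provider issuer, client ID and both key pairs are
# stand-ins so the example runs offline. In production the client holds its own
# key pair and fetches the provider's public keys from its JWKS endpoint.
IDP_ISSUER = "https://idp.example"  # hypothetical issuer, not Signicat's
CLIENT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
IDP_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims: dict, private_key) -> str:
    """Compact RS256 JWS (RFC 7515): base64url(header).base64url(payload).base64url(sig)."""
    header = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps(claims).encode())
    sig = private_key.sign(f"{header}.{payload}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{payload}.{b64u(sig)}"


def jws_verify(token: str, public_key) -> dict:
    """Pin the algorithm before touching the signature, verify it, then return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64u_dec(header_b64)).get("alg") != "RS256":  # rejects "none", HS256 key confusion
        raise ValueError("unexpected JWS alg")
    public_key.verify(b64u_dec(sig_b64), f"{header_b64}.{payload_b64}".encode(),
                      padding.PKCS1v15(), hashes.SHA256())  # raises InvalidSignature on mismatch
    return json.loads(b64u_dec(payload_b64))


def jwe_encrypt(plaintext: bytes, recipient_public_key) -> str:
    """Compact JWE (RFC 7516): RSA-OAEP-256 wraps a fresh AES-256-GCM content key."""
    protected = b64u(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM", "cty": "JWT"}).encode())
    cek, iv = AESGCM.generate_key(bit_length=256), os.urandom(12)
    sealed = AESGCM(cek).encrypt(iv, plaintext, protected.encode())  # AAD = protected header; tag = last 16 bytes
    return ".".join([protected, b64u(recipient_public_key.encrypt(cek, OAEP)),
                     b64u(iv), b64u(sealed[:-16]), b64u(sealed[-16:])])


def jwe_decrypt(token: str, private_key) -> bytes:
    """Unwrap the content key with our private key, then authenticate and decrypt the payload."""
    protected, enc_key, iv, ciphertext, tag = token.split(".")
    header = json.loads(b64u_dec(protected))
    if header.get("alg") != "RSA-OAEP-256" or header.get("enc") != "A256GCM":
        raise ValueError("unexpected JWE algorithms")
    cek = private_key.decrypt(b64u_dec(enc_key), OAEP)
    return AESGCM(cek).decrypt(b64u_dec(iv), b64u_dec(ciphertext) + b64u_dec(tag), protected.encode())


def build_request_object(client_id: str, redirect_uri: str, sp_name: str, encrypt: bool) -> str:
    """Client side: signed request object (RFC 9101), nested inside a JWE when the request carries PII."""
    now = int(time.time())
    claims = {"iss": client_id, "aud": IDP_ISSUER, "client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "openid", "ftn_sp_name": sp_name,  # assumed placement
              "nonce": b64u(os.urandom(16)), "iat": now, "exp": now + 300}
    signed = jws_sign(claims, CLIENT_KEY)
    return jwe_encrypt(signed.encode(), IDP_KEY.public_key()) if encrypt else signed


def provider_open_request(request_param: str) -> dict:
    """Provider side: unwrap the JWE if present (5 segments vs 3), then verify the client's signature."""
    if request_param.count(".") == 4:
        request_param = jwe_decrypt(request_param, IDP_KEY).decode()
    return jws_verify(request_param, CLIENT_KEY.public_key())


def provider_issue_response(client_id: str, subject: str) -> str:
    """Provider side: sign the ID token, then encrypt it to the client's public key (MLE)."""
    now = int(time.time())
    claims = {"iss": IDP_ISSUER, "aud": client_id, "sub": subject, "iat": now, "exp": now + 300}
    return jwe_encrypt(jws_sign(claims, IDP_KEY).encode(), CLIENT_KEY.public_key())


def client_open_response(token: str, client_id: str) -> dict:
    """Client side: decrypt with our private key, verify the provider's signature, check iss/aud/exp."""
    claims = jws_verify(jwe_decrypt(token, CLIENT_KEY).decode(), IDP_KEY.public_key())
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != client_id or claims.get("exp", 0) < time.time():
        raise ValueError("issuer, audience or expiry check failed")
    return claims


def response_accepted(token: str, client_id: str) -> bool:
    """True only when decryption, signature and claim checks all pass."""
    try:
        client_open_response(token, client_id)
        return True
    except (InvalidSignature, InvalidTag, ValueError):
        return False
```

Two details matter for the Traficom requirements: the order is sign first, then encrypt, so the provider can prove who authored the request after decrypting it, and the receiver pins the expected `alg`/`enc` before using any key, so a header claiming `none` or a symmetric algorithm is rejected rather than verified with the wrong key. Any change to the encrypted response, even a single character, fails the GCM tag check before the signature is ever looked at.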
Initial setup in Dashboard
Once you have received the needed access to the FTN service, you can add a production account, connect a domain to the account and add FTN to the Dashboard.
Create a production account
To create the production account from the Signicat Dashboard:
- Go to Signicat Dashboard > Organisation management.
- Click Add Account.
- Enter the name of your account under Account Name.
- Tick the Production account type.
- Click Create to create the new account.
Set up domain
When you have created a production account, you can add a domain to this account.
- In the Signicat Dashboard, navigate to Settings > Domain management. If you are a member of multiple accounts, make sure you are in the correct account by checking the account name in the top left of the screen.
- Select Add domain.
- To add a standard (Signicat) domain, enter the name of your subdomain in the Domain name field.
- Select Add domain to create the new domain.
For more setup options, see domains in the Dashboard setup section.
Add FTN to the Dashboard
- In the Signicat Dashboard, navigate to Products > eID Hub > eIDs.
- Select + Add new in the top right.
- Choose the eID from the list. Add any required configuration, then select Add.
- Verify that the eID appears in the eIDs list with status "Active".
Select a protocol
To establish a connection between Signicat's FTN implementation and your application, you need to use a standard authentication protocol.
Signicat supports the standard OpenID Connect (OIDC) and SAML 2.0 protocols. In addition, we offer our bespoke Signicat Authentication REST API.
The protocol you choose depends on your goals and preferences. The Authentication REST API offers flexibility and an easy setup. Otherwise, we recommend OIDC: SAML 2.0 is much more complex to implement and usually requires a federation agent, while OIDC is an industry standard that, unlike the Authentication REST API, gives you managed user sessions.
To learn more about these authentication protocols, see the Signicat eID Hub documentation.
Next steps
Continue the integration with your chosen authentication protocol: