Initial preparations

Prerequisites

Before you can start integrating with Signicat's implementation of FTN in production, be aware of the following prerequisites.

Access to FTN

Once you sign your contract with Signicat, you are automatically sent an invitation to the production account with FTN enabled. If you do not receive an invitation, then please contact us at onboarding@signicat.com.

Define the service provider name

By default, the organisation name specified in your contract is set as the service provider name, which is displayed for your end-users before and during an authentication.

Update the service provider name

If you wish to update the service provider name to something else, then you can use either of the alternative methods shown below. However, the updated name should not differ greatly from the official organisation name.

Naming requirements

When providing the service provider name, you must ensure that it meets the following requirements:

  • It cannot exceed the maximum length of 64 characters.
  • It cannot contain special characters such as < > = ; # ^ % |.

Our recommendation

We recommend that you use a short name so that you avoid a line break.

Alternative methods

It is also possible for you to specify the service provider name using either of the following methods:

Security requirements from Traficom

Traficom requires the following security measures for FTN authentication:

Message Level Encryption (MLE)

Due to requirements from Traficom, you must use Full Message-Level Encryption (MLE) for authentication with FTN.

There are two different ways to achieve this. The first is required and the second is only required in certain circumstances:

  1. Receiving encrypted responses from Signicat (required)
  2. Sending encrypted requests to Signicat (optional)

Important

If you are sending personally identifiable information (PII) as part of your request, you must also send encrypted requests.

For more details on how to set this up, see the general protocol descriptions:

Authentication request signing

Due to requirements from Traficom, you must sign the authentication requests when setting up FTN with the OIDC protocol.

For details on how to do this, see the Encryption/signing of the request object section.

PAR as an alternative

The Pushed Authorization Requests (PAR) extension is accepted as an alternative to signing the authentication request. For more details about PAR, see the Pushed Authorization Requests (PAR) section.

Initial setup in Dashboard

Once you have received the needed access to the FTN service, you can add a production account, connect a domain to the account and add FTN to the Dashboard.

Create a production account

To create the production account from the Signicat Dashboard:

  1. Go to Signicat Dashboard > Organisation management.
  2. Click Add Account.
  3. Enter the name of your account under Account Name.
  4. Tick the Production account type.
  5. Click Create to create the new account.

Set up domain

When you have created a production account, you can add a domain to this account.

  1. In the Signicat Dashboard, navigate to Settings > Domain management. If you are a member of multiple accounts, make sure you are in the correct account by checking the account name in the top left of the screen.
  2. Select Add domain.
  3. To add a standard (Signicat) domain, enter the name of your subdomain in the Domain name field.
  4. Select Add domain to create the new domain.

For more setup options, see domains in the Dashboard setup section.

Add FTN to the Dashboard

  1. In the Signicat Dashboard, navigate to Products > eID Hub > eIDs.
  2. Select + Add new in the top right.
  3. Choose the eID from the list. Add any required configuration, then select Add.
  4. Now, review that the eID is available and set to "Active" in the eIDs list.

Select a protocol

To establish a connection between Signicat's FTN implementation and your application, you need to use a standard authentication protocol.

Supported authentication protocols

Signicat supports the standard OpenID Connect (OIDC) and SAML 2.0 protocols. In addition, we offer our bespoke Signicat Authentication REST API.

The protocol you choose depends on your goals and preferences. The Authentication REST API provides flexibility and an easy setup. Otherwise, we recommend OIDC, since SAML 2.0 is much more complex to implement and usually requires a federation agent. OIDC is an industry standard with managed user sessions, unlike the Authentication REST API.

To learn more about these authentication protocols, see the Signicat eID Hub documentation.

Next steps

Continue the integration with your chosen authentication protocol: