Finnish Trust Network - eIDs - Criipto Verify Documentation

The New FTN Security Requirements

The Finnish government is introducing new requirements to increase the level of security and privacy of FTN authentication. The requirements are described in Recommendation 213/2023 S Finnish Trust Network OpenID Connect Profile and include:

  1. Private Key JWT client authentication
  2. Authentication request signing
  3. Encrypted token and userinfo responses
  4. Statically configured JWK sets for signing and encryption

Client applications must be able to fulfill the new requirements to continue offering FTN logins – regardless of the provider chosen for FTN integration.

As we're finalizing the technical changes on our side, you can start configuring your FTN integration to meet the new requirements. If you need any help or guidance, don't hesitate to reach out.

1. Private Key JWT client authentication

Your application must use private_key_jwt client authentication instead of client_secret to authenticate to Criipto.

Follow this guide to configure Private Key JWT authentication. Note that you must use Statically configured JWK sets.

The PKCE extension for securing authorization code flow is also highly recommended. You don't have to change your client authentication implementation if using PKCE. See OpenID Connect best security practices for more information.

2. Authentication request signing

Your application must sign authorize requests to Criipto and send them as Request Objects (also known as JWT-secured Authorization Requests or JARs).

The technical guide to configuring this change is coming soon.

3. Encrypted token and userinfo responses

Criipto will apply JSON Web Encryption (JWE) to secure token and userinfo responses we send to client applications. Your application must be able to receive these.

The technical guide to configuring this change is coming soon.
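
The receiving side of an encrypted response, as an added Node.js example that is not Criipto's own code. The page does not name the JWE algorithms, so RSA-OAEP-256 with A256GCM, the key ID and the sample payload are assumptions.

```javascript
// Added example, not Criipto's code. Assumed algorithms: RSA-OAEP-256 + A256GCM.
const crypto = require('node:crypto');

const ALLOWED = { alg: 'RSA-OAEP-256', enc: 'A256GCM' };
const b64u = (x) => Buffer.from(x).toString('base64url');
const oaep = (key) => ({ key, oaepHash: 'sha256', padding: crypto.constants.RSA_PKCS1_OAEP_PADDING });

// Stand-in for the provider, used only to construct a sample encrypted response.
function encryptCompact(plaintext, publicKey, kid) {
  const header = b64u(JSON.stringify({ ...ALLOWED, kid, cty: 'JWT' }));
  const cek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt(oaep(publicKey), cek);
  return [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Client side: open a compact JWE with the private half of the registered encryption key.
function decryptCompact(jwe, privateKey, expectedKid) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  // Pin alg, enc and kid to configuration; the header must not choose them.
  if (header.alg !== ALLOWED.alg || header.enc !== ALLOWED.enc) throw new Error('unexpected alg/enc');
  if (header.kid !== expectedKid) throw new Error('unexpected kid');
  const [ek, iv, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad IV or tag length');
  const cek = crypto.privateDecrypt(oaep(privateKey), ek);
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, iv);
  decipher.setAAD(Buffer.from(parts[0], 'ascii'));
  decipher.setAuthTag(tag);
  // final() throws when the tag does not match, so tampering never yields plaintext.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample: the inner value stands for the signed token (a nested JWT).
const encKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleJwe = encryptCompact('header.payload.signature', encKey.publicKey, 'ftn-enc-1');
console.log(decryptCompact(sampleJwe, encKey.privateKey, 'ftn-enc-1'));
```

Decryption only removes the outer layer: the decrypted value is still a signed JWT whose signature and claims must be validated before use.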

4. Statically configured JWK sets for signing and encryption

You can add your static JWKS (JSON Web Key Set) by going to your Criipto Application > OpenID Connect > Client JWKS. More information on this requirement is coming soon.
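
The signing side of requirements 1, 2 and 4, as an added Node.js example that is not Criipto's own code: one RSA key yields the static JWKS, the private_key_jwt client assertion and the signed Request Object. The tenant domain, client ID, key ID and the /oauth2/token audience are placeholder assumptions.

```javascript
// Added example, not Criipto's code. ISSUER, CLIENT_ID and KID are placeholders.
const crypto = require('node:crypto');

const ISSUER = 'https://example-tenant.criipto.id'; // placeholder tenant domain
const CLIENT_ID = 'urn:example:ftn-client';         // placeholder client ID
const KID = 'ftn-sig-1';                            // hypothetical key ID
const b64u = (x) => Buffer.from(x).toString('base64url');

// Public half only: this is the document to register as the static Client JWKS.
function publicJwks(publicKey) {
  const { kty, n, e } = publicKey.export({ format: 'jwk' });
  return { keys: [{ kty, n, e, kid: KID, use: 'sig', alg: 'RS256' }] };
}

function signJwt(claims, privateKey) {
  const header = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: KID }));
  const input = `${header}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Short-lived, single-use claims shared by both JWTs.
const fresh = (now) => ({ iat: now, exp: now + 60, jti: crypto.randomUUID() });

// private_key_jwt: sent as client_assertion on the token request.
// Assumption: the audience is the token endpoint under /oauth2/token.
function clientAssertion(privateKey, now = Math.floor(Date.now() / 1000)) {
  const aud = `${ISSUER}/oauth2/token`;
  return signJwt({ iss: CLIENT_ID, sub: CLIENT_ID, aud, ...fresh(now) }, privateKey);
}

// Request Object (JAR): the authorize parameters travel inside the signed JWT.
function requestObject(privateKey, params, now = Math.floor(Date.now() / 1000)) {
  const claims = { ...params, iss: CLIENT_ID, aud: ISSUER, client_id: CLIENT_ID };
  return signJwt({ ...claims, ...fresh(now) }, privateKey);
}

// Signature check only, using nothing but the registered JWKS.
function verifyWithJwks(jwt, jwks) {
  const [h, p, s] = jwt.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk || header.alg !== 'RS256') return null;
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}
const demoKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
console.log(verifyWithJwks(clientAssertion(demoKey.privateKey), publicJwks(demoKey.publicKey)));
```

The client assertion goes in the token request as `client_assertion`, with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the Request Object goes in the authorize request as the `request` parameter.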

JWT/Token examples

The level of assurance for all Finnish authenticators is: Substantial

BankID

{
  "identityscheme": "fitupas",
  "nameidentifier": "788eb5abb2f84c0994a4d359f416f7ca",
  "sub": "{788eb5ab-b2f8-4c09-94a4-d359f416f7ca}",
  "name": "_19cfbd642c4a82b08613b841caf0e153c5956c14",
  "country": "FI",
  "given_name": "Väinö",
  "family_name": "Tunnistus",
  "birthdate": "1970-07-07",
  "satu": "",
  "hetu": "070770-905D"
}

identityscheme: Overall eID used to authenticate
nameidentifier: Legacy format of 'sub'
sub: Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
name: Display name (when available for the user), or sub value received from FTN provider.
satu: Finnish Unique Identification Number
hetu: Finnish SSN

Mobiilivarmenne

Same as BankID, except the satu property will have a value as well.

Test users

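A fixed set of test users for the different banks is given below. Sometimes the test credentials are also shown on the bank's actual login page. The field labels are kept in Finnish, as they appear on the banks' login pages: Käyttäjätunnus and Tunnus (user ID), Salasana (password), Turvaluku (security code), Tunnusluku (PIN code), Vahvistustunnus (confirmation code), Avainluku (key code).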

Aktia

Käyttäjätunnus: 12345678
Salasana: 123456
Turvaluku: 1234
Turvaluku 2: 1234

Danske Bank

Must use your own customer credentials. No real cash is withdrawn from your bank account.

Handelsbanken

Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456

LähiTapiola

Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers

Nordea

Tunnus: 123456
Salasana: 1234
Vahvistustunnus: any four numbers

OP / Osuuspankki

Käyttäjätunnus: 123456
Salasana: 7890
Avainluku: any four numbers

POP Bank

Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456

S-Bank

Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers

Savings bank

Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456

Ålandsbanken

Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers

Oma Säästöpankki

Käyttäjätunnus: 11111111 / 22222222
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456

Ordering a production agreement

Prerequisites for getting access to the Finnish Trust Network

There are no formal prerequisites for accepting FTN logins in your application, but you must fill out the End Customer Agreement as described below.

The completed agreement will be reviewed by Telia Finland.

Access to the Finnish Trust Network, FTN, (BankID and the Mobile Certificate, Mobiilivarmenne) is provided by Telia Finland. In order to start using FTN you must accept the terms from Telia.

You need to download the End Customer Agreement (PDF), fill it out, and then return a signed copy to support@criipto.com.

When sending the signed copy, you must also provide your Criipto Production Domain as set up on your tenant at dashboard.criipto.com/domains.

Other relevant documents in this context are the service description and the general terms from Telia Finland.

Once you have sent the signed End Customer Agreement, we will enable production access for your tenant.