Learn more about Finnish Trust Network token contents, how to create test users and how to gain access to production.
The Finnish government is introducing new requirements to increase the level of security and privacy of FTN authentication. The requirements are described in Recommendation 213/2023 S Finnish Trust Network OpenID Connect Profile and include:
Client applications must be able to fulfill the new requirements to continue offering FTN logins – regardless of the provider chosen for FTN integration.
As we're finalizing the technical changes on our side, you can start configuring your FTN integration to meet the new requirements. If you need any help or guidance, don't hesitate to reach out.
1. Private Key JWT client authentication
Your application must use private_key_jwt client authentication instead of client_secret to authenticate to Criipto.
Follow this guide to configure Private Key JWT authentication. Note that you must use Statically configured JWK sets.
The PKCE extension for securing authorization code flow is also highly recommended. You don't have to change your client authentication implementation if using PKCE. See OpenID Connect best security practices for more information.
2. Authentication request signing
Your application must sign authorize requests to Criipto and send them as Request Objects (also known as JWT-secured Authorization Requests or JARs).
The technical guide to configuring this change is coming soon.
3. Encrypted token and userinfo responses
Criipto will apply JSON Web Encryption (JWE) to secure the token and userinfo responses we send to client applications. Your application must be able to receive these.
The technical guide to configuring this change is coming soon.
4. Statically configured JWK sets for signing and encryption
You can add your static JWKS (JSON Web Key Set) by going to your Criipto Application > OpenID Connect > Client JWKS. More information on this requirement is coming soon.
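The following is an added example, not code from Criipto or from the FTN profile, showing how requirements 1 and 4 fit together: a client signs a short-lived private_key_jwt assertion (RFC 7523) and the receiver verifies it against the public key from the statically registered JWKS. CLIENT_ID, TOKEN_ENDPOINT, the key ID and the choice of the token endpoint as the aud value are assumptions made for illustration.

```javascript
// Added example: private_key_jwt client assertion (RFC 7523) checked against a static JWKS.
// CLIENT_ID and TOKEN_ENDPOINT are constructed placeholders; the aud value is an assumption.
const crypto = require('node:crypto');

const CLIENT_ID = 'urn:example:ftn-client';
const TOKEN_ENDPOINT = 'https://tenant.example/oauth2/token';
const b64url = (input) => Buffer.from(input).toString('base64url');

// Generate the signing key pair; only the public half goes into the static JWKS.
function generateSigningKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' };
  return { privateKey, kid, jwks: { keys: [jwk] } };
}

// Build and sign the short-lived assertion that replaces client_secret.
function createClientAssertion({ privateKey, kid }, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT', kid };
  const claims = {
    iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_ENDPOINT,
    jti: crypto.randomUUID(), iat: now, exp: now + 60,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Form body for the token request: the assertion travels in place of a shared secret.
function tokenRequestBody(code, redirectUri, assertion) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, redirect_uri: redirectUri,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Receiver side: select the key by kid from the registered JWKS, then check signature and claims.
function verifyClientAssertion(jwt, jwks, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s] = jwt.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk || header.alg !== 'RS256') return false;
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) return false;
  const c = JSON.parse(Buffer.from(p, 'base64url'));
  return c.iss === CLIENT_ID && c.sub === CLIENT_ID && c.aud === TOKEN_ENDPOINT && c.exp > now;
}
```

The jwks object returned by generateSigningKey contains only public parameters and is what would be registered as the static JWKS; the private key stays with the client application.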
The level of assurance for all Finnish authenticators is: Substantial
Same as BankID, except the satu property will have a value as well.
A fixed list of test users for the different banks is given below. Sometimes the test credentials are also shown on the bank's actual login page.
Käyttäjätunnus: 12345678
Salasana: 123456
Turvaluku: 1234
Turvaluku 2: 1234
Must use your own customer credentials. No real cash is withdrawn from your bank account.
Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456
Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers
Tunnus: 123456
Salasana: 1234
Vahvistustunnus: any four numbers
Käyttäjätunnus: 123456
Salasana: 7890
Avainluku: any four numbers
POP Bank
Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456
Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers
Käyttäjätunnus: 11111111
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456
Käyttäjätunnus: 12345678
Salasana: any numbers
Tunnusluku: any four numbers
Tunnusluku 2: any four numbers
Käyttäjätunnus: 11111111 / 22222222
Salasana: 123456
Turvaluku: 123456
Turvaluku 2: 123456
Prerequisites for getting access to the Finnish Trust Network
There are no formal prerequisites to be allowed to accept FTN logins in your application. But as described below you must fill out the necessary End Customer Agreement.
The filled out agreement will be reviewed by Telia Finland.
Access to the Finnish Trust Network, FTN, (BankID and the Mobile Certificate, Mobiilivarmenne) is provided by Telia Finland. In order to start using FTN you must accept the terms from Telia.
You need to download the End Customer Agreement (PDF), fill it out, and then return a signed copy to support@criipto.com.
When sending the signed copy, you must also provide your Criipto Production Domain as set up on your tenant at dashboard.criipto.com/domains.
Other relevant documents in this context are the service description and the general terms from Telia Finland.
Once you have sent the signed End Customer Agreement, we will enable production access for your tenant.