Permalink: https://doc.oneportal.fi/x/CQDU

This document details the methodology of onePortal Trivore Identity Service (TIS) strong identification. As the concept of Strong Identification has no exact, uniform global definition, it is important to describe how onePortal TIS behaves. This document emphasises the API.

In general, Strong Identification can be conducted using several methods, with varying degrees of strength. The organisation utilising onePortal TIS decides the policies and requirements pertaining to Strong Identification and implements these methods accordingly. These organisational requirements are constructed according to the business needs of the organisation. As onePortal TIS is a multi-tenant platform, these requirements may vary between tenants.

The following table highlights the Strong Identification methods used by onePortal TIS. The Resource column contains the REST endpoint where data on Strong Identification is available. The Method / Source column details the Strong Identification methods supported by that endpoint. The Data column describes which kind of data is available from each Resource. Please note that the OpenAPI documentation contains updated and full information for developers.

| Resource | Method / Source | Data |
| --- | --- | --- |
| /user/{userId} | Supports multiple identification methods. This includes In Person, governmental identification methods, Management API. | Data segment in JSON containing information on the latest executed Strong Identification plus a few extra attributes, such as when the first Strong Identification was executed and how many Strong Identification history entries there are. |
| /user/{userId}/strongidentification | Supports multiple identification methods. This includes In Person, governmental identification methods, Management API. | Independent endpoint with the full set of data available for Strong Identification. This endpoint always returns the latest strong identification for the user as JSON. |
| /user/{userId}/strongidentification/history | Supports multiple identification methods. This includes In Person, governmental identification methods, Management API. | Strong Identification history endpoint, where all of the user's strong identifications can be retrieved as JSON. |
| /user/{userId}/strongidentification/history/{id} | Supports multiple identification methods. This includes In Person, governmental identification methods, Management API. | Strong Identification history endpoint, where a single strong identification for the given user can be retrieved as JSON. |
| /user/{userId}/legal | Supports only governmental identification methods. | Contains only the Personal Identity Code attribute and value in JSON, no other related metadata. |

...

LoA is a broad concept not described here in detail. It basically describes the trustworthiness of executed Strong Identification, or any identification for that matter. Normal identification is considered to be LoA 1, and a strong one at least LoA 2. LoA is also applicable for authorisation, a.k.a. sign-in.

Identification methods

In Person (directly on the Web UI)

In-Person identification is an external, strong method of identification. Typically, an approved external source such as customer care performs the identification. Identification is executed based on physical documentation (passport, identity card, driver's license, etc.) and the information is forwarded by customer service to the API.

Available LoA is 2.

...

Governmental Identification Methods

Official government-supported identification methods (in Finland the "suomi.fi-tunnistus" service) are a stronger method of identification. Depending on the legal and procedural requirements of the organization's governmental resources, this utilizes an external digital identification interface.

| Country | Region | Method | Remarks |
| --- | --- | --- | --- |
| Finland | | suomi.fi-tunnistus | The most authoritative method available in Finland. Available LoAs are 2 and 3. LoA 2 is the default and LoA 3 is a special use case only. |
| Finland | | suomi-fi-valtuudet | Subordinate method to suomi.fi-tunnistus, and thus equally reliable. It always requires suomi.fi-tunnistus. Considered to be a separate method because it is technically different and the use cases are different. |
| | EU | eIDAS | Currently considered to be the same as suomi.fi-tunnistus, as it uses the same workflows and APIs. |

Management API (either automated or separate Web UI)

onePortal TIS Management API methods involve direct HTTP requests to provide identification data according to onePortal TIS documentation.

It is possible to use a Web UI similar to the one available in onePortal TIS directly. That Web UI shall be identified as Management API as the identification method.

...