Permalink: https://doc.oneportal.fi/x/CQDU
This document describes how onePortal performs Strong Identification. Because the concept of Strong Identification has no exact, uniform global definition, it is important to describe how onePortal behaves. This document focuses on the API.
In general, Strong Identification can be conducted using several methods of varying strength. The organisation using onePortal decides its policies and requirements for Strong Identification and implements these methods accordingly. These organisational requirements are derived from the business needs of the organisation. As onePortal is a multi-tenant platform, these requirements may vary between tenants.
The following table highlights the Strong Identification methods used by onePortal. The Resource column contains the REST endpoint where data on Strong Identification is available. The Method / Source column details the Strong Identification methods supported by that endpoint. The Data column describes what kind of data is available from each Resource. Please note that the OpenAPI documentation contains the complete and up-to-date information for developers.
Resource | Method / Source | Data |
---|---|---|
/user/{userId}/strongidentification | Supports multiple identification methods. This includes In Person, governmental identification methods, and the Management API. | Independent endpoint with the full set of data available for Strong Identification. |
/user/{userId} | Supports multiple identification methods. This includes In Person, governmental identification methods, and the Management API. | Data segment in JSON containing information on the latest executed Strong Identification, plus a few extra attributes such as when the first Strong Identification was executed and how many times Strong Identification has been done. |
/user/{userId}/legal | Supports only governmental identification methods. | Contains only the Personal Identity Code attribute and value in JSON, no other related metadata. |
LoA, Level of Assurance
LoA is a broad concept that is not described here in detail. In essence, it describes the trustworthiness of an executed Strong Identification, or of any identification for that matter. Normal identification is considered to be LoA 1, and a strong one at least LoA 2. LoA is also applicable for authorisation, a.k.a. sign-in.
Identification methods
In Person (directly on onePortal WebUI)
In-Person identification is an external, strong method of identification. Typically an approved external source, such as customer care, performs the identification. Identification is executed based on physical documentation (passport, identity card, driver's license, etc.), and the information is entered and forwarded by customer service to the API.
Available LoA is 2.
Governmental Identification Methods
Official government-supported identification methods (in Finland, the "suomi.fi-tunnistus" service) are a stronger method of identification. Depending on the legal and procedural requirements of the organization's governmental resources, this uses an external digital identification interface.
Country | Method | Remarks |
---|---|---|
Finland | suomi.fi-tunnistus | The most authoritative method available in Finland. Available LoAs are 2 and 3. LoA 2 is the default and LoA 3 is a special use case only. |
Finland | suomi-fi-valtuudet | Subordinate method to suomi.fi-tunnistus, and thus equally reliable. It always requires suomi.fi-tunnistus. Considered to be a separate method because it is technically different and the use cases are different. |
EU | eIDAS | Currently considered to be the same as suomi.fi-tunnistus, as it uses the same workflows and APIs. |
Management API (either automated or separate WebUI)
onePortal Management API methods involve direct HTTP calls that provide identification data according to the onePortal documentation.
It is possible to use a WebUI similar to the one available in onePortal directly. That WebUI shall be identified with Management API as the identification method.
Available LoAs are 1 and 2. By default these identifications are considered to be LoA 1.
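The following is an added example, not onePortal code: a fail-closed check a tenant integration could run on an identification record before treating a user as strongly identified, using the methods and LoA values listed above. The field names `method` and `loa`, the method identifier strings, and the sample records are assumptions made for illustration; the real schema is in the OpenAPI documentation.

```python
from typing import Optional

# Hypothetical field names ("method", "loa") and method identifiers; the real
# schema is in the onePortal OpenAPI documentation.
# Available LoAs per method, as listed on this page.
AVAILABLE_LOA = {
    "in_person": {2},
    "suomi.fi-tunnistus": {2, 3},
    "eidas": {2, 3},  # page treats eIDAS the same as suomi.fi-tunnistus
    "management_api": {1, 2},
}
# LoA assumed when a record carries none (in_person has only one level).
DEFAULT_LOA = {"in_person": 2, "suomi.fi-tunnistus": 2, "eidas": 2,
               "management_api": 1}


def effective_loa(record: dict) -> int:
    """Return the LoA to trust for a record; raise ValueError otherwise."""
    method = record.get("method")
    if not isinstance(method, str) or method not in AVAILABLE_LOA:
        raise ValueError(f"unknown identification method: {method!r}")
    loa = record.get("loa", DEFAULT_LOA[method])
    # Reject bools/strings, and levels this method cannot produce.
    if type(loa) is not int or loa not in AVAILABLE_LOA[method]:
        raise ValueError(f"LoA {loa!r} is not available for {method}")
    return loa


def is_strong(record: Optional[dict], required_loa: int = 2) -> bool:
    """Fail closed: True only for a valid record meeting the tenant minimum."""
    if not isinstance(record, dict):
        return False
    try:
        return effective_loa(record) >= required_loa
    except ValueError:
        return False


# Constructed sample records, not real API output.
SAMPLES = [
    {"method": "suomi.fi-tunnistus", "loa": 3},
    {"method": "management_api"},           # no LoA given: defaults to 1
    {"method": "management_api", "loa": 2},
    {"method": "in_person", "loa": 3},      # level not available: rejected
    {"method": "sms_otp", "loa": 2},        # unknown method: rejected
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", is_strong(rec))
```

A Management API record without an explicit LoA evaluates to LoA 1 here and therefore does not satisfy a tenant minimum of LoA 2.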