Tupas Endpoint
/uas/tupas
...
Application
- Create new agent application of type "TUPAS IDP" for each connected service
- Write a name for the agentapplication
Choose agent application type "TUPAS IDP"
Expand title Show image
- When the agent application is created, click "Activate" to activate the agentapplication
- SSO creates a client_id and secret for the service (as in OAuth2). You will be prompted too to save a JSON file containing the client_id and secret. The client_id and secret should be communicated securely to the connecting service in a secure and encrypted manner. The secret is stored in an encrypted format and cannot be retrieved after this activation step.
- The JSON file contains application metadata containing the value for the TUPAS idp grant_type ("http://globalsign.com/iam/sso/oauth2/grant-type/tupas"), client_id and secret. Remove the client_id and secret from the metadata and add the return URLs t
Grant_type http://globalsign.com/iam/sso/oauth2/grant-type/tupas
is mandatory for the agent application to work.Example Metadata generated:
Code Block language text theme RDark {"grant_types":["http://globalsign.com/iam/sso/oauth2/grant-type/tupas"],"client_id":"f9f80086-a307-4f28-8b23-ae6c2acf5537","client_secret":"5vBaXCN0QgS4KCo7hPXjzw-fZFl6R6wU"}
Sample generated metadata when activating the agentapplication:
Expand title Show image
- The client_id and secret are needed for the service using this TUPAS identity provider.
- TUPAS authentication request field A01Y_RCVID must contain the client_id
- Service needs to use the "secret" as the authentication key to calculate the MAC code.
- Secret is used by both SSO and the calling application to create the MAC (A01Y_MAC,B02K_MAC) for the request and response, and to verify the integrity of the response as described in the documents/links mentioned above.
Fill the agent application metadata by clicking "Upload". You can upload metadata from a file or paste metadata into the text field. The format is similar to an OAuth2 agentapplication. An example metadata format looks like this:
Code Block language text theme RDark {"grant_types":["http://globalsign.com/iam/sso/oauth2/grant-type/tupas"],"redirect_uris":["https://customer.com/app1/tupas/return","https://customer.com/app1/tupas/cancel","https://customer.com/app1/tupas/reject"]}
- Notice that redirect_uris must contain the authentication request field A01Y_RETLINK, A01Y_CANLINK and A01Y_REJLINK values. In other words, each of the URLs where the system will forward a succesful request, a canceled event and a rejected event.
- Do not paste the client_id or secret into this this field.
You can use client_name and agent_logo fields to set the application name and logo shown in the SSO login screen.
Expand title Show image
Authentication Methods
Next step is to choose the authentication method for the agentapplication. Below we choose to use ubilogin password method for authentication.
Authorization Policy
...
- Authorization policy name B02K_CUSTNAME should contain customer's name
- Authorization policy name B02K_CUSTID should contain customer's person id (henkilötunnus)
- Map the authorization policy to the agentapplication
- If these are not set. SSO TUPAS IDP will response with code 00 (no requested information was found)
Redirect URI Validation Policy
...
If the TUPAS client connection requires a dynamically generated return URL, the permitted format of this URL can be specified in the field "Redirect URI validation policy". If this field is blank, an exact match is required. Leave this field blank unless required.
See page page Manage Applications of SSO Management documentation for more information on "Redirect URI validation policy".
...
- Request:
- TUPAS endpoint is UAS_URL + tupas, e,g, login.example.com/uas/tupas
- A01Y_ALG must be "03", SHA-256
- A01Y_IDTYPE must be "12" – Ubisecure SSO supports plain text personal identity code
- Response:
- Bank number parameter as part of TUPAS response field B02K_TIMESTMP is always "999".
- A01Y_KEYVERS is always "002"
- B02K_ALG is always "03"
- B02K_KEYVERS is always "0001"
- B02K_CUSTTYPE is:
- 01 if OK
- 00 if no requested information on the customer was found – SSO will send users ldap-name (B02K_CUSTNAME) and no user person id (B02K_CUSTID)
- If you receive this error, you should first check the authorization policies are configured as described above
- B02K_USERID and B02K_USERNAME are empty as SSO does not handle corporate customers
Example TUPAS IDP
...
Application Metadata:
From the example below you can see the redirect_uris that contain the URLs that are allowed for the TUPAS requests for this agent. Metadata example contains also the human readable agent name and logo url – those are available to be configured as for OAuth2 agents applications (Please check Ubisecure SSO OAuth 2.0 Configuration Guide) but are not mandatory.
...
Example one sets only the valid return URLs.
Code Block | ||||
---|---|---|---|---|
| ||||
{"redirect_uris":["https://example.com/return","https://example.com/return/","https://example.com/cancel"],"grant_types":["http://globalsign.com/iam/sso/oauth2/grant-type/tupas"]} |
...
This example sets the name of the service and has a service logo localized in both English and Finnish.
Code Block | ||||
---|---|---|---|---|
| ||||
{"redirect_uris":["https://example.com/return","https://example.com/return/","https://example.com/cancel"],"client_name":"Bank of Finland", "client_name#fi":"Suomen pankki", "logo_uri":"https://server.fi/ logo.png","logo_uri#fi":"https://server.fi/logo_FI.png","grant_types" :["http://globalsign.com/iam/sso/oauth2/grant-type/tupas"]} |
...
Steps for key rollover:
- Create a new agent application that matches the configuration of the existing agentapplication
- Send the new agentapplication's client_id and secret to the connected service administrator
- Once the new agent application configuration is used, disable the old agentapplication