Configuration of TUPAS authentication method - SSO
methods-tupas.ldif configuration file
TIP: From Ubisecure SSO Server version 6.0.1 on, this file is created automatically in the directory c:\Ubisecure\ldap (Windows environment) or /usr/local/ubisecure/ldap (Linux environment) when Ubisecure SSO Server is installed as instructed in the SSO Installation Guide. In that case the dn value is configured automatically during installation to match the current settings. If you create the file manually by using the configuration listing below, you need to replace the LDAP dn values with the correct settings. By default this is set to dc=localhost in the listing below; if your Ubisecure SSO Server's address is uas.example.com, replace this with dc=uas,dc=example,dc=com.
# Note! This file is utf-8 encoded

# Tupas 2, Nordea
dn: cn=tupas.nordea.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.nordea.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 LEHTI
ubiloginConfString: rcvid 87654321
ubiloginConfString: url https://solo3.nordea.fi/cgi-bin/SOLO3011
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: Nordea

# Tupas 2, OKO
dn: cn=tupas.op.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.op.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 Esittelykauppiaansalainentunnus
ubiloginConfString: rcvid Esittelymyyja
ubiloginConfString: url https://kultaraha.op.fi/cgi-bin/krcgi
ubiloginConfString: vers 0003
ubiloginEnabled: FALSE
ubiloginTitle: OP

# Tupas 2, Aktia
dn: cn=tupas.aktia.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.aktia.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 03
ubiloginConfString: idtype 03
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 1234567890123456789012345678901234567890123456789012345678901234
ubiloginConfString: rcvid 4444444444444
ubiloginConfString: url https://auth.aktia.fi/tupastest
ubiloginConfString: vers 0003
ubiloginEnabled: FALSE
ubiloginTitle: Aktia

# Tupas 2, Danske
dn: cn=tupas.danske.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.danske.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 testi
ubiloginConfString: rcvid 000000000000
ubiloginConfString: url https://verkkopankki.danskebank.fi/SP/tupaha/TupahaApp
ubiloginConfString: vers 0003
ubiloginEnabled: FALSE
ubiloginTitle: Danske

# Tupas 2, POP
dn: cn=tupas.pop.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.pop.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 03
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 11111111111111111111
ubiloginConfString: rcvid 1111111111111
ubiloginConfString: url https://tupas.pop.samlink.fi
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: POP

# Tupas 2, SP
dn: cn=sp.pop.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: sp.pop.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 03
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 11111111111111111111
ubiloginConfString: rcvid 1111111111111
ubiloginConfString: url https://tupas.sp.samlink.fi
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: SP

# Tupas 2, Ålandsbanken
dn: cn=tupas.alandsbanken.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.alandsbanken.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 PAPAGAJA
ubiloginConfString: rcvid AABTUPASID
ubiloginConfString: url https://online.alandsbanken.fi/aab/ebank/auth/initLogin.do
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: Alandsbanken

# Tupas 2, Tapiola
dn: cn=tupas.tapiola.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.tapiola.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 03
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 PAPAKAIJU
ubiloginConfString: rcvid TAPTUPASID
ubiloginConfString: url https://pankki.tapiola.fi/service/identify
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: Tapiola

# Tupas 2, Handelsbanken
dn: cn=tupas.handelsbanken.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.handelsbanken.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 11111111111111111111
ubiloginConfString: rcvid 1111111111111
ubiloginConfString: url https://tunnistepalvelu.samlink.fi/TupasTunnistus/SHBtupas.html
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: Handelsbanken

# Tupas 2, S-Pankki
dn: cn=tupas.spankki.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.spankki.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 SPANKKI
ubiloginConfString: rcvid SPANKKITUPAS
ubiloginConfString: url https://online.s-pankki.fi/ebank/auth/initLogin.do
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: S-Pankki

# Tupas 2, Elisa
dn: cn=tupas.elisa.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.elisa.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 03
ubiloginConfString: idtype 12
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 eZXBX9asky5rhSaN9n8Xx79RvVHTMBur
ubiloginConfString: rcvid Elisa testi
ubiloginConfString: url https://mtupaspreprod.elisa.fi/tunnistus/signature.cmd
ubiloginConfString: vers 0001
ubiloginEnabled: FALSE
ubiloginTitle: Elisa

# Tupas 2, Test
# For use with Ubilogin TUPAS Emulator
dn: cn=tupas.test.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.test.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: Tupas 2
ubiloginClassname: com.ubisecure.auth.login.Tupas2LoginModule
ubiloginConfString: alg 01
ubiloginConfString: idtype 02
ubiloginConfString: keyvers 0001
ubiloginConfString: langcode FI
ubiloginConfString: macKey1 LEHTI
ubiloginConfString: rcvid 87654321
ubiloginConfString: url http://localhost:8080/tupasemulator/
ubiloginConfString: vers 0002
ubiloginEnabled: FALSE
ubiloginTitle: Tupas Test
Public Test Servers Using custtypes Value 08
At the time of writing, S-Pankki uses custtypes value 08 to indicate that the customer personal number (henkilötunnus) is for testing purposes only. The S-Pankki test service operates differently from the production service. Ubisecure SSO Server versions 5.0.7 and earlier do not support custtypes value 08 and as a result cannot use the S-Pankki test service.
Ubisecure SSO Server version 5.1 and above support the use of S-Pankki test service.
The issue has been communicated to S-Pankki.
custtypes Value 08 Functionality Change From TUPAS 2.2 On
Ubisecure SSO Server version 5.1 and above support TUPAS 2.2 configurations.
TUPAS 2.2 support enables receiving both a business ID (y-tunnus) and a personal number (henkilötunnus). This functionality can be enabled by using custtypes value 08 to indicate that both business ID and personal number will be sent, and by adding the line tupasversion=2.2 to the configuration string of the TUPAS method (this indicates that the supported TUPAS version is 2.2 or greater, and can thus be used in Ubisecure SSO Servers supporting newer TUPAS versions as well). However, this feature is not currently supported by all banks.
Please contact Ubisecure Support for the latest information regarding bank compatibility and configuration for receiving both a business ID and personal number using TUPAS.
TUPAS 2.3 Support and SHA-256 Algorithm
Ubisecure SSO Server version 6.1.1 and above support TUPAS 2.3 configurations.
TUPAS 2.3 support enables the use of the SHA-256 algorithm for MAC calculation, which generates a 64-character MAC and provides better security. The weaker MD5 and SHA-1 algorithms are no longer supported. In Ubisecure Management, this algorithm is configured with the alg field of the TUPAS 2 Configuration settings view (value 03 selects the SHA-256 algorithm).
The transition period for this change is from 1st of April 2011 to 31st of December 2011.
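The following Python check is an added example, not part of Ubisecure's documentation or product. It parses a file in the layout of methods-tupas.ldif and reports enabled methods whose alg is not 03 (SHA-256), whose url is not HTTPS, or whose dn still ends in the default dc=localhost. The sample entries, the function names and the HTTPS check are assumptions of this example.

```python
import re

# Constructed sample in the layout of methods-tupas.ldif; names and values are placeholders.
SAMPLE_LDIF = """\
dn: cn=tupas.a.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: tupas.a.1
ubiloginConfString: alg 01
ubiloginConfString: url http://localhost:8080/tupasemulator/
ubiloginEnabled: TRUE

dn: cn=tupas.b.1,cn=Server,ou=System,cn=Ubilogin,dc=uas,dc=example,dc=com
changetype: add
cn: tupas.b.1
ubiloginConfString: alg 03
ubiloginConfString: url https://bank.example/tupas
ubiloginEnabled: TRUE
"""

def parse_entries(ldif_text):
    """Split LDIF on blank lines; gather 'ubiloginConfString: key value' pairs per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        entry = {"conf": {}}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comment or line without an attribute separator
            attr, _, value = (part.strip() for part in line.partition(":"))
            if attr == "ubiloginConfString":
                key, _, val = value.partition(" ")
                entry["conf"][key] = val.strip()
            else:
                entry[attr] = value
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(ldif_text):
    """Return (cn, finding) tuples; disabled methods are skipped."""
    findings = []
    for e in parse_entries(ldif_text):
        if e.get("ubiloginEnabled", "").upper() != "TRUE":
            continue
        if e["conf"].get("alg") != "03":
            findings.append((e.get("cn"), "alg is not 03 (SHA-256)"))
        if not e["conf"].get("url", "").startswith("https://"):
            findings.append((e.get("cn"), "url is not https"))
        if e["dn"].lower().endswith("dc=localhost"):
            findings.append((e.get("cn"), "dn still uses default dc=localhost"))
    return findings
```

Call audit() on the text of the file before importing it; an empty list means none of the three checks fired for any enabled method.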