TUPAS authentication method attributes - SSO

Owned by ubisebastian
2021-01-19
2 min read

TUPAS method attributes are accessible when a user has successfully been identified at a bank's TUPAS authentication service. The TUPAS Response will be translated to the attributes listed in the table below, which can be referred to in Method Attribute Mapping tables or Authorization Policy attribute definitions. For more details about Method Attribute Mappings and Authorization Policy, refer to page Manage authorization policies - SSO.

NOTE: The authentication method attributes have a slightly different key name in Ubisecure SSO Server from the name used in TUPAS certificate. When used in Ubisecure SSO Server (as a method: prefix in method attribution mapping or authorization policy), remove the B02K_ part from all listed data names.

The following table describes the contents of the TUPAS certificate:

Field

Name of data

Length

Obligatory
X = required always; R = required at request only.

Comment

1. Version

B02K_VERS

4

X

Version number of the certificate, bank specific. E.g., "0002".

2. Certificate Information

B02K_TIMESTAMP

23

X

Timestamp formed by the bank's system, in which NNN is the bank's number. Form is NNNyyyymmddhhmmssxxxxxx
Bank numbers: Bank of Åland = 600, Handelsbanken = 310, Nordea Bank Finland = 200, OP Bank Group = 500, S-Bank = 390, Danske Bank = 800, Savings banks (Säästöpankit) and local co-op banks = 400, Tapiola Bank = 360.

3. Certificate Number

B02K_IDNBR

10

X

Identifier the bank has assigned to the certificate.

4. Request Identifier

B02K_STAMP

20

X

The identification request's identifier, which is picked from the request's data field 7 (A01Y_STAMP).

5. Customer

B02K_CUSTNAME

-40

X

Name of the identified person or company from the bank's database.

6. Key Version

B02K_KEYVERS

4

X

The version information of the MAC authentication key.

7. Algorithm

B02K_ALG

2

X

Code of the MAC algorithm. 01 = MD5, 02 = SHA-1, 03 = SHA-256.

8. Identifier

B02K_CUSTID

-64

X

The customer's identifier, which can be either an encrypted identifier or a plaintext customer code, depending on the contents of the A01Y_IDTYPE field in the identification request.

9. Identifier Type

B02K_CUSTTYPE

2

X

Identifier type.
In Ubisecure SSO Server, if this has value 02, then id.type will be set to literal value "hetu", and id.ref will be set to have value <authentication_method_name>+<CUSTID>.
In Ubisecure SSO Server, if this has value 03, then id.type will be set to literal value "yrtunnus", and id.ref will be set to have value <authentication_method_name>+<CUSTID>.
For full details, please refer to Appendix 2 in FFI's TUPAS Identification Service for Service Providers.

10. User ID

B02K_USERID

-64

R

Corporate customer's personal identity code or encrypted identifier.
In Ubisecure SSO Server, the corresponding USERID key is used only when TUPAS 2.2 is in use, it is omitted when TUPAS 2.3 is in use.

11. User Name

B02K_USERNAME

-40

R

Corporate customer's name.
In Ubisecure SSO Server, the corresponding USERNAME key is used only when TUPAS 2.2 is in use, it is omitted when TUPAS 2.3 is in use.

12. Control Field

B02K_MAC

32-64

X

The Tupas certificate's MAC (Message Authentication Code).

TUPAS Certificate Contents

Ubisecure Privacy Policy & Cookie Statement