TUPAS authentication method attributes

TUPAS method attributes are accessible when a user has successfully been identified at a bank's TUPAS authentication service. The TUPAS Response will be translated to the attributes listed in the table below, which can be referred to in Method Attribute Mapping tables or Authorization Policy attribute definitions. For more details about Method Attribute Mappings and Authorization Policy, refer to page Manage authorization policies.

NOTE: The authentication method attributes have a slightly different key name in Ubisecure SSO Server from the name used in TUPAS certificate. When used in Ubisecure SSO Server (as a method: prefix in method attribution mapping or authorization policy), remove the B02K_ part from all listed data names.

The following table describes the contents of the TUPAS certificate:

Field	Name of data	Length	Obligatory X = required always; R = required at request only.	Comment
1. Version	B02K_VERS	4	X	Version number of the certificate, bank specific. E.g., "0002".
2. Certificate Information	B02K_TIMESTAMP	23	X	Timestamp formed by the bank's system, in which NNN is the bank's number. Form is NNNyyyymmddhhmmssxxxxxx Bank numbers: Bank of Åland = 600, Handelsbanken = 310, Nordea Bank Finland = 200, OP Bank Group = 500, S-Bank = 390, Danske Bank = 800, Savings banks (Säästöpankit) and local co-op banks = 400, Tapiola Bank = 360.
3. Certificate Number	B02K_IDNBR	10	X	Identifier the bank has assigned to the certificate.
4. Request Identifier	B02K_STAMP	20	X	The identification request's identifier, which is picked from the request's data field 7 (A01Y_STAMP).
5. Customer	B02K_CUSTNAME	-40	X	Name of the identified person or company from the bank's database.
6. Key Version	B02K_KEYVERS	4	X	The version information of the MAC authentication key.
7. Algorithm	B02K_ALG	2	X	Code of the MAC algorithm. 01 = MD5, 02 = SHA-1, 03 = SHA-256.
8. Identifier	B02K_CUSTID	-64	X	The customer's identifier, which can be either an encrypted identifier or a plaintext customer code, depending on the contents of the A01Y_IDTYPE field in the identification request.
9. Identifier Type	B02K_CUSTTYPE	2	X	Identifier type. In Ubisecure SSO Server, if this has value 02, then id.type will be set to literal value "hetu", and id.ref will be set to have value <authentication_method_name>+<CUSTID>. In Ubisecure SSO Server, if this has value 03, then id.type will be set to literal value "yrtunnus", and id.ref will be set to have value <authentication_method_name>+<CUSTID>. For full details, please refer to Appendix 2 in FFI's TUPAS Identification Service for Service Providers.
10. User ID	B02K_USERID	-64	R	Corporate customer's personal identity code or encrypted identifier. In Ubisecure SSO Server, the corresponding USERID key is used only when TUPAS 2.2 is in use, it is omitted when TUPAS 2.3 is in use.
11. User Name	B02K_USERNAME	-40	R	Corporate customer's name. In Ubisecure SSO Server, the corresponding USERNAME key is used only when TUPAS 2.2 is in use, it is omitted when TUPAS 2.3 is in use.
12. Control Field	B02K_MAC	32-64	X	The Tupas certificate's MAC (Message Authentication Code).

TUPAS Certificate Contents