Configure Telia Finnish Trust Network (OpenID Connect) authentication method
When you need to integrate your application to Finnish Trust Network using Telia Tunnistus (Telia Identification Broker Service), from your identity platform perspective, Telia Tunnistus is an OpenID Connect method. Follow the step by step guide below.
Step by Step
Create OpenID Connect Method
Create an OpenID Connect method. You can do it through SSO Management UI from version 8.8.0. For older versions, you must use SSO API to create the method.
On SSO Management UI, go to Global Method Settings tab and Click New Method
Name it oidc.ftn.1 or something similar. Select "OpenID Connect" as Method Type.
Press OK buton (at the bottom) and the method will be created.
Once the method is created, go to OpenID Connect tab.
Under "Authentication Provider" you will see "Provider Metadata:" and an "Upload" button, which will allow you to upload Telia Tunnistus metadata. Click the button and upload the JSON file corresponding to https://tunnistus.telia.fi/uas/oauth2/metadata.json (Obs: https://tunnistus-pp.telia.fi/uas/oauth2/metadata.json for Telia Tunnistus' pre-production environment)
Press OK and you will see that the "Authentication Provider" metadata is now filled in.
Just below you will see "Provider JWKS:" and another "Upload" button, which will allow you to upload Telia Tunnistus JWKS. Make sure you have saved the file as JSON extension, not JWKS. Click the button and upload the JSON file corresponding to https://tunnistus.telia.fi/uas/oauth2/metadata.jwks (Obs: https://tunnistus-pp.telia.fi/uas/oauth2/metadata.jwks for Telia Tunnistus' pre-production environment)
Press OK and now you will see the JWKS field is filled in.
Now, press "Update" at the bottom.
Registration
On the method, go to OpenID Connect tab.
Press Create to create Registration Request. This will generate a JSON file.
Save the file to your workstation.
Send the Registration Request (the JSON file you just saved, e.g. oidc.ftn.1.json) to Telia Tunnistus' operations team.
Once you receive a response from Telia Tunnistus team, come back to OpenID Connect tab and upload the JSON file to the "registration response" field.
Press OK and you will see that the Client Identifier and Client Metadata fields are filled in.
Press Update
Go to "Main" tab, and check Enabled
Press Update
Now the integration is ready.
In some rare cases you will need to edit the registration response.
If you need to do that, copy the contents from "An example client metadata with Ubisecure extensions" on the OpenID Connect authentication method - SSO page and paste it to a text editor.
Edit it according your needs and save it as JSON.
Once edited manually, you must upload the file on the "Client Metadata" field.