Minimizing the time and cost required for the TUPAS transition of strong identification services
The vast majority of Finnish eServices that use strong electronic identification are based on the old TUPAS protocol. The European Union eIDAS regulation and national legislation (FICORA Regulation 72) require strong electronic identification to comply with stricter information security requirements in the future. A transition period has been set for the TUPAS protocol, and it ends on 30th September 2019. After that date, TUPAS-based bank or mobile certificate identification may no longer be used as a strong identification method for a person.
The OpenID Connect (OIDC) and SAML protocols, both based on international standards, have been accepted as fulfilling the new requirements. In practice, all eServices that use strong identification must switch to these new protocols by 1st of November 2019 in their communication with identification services or identification broker services.
All providers of strong electronic identification are part of the Finnish Trust Network (FTN). eServices that use identification buy identification services from the Trust Network, typically through an identification broker service, where all the different identification methods are available under a single contract. However, using an identification broker service does not by itself solve the problem caused by the discontinuation of the TUPAS protocol, because communication with identification broker services must also use the newly accepted protocols.
There are thousands of services based on strong electronic identification in Finland. In all of them, the existing TUPAS protocol implementation must be replaced by OIDC or SAML connections. This covers a huge number of old applications, developed in many different environments using a wide range of languages and tools, and many of them are very difficult and expensive to modify. The remaining transition time is also very short, especially considering that a large fraction of service providers have not yet prepared for the change at all!
The emerging chaos can be completely prevented with a software solution installed at the service provider's end.