Configuring Signicat for SSN Authentication

Before enabling SSN authentication with Signicat in Secure Mail, you must first configure Signicat as a third-party provider. This guide outlines the necessary steps.

Configuring the OIDC client

Navigate to your Signicat account and create a new OIDC client. The following values are required as part of the OIDC client configuration:

  • Primary Grant Type: Set to AuthorizationCode.

  • Client Name: Choose any descriptive name.

  • Redirect URI: Enter the following URL, replacing <customer-domain> with your actual domain: https://<customer-domain>/identity-service/api/v1/oidc/callback.

  • Scope: Add the following scopes: openid, nin, email, and profile.

  • Secret (or Client Secret): Create a secret. Store it securely, as you would any credential; Secure Mail requires it during its configuration process.

  • Configure Advanced settings:

    1. Security settings:

      • Id Token User data: Set to All.
      • User Info Response Type: Set to SignedAndEncrypted.
      • Content encryption algorithm: Select A128CBC-HS256 or a stronger algorithm.
      • Select Requires Secret and Encrypt ID Tokens.
      • Do not select the following options:
        • Requires Request Object
        • Allows Access Tokens Via Browser
        • Requires Consent
        • Requires PKCE
        • Use Reference Access Tokens
    2. Lifetimes: You can adjust the User SSO lifetime (in seconds), which determines how long users remain authenticated before they must authenticate with their SSN again.

      • Do not select the following options:
        • Allow offline access
        • Allow refresh token reuse
        • Sliding refresh token expiry
    3. Public Keys: Generate a key pair for encryption, with Usage set to Encryption. Save the private key securely in JSON format; you will provide it when configuring SSN authentication in the Admin Center. Give the key pair a validity period that is long enough for your needs: the default validity that Signicat assigns may be shorter. Once the key expires, you must generate a new key pair and update the key under Auth Provider Configs in the Admin Center.

      💡 Marking a reminder in your calendar for the expiration date is recommended.

  • Under the URIs section:

    • Do not select the following options:
      • Required Front Channel Logout Session
      • Automatic Redirect to Logout Url
  • Under the Access section:

    • Do not select Force use ACR values.

Auto-generated values by Signicat:

  • Client ID: Auto-generated by Signicat. It must be provided when enabling SSN authentication in the product.
  • Issuer URL: Auto-generated by Signicat. It must be provided when enabling SSN authentication in the product. It can be found under the Overview section, labelled "Issuer URL for client".
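
The values above are easy to get subtly wrong (an unreplaced <customer-domain> placeholder, a missing scope, the public half of the key pair exported instead of the private one). The following pre-flight checker is an added example, not Secure Mail or Signicat code: it validates the collected values offline and builds the authorization-code request that results from this configuration. The sample JWK and JWE are constructed for illustration, and the authorization endpoint path (<issuer>/authorize) and the set of algorithms counted as "A128CBC-HS256 or stronger" are assumptions.

```python
"""Offline pre-flight check of the Signicat OIDC client values before entering them in Secure Mail.

Added example, not Secure Mail or Signicat code. It assumes the operator has the values
from the Signicat client page (client ID, issuer URL, redirect URI, scopes, exported private JWK).
"""
import base64
import json
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse

REQUIRED_SCOPES = {"openid", "nin", "email", "profile"}
CALLBACK_PATH = "/identity-service/api/v1/oidc/callback"
# Assumption: "A128CBC-HS256 or stronger" means the AES-CBC-HMAC family at 128 bits and above.
ACCEPTED_ENC = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}


def check_redirect_uri(uri: str) -> list:
    """Return problems with the redirect URI; an empty list means it is acceptable."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("redirect URI must use https")
    if not parsed.netloc:
        problems.append("redirect URI has no host")
    if "<customer-domain>" in uri:
        problems.append("placeholder <customer-domain> was not replaced")
    if parsed.path != CALLBACK_PATH:
        problems.append(f"redirect URI path must be {CALLBACK_PATH}")
    return problems


def check_scopes(scopes: list) -> set:
    """Return the required scopes that are missing from the configured list."""
    return REQUIRED_SCOPES - set(scopes)


def check_private_encryption_jwk(jwk_json: str) -> list:
    """Check that the exported JSON key is a *private* key marked for encryption."""
    try:
        jwk = json.loads(jwk_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc}"]
    problems = []
    if jwk.get("use") != "enc":
        problems.append('key usage must be "enc" (Usage: Encryption)')
    if jwk.get("kty") not in ("RSA", "EC"):
        problems.append("unexpected key type " + repr(jwk.get("kty")))
    # Both RSA and EC private JWKs carry their private scalar in "d"; without it the
    # encrypted ID token could never be decrypted.
    if "d" not in jwk:
        problems.append("key has no private component; the public key was exported instead")
    return problems


def make_sample_jwe(enc: str, alg: str = "RSA-OAEP") -> str:
    """Constructed five-part compact JWE: a real protected header, dummy body parts."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "enc": enc}).encode()).rstrip(b"=").decode()
    dummy = base64.urlsafe_b64encode(b"\x00" * 16).rstrip(b"=").decode()
    return ".".join([header, dummy, dummy, dummy, dummy])


def jwe_content_encryption(token: str) -> Optional[str]:
    """Read the 'enc' value from the protected header of a compact-serialised JWE."""
    parts = token.split(".")
    if len(parts) != 5:
        return None
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("enc")


def enc_is_acceptable(enc: Optional[str]) -> bool:
    return enc in ACCEPTED_ENC


def build_authorization_url(issuer: str, client_id: str, redirect_uri: str,
                            scopes: list, state: str, nonce: str) -> str:
    """Build the authorization-code request implied by the configuration (no PKCE parameters).

    Assumption: the endpoint is <issuer>/authorize; a real client reads it from
    <issuer>/.well-known/openid-configuration instead.
    """
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return issuer.rstrip("/") + "/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_jwk = json.dumps({"kty": "RSA", "use": "enc", "kid": "example", "n": "...", "e": "AQAB", "d": "..."})
    callback = "https://mail.example.com" + CALLBACK_PATH
    print(check_redirect_uri(callback), check_scopes(["openid", "nin"]), check_private_encryption_jwk(sample_jwk))
    print(enc_is_acceptable(jwe_content_encryption(make_sample_jwe("A128CBC-HS256"))))
    print(build_authorization_url("https://example.signicat.com/auth/open", "client-123", callback,
                                  sorted(REQUIRED_SCOPES), secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
```

The generated request carries no code_challenge, which matches leaving Requires PKCE unselected: the client proves its identity at the token endpoint with the client secret (Requires Secret) rather than with PKCE. The state and nonce values are still fresh per request, which is what protects the callback against replay.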

Configuring ID methods

In Signicat's eID Hub, add the ID methods you want to offer. You can enable one or more ID methods. Secure Mail currently supports the following:

  • FTN (Finnish Trust Network)
  • Suomi.fi
  • Norwegian BankID
  • Swedish BankID
  • MitID (Danish digital ID)
