Virtu is the identity federation of the Finnish government. Users are able to access federation services using a single user account and password. User identities are provided by the users' home organizations.
Virtu structure
Roles
Owner
The owner of the Virtu identity federation is Valtori, the Government ICT Centre. Valtori approves all services for Virtu production.
Operator
CSC - IT Center for Science is the operator of the Virtu federation. The operator handles the centralised technical tasks such as the Discovery service and Virtu metadata management. The operator runs a Virtu helpdesk for technical and integration issues regarding Virtu. The operator also runs a test Identity Provider and a test Service Provider to help with integrations.
Participants
Home organisation
Virtu home organizations are governmental agencies. These organizations are able to bring identity providers to Virtu and to provide user accounts to their users for Virtu services.
Services
Valtori approves services to Virtu. Usually services are intended for, or deployed by, the Virtu home organisations.
SAML2 profile
The Finnish public sector SAML2 profile that Virtu services must comply with is based on the SAML2int profile. All services must implement their SAML2 software according to the profile to be able to join Virtu.
Attributes
The user attribute schema used in Virtu is defined in Virtu-attribuuttimääritys, version 1.1 (available only in Finnish).
Identifier
The most commonly used user identifier in Virtu is based on two custom Virtu attributes: virtuLocalId and virtuHomeOrganization. These are sent as two separate attributes as part of the attribute statement. Often they are concatenated at the service to form a single attribute called virtuPersonPrincipalName.
Note that identifiers such as an email NameID are not supported at all.
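As an added example (not code from the Virtu documentation or the Virtu operator), the following shows how a service might derive virtuPersonPrincipalName from the two attributes in a SAML2 attribute statement and reject assertions in which either attribute is missing, duplicated, or asserted by an IdP that is not that home organization. It assumes the attributes are matched by their FriendlyName, that "@" is the concatenation separator, and that the entityID and home-organization values are constructed; the page fixes none of these.

```python
# Added example: derive virtuPersonPrincipalName from a SAML2 AttributeStatement.
# Assumed to run only after the assertion's signature and Issuer have already
# been validated against the signed Virtu metadata.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption (constructed values): which virtuHomeOrganization values each
# Virtu IdP, keyed by entityID, is permitted to assert for its own users.
PERMITTED_HOME_ORGS = {
    "https://idp.example-agency.fi/idp": {"example-agency.fi"},
}


def attribute_values(assertion, friendly_name):
    """All values of one attribute, matched by FriendlyName.
    Assumption: a real deployment would match the attribute Name from
    Virtu-attribuuttimääritys instead; those names are not on this page."""
    xpath = (".//saml:AttributeStatement/saml:Attribute"
             f"[@FriendlyName='{friendly_name}']/saml:AttributeValue")
    return [(v.text or "").strip() for v in assertion.findall(xpath, NS)]


def principal_name(assertion_xml):
    """Return 'virtuLocalId@virtuHomeOrganization' or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    local_ids = attribute_values(root, "virtuLocalId")
    home_orgs = attribute_values(root, "virtuHomeOrganization")
    # Both attributes must be present exactly once; anything else is unusable.
    if len(local_ids) != 1 or len(home_orgs) != 1 or not all(local_ids + home_orgs):
        raise ValueError("virtuLocalId and virtuHomeOrganization must each occur exactly once")
    # An IdP may only assert the home organization it actually represents.
    if home_orgs[0] not in PERMITTED_HOME_ORGS.get(issuer, set()):
        raise ValueError(f"IdP {issuer!r} may not assert home organization {home_orgs[0]!r}")
    # Assumption: '@' as separator; the page does not fix the concatenation format.
    return f"{local_ids[0]}@{home_orgs[0]}"


# Constructed sample assertion (signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example-agency.fi/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="virtuLocalId"><saml:AttributeValue>mmeikalainen</saml:AttributeValue></saml:Attribute>
    <saml:Attribute FriendlyName="virtuHomeOrganization"><saml:AttributeValue>example-agency.fi</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```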
Attributes
Attributes are listed in this table. Note that there are both mandatory and non-mandatory attributes in Virtu.
Certificates (SAML)
Test
Using self-signed certificates is allowed in the Virtu test environment.
Production
Certificates for services connecting to production Virtu must be signed by the Finnish Digital and Population Data Services Agency (DVV). The requirement applies to SAML2 certificates, not to TLS certificates.
https://dvv.fi/en/service-certificates-for-organisations
We recommend choosing a "system signature certificate" instead of a "normal server certificate", because the first is valid for two years while the second is valid for only one year.
The CN of the certificate should indicate which service it is meant to be used for, so please include your service name in it.
We strongly recommend documenting how to change the SAML certificate on the service side. The certificate must be changed every one or two years, depending on which type of certificate has been chosen.
Discovery service
The service may use the provided IdP discovery service if desired. The address of the discovery service is: https://virtu-ds.csc.fi/DS
Registering service
Services to be added to Virtu are registered using the Virtu Resource Registry: https://virtus.csc.fi/
You can log in to the Virtu Resource Registry with Virtu. If you don't have a Virtu account you can use Eduuni-ID. More information about Eduuni-ID and instructions on how to register an Eduuni-ID account can be found here: https://id.eduuni.fi/
Although it is possible to register a new service without logging in to the Virtu Resource Registry, we still recommend registering while logged in.
Test
Choose: Add a new Service Provider - and fill the form.
After the necessary information is provided, click "Approve SP Description". The Virtu operator will be notified automatically by email about the newly registered service and, after review, will add the new service to the Virtu test metadata and send instructions on how to use the test IdP, etc.
Production
Choose: Add a new Service Provider - and fill the form.
After the necessary information is provided, click "Approve SP Description". After that, please send an email to servicedesk@csc.fi stating that the service <Entity ID> should be added to production. The Virtu operator will check the new service provider information and, if everything looks good, asks the Virtu owner to approve the service to production.
Take note that production metadata is not published every day. During the holiday season there might be a gap of even two weeks between publishes.
Metadata distribution
Virtu is a full-mesh identity federation. This means that all Virtu services are listed in a single metadata file. Services are required to use the metadata file to establish trust with other services.
The metadata file is signed by the Virtu operator. The signature is to be used to verify the integrity of the metadata file.
All changes to a Virtu service's metadata must be handled by the operator. The operator publishes the changes to the Virtu metadata, and the federation services update their trust relationships based on the metadata.
- Production metadata and signing certificate: Virtu-metadata
- Test metadata and the signing certificate