This is to inform you that we have received an update to Traficom regulation with a new requirement affecting all customers on (Finnish Trust Network) FTN. The new requirement makes the use of signed authentication requests mandatory. The signed authentication requests is also called Signed Request Object in the OIDC specification.
Consequence for IN Groupe: IN Groupe, as a provider of identification broker services, must require customers to use digitally signed authentication requests. The digital signature of authentication request must be verified, and only approved requests shall be accepted and forwarded to provider of the electronic identification means.
Consequence for Customers: Customers not already complying with the obligations of the Traficom regulation must update their service accordingly. Customers must make sure all authentication requests are signed. The signature key must be submitted to IN Groupe to ensure proper configuration. The format of the key must be either i) JWK or ii) URL to JWKS, with KID if required. The update must be in place no later than 31 December 2025.