User management

Last modified by Jukka Karvonen on 2025/01/29 13:59

User authentication

University of Helsinki Single Sign-On

For the University of Helsinki's staff and students, user identification for web services should always be performed using the single sign-on (SSO) service.

The recommended method for SSO is the login.helsinki.fi service, which is based on the Shibboleth IdP product. Both SAML2 and OpenID Connect (OIDC) protocols are supported.

Azure / Entra ID can be used if the service requires specific Azure attributes. The protocols are the same, so login.helsinki.fi can almost always be used even when a service requires Azure authentication.

Federated authentication

In addition to the local login at the University of Helsinki (also known as intra-federation), it is also possible to allow users from other domestic and foreign higher education institutions to log into the application by connecting the service to the identity federation.

The login process works in the same way as in the intra-federation, but the user is first directed to select the desired organization from a list. After this, the login process is directed to the organization's Identity Provider (IdP) for user authentication. For University of Helsinki users, this is the login.helsinki.fi service.

  • Haka is the national federation of Finnish higher education institutions and research institutes, with almost all Finnish higher education institutions as members.
  • eduGAIN is an international federation with over 50 local trust federations as members, enabling login with credentials from over 2500 higher education and research institutions. Services joining eduGAIN can, if desired, limit the organizations whose credentials can be used to log into the application.

Similarly, University of Helsinki users can log in to services connected to Haka or eduGAIN.

Strong electronic identification

Strong electronic identification is possible with the Suomi.fi e-identification service. This allows user identification with Finnish online banking codes, mobile certificates and various other registered identification broker services. eIDAS identification is also supported and allows user identification with the identification methods provided by various EU countries.

Use of Suomi.fi e-identification is only allowed for public administration tasks assigned to the University of Helsinki by law or regulation, and only for clients (i.e. University staff can't use it to log in to the service). Check the exact permitted use cases in Finlex (5§, 29.6.2016/571).

If you need strong electronic identification for other use cases, please contact authentication services. There are commercial options, such as the Candour ID service for self-identification with a passport or ID document and a phone application.

User information and authorization

The recommended way to manage user permissions is IAM groups. Read more about IAM groups on the IT-Helpdesk.

User information can be provided by the SSO process, or it can be queried from the user directory (LDAP).
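
The following added example (not code from the University of Helsinki or from any of its services) shows how a service could combine the two controls described above: limiting the accepted home organizations of federated users and authorizing by group membership, with every missing or ambiguous attribute treated as a denial. The claim names `schac_home_organization` and `groups`, the group names and `partner.example` are assumptions; the claims are assumed to come from an ID token or SAML assertion that the SSO library has already validated.

```python
"""Deny-by-default authorization over attributes released by the IdP (added example)."""
from dataclasses import dataclass

# Assumed claim names; use whatever attributes the IdP actually releases to the service.
ORG_CLAIM = "schac_home_organization"
GROUP_CLAIM = "groups"  # hypothetical claim carrying IAM group names


@dataclass(frozen=True)
class Policy:
    allowed_orgs: frozenset     # home organizations accepted at login
    required_groups: frozenset  # membership in any one grants access; empty = none needed


def claim_values(claims, name):
    """Normalize a claim that may be absent, a string or a list into a set of strings."""
    raw = claims.get(name)
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        return set()
    return {v.strip() for v in raw if isinstance(v, str) and v.strip()}


def authorize(claims, policy):
    """Return (allowed, reason) for claims taken from an already validated token or assertion."""
    orgs = {o.lower() for o in claim_values(claims, ORG_CLAIM)}
    if len(orgs) != 1:
        return False, "home organization missing or ambiguous"
    if not orgs <= {o.lower() for o in policy.allowed_orgs}:
        return False, "organization not allowed"
    if policy.required_groups and not (claim_values(claims, GROUP_CLAIM) & policy.required_groups):
        return False, "no required group"
    return True, "ok"


# Constructed sample data: the partner organization and group names are placeholders.
POLICY = Policy(frozenset({"helsinki.fi", "partner.example"}), frozenset({"grp-example-editors"}))
SAMPLES = [
    {"schac_home_organization": "helsinki.fi", "groups": ["grp-example-editors", "grp-other"]},
    {"schac_home_organization": "Helsinki.FI", "groups": "grp-example-readers"},
    {"schac_home_organization": "other.example", "groups": ["grp-example-editors"]},
    {"groups": ["grp-example-editors"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(authorize(sample, POLICY), sample)
```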

Support channels

If you need more information, please contact authentication services.

  • Email: atk-autentikointi at helsinki.fi
  • Efecte: support group TIKE/Käyttäjähallinto
  • HY Teams or Helsinki.fi-Slack: Jukka Karvonen