Signicat SCA

What is SCA – Strong Customer Authentication (SCA)?

Authentication is the process of verifying an individual’s identity and confirming their intent to act, such as placing an order electronically. Strong Customer Authentication (SCA) is a European regulatory requirement that enhances security. It requires the use of at least two of the following three elements:

  • Knowledge: Something only the user knows (e.g., a password or PIN).
  • Possession: Something only the user possesses (e.g., a mobile phone or a code-generating device).
  • Inherence: Something unique to the user (e.g., biometric data like facial recognition or fingerprint scans).

How the integration is implemented between Signicat and HeadQ

HeadQ implements Signicat’s eID Hub product using OpenID Connect (OIDC). You can select which identification methods to use and specify the type of information to receive from the customer during authentication. The integration employs message-level encryption as an additional security layer. In the following steps, we will guide you through setting up the client in Signicat and integrating it with HeadQ.

Set up your ID methods

Set up your desired digital identity source. For the integration to work, the source must support the OIDC protocol. In the following example, we have selected the Finnish Trust Network (FTN), which supports all Finnish BankIDs, including the Finnish Mobile ID, Mobiilivarmenne.


Create OIDC client

Create the OIDC client. You can use any naming convention you like, but we suggest naming the client in a way that makes it immediately clear that it’s used for the HeadQ integration. Add a URI that provides more information about the client and is displayed on the consent screen.

Signicat has ready-made client templates, so check those first to see if they suit your use case.


Set up the redirect URI

Under the URIs menu, set the redirect URI as follows:

https://store.myheadq.com/venues/<storeslug>/oidc/callback

Replace <storeslug> with your store's technical slug.

Create a secret

The secret authenticates the client to the authorization server. After creating it, you won’t be able to view it again, so be sure to copy it before closing the screen.

Configure scope under Access

Select the scopes the client is allowed to use. For this FTN example, select the following scopes:

  • openid
  • ftn-extra
  • nin
  • profile

Create an encryption key and toggle extra security

The encryption key is used for message-level encryption to provide extra security. It is required for the integration to work. Again, remember to copy the private key before closing the screen, as you won’t be able to view it again.

Under Advanced > Public keys

Add a public key or import your own. If you create a key, ensure it does not expire within a few months. The key is used for encryption, so select that usage from the radio buttons.

From this view, you will need the private key later to set up the integration in HeadQ (OIDC Encryption Private Key).

Under Advanced > Security

  • ID Token user data: All
  • User Info Response Type: SignedAndEncrypted
  • Content encryption algorithm: A128CBC-HS256

Toggle the following features on

  • Requires Secret
  • Requires PKCE
  • Encrypt ID Tokens

Other values should not be toggled on.
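Enabling Requires PKCE means the client must send an S256 code challenge with every authorization request and prove the matching verifier at token exchange, alongside the client secret. The following Python is an added illustration, not code from Signicat or HeadQ: it generates a PKCE pair, builds an authorization request with the scopes selected above and the HeadQ redirect URI, and checks the state on the callback. The authorization endpoint and client ID are placeholders; a real deployment reads them from the client's well-known URL and the Signicat console.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders: take the real values from the well-known document and the console.
AUTHORIZATION_ENDPOINT = "https://idp.example.invalid/connect/authorize"
CLIENT_ID = "client-id-from-signicat-console"
# Scopes selected for the FTN example above.
SCOPES = ["openid", "ftn-extra", "nin", "profile"]


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def redirect_uri(store_slug: str) -> str:
    """The HeadQ callback registered under URIs, with the store slug filled in."""
    return f"https://store.myheadq.com/venues/{store_slug}/oidc/callback"


def code_challenge_for(verifier: str) -> str:
    """S256 method: challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorization_url(store_slug: str, state: str, nonce: str, challenge: str) -> str:
    """Authorization request for the code flow; state and nonce are per-session values."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri(store_slug),
        "scope": " ".join(SCOPES),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def callback_is_trusted(stored_state: str, returned_state: str) -> bool:
    """Reject a callback whose state does not match the one bound to this session."""
    return secrets.compare_digest(stored_state, returned_state)
```

The verifier is kept server-side and sent only to the token endpoint, so a stolen authorization code cannot be redeemed without it.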

Create the integration in HeadQ

Navigate to your store settings

  1. Settings
  2. Integrations
  3. Add a new integration, then choose Signicat integration

Copy the following information into the corresponding fields in HeadQ:

  • Well-known URL for the client
  • Client ID
  • Scopes
  • Secret key
  • OIDC Encryption Private key