
FAQ on integration with ESIA



The changes in legislation that take effect from the beginning of 2018 and touch the most diverse areas of our lives (the law on messengers, telemedicine, and so on) have one thing in common: the growing penetration of information services into our lives. It is only natural that, just as in real life, a person has to be identified before receiving a service. Offline, the means of authorization is the citizen's passport; online, the government has decided to recognize the ESIA as the unified system of identification and authentication.

I would like to talk about it. This is an introductory article, an educational primer of sorts, for those who do not yet know that, when needed, they can use the ESIA in their projects and keep pace with the state. So, what kind of beast is this, and how does the government see it?
The Ministry of Communications and Mass Media of Russia, as part of the e-government infrastructure, has created and continues to develop the Unified Identification and Authentication System (FGIS ESIA), whose purpose is to streamline and centralize the registration, identification, authentication and authorization of users.

FGIS ESIA:

  1. Provides information systems with a means of reliably identifying users (individuals, legal entities and public authorities).

Reliability is achieved because:


  2. Is user-oriented and offers the following opportunities:


The main functionality of the ESIA:


At present, any government organization can connect its system to the ESIA, as well as certain types of commercial organizations: insurance companies, credit organizations (banks), professional participants in the securities market, private pension funds, microfinance and microcredit organizations, and telecom operators.

Legislation is adjusted over time, and with it the list of organizations allowed to connect to the ESIA expands.

People unfamiliar with the situation, on hearing the word “state”, immediately imagine communication channels that must be protected with domestic cryptographic algorithms, with all the attendant costs, licenses and equipment. But, however ridiculous (or sad) it may be, the country's main identification platform works with foreign cryptography (what can you do).

Therefore, if you want to use the services of this platform, you can host your resources wherever it suits you in our huge country, including on our Cloud4Y infrastructure.

What can a commercial organization get from the ESIA?


The list of available information depends on:

  1. The category of the organization connecting to the ESIA
  2. The method used to connect to the ESIA

The Ministry of Communications and Mass Media restricts the list of data available to commercial organizations. Usually they are allowed to receive only the name, passport details (series and number, by whom and when issued), citizenship, the "confirmed" flag of the account, and the account identifier in the ESIA.

Government organizations may receive from the ESIA the complete set of data about the user and their organizations, namely:

  1. personal data (name, gender, date and place of birth, nationality)
  2. data of identification documents (SNILS, TIN, general and international passport, birth certificate, driver's license, military ID, OMS policy)
  3. contact information (email, mobile and home phone, addresses of registration and residence)
  4. information about children (personal data and documents)
  5. information about vehicles (number and certificate of registration)
  6. information about organizations and individual entrepreneurs (name, OGRN, TIN / KPP, legal form, legal address, contacts, branches, lists of employees, credentials of employees, vehicles of the organization)
  7. account data (account identifier in the ESIA, the "confirmed" flag of the account)

Information is provided to the extent that the user has filled it in in the ESIA, and only with the user's consent to provide it.

How to connect?


To connect your organization's site, you need to go through a few fairly simple procedures.



In general, to connect to the ESIA you need to:

  1. Make sure that your organization is allowed to connect its systems to the ESIA.
  2. Have the director of the organization register the organization in the ESIA using the "ESIA Profile" web application.
  3. The director also needs to attach the responsible employee to the organization's account and grant them access to a special application, the ESIA Technology Portal. If the director does not plan to delegate further operations to an employee, he still has to explicitly grant himself access to the ESIA Technology Portal.

The designated responsible employee of the organization then needs to, using the ESIA Technology Portal web application:

  4. Register the account of your system in the ESIA. Invent a mnemonic for the system, or reuse the existing mnemonic of the SMEV connection point if the system being connected to the ESIA was previously connected to SMEV.
  5. Upload the certificate to the system card.

The responsible employee of the organization also needs to:

  6. Submit by e-mail, one after the other, the applications for the test and the production environment, filled in according to the regulations on the use of the ESIA software interfaces.

The developers of the connected system need to:

  7. Adapt the system for connecting to the ESIA, either developing the ESIA interaction code themselves in accordance with the current document "Methodical recommendations on the use of the ESIA", or using ready-made solutions, which are available on the market.
  8. Debug the interaction in the ESIA test and production environments.



It should be noted here that from 01/01/2018 interaction via the SAML 2.0 protocol will no longer be allowed (only for systems already in operation). To connect to the ESIA you will need to use the OAuth 2.0 / OpenID Connect protocol (both are available now).

User authentication in the system


The recommended user authentication scenario for integration via OpenID Connect 1.0, in its basic form, is as follows:

  1. The user clicks the "Login through ESIA" button on a web page of the client system.
  2. The client system forms an authentication request to the ESIA and redirects the user's browser to a special access page.
  3. The ESIA authenticates the user in one of the available ways. If the user is not yet registered in the ESIA, they can proceed to registration.
  4. Once the user is authenticated, the ESIA informs the user that the client system is requesting data about them for identification and authentication purposes, showing the list of information the client system requests.
  5. If the user permits authentication by the client system, the ESIA issues a special authorization code to the client system.
  6. The client system forms a request to the ESIA for an identification token, including the previously received authorization code in the request.
  7. The ESIA verifies the correctness of the request (for example, that the client system is registered with the ESIA) and of the authorization code, and passes an identification token to the client system.
  8. The client system extracts the user identifier from the identification token. If the identifier is obtained and the token is verified, the client system considers the user authenticated. After receiving the identification token, the client system can use the ESIA REST services to obtain additional data about the user, once it has received the corresponding access token.
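To make the checks of step 8 concrete, here is an added example (not code from the article or from the ESIA documentation) of the client-system side of this flow in Python: it builds the authentication request of step 2, accepts the authorization code of step 5 only when the state matches the one this session issued, and verifies the identification token before trusting the user identifier in it. The endpoint, issuer, client mnemonic and redirect address are placeholders, and the token endpoint is stood in for by a local HS256 signer so the block runs offline; a real integration verifies the signature scheme the provider actually uses.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, urlparse, parse_qs
AUTH_ENDPOINT = "https://idp.example/authorize"       # placeholder, not the real ESIA URL
ISSUER = "https://idp.example"                        # placeholder issuer identifier
CLIENT_ID = "MYSYSTEM"                                # constructed mnemonic of the client system
REDIRECT_URI = "https://client.example/esia/callback"  # constructed return address

def b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_auth_request(session):
    """Step 2: build the redirect URL; state (anti-CSRF) and nonce (anti-replay) stay in the session."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": session["state"], "nonce": session["nonce"]})

def extract_code(session, callback_url):
    """Step 5: accept the authorization code only if state matches what this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0].encode()
    if not hmac.compare_digest(state, session.pop("state", "").encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]

def issue_id_token(key, sub, nonce, now):
    """Stand-in for the token endpoint (step 7): HS256 JWT over a shared key (demo simplification)."""
    header = b64u(json.dumps({"alg": "HS256"}).encode())
    claims = b64u(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                              "nonce": nonce, "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64u(sig)}"

def verify_id_token(session, token, key, now):
    """Step 8: verify signature, alg, iss, aud, exp and nonce before trusting 'sub'."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_dec(s), expected):
        raise ValueError("bad signature")
    if json.loads(b64u_dec(h)).get("alg") != "HS256":   # pin the algorithm; never take it from the token
        raise ValueError("unexpected alg")
    claims = json.loads(b64u_dec(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or now >= claims.get("exp", 0):
        raise ValueError("wrong issuer or audience, or token expired")
    if not hmac.compare_digest(str(claims.get("nonce")).encode(), session.pop("nonce", "").encode()):
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims["sub"]   # the user identifier the client system authenticates on
```

Both state and nonce are single-use: they are removed from the session as soon as they are checked, so a replayed callback or a replayed token fails even if everything else about it is valid.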



Connect or not?


For telecom operators, with the entry into force of the law on messengers, this question has practically been settled.

Recall that, in accordance with Federal Law No. 245 “On Amendments to the Federal Law ‘On Communications’” dated July 29, 2017, telecom operators are obliged to verify the accuracy of information about the subscriber. The law establishes a list of verification methods, one of which is the use of the Unified Portal of State and Municipal Services or the information systems of government agencies, provided the operators are connected to them through SMEV.

The amendments to the Federal Law “On Telecommunications” come into force on June 1, 2018. Until then, telecom operators will be able to test the operation of their systems with SMEV and the ESIA.


Is Cheburnet getting closer? No official statements about plans to allow Internet access only through the ESIA have been found. At the moment, according to official data, about 50 million users (individuals) and about 300,000 organizations are registered in the ESIA.

Source: https://habr.com/ru/post/344964/
