FAQ on integration with ESIA



    Changes in legislation since the beginning of 2018, covering the most diverse areas of our life (the law on messengers, telemedicine, and so on), have one thing in common: information services are penetrating ever deeper into our lives. Just as in real life, a person has to be identified before receiving any service. Offline, the means of identification is a citizen's passport; online, the government has decided to recognize ESIA as the single means of identification and authentication.

    I would like to talk about it. This is an introductory article, an educational primer of sorts, for people who do not yet know that, if needed, they can use ESIA in their own projects and keep in step with the state. So, what kind of beast is it, and how does the government see it?

    The Ministry of Communications of Russia, as part of the e-government infrastructure, has created and continues to develop the Unified Identification and Authentication System (FSIS ESIA), whose purpose is to streamline and centralize the registration, identification, authentication and authorization of users.

    FSIS ESIA:

    1. Provides information systems with a solution for the reliable identification of users (individuals and legal entities, public authorities).

    Reliability is achieved due to the fact that:

    • registration of a person in ESIA is associated with verification of criteria important for identification;
    • ESIA provides protection of the information contained in it in accordance with the legislation of the Russian Federation.

    2. It is user-oriented and provides features:

    • identification and authentication using a single account and a wide range of supported authentication methods when accessing various information systems of public authorities;
    • management of their personal data posted in ESIA, and control over their provision to the information systems of public authorities.

    The main functionality of ESIA:

    • User identification and authentication, including:
      • single sign-on, which gives ESIA users the following advantage: having passed identification and authentication in ESIA once, the user can access any information system that uses ESIA within the same session without being identified and authenticated again;
      • support for several authentication methods: password, electronic signature, and two-factor authentication (a permanent password plus a one-time password sent as an SMS message);
      • support for assurance levels of user accounts (simplified, standard and verified account).
    • maintaining identification data, namely, maintaining registers of individuals, legal entities, bodies and organizations, officials of bodies and organizations and information systems;
    • Authorization of authorized persons of public authorities with access to the following ESIA functions:
      • maintaining a register of government officials in the ESIA;
      • maintaining a directory of permissions for an information system and granting ESIA users (registered in ESIA as officials) permissions to access the resources of systems registered in ESIA;
      • delegating the above permissions to authorized persons of lower-level public authorities.
    • Maintaining and providing information about users' permissions in relation to information systems registered in ESIA.

    At the moment, any government organization, as well as certain types of commercial organizations, can connect their systems to ESIA: insurance companies, credit organizations (banks), professional participants in the securities market, non-governmental pension funds, microfinance and microcredit organizations, and telecom operators.

    The legislation is adjusted over time, and with it the list of organizations that are allowed to join the ESIA is expanding.

    People unfamiliar with the subject, on hearing the word "state", immediately picture communication channels that must be protected with domestic (GOST) cryptographic algorithms, with all the associated costs, licenses and equipment. But, however ridiculous (or sad) it may be, the country's main identification platform works with foreign cryptography (and there is no getting away from it).

    Therefore, if you want to use the services of this platform, you can host your resources wherever it suits you in our vast country, including in our Cloud4Y infrastructure.

    What can a commercial organization get from ESIA?


    The list of available information depends on:

    1. Categories of organizations connecting to ESIA
    2. The used method of connection to ESIA

    The Ministry of Communications restricts the list of data available to commercial organizations. Usually they are allowed to receive only the full name, passport details (series and number, issuing authority and date of issue), citizenship, the "verified" flag of the account, and the account identifier in ESIA.

    Government organizations can receive from ESIA the full set of data about the user and his organizations, namely:

    1. personal data (name, gender, date and place of birth, citizenship)
    2. data of identification documents (SNILS, TIN, passport and citizenship, birth certificate, driver’s license, military ID, compulsory medical insurance policy)
    3. contact information (email, mobile and home phone, registration and residence addresses)
    4. information about children (personal data and documents)
    5. information about vehicles (number and certificate of registration)
    6. information about organizations and individual entrepreneurs (name, PSRN, TIN / KPP, legal form, legal address, contacts, branches, lists of employees, credentials of employees, vehicles of the organization)
    7. account data (account identifier in ESIA, the "verified" flag of the account)

    Information is provided to the extent that the user has filled it in in ESIA, and only with the user's consent to provide it.

    How to connect?


    To connect your organization's website, you need to go through a few fairly simple procedures.



    In general terms, to connect to ESIA you need:

    1. Make sure your organization is allowed to connect its systems to ESIA.
    2. The head of the organization registers the organization in ESIA using the ESIA Profile web application.
    3. The head also attaches a responsible employee to the organization's account and grants him access to a special application, the ESIA Technology Portal. If the head does not plan to delegate further operations to an employee, he must still explicitly grant himself access to the ESIA Technology Portal.

      The assigned responsible employee, using the ESIA Technology Portal web application, then needs to:
    4. Register a system account in ESIA. Choose a mnemonic (system identifier) for the system, or reuse the existing mnemonic of the SMEV connection point if the system being connected to ESIA was already connected to SMEV earlier.
    5. Upload the system's certificate to the system card.

      The responsible employee also needs to:
    6. Submit by e-mail, one after the other, the applications for access to the test and then the production environment, in accordance with the regulations for using the ESIA software interfaces.

      The developers of the system being connected need to:
    7. Adapt the system for connecting to ESIA, either by writing the ESIA interaction code themselves in accordance with the current document "Guidelines for the use of ESIA" or by using a ready-made solution; such products exist on the market.
    8. Debug the interaction in the ESIA test and then production environment.



    It should be noted here that, from 01.01.2018, new connections over the SAML 2.0 protocol are no longer allowed (SAML 2.0 remains available only to systems already connected). To connect to ESIA you need to use OAuth 2.0 / OpenID Connect (both options are currently available).

    System Authentication


    The recommended user authentication scenario for integration over OpenID Connect 1.0, in its basic form, goes as follows:

    1. The user clicks the "Login through ESIA" button on a web page of the client system.
    2. The client system generates an authentication request to ESIA and redirects the user's browser to the special access-granting page.
    3. ESIA authenticates the user with one of the available methods. If the user is not yet registered in ESIA, he can go through registration first.
    4. Once the user is authenticated, ESIA informs him that the client system is requesting data about him for identification and authentication, and shows the list of information the client system is asking for.
    5. If the user grants permission, ESIA issues the client system a special authorization code.
    6. The client system sends ESIA a request for an identity token (ID token), including the authorization code received earlier.
    7. ESIA checks that the request is correct (for example, that the client system is registered in ESIA) and that the authorization code is valid, and returns the identity token to the client system.
    8. The client system extracts the user identifier from the identity token. If the identifier is obtained and the token has been verified (signature, issuer, audience and lifetime), the client system considers the user authenticated. Having obtained the corresponding access token, the client system then uses the ESIA REST services to retrieve additional data about the user.



    Connect or not?


    For telecom operators, with the entry into force of the law on messengers, this question has essentially been settled.

    Recall that, under Federal Law No. 245-FZ "On Amendments to the Federal Law 'On Communications'" of July 29, 2017, telecom operators are required to verify the accuracy of subscriber information. The law lists the permitted verification methods, one of which is using the Unified Portal of State and Municipal Services or the information systems of state bodies, provided the operator is connected to them through SMEV.

    The amendments to the Federal Law "On Communications" enter into force on June 1, 2018. Until then, telecom operators can test how their systems work with SMEV and ESIA.


    Is Cheburnet getting closer? We have found no official statements about plans to allow Internet access only through ESIA. At the moment, according to official figures, about 50 million users (individuals) and about 300,000 organizations are registered in ESIA.
