Authentication Vault
You can save the data obtained during end-user authentication in the Signicat Authentication Vault.
The Authentication Vault allows you to store logs and personal data automatically after your end-users authenticate with an ID method. The data is stored securely inside Signicat Digital Evidence Management (DEM) where you can manage and retrieve it using the DEM API.
This page explains how to configure the Authentication Vault and manage your records in the Signicat Dashboard.
How it works
In a typical authentication flow, you connect to an ID method with an authentication protocol. Next, you direct the end-user to the authentication server where they follow the provider's instructions to verify their identity online and share their data. Then, you redirect the end-user back to your service and send a request to retrieve the end-user's personal data.
In the scenario above, your service exchanges a series of requests and responses with the Signicat eID Hub servers. The data is persisted only temporarily, for the duration of the authentication session.
With the Authentication Vault, the response from Signicat eID Hub is automatically stored in DEM. That way you can always access it later. Data is saved as records that you can retrieve with the DEM API.
You can configure the Vault to control settings such as obfuscating the national identity number, applying qualified timestamps and limiting storage to certain ID methods. Additionally, you get to decide how long the records should persist in DEM.
Find out how to configure the Authentication Vault in the next section.
The Vault allows you to store records obtained from connections with the following protocols:
- OpenID Connect (OIDC)
- Authentication REST API (only redirect flow)
Note that no data is stored after authentications with SAML 2.0.
Configuration
To configure the Authentication Vault in your account:
- Go to Dashboard > eID Hub.
- In the left sidebar menu, expand Advanced, then select DEM Settings.
DEM settings
In the DEM Settings page, set the following attributes:
| Attribute | Description |
|---|---|
| Status | Toggle the button to enable or disable the DEM settings. |
| Time to live (TTL) | Number of time units to retain the records. Only whole numbers are allowed. The resulting retention period must be between 2 days and 84 months. |
| Unit | Time unit. Choose between "Days" and "Months". |
| Selected authentication providers | Choose the ID method(s) for which to store data. Select at least one provider. |
| Obfuscate NIN | Determines whether to store or obfuscate the national identity number (NIN) of the end-user. If checked, the NIN is obfuscated. |
| Qualified timestamp | Check to add a qualified timestamp using Signicat's Qualified Timestamping Authority (QTSA) services. Timestamping a data element binds it to a proven point in time and lets you detect whether the data has been modified since. |
Click Save to save the configuration and activate the Authentication Vault in your account.
After saving, run a test authentication flow to see records flow in. To see what an authentication record looks like in DEM, continue to the next section.
Note that the configuration in the DEM settings page applies only to the Authentication Vault product. These settings do not affect the global configuration of Digital Evidence Management in your account.
Authentication records
After you activate the Authentication Vault in your account, you can manage the results of end-user authentication in the Signicat Dashboard.
To view your records in DEM, go to Dashboard > Digital Evidence Management.
Example
Imagine that one of your end-users has just authenticated with your application using Norwegian BankID.
In this example, we use a test user:
| National ID | OTP | Password |
|---|---|---|
| 29090816894 | otp | qwer1234 |
and the following DEM settings:
- Time to live (TTL)/Unit: 2 Days
- Selected authentication providers: Norwegian BankID
- Obfuscate NIN: checked
- Qualified timestamp: checked
After mocking an authentication with the test user and Norwegian BankID, you should see the record appear under Dashboard > Digital Evidence Management. Select the record and expand the raw data (JSON).
Example raw data from DEM:

```json
{
  "id": "<RECORD_ID>",
  "metadata": {
    "searchAttribute": "b1a1f071-8273-e04c-82db-eb03d14d1228"
  },
  "systemMetadata": {
    "type": "SENSITIVE",
    "expiryDate": "2024-06-23T00:00:00Z",
    "createdDate": "2024-06-21T00:00:00Z",
    "createdDateTime": "2024-06-21T07:35:01Z",
    "createdBy": "<CLIENT_ID>",
    "auditLevel": "QUALIFIED"
  },
  "coreData": {
    "response": {
      "subject": "cpPchEZj4bUtjH6ZKXVmVD8COVKHzei7s9LPT2MCTM4=",
      "subjectType": "PERSISTENT",
      "issuer": "https://auth.current.bankid.no/auth/realms/current",
      "idp": "nbid",
      "loa": "high",
      "transactionId": "b1a1f071-8273-e04c-82db-eb03d14d1228",
      "attributes": [
        {
          "name": "nbidTid",
          "datatype": "string",
          "value": "2c3c8a87-0770-4f4a-972f-55420af38167"
        }
      ],
      "standardAttributes": {
        "name": {
          "fullName": "Gustavo Silva",
          "firstName": "Gustavo",
          "lastName": "Silva"
        },
        "nin": {
          "value": "***",
          "issuingCountry": "NO",
          "type": "BIRTH"
        },
        "dateOfBirth": "1908-09-29"
      }
    }
  },
  "timestampData": {
    "timestamp": "MIIJCzADAgEAMIIJAgYJKo...q9cpN2WSu5e/",
    "timestampValid": true
  },
  "relations": [
    {
      "relationID": "<RECORD_ID>",
      "type": "SENSITIVE",
      "_links": {
        "self": {
          "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
        }
      }
    }
  ],
  "_links": {
    "self": {
      "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
    }
  }
}
```
Note the following relevant fields:
| Attribute | Description |
|---|---|
| id | Record ID in UUID/GUID format. Use it to retrieve the record from the DEM API. |
| metadata | Searchable field, useful for filtering DEM records. |
| systemMetadata | Metadata object with the creation and expiry dates, the source and the type of the record. |
| coreData.response | Authentication response with the personal information of the end-user. Note that nin is obfuscated (***) in this example, in line with the DEM settings. |
| timestampData | Qualified timestamp generated by Signicat's Qualified Timestamping Authority (QTSA). Present only if you checked the "Qualified timestamp" attribute in the DEM settings. |
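The following script is an added example, not Signicat's own code: it checks a record retrieved from DEM against the DEM settings described in the Configuration section, using only the fields shown in the example record above (systemMetadata, coreData.response, timestampData, metadata). It verifies that the retention window matches the configured TTL, that only selected ID methods produced records, that the NIN is obfuscated when that setting is on, and that a valid qualified timestamp is present when required. The sample record is constructed here to mirror the page's example with placeholders; the `validate_ttl` day/month conversion and the expectation that `searchAttribute` equals `transactionId` (true in the page's example) are assumptions of this example.

```python
"""Consistency checks for an Authentication Vault record stored in DEM (added example)."""
import json
from datetime import datetime, timedelta, timezone

TTL_MIN_DAYS = 2      # documented lower bound: 2 days
TTL_MAX_MONTHS = 84   # documented upper bound: 84 months


def validate_ttl(value, unit):
    """Return True if a TTL setting is a whole number inside the documented range.

    Assumption of this example: a month is bounded by 31 days when the unit is Days.
    """
    if not str(value).isdigit():
        return False
    n = int(value)
    if unit == "Days":
        return TTL_MIN_DAYS <= n <= TTL_MAX_MONTHS * 31
    if unit == "Months":
        return 1 <= n <= TTL_MAX_MONTHS
    return False


def _parse_utc(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the record."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_sample_record(nin_value="***", timestamp_valid=True,
                       expiry_date="2024-06-23T00:00:00Z", idp="nbid"):
    """Build a constructed record mirroring the page's example (placeholder IDs, not real data)."""
    return json.dumps({
        "id": "<RECORD_ID>",
        "metadata": {"searchAttribute": "b1a1f071-8273-e04c-82db-eb03d14d1228"},
        "systemMetadata": {
            "type": "SENSITIVE",
            "expiryDate": expiry_date,
            "createdDate": "2024-06-21T00:00:00Z",
            "createdDateTime": "2024-06-21T07:35:01Z",
            "createdBy": "<CLIENT_ID>",
            "auditLevel": "QUALIFIED",
        },
        "coreData": {"response": {
            "idp": idp,
            "loa": "high",
            "transactionId": "b1a1f071-8273-e04c-82db-eb03d14d1228",
            "standardAttributes": {
                "nin": {"value": nin_value, "issuingCountry": "NO", "type": "BIRTH"},
                "dateOfBirth": "1908-09-29",
            },
        }},
        "timestampData": {"timestamp": "MIIJCzADAgEAMIIJAgYJKo...", "timestampValid": timestamp_valid},
    })


def check_record(record_json, ttl_days, obfuscate_nin, qualified_timestamp, allowed_idps):
    """Return a list of findings; an empty list means the record matches the configured settings."""
    rec = json.loads(record_json)
    sysmeta = rec["systemMetadata"]
    response = rec["coreData"]["response"]
    findings = []

    # 1. Retention: expiryDate minus createdDate should equal the configured TTL.
    retention = _parse_utc(sysmeta["expiryDate"]) - _parse_utc(sysmeta["createdDate"])
    if retention != timedelta(days=ttl_days):
        findings.append(f"retention is {retention.days} days, expected {ttl_days} days")

    # 2. Only the selected authentication providers should produce records.
    if response["idp"] not in allowed_idps:
        findings.append(f"record stored for unselected ID method '{response['idp']}'")

    # 3. NIN must be obfuscated when the Obfuscate NIN setting is on.
    nin = response.get("standardAttributes", {}).get("nin", {}).get("value")
    if obfuscate_nin and nin is not None and nin != "***":
        findings.append("NIN stored in clear although Obfuscate NIN is enabled")

    # 4. A valid qualified timestamp must be present when the setting is on.
    ts = rec.get("timestampData")
    if qualified_timestamp and not (ts and ts.get("timestampValid") is True):
        findings.append("qualified timestamp missing or not valid")

    # 5. Assumption from the page's example: searchAttribute carries the transactionId.
    if rec["metadata"]["searchAttribute"] != response["transactionId"]:
        findings.append("searchAttribute does not match transactionId")

    return findings


def is_expired(record_json, now_utc):
    """True once the record's expiryDate has been reached (DEM deletes it then; no restore)."""
    expiry = _parse_utc(json.loads(record_json)["systemMetadata"]["expiryDate"])
    return _parse_utc(now_utc) >= expiry


if __name__ == "__main__":
    # Settings from the page's example: TTL 2 Days, Norwegian BankID, obfuscated NIN, qualified timestamp.
    print(check_record(make_sample_record(), 2, True, True, {"nbid"}))
```

Run it against a record fetched from the DEM API (the `_links.self.href` shown above) to confirm that the stored evidence matches the retention, obfuscation and timestamp policy you configured, rather than trusting the dashboard settings alone.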
Managing and retrieving records
You can manage DEM records in the Signicat Dashboard and with the DEM API.
Using the Dashboard
To view and manage records in the Signicat Dashboard:
- Go to Dashboard > Digital Evidence Management.
- Select a record.
- Now, you can view the data and manage the record:
- To view the raw data in full, select Expand lines.
- To download the record in PDF format, select Get report (PDF).
- To delete the record, select Delete. Then, confirm the action in the pop-up box.
Expiry date: When a record reaches its expiry date, it is deleted automatically and cannot be restored.
Using the DEM API
You can retrieve records from DEM using the DEM API. Learn more about connecting to the API and accessing records in the DEM API guide.
Useful links
You can read more about Digital Evidence Management in the documentation: