Authentication Vault
You can automatically save the data obtained during end-user authentication with the Signicat Authentication Vault.
The Authentication Vault allows you to store logs and personal data after your end-users authenticate with an eID. The data is stored securely inside Signicat Digital Evidence Management (DEM). You can access and manage the data in the Signicat Dashboard or by using the DEM API.
This page explains how to configure the Authentication Vault and manage your records in the Signicat Dashboard.
How it works
In a typical authentication flow, you:
- Connect your application to an eID with an authentication protocol.
- Direct the end-user to the authentication server where they verify their identity online and share their data.
- Redirect the end-user back to your service.
- Send a request to retrieve the end-user's personal data.
In the scenario above, your application exchanges a series of requests and responses with Signicat eID Hub servers. Typically, the data is only available temporarily, for the duration of an authentication session.
The Authentication Vault allows you to persist the response in a database so that you can retrieve it at any later point.
Why use the Authentication Vault
After enabling the Authentication Vault, the authentication response from Signicat eID Hub is stored automatically in the DEM database. The data is saved into records that you can access from the Signicat Dashboard and the DEM API.
With the Authentication Vault you can configure the following aspects:
- Obfuscating the national identity number.
- Limiting storage only to specific eIDs.
- Deciding how long the records should live in the DEM database.
The Authentication Vault can be used to store records obtained from connections with the following protocols:
- OpenID Connect (OIDC)
- Authentication REST API (only redirect flow)
Note that no data is stored for transactions with SAML 2.0.
Getting started
This section guides you through the steps to activate and configure the Authentication Vault in the Signicat Dashboard.
Prerequisites
If you do not have an account already, then you need to sign up to the Signicat Dashboard for free and complete the initial preparations. To do this:
- Sign up to the Signicat Dashboard and register your profile.
- Ensure that you have created an organisation.
- Create an account. To do this:
  - Go to Signicat Dashboard > Organisation, then select + Add account.
  - Enter an account name, choose the type of account that you want to create, then select Create.
- Create a domain. To do this:
  - Go to Signicat Dashboard > Settings > Domain management, then select + Add domain.
  - To create a standard domain, enter a domain name. Then, select Add domain.
  - To create a custom domain, follow the instructions in the Custom domains documentation.
We recommend that you create a sandbox account to test our services before going live. Sandbox and production accounts must be set up separately.
To use the Authentication Vault in a production account, you must first purchase it. When you are ready to do this, contact us by creating a support ticket in the Dashboard.
Permissions
The Authentication Vault stores data using the sensitive record type, as records contain personal data of the end-users that authenticate. For this reason, you should manage who has access to the records in the Dashboard appropriately.
To view, edit and create records from the Authentication Vault, Dashboard users require one of the following permissions:
- DemSensitiveViewer: Access to read sensitive records in DEM.
- DemSensitiveWriter: Access to read and write sensitive records in DEM.
- DemSensitiveEditor: Access to read, write and update sensitive records in DEM.
You can manage the permissions for Dashboard users in the Dashboard > Access Management > Permissions page.
You can also add extra permissions to manage the DEM records, as explained in the DEM documentation.
Set up
To enable and configure the Authentication Vault in your account, do the following:
- Go to Dashboard > Products > eID Hub.
- In the left sidebar menu, select Authentication Vault.
- In the Authentication Vault configuration page, set the following attributes:
Note
These settings apply only to the Authentication Vault product and do not affect the global configuration of Digital Evidence Management (DEM) in your account. You manage, activate and configure the DEM product separately.
- Select Save to save the configuration and activate the Authentication Vault in your account.
Your configuration might look like this:

Authentication Vault in the Signicat Dashboard
After saving, try a test authentication flow to see what the authentication records look like in DEM, as explained in the next section.
Viewing the records
Once you activate the Authentication Vault in your account, the data obtained from end-user authentication is stored and available for you to access directly in the Signicat Dashboard.
To view and manage the records, go to Dashboard > Products > Digital Evidence Management.
Tutorial with Norwegian BankID
Imagine a scenario where one of your end-users wants to authenticate with your application using Norwegian BankID. This section guides you through the steps to configure the Authentication Vault, simulate an authentication session and review the outcome in the Signicat Dashboard.
1. Configure the Authentication Vault
Before starting an authentication, set the following configuration in the Authentication Vault:
- Go to Signicat Dashboard > Products > eID Hub > Authentication Vault.
- In the Authentication Vault configuration page, set the following attributes:
  - Time to live (TTL)/Unit: 2 Days
  - Selected authentication providers: Norwegian BankID
  - Obfuscate NIN:
- Select Save to persist the changes.
2. Simulate an authentication
You can simulate an authentication flow with a test user by following the instructions in the Test an eID tutorial.
For authentication, you can use the following test user:
Alternatively, you can create your own test users on the Norwegian BankID test generator.
3. Inspect the results
Once the authentication is successful, you can access the records in Digital Evidence Management. To do this:
- Go to Signicat Dashboard > Products > Digital Evidence Management.
- To inspect the authentication data, select the record.
- Expand the raw data (JSON).
Example raw data from DEM
{
  "id": "<RECORD_ID>",
  "metadata": {
    "searchAttribute": "b1a1f071-8273-e04c-82db-eb03d14d1228"
  },
  "systemMetadata": {
    "type": "SENSITIVE",
    "expiryDate": "2024-06-23T00:00:00Z",
    "createdDate": "2024-06-21T00:00:00Z",
    "createdDateTime": "2024-06-21T07:35:01Z",
    "createdBy": "<CLIENT_ID>",
    "auditLevel": "QUALIFIED"
  },
  "coreData": {
    "response": {
      "subject": "cpPchEZj4bUtjH6ZKXVmVD8COVKHzei7s9LPT2MCTM4=",
      "subjectType": "PERSISTENT",
      "issuer": "https://auth.current.bankid.no/auth/realms/current",
      "idp": "nbid",
      "loa": "high",
      "transactionId": "b1a1f071-8273-e04c-82db-eb03d14d1228",
      "attributes": [
        {
          "name": "nbidSid",
          "dataType": "string",
          "value": "d36d3efd-b973-4cbb-9856-f0901b182593"
        }
      ],
      "standardAttributes": {
        "name": {
          "fullName": "Gustavo Silva",
          "firstName": "Gustavo",
          "lastName": "Silva"
        },
        "nin": {
          "value": "***",
          "issuingCountry": "NO",
          "type": "BIRTH"
        },
        "dateOfBirth": "1908-09-29"
      }
    }
  },
  "timestampData": {
    "timestamp": "MIIJCzADAgEAMIIJAgYJKo...q9cpN2WSu5e/",
    "timestampValid": true
  },
  "relations": [
    {
      "relationID": "<RECORD_ID>",
      "type": "SENSITIVE",
      "_links": {
        "self": {
          "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
        }
      }
    }
  ],
  "_links": {
    "self": {
      "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
    }
  }
}
Note the following relevant fields:
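The tutorial configuration (TTL of 2 days, Norwegian BankID only, obfuscated NIN) can be checked against a record's raw JSON after a test authentication. The following is an added example, not Signicat code: the function name is hypothetical, and it assumes that the TTL equals the whole days between createdDate and expiryDate, that "***" marks an obfuscated NIN, and that "nbid" identifies Norwegian BankID, all as seen in the sample record above.

```python
import json
from datetime import date, timedelta

# Constructed sample: a trimmed copy of the tutorial record's relevant fields.
SAMPLE_RECORD = json.loads("""
{
  "metadata": {"searchAttribute": "b1a1f071-8273-e04c-82db-eb03d14d1228"},
  "systemMetadata": {"type": "SENSITIVE", "expiryDate": "2024-06-23T00:00:00Z",
                     "createdDate": "2024-06-21T00:00:00Z"},
  "coreData": {"response": {
    "idp": "nbid", "transactionId": "b1a1f071-8273-e04c-82db-eb03d14d1228",
    "standardAttributes": {"nin": {"value": "***", "issuingCountry": "NO"}}}}
}
""")

def _day(stamp):
    """Parse the date part of a timestamp such as 2024-06-23T00:00:00Z."""
    return date.fromisoformat(stamp[:10])

def audit_vault_record(record, ttl_days, allowed_idps, obfuscate_nin=True):
    """Return a list of findings; an empty list means the record matches the config."""
    findings = []
    meta = record.get("systemMetadata", {})
    resp = record.get("coreData", {}).get("response", {})

    if meta.get("type") != "SENSITIVE":
        findings.append("record type is not SENSITIVE")
    try:
        # Assumption: lifetime is counted in whole days, as in the sample record.
        lifetime = _day(meta["expiryDate"]) - _day(meta["createdDate"])
        if lifetime != timedelta(days=ttl_days):
            findings.append(f"lifetime is {lifetime.days} days, expected {ttl_days}")
    except (KeyError, ValueError, TypeError):
        findings.append("expiryDate/createdDate missing or malformed")
    if resp.get("idp") not in allowed_idps:
        findings.append(f"idp {resp.get('idp')!r} is outside the selected providers")
    # The NIN value itself is never written to the findings.
    nin = resp.get("standardAttributes", {}).get("nin", {}).get("value")
    if obfuscate_nin and nin is not None and nin != "***":
        findings.append("NIN is stored in clear although obfuscation is expected")
    # In the sample record, searchAttribute carries the transactionId.
    if record.get("metadata", {}).get("searchAttribute") != resp.get("transactionId"):
        findings.append("searchAttribute does not match transactionId")
    return findings

if __name__ == "__main__":
    print(audit_vault_record(SAMPLE_RECORD, ttl_days=2, allowed_idps={"nbid"}))
```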
Managing and retrieving records
You can manage your DEM records in the Signicat Dashboard and with the DEM API.
Using the Dashboard
To view and manage records in the Signicat Dashboard:
- Navigate to Products > Digital Evidence Management.
- Select a record.
- Now, you can view the data and manage the record:
  - To view the raw data in full, select Expand lines.
  - To download the record in PDF format, select Get report (PDF).
  - To delete the record, select Delete. Then, confirm the action in the pop-up box.
Expiry date
When a record reaches the expiry date, it is deleted automatically and cannot be restored.
Using the DEM API
You can retrieve records from DEM using the DEM API. Learn more about connecting to the API and accessing records in the DEM API guide.
By default, the DEM API is not included in the Authentication Vault. To use the DEM API, you need to purchase and activate it separately, as part of the Digital Evidence Management (DEM) product.
Useful links
You can read more about Digital Evidence Management in the documentation: