Authentication Vault
You can automatically save the data obtained during end-user authentication with the Signicat Authentication Vault.
The Authentication Vault stores logs and personal data after your end-users authenticate with an eID. The data is stored securely inside Signicat Digital Evidence Management (DEM). You can access and manage the data in the Signicat Dashboard or by using the DEM API.
This page explains how to configure the Authentication Vault and manage your records in the Signicat Dashboard.
How it works
In a typical authentication flow, you:
- Connect your application to an eID with an authentication protocol.
- Direct the end-user to the authentication server where they verify their identity online and share their data.
- Redirect the end-user back to your service.
- Send a request to retrieve the end-user's personal data.
In the scenario above, your application exchanges a series of requests and responses with Signicat eID Hub servers. Typically, the data is available only temporarily, for the duration of the authentication session.
The Authentication Vault allows you to persist the response in a database so that you can retrieve it at any later point.
Why use the Authentication Vault
After enabling the Authentication Vault, the authentication response from Signicat eID Hub is stored automatically in the DEM database. The data is saved into records that you can access from the Signicat Dashboard and the DEM API.
With the Authentication Vault you can configure the following aspects:
- Obfuscating the national identity number.
- Limiting storage only to specific eIDs.
- Deciding how long the records should live in the DEM database.
The Authentication Vault can be used to store records obtained from connections with the following protocols:
- OpenID Connect (OIDC)
- Authentication REST API (only redirect flow)
Note that no data is stored for transactions with SAML 2.0.
Getting started
This section guides you through the steps to activate and configure the Authentication Vault in the Signicat Dashboard.
Prerequisites
If you don't have an account already, sign up for a free Signicat account by completing the following initial preparations:
- Sign up to the Signicat Dashboard and register your profile. For more details, see the Get started with Signicat guide.
- In the Dashboard, make sure you have set up an organisation and an account.
- Additionally, to use this product, you must set up a domain.
We recommend you create a sandbox account to test our services before going live. Sandbox and production accounts must be set up separately.
To use the Authentication Vault in a production account, you must first purchase it. When you are ready to do this, contact us by creating a support ticket in the Dashboard.
Permissions
The Authentication Vault stores data using the sensitive record type, as records contain personal data of the end-users that authenticate. For this reason, you should manage who has access to the records in the Dashboard appropriately.
To view, edit and create records from the Authentication Vault, Dashboard users require (one of) the following permissions:
- DemSensitiveViewer: Access to read sensitive records in DEM.
- DemSensitiveWriter: Access to read and write sensitive records in DEM.
- DemSensitiveEditor: Access to read, write and update sensitive records in DEM.
You can manage the permissions for Dashboard users in the Dashboard > Access Management > Permissions page.
You can also add extra permissions to manage the DEM records, as explained in the DEM documentation.
Set up
To enable and configure the Authentication Vault in your account, do the following:
- Go to Dashboard > Products > eID Hub.
- In the left sidebar menu, select Authentication Vault.
- In the Authentication Vault configuration page, set the following attributes:
  Note: The settings apply only to the Authentication Vault product and do not affect the global configuration of Digital Evidence Management (DEM) in your account. You manage, activate and configure the DEM product separately.
- Select Save to save the configuration and activate the Authentication Vault in your account.
Your configuration might look like this:

Authentication Vault in the Signicat Dashboard
After saving, try a test authentication flow to see what the authentication records look like in DEM, as explained in the next section.
Viewing the records
After you activate the Authentication Vault in your account, you can access the data obtained from end-user authentication in the Dashboard.
You can view and manage the records in the DEM page. To do this, go to Dashboard > Products > Digital Evidence Management.
Example
Imagine that one of your end-users has just completed an authentication with your application using Norwegian BankID. In this example, we use a test user with the following credentials:
and the following Authentication Vault configuration:
- Time to live (TTL)/Unit: 2 Days
- Selected authentication providers: Norwegian BankID
- Obfuscate NIN:
After mocking an authentication using the test user with Norwegian BankID, you should see the record in the Products > Digital Evidence Management page.
To learn how to quickly test authentication with an eID, see the Test an eID tutorial.
To inspect the authentication data, select the record and expand the raw data (JSON).
Example raw data from DEM
{
  "id": "<RECORD_ID>",
  "metadata": {
    "searchAttribute": "b1a1f071-8273-e04c-82db-eb03d14d1228"
  },
  "systemMetadata": {
    "type": "SENSITIVE",
    "expiryDate": "2024-06-23T00:00:00Z",
    "createdDate": "2024-06-21T00:00:00Z",
    "createdDateTime": "2024-06-21T07:35:01Z",
    "createdBy": "<CLIENT_ID>",
    "auditLevel": "QUALIFIED"
  },
  "coreData": {
    "response": {
      "subject": "cpPchEZj4bUtjH6ZKXVmVD8COVKHzei7s9LPT2MCTM4=",
      "subjectType": "PERSISTENT",
      "issuer": "https://auth.current.bankid.no/auth/realms/current",
      "idp": "nbid",
      "loa": "high",
      "transactionId": "b1a1f071-8273-e04c-82db-eb03d14d1228",
      "attributes": [
        {
          "name": "nbidTid",
          "datatype": "string",
          "value": "2c3c8a87-0770-4f4a-972f-55420af38167"
        }
      ],
      "standardAttributes": {
        "name": {
          "fullName": "Gustavo Silva",
          "firstName": "Gustavo",
          "lastName": "Silva"
        },
        "nin": {
          "value": "***",
          "issuingCountry": "NO",
          "type": "BIRTH"
        },
        "dateOfBirth": "1908-09-29"
      }
    }
  },
  "timestampData": {
    "timestamp": "MIIJCzADAgEAMIIJAgYJKo...q9cpN2WSu5e/",
    "timestampValid": true
  },
  "relations": [
    {
      "relationID": "<RECORD_ID>",
      "type": "SENSITIVE",
      "_links": {
        "self": {
          "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
        }
      }
    }
  ],
  "_links": {
    "self": {
      "href": "https://api.signicat.com/dem/records/<RECORD_ID>"
    }
  }
}
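As an added example (not part of Signicat's documentation), the script below audits an exported DEM record such as the raw JSON above against the Vault settings from this example: TTL, allowed providers and NIN obfuscation. It assumes the record lifetime equals expiryDate minus createdDate and that an obfuscated NIN contains no digits, as in the sample; `audit_record`, `parse_day` and `SAMPLE_RECORD` are hypothetical names.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: the page's example record, trimmed to the fields checked here.
SAMPLE_RECORD = json.loads("""
{
  "systemMetadata": {"type": "SENSITIVE", "expiryDate": "2024-06-23T00:00:00Z",
                     "createdDate": "2024-06-21T00:00:00Z"},
  "coreData": {"response": {"idp": "nbid", "standardAttributes": {
      "nin": {"value": "***", "issuingCountry": "NO", "type": "BIRTH"}}}},
  "timestampData": {"timestampValid": true}
}
""")

def parse_day(value):
    """Parse a UTC timestamp in the format shown in the sample; keep only the date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").date()

def audit_record(record, ttl_days, allowed_idps, expect_obfuscated_nin=True):
    """Return a list of findings; an empty list means the record matches policy."""
    findings = []
    meta = record.get("systemMetadata", {})
    resp = record.get("coreData", {}).get("response", {})

    if meta.get("type") != "SENSITIVE":
        findings.append(f"record type is {meta.get('type')!r}, expected 'SENSITIVE'")

    try:
        # Assumption: lifetime = expiryDate - createdDate, as in the page's sample.
        lifetime = parse_day(meta["expiryDate"]) - parse_day(meta["createdDate"])
        if lifetime != timedelta(days=ttl_days):
            findings.append(f"lifetime is {lifetime.days} days, expected {ttl_days}")
    except (KeyError, ValueError, TypeError):
        findings.append("expiryDate/createdDate missing or malformed")

    if resp.get("idp") not in allowed_idps:
        findings.append(f"idp {resp.get('idp')!r} is not in the allowed provider list")

    # Assumption: an obfuscated NIN carries no digits (the sample shows "***").
    nin = resp.get("standardAttributes", {}).get("nin", {}).get("value")
    if expect_obfuscated_nin and nin is not None and any(c.isdigit() for c in str(nin)):
        findings.append("nin.value contains digits although obfuscation is expected")

    if record.get("timestampData", {}).get("timestampValid") is not True:
        findings.append("timestampValid is not true")
    return findings

if __name__ == "__main__":
    for finding in audit_record(SAMPLE_RECORD, 2, {"nbid"}) or ["record matches policy"]:
        print(finding)
```
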
Note the following relevant fields:
Managing and retrieving records
You can manage your DEM records in the Signicat Dashboard and with the DEM API.
Using the Dashboard
To view and manage records in the Signicat Dashboard:
- Navigate to Products > Digital Evidence Management.
- Select a record.
- Now, you can view the data and manage the record:
  - To view the raw data in full, select Expand lines.
  - To download the record in PDF format, select Get report (PDF).
  - To delete the record, select Delete. Then, confirm the action in the pop-up box.
Expiry date: When a record reaches the expiry date, it is deleted automatically and cannot be restored.
Using the DEM API
You can retrieve records from DEM using the DEM API. Learn more about connecting to the API and accessing records in the DEM API guide.
By default, the DEM API is not included in the Authentication Vault. To use the DEM API, you need to purchase and activate it separately, as part of the Digital Evidence Management (DEM) product.
Useful links
You can read more about Digital Evidence Management in the documentation: