Identity Vault

What is an Identity Vault?

An identity vault is, as the name says, a safe for identities. In a digital network, it is a highly secure data store for identity information, which can include contact details, passport or driver’s license numbers, biometric data, and passwords. Such personal data must be stored securely to prevent misuse and data breaches. Identity vaults, therefore, use encryption, multifactor authentication, and other security technologies.

Examples of Identity Vaults and Their Use

As more personal data is processed digitally, an identity vault becomes an important tool. Below are three concrete applications.

Password Manager

Most people need numerous passwords for their business and personal applications. It is difficult to remember all of them, so people often write them down or reuse the same password. That is far from secure, and many organizations and cloud providers try to prevent this with Single Sign-On. Using Single Sign-On, you can access multiple applications with a single login. However, there are usually more standalone passwords left than you would like. To store those safely, people now often use a password manager such as LastPass or KeePass. With it, you can securely store the username and password for each account, and often log in with a single click. A password manager also offers space to store other personal information, such as credit card details, addresses, and confidential notes. As a result, you have a personal identity vault.

Government Identity Vault

Within government, you also see more and more applications that resemble an identity vault in both role and functionality. These are primarily central databases with personal data, such as the Personal Records Database (BRP), which registers each citizen’s name, address, place of birth, nationality, and citizen service number (BSN). The Netherlands Vehicle Authority (RDW) also maintains an identity vault that manages driver’s licenses and vehicle registrations.

In addition, there are initiatives to give citizens a personal government vault where they can store their own data and access digital services. An EU-wide effort is underway on the European Digital Identity, the EDI Wallet. In it, citizens can store their own important digital data, such as driver’s licenses, passports, diplomas, or medical records. The wallet also gives them much more control over how that data can be shared. Today, for example, you still need to show your ID card to prove you are over 18. Soon, the EDI Wallet will confirm, upon request, that someone is over 18. The exact date of birth and other details are not relevant for that purpose and are therefore not visible. Each EU member state must have at least one certified EDI wallet available by the end of 2026. The Dutch government is developing a national version, the public NL wallet.

Identity Vaults Within IAM Environments

Identity vaults are also needed within IAM environments. In fact, there are two places within the IAM domain where a type of identity vault is used:

  • Within an IAM architecture, a central Identity Provider (IdP) is often used for authentication and Single Sign-On (SSO). As a user, you log in to that IdP at the start of a session. If the authentication attempt is successful, the IdP issues digital tokens that automatically grant access to your applications. You can use Entra ID as an IdP, but an IAM platform such as HelloID also offers customers an IdP. In effect, it is an identity vault that stores usernames, passwords, and other authentication data.

  • An IAM platform also includes an identity vault, which is specifically required for automated provisioning. With it, you can create accounts and automatically grant access rights. The mechanism uses various personal data that you collect from one or more source systems, then processes it in an identity vault within your IAM platform.

We describe that second type of identity vault in more detail below.

IAM Identity Vault for Provisioning

Managing accounts and access rights is simple in a small company with a few employees and a few applications. A spreadsheet is sufficient; you can enter the data directly into the relevant systems. In an organization with dozens to thousands of users and dozens of applications, this manual management is unworkable. You need user provisioning functionality that automatically grants accounts and access rights.

The key is that you do not maintain a list of personal settings for each individual user. Instead, you use a concept such as Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). With these, you can automatically create accounts and grant rights based on user attributes.

To do this, you process two types of personal data within your IAM environment:

  • First, basic data such as a person’s given name, surname, preferred name, and contact details. You use this data to create digital identities on the platform, with profile information, account names, and email addresses. An organization defines its own rules for how first and last names are used in an email address. Often, that email address is also used as the username for all applications.

  • Second, there is other relevant personal data that you use in automated provisioning to determine which accounts and rights someone needs. In an organization, required rights often depend on the role someone holds and the department they work in. In a university, the program of study and the academic year of students are needed to issue the correct accounts and rights.

We collect and process this data within HelloID in a dedicated identity vault.
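As an added illustration of how the two kinds of data are used (example code, not HelloID's own implementation): a naming rule derives the account name from the basic data, and attribute-based rules map department and job title to entitlements. The reconciliation step shows why a role change must revoke rights as well as grant them. Field names, the rules and the domain are assumptions.

```python
from dataclasses import dataclass
import re
import unicodedata

# Uniform identity record as the vault holds it after source processing (field names assumed).
@dataclass(frozen=True)
class Identity:
    given_name: str
    surname: str
    department: str
    job_title: str

# Hypothetical business rules: (department, job title or "*" for any) -> entitlements granted.
BUSINESS_RULES = {
    ("Finance", "*"): {"AD: Finance-Users", "ERP: Ledger-Read"},
    ("Finance", "Controller"): {"ERP: Ledger-Write"},
    ("IT", "*"): {"AD: IT-Users"},
    ("IT", "Service Desk"): {"AD: Helpdesk-Admins"},
}

def _fold(s: str) -> str:
    """Strip accents and non-ASCII so a name like 'Zoë Müller' yields a safe account name."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()

def account_name(identity: Identity, domain: str = "example.org") -> str:
    """Apply an organization-defined naming rule: first initial + surname, lowercase, [a-z0-9] only."""
    local = (_fold(identity.given_name)[:1] + _fold(identity.surname)).lower()
    local = re.sub(r"[^a-z0-9]", "", local)
    return f"{local}@{domain}"

def entitlements_for(identity: Identity) -> set:
    """Collect every entitlement whose rule matches the identity's department and job title."""
    granted = set()
    for (dept, title), rights in BUSINESS_RULES.items():
        if dept == identity.department and title in ("*", identity.job_title):
            granted |= rights
    return granted

def reconcile(current: set, desired: set) -> tuple:
    """Return (to_grant, to_revoke): the changes that bring an account to the desired state.
    Revoking what no rule grants any more keeps rights from accumulating on role changes."""
    return sorted(desired - current), sorted(current - desired)
```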

Use of the Identity Vault

The first task of your identity vault for provisioning is to collect the required data. You then process that data in the vault to create and manage accounts and rights.

Source Data in Your Identity Vault

You obtain the required data as much as possible from source systems where this data is naturally managed and maintained. In many IAM environments, the HR system is the primary source. It contains all basic employee data such as given name, surname, and contact details, as well as job title and department. An IAM platform, such as HelloID, therefore has a direct integration with the HR platform and imports the relevant HR data into its own identity vault.

At the same time, other source systems can be used. Universities often use data from the student information system to create student accounts. Data for contractors is often managed in a separate system, and information from scheduling and rostering applications can sometimes be used to allocate rights even more granularly.

Identity Vault Processing

The data from such source systems then undergoes various processing steps within the IAM platform. Data belonging to the same person may be stored in different places, or even in multiple source systems, and must be combined within the identity vault into a single set associated with that specific person. The same data may also be registered in several places and must then be deduplicated. We also convert the data into a single internal format that you can use throughout your IAM platform. The result of all these processing steps is one uniform data set composed of data from different source systems.

This conversion of data into one uniform internal format is not only needed to combine data from multiple source systems. A source system may also be replaced, for example when a different HR system is selected. The new system will usually process and share the data in a different format. By using a single uniform format across the IAM environment, you limit the impact to the connector between the new source system and the IAM platform. Internal processing and the rest of the user provisioning functionality remain unchanged.
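The processing described in the two paragraphs above, as an added example that is not HelloID's code: each connector is one mapping from a source's own format to a uniform record, records for the same person are merged by identifier or by normalized email address, and the primary source wins on conflicts. The two source exports are constructed, and the record layout and field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Uniform internal record kept in the vault; the field names are assumptions for this example.
@dataclass
class Person:
    person_id: str      # stable identifier used to match records across sources
    given_name: str
    surname: str
    email: str
    department: str
    sources: list = field(default_factory=list)

# Constructed exports from two hypothetical source systems, each in its own format.
HR_EXPORT = [
    {"EmpNo": "1001", "FirstName": "Anna", "LastName": "de Vries", "Mail": " A.deVries@Example.org ", "Dept": "Finance"},
    {"EmpNo": "1002", "FirstName": "Ben", "LastName": "Jansen", "Mail": "b.jansen@example.org", "Dept": ""},
]
CONTRACTOR_EXPORT = [
    {"id": "C-77", "name": {"given": "Cara", "family": "Smit"}, "contact": {"email": "cara.smit@example.org"}, "unit": "IT"},
    {"id": "C-12", "name": {"given": "Ben", "family": "Jansen"}, "contact": {"email": "B.Jansen@example.org"}, "unit": "IT"},
]

# One connector is one mapping from a source format to the uniform record. Replacing the HR
# system means writing a new mapping function; nothing downstream of the vault changes.
def map_hr(rec: dict) -> Person:
    return Person(rec["EmpNo"], rec["FirstName"], rec["LastName"],
                  rec["Mail"].strip().lower(), rec["Dept"], ["hr"])

def map_contractor(rec: dict) -> Person:
    return Person(rec["id"], rec["name"]["given"], rec["name"]["family"],
                  rec["contact"]["email"].strip().lower(), rec["unit"], ["contractors"])

# Order matters: the first source is primary and wins on conflicting values.
CONNECTORS: list[tuple[list, Callable[[dict], Person]]] = [
    (HR_EXPORT, map_hr),
    (CONTRACTOR_EXPORT, map_contractor),
]

def build_vault(connectors=CONNECTORS) -> dict:
    """Normalize every source, then merge records that describe the same person
    (same person_id, or the same normalized email). Later sources only fill blanks."""
    vault: dict[str, Person] = {}
    by_email: dict[str, str] = {}
    for records, mapper in connectors:
        for rec in records:
            p = mapper(rec)
            key = p.person_id if p.person_id in vault else by_email.get(p.email, p.person_id)
            if key in vault:
                existing = vault[key]
                existing.sources += p.sources
                for f in ("given_name", "surname", "department"):
                    if not getattr(existing, f):
                        setattr(existing, f, getattr(p, f))
            else:
                vault[key] = p
                by_email[p.email] = key
    return vault
```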

Want to Learn More About the Identity Vault and Source Connectors?

Within your HelloID IAM platform, the identity vault is the place where we securely collect and process personal data. The user provisioning functionality then uses this data to create accounts and grant rights automatically.

The data that can be collected in the identity vault depends on the connected source systems. HelloID provides standard connectors to various source systems. In our catalog, you will find an overview of the available data for each source connector and how to use it for account and access management.

Related Articles

What is an identity vault?

An identity vault is a secure digital repository for identity data. Data can range from passport or driver’s license information to biometric data and passwords.

What is a vault identity?

Vault identity refers to how you recognize and authorize users to access confidential data stored in a digital vault.

What is a source system?

A source system is an information system within an organization that serves as the source for a specific type of data. For example, the HR system is the source system for your personnel data.