Web services platform that integrates user identification, authentication and electronic signature methods for the eIDAS Regulation. In addition to multifactor authentication, trust-level management and identity federation, the platform provides remote signing via a Web API with the users' PKI keys held on the server.
- It combines authentication, single sign-on (SSO), identity federation and authentication trust-level management. Authentication methods based on PKI, SMS/email OTP and Safelayer Mobile ID are provided.
- The platform is complemented by the incorporation of PKI identity attributes for implementing electronic signature functions. In addition to authentication, it provides server-side and mobile-device signature services, making it a complete solution for deploying the new eIDAS trust services.
Benefits
- Complete solution
Secure user identification on mobile devices and in the cloud. As well as authentication, SSO and identity federation, the solution provides qualified remote signing via Web APIs.
- Trust elevation
TrustedX eIDAS provides an adaptive authentication engine that classifies the trust level of the authentication method (as per NIST's AAL / eIDAS's assurance levels). The trust level can be raised by requiring an additional authentication factor such as SMS/email OTP or Safelayer Mobile ID.
- Cloud signing
Management of public key infrastructure (PKI) identity attributes and remote signing functions in accordance with the CEN 419 241 technical standards. Qualified Signature Creation Device (QSCD) certification is in progress, so that the platform can be operated by Trust Service Providers (TSPs).
- Standard integration
The REST Web services API is built on OAuth 2.0/OpenID Connect, SAML and the ETSI *AdES signature format standards, so integration needs only the basic HTTP tooling available in any environment or language.
- Security and auditing
The system records and aggregates identification, authentication and electronic signature events as per the security requirements of the technical standards associated with the eIDAS Regulation.
Operation
The TrustedX eIDAS platform acts as an identity provider (IdP) and a signature provider (eSigP) for the users in their interactions with the applications by providing the following functionality.
- Identity provider (IdP)
Validates user identities, manages the trust level of each authentication as per NIST's AAL / eIDAS's assurance levels, and provides identity federation and SSO between applications.
It includes authentication methods based on PKI, SMS/email OTP and Safelayer Mobile ID (*), and supports authentication plug-ins for incorporating other authentication services.
- Electronic signature provider (eSigP)
Manages the users' PKI material as identity attributes in a secure, audited HSM-based repository. Once identified by the IdP, a user can have one or more digital certificates for electronically signing documents.
Signing functions are available as a Web service or via the Safelayer Virtual Card component (*).
- Integration standards
It supports the SAML and OAuth 2.0/OpenID Connect standards for Web SSO. Signature functions are accessible via a Web API. TrustedX eIDAS also supports the ETSI PAdES, XAdES and CAdES signature formats and raw RSA PKCS #1 signatures.
(*) See the product sheet for more information Safelayer Virtual Card and Safelayer Mobile ID.
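The relying-party side of the trust elevation described above, as an added example that is not code from the product or its documentation. An application logs the user in over OpenID Connect, checks the `acr` claim of the ID token against the assurance level the operation requires, and, when a document signature needs a stronger level than the SSO session provides, sends the user back to the IdP with `prompt=login` and a higher `acr_values`. The issuer URL, endpoint path, client registration and the use of the eIDAS LoA URIs as `acr` values are assumptions; the ID token is HS256-signed with the client secret (which OIDC Core permits) so the example runs offline with the standard library only, whereas a real IdP would normally publish RS256 keys via JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assurance levels ordered low < substantial < high. The URIs are the eIDAS LoA
# identifiers; using them as OIDC `acr` values is an assumption of this example.
LOA_RANK = {
    "http://eidas.europa.eu/LoA/low": 1,
    "http://eidas.europa.eu/LoA/substantial": 2,
    "http://eidas.europa.eu/LoA/high": 3,
}

ISSUER = "https://idp.example.com"             # hypothetical IdP
AUTHZ_ENDPOINT = ISSUER + "/oauth2/authorize"  # hypothetical endpoint path
CLIENT_ID = "doc-portal"                       # hypothetical client registration
REDIRECT_URI = "https://portal.example.com/cb"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(required_loa: str, step_up: bool = False) -> dict:
    """Authorization-code + PKCE request asking the IdP for at least required_loa.
    Returns the redirect URL and the values the RP must keep in its server-side
    session (state, nonce, code_verifier) to check the response later."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(48)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
        "acr_values": required_loa,
    }
    if step_up:
        params["prompt"] = "login"  # do not let the IdP reuse the weaker SSO session
    return {"url": AUTHZ_ENDPOINT + "?" + urlencode(params),
            "state": state, "nonce": nonce, "code_verifier": verifier}


def mint_id_token(client_secret: bytes, nonce: str, acr: str, now: int) -> str:
    """Stand-in for the IdP: mints a constructed HS256 ID token for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce, "acr": acr}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, client_secret: bytes, expected_nonce: str,
                      now: int) -> dict:
    """Verify the signature and the OIDC Core 3.1.3.7 claims; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":  # pin the alg, never "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch (replay or CSRF)")
    return claims


def next_step(claims: dict, required_loa: str) -> dict:
    """Proceed only if the asserted acr reaches required_loa; otherwise return
    a step-up authorization request for the stronger level."""
    if LOA_RANK.get(claims.get("acr"), 0) >= LOA_RANK[required_loa]:
        return {"action": "proceed", "sub": claims["sub"]}
    return {"action": "step_up",
            "request": build_authorization_request(required_loa, step_up=True)}


if __name__ == "__main__":
    secret, now = secrets.token_bytes(32), int(time.time())  # constructed client secret
    login = build_authorization_request("http://eidas.europa.eu/LoA/low")
    tok = mint_id_token(secret, login["nonce"], "http://eidas.europa.eu/LoA/low", now)
    claims = validate_id_token(tok, secret, login["nonce"], now)
    print(next_step(claims, "http://eidas.europa.eu/LoA/low")["action"])          # proceed
    print(next_step(claims, "http://eidas.europa.eu/LoA/substantial")["action"])  # step_up
```

The point a practitioner should take from this is that the assurance level lives in the ID token the application validates, not in the IdP's session: the application must pin the signature algorithm, check issuer, audience, expiry and nonce, and then compare `acr` against what the operation (reading versus signing a document) actually requires before calling the signature API.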
Architecture
TrustedX provides multifactor authentication and user remote signing to applications, either as corporate Web services or as services operated by a trust service provider.
The following figure illustrates the interactions between TrustedX eIDAS and the following infrastructure components:
- Identity services: Can include the LDAP server (for attributes and authentication), an authentication server (e.g., OTP), PKI services, databases and federated IdPs.
- Network HSM: Cryptographic security device that guarantees the protection of user PKI private keys.
- Other components (not displayed in the figure): Mail servers, SMS servers, monitoring systems.
Videos
PDF Document Signing with Safelayer Mobile ID
This video shows how to sign a PDF document using a smartphone. After logging into a document management portal, the user selects a PDF document and signs it electronically using only their smartphone.
OOB Transaction Verification with Safelayer Mobile ID
This video shows the transaction verification process over a second (out-of-band) channel. The user is prompted to confirm the details of an operation on their smartphone via the Safelayer Mobile ID app.