Discover how governments and enterprises use proConsul to orchestrate digital identity, credentials, and trust services at scale across diverse scenarios.
From national digital identity programmes to enterprise credential management
A national government is implementing a comprehensive digital identity programme encompassing national ID cards, passports, driving licenses, and an EUDI Wallet. The programme must support millions of citizens, integrate with legacy population registry systems, coordinate multiple government agencies, and comply with eIDAS2 requirements. The system needs to issue secure credentials, manage lifecycle operations, enable cross-border recognition, and maintain comprehensive audit trails for regulatory compliance.
Policy Engine: proConsul defines and enforces policies governing credential issuance, validity periods, renewal procedures, and revocation conditions. Policies accommodate different credential types (national ID, passport, driving license) with appropriate authority delegation to issuing agencies while maintaining central oversight.
Workflow Coordination: Multi-step approval workflows coordinate between population registry verification, biometric capture, document examination, quality assurance, and final credential production. Escalation procedures handle exceptions and disputed cases. Approvals are digitally signed for non-repudiation.
Integration Hub: proConsul integrates the population registry, document management systems, biometric matching services, TrustVault PKI infrastructure, and idGuard wallet platform. Standard protocols (OpenID Connect, SAML) federate identity across government agencies.
Compliance Framework: Comprehensive audit trails document every credential operation for regulatory accountability. GDPR data subject rights are supported through automated request processing. eIDAS2 trust service provider compliance is maintained through evidence collection and reporting.
idGuard: Citizens receive their national identity credentials in the idGuard mobile wallet application. The wallet provides secure credential storage, privacy-preserving presentation, and AI-driven monitoring for identity threats. Citizens control disclosure of attributes to relying parties, with proConsul enforcing government policies on minimum disclosure requirements.
TrustVault: All cryptographic operations are performed by TrustVault with HSM-backed key material. TrustVault generates signing keys for credential issuance, maintains the PKI hierarchy from root CA through intermediate CAs to issuing CAs, performs digital signatures on credentials, and manages certificate lifecycle including revocation list publication.
User Consent Token (UCT) flow: A use-once, timebound token issued by a MasterCode or TrustCode to a Relying Party ID (RPID), which is then presented to fetch data from the wallet
Multiple EU member states are conducting a pilot for cross-border EUDI Wallet interoperability. Citizens from one member state need to use their nationally-issued digital credentials for government services, banking, and healthcare in other member states. The pilot must demonstrate technical interoperability, establish trust between national infrastructures, implement mutual recognition agreements, and respect data protection requirements across jurisdictions.
Trust Framework Management: proConsul maintains the cross-border trust framework defining mutual recognition rules, attribute mapping between national schemas, assurance level equivalencies, and liability arrangements. Each member state operates their own proConsul instance with federation configuration enabling cross-border transactions.
OpenID Federation: proConsul implements OpenID Federation to establish trust chains between member state identity providers, wallet providers, and relying parties. Entity statements, trust anchors, and metadata are managed through proConsul's federation module. Trust chain validation occurs in real-time during cross-border transactions.
Attribute Mapping & Translation: When credentials issued by one member state are presented in another, proConsul orchestrates attribute mapping based on agreed schemas. Privacy-preserving selective disclosure ensures only necessary attributes are shared. Consent management workflows record citizen authorization for cross-border data sharing.
Compliance Coordination: Each member state maintains GDPR compliance within their jurisdiction while proConsul coordinates cross-border data protection safeguards. Audit logs in each jurisdiction document incoming and outgoing credential transactions. Data localization policies are enforced where required.
idGuard: Citizens use idGuard wallets to store credentials from their home member state and present them to relying parties in visited member states. The wallet handles protocol translation and credential format conversion where necessary. Multi-language support accommodates citizens and relying parties across the EU.
TrustVault: Each member state's TrustVault maintains their national PKI hierarchy. Cross-border trust is established through CA cross-certification or bridge CA arrangements orchestrated by proConsul. TrustVault validates credentials issued by foreign member states against their PKI infrastructure, with validation results cached for performance.
A major retail bank must comply with stringent KYC/AML regulations requiring customer identity verification at onboarding and periodic re-identification. Traditional processes involve in-branch document checks or postal identity verification, creating friction and operational costs. The bank wants to leverage government-issued digital credentials for seamless KYC while maintaining regulatory compliance, fraud prevention, and audit trail requirements.
Identity Proofing Workflow: When a customer initiates account opening, the bank's application requests identity verification through proConsul. proConsul orchestrates the verification workflow: customer authenticates with their national eID, authorizes disclosure of required attributes (name, date of birth, address, national ID number), and consents to bank's processing. Verification response includes cryptographic proof of credential validity and issuing authority.
Risk-Based Authentication: proConsul integrates fraud signals and risk scoring. High-risk indicators (geographic anomalies, device fingerprinting, behavioral analytics) trigger enhanced verification workflows requiring additional evidence or manual review. Risk assessments are documented for AML compliance. Automated decisioning for low-risk cases accelerates customer onboarding.
Credential Validation: Real-time validation against credential issuer's systems confirms credential has not been revoked. Digital signature validation ensures credential integrity. Attribute values are extracted and provided to the bank's core banking system. Validation results include assurance level assessment per eIDAS framework.
Compliance Documentation: Complete audit trail documents the identity verification transaction for regulatory examination. Includes customer consent record, credential details (without storing the credential itself per GDPR minimization), validation results, risk assessment, and decision rationale. Records are retained per AML record-keeping requirements.
idGuard: Customer's government-issued identity credentials are stored in their idGuard wallet. When the bank requests identity verification, the customer receives a notification in idGuard showing which attributes are requested and for what purpose. Customer reviews and approves the disclosure. idGuard presents the credential to the bank's verification service with cryptographic proof.
TrustVault: The bank operates a qualified electronic signature service through TrustVault integration. When customer signs account opening documents, TrustVault generates qualified signatures meeting eIDAS requirements. For high-value transactions, TrustVault provides remote qualified signature creation device (QSCD) capabilities. All signing operations are logged and timestamped.
A telecommunications operator must comply with mandatory SIM registration regulations requiring verified customer identity for all mobile subscriptions. Objectives include reducing SIM swap fraud, preventing anonymous phone-based scams, enabling lawful intercept compliance, and improving customer experience. The operator manages millions of subscribers across retail stores, online channels, and authorized dealer networks requiring consistent identity verification processes.
Multi-Channel Identity Verification: proConsul orchestrates identity verification across channels. In retail stores, staff use tablets to scan customer's idGuard wallet QR code or NFC presentation. Online, customers authenticate with national eID and authorize disclosure. Dealer networks submit verification requests through proConsul APIs with cryptographic evidence of credential validity.
SIM Swap Protection: When subscriber requests SIM replacement, proConsul enforces enhanced verification workflows. Customer must re-authenticate with strong credentials and authorize the SIM change. Out-of-band notification is sent to existing phone number. Risk scoring considers request timing, location, and behavioral patterns. High-risk requests require additional verification or cooling-off periods.
Fraud Detection Integration: proConsul integrates with the operator's fraud management system and external fraud intelligence networks. Patterns indicating SIM box fraud, subscription fraud, or account takeover trigger automated protective actions. Suspicious SIMs are flagged for monitoring. Bulk analysis identifies fraud rings operating across multiple accounts.
Regulatory Compliance: proConsul maintains comprehensive subscriber identity records meeting regulatory requirements. Records include verified identity attributes, verification method, timestamp, and evidence retention. Lawful intercept requests are processed through proConsul with appropriate authorization and audit logging. Data retention policies automatically expire records per telecommunications regulations.
idGuard: Subscribers use idGuard wallets for seamless SIM activation and management. When purchasing SIM card, customer presents credential via QR code or NFC. For SIM swaps, enhanced authentication through idGuard prevents unauthorized changes. idGuard's AI-driven fraud detection alerts customers to suspicious activities on their mobile accounts.
TrustVault: The telecommunications operator issues digital certificates to subscribers for advanced services like enterprise VPNs, secure messaging, and IoT device authentication. TrustVault manages the operator's PKI infrastructure, generates per-subscriber certificates, and handles certificate lifecycle. Mobile network authentication integrates TrustVault certificate validation for high-security applications.
A healthcare system employs thousands of physicians, nurses, pharmacists, and allied health professionals across multiple hospitals and clinics. Professional credentials must be verified, privileges must be granted and tracked, continuing education requirements must be monitored, and access to patient records must be controlled based on professional scope. Manual credentialing processes are time-consuming and error-prone, delaying practitioner onboarding and creating compliance risks.
Credential Verification: When healthcare professionals join the organization, proConsul orchestrates verification of their professional credentials. Queries to medical licensing boards, professional colleges, and educational institutions confirm qualifications. Digital credentials from issuing authorities are cryptographically validated. Primary source verification is documented for Joint Commission and other accreditation requirements.
Privileging Workflows: proConsul manages privileging workflows where clinical leaders grant specific practice privileges (e.g., surgical procedures, prescription authorities, specialty consultations). Multi-level approval chains ensure appropriate oversight. Privilege expirations trigger automatic renewal workflows. Changes in professional status (license suspensions, malpractice events) automatically suspend privileges pending review.
Access Control Integration: proConsul integrates with electronic health record systems to enforce role-based access controls based on verified credentials and granted privileges. Physicians access patient records within their scope of practice. Audit logs track all record access for HIPAA compliance and quality assurance. Emergency access procedures with enhanced logging accommodate urgent care scenarios.
Continuing Education Tracking: Healthcare professionals' continuing medical education (CME) credits and certification renewals are tracked through proConsul. Integration with CME providers automatically updates credential status. Expiring certifications trigger notifications and initiate renewal workflows. Lapsed credentials result in automatic privilege suspension until remediated.
idGuard: Healthcare professionals store their professional credentials, licenses, and certifications in idGuard wallets. When joining a new healthcare organization or obtaining temporary privileges at another facility, they present verified credentials from their wallet. This streamlines credentialing across healthcare systems and reduces verification burden.
TrustVault: Electronic prescriptions are digitally signed using TrustVault-managed certificates, meeting regulatory requirements for prescription integrity. Healthcare professionals receive qualified electronic signature certificates for signing medical records, consent forms, and controlled substance prescriptions. TrustVault maintains the healthcare organization's internal PKI for secure communications and system authentication.
A university issues thousands of degrees, diplomas, and certificates annually. Graduates need verifiable proof of their qualifications for employment and further education. Employers and other educational institutions require efficient verification methods to combat credential fraud. The university wants to issue tamper-proof digital credentials that graduates can easily share while maintaining verification efficiency and reducing administrative burden on the registrar's office.
Credential Issuance Workflow: Upon graduation, proConsul orchestrates the credential issuance process. Student records are verified, degree requirements are confirmed, and approval workflows route through department chairs, registrar, and academic senate. Digital diploma is generated with cryptographic signatures from university authorities. Credential is delivered to graduate's idGuard wallet with notification of availability.
Credential Schema Management: proConsul maintains standardized credential schemas for various qualification types (bachelor's degrees, master's degrees, certificates, professional credentials). Schemas define required attributes (graduate name, degree type, major, graduation date, honors) and optional attributes (courses completed, grades, thesis title). Schema evolution is version-controlled with backward compatibility.
Verification Service: Employers and educational institutions verify credentials through proConsul's verification API. Verifier receives cryptographic proof of credential validity, issuing authority, and graduate identity. Selective disclosure enables graduates to share only necessary attributes (e.g., confirm degree without revealing GPA). Verification transactions are logged for security monitoring and usage analytics.
Revocation Management: In cases of degree revocation due to academic misconduct or credential fraud, proConsul manages the revocation process with appropriate due process workflows. Revoked credentials are added to revocation lists. Verifiers checking credential status receive revocation notification. Graduate receives formal notification through registered channels.
idGuard: Graduates receive their academic credentials in idGuard wallets. When applying for jobs or further education, they present credentials directly from their wallet. Selective disclosure controls enable sharing relevant qualifications without revealing transcript details. Lifetime access ensures credentials remain available years after graduation.
TrustVault: The university's credential signing keys are managed by TrustVault with HSM protection. Academic credentials are digitally signed using the university's qualified certificate, providing strong cryptographic assurance. TrustVault maintains the university's PKI infrastructure including timestamp services for proving credential issuance dates.
Every organization has unique requirements. Let's discuss how proConsul can be configured for your specific use case.