Identity Integration
Mandaitor integrates with multiple identity providers to verify who is creating and using mandates. The identity layer answers a foundational question: "Who is this person?" — so that Mandaitor can then answer: "May this person act on behalf of another?"
Supported Identity Providers
| Provider | Protocol | Use Case | Status |
|---|---|---|---|
| EUDI Wallet | OpenID4VP | eIDAS 2.0 European Digital Identity | Available |
| Auth0 | OAuth 2.0 / OIDC | Customer-facing apps (B2C/B2B SaaS) | Available |
| Okta | OAuth 2.0 / OIDC | Workforce identity (enterprises) | Available |
| Microsoft Entra ID | OAuth 2.0 / OIDC | Enterprise identity (Microsoft ecosystem) | Available |
| Google Cloud Identity | OAuth 2.0 / OIDC | Google Workspace / consumer accounts | Available |
| AWS IAM Identity Center | OAuth 2.0 / OIDC | AWS SSO workforce identity | Available |
| Generic OIDC | OIDC | Keycloak, PingIdentity, ForgeRock, etc. | Available |
| AWS Cognito | OAuth 2.0 / OIDC | Platform admin & tenant authentication | Built-in |
How It Works
Mandaitor uses an Identity Provider Abstraction Layer (IPAL) that normalizes identity claims from any provider into a canonical ResolvedIdentity. This means:
- A mandate created via EUDI Wallet can be verified by a service using Auth0 tokens — if the identities are linked.
- An AI agent authenticated via Entra ID can act on behalf of a user who verified with Okta — through the token exchange flow.
- All identity verification events are recorded in the audit trail, regardless of provider.
Provider Detection
When a token arrives at the Mandaitor API, the authorizer detects the provider automatically:
| Token Format | Detected Provider |
|---|---|
| Bearer tnt_xxx:mk_live_xxx | API Key |
| Bearer eudi_session:xxx | EUDI Wallet |
| JWT with cognito-idp.*.amazonaws.com issuer | AWS Cognito |
| JWT with *.auth0.com issuer | Auth0 |
| JWT with *.okta.com issuer | Okta |
| JWT with login.microsoftonline.com issuer | Microsoft Entra ID |
| JWT with accounts.google.com issuer | Google Cloud Identity |
| JWT with identitycenter.amazonaws.com issuer | AWS IAM Identity Center |
| JWT with tenant-configured issuer | Generic OIDC |
Subject ID Mapping
Each provider maps to a canonical subject_id format used in mandates:
| Provider | subject_id Format | Example |
|---|---|---|
| EUDI Wallet | eudi:<unique_id> | eudi:DE/1234567890abcdef |
| Auth0 | oidc:auth0:<sub> | oidc:auth0:auth0\|user123 |
| Okta | oidc:okta:<uid> | oidc:okta:00u1234abcdef |
| Entra ID | oidc:entra:<oid>@<tid> | oidc:entra:abc-123@def-456 |
| Google | oidc:google:<sub> | oidc:google:1234567890 |
| AWS IAM IDC | oidc:aws-idc:<sub> | oidc:aws-idc:a1b2c3d4 |
| Generic | oidc:<prefix>:<sub> | oidc:keycloak:user123 |
| Cognito | cognito:<sub> | cognito:a1b2c3d4-e5f6 |
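The detection table and the subject_id mapping table above, turned into running code as an added example; this is an illustration, not Mandaitor's authorizer. It reads the unverified iss claim only to choose a provider, then applies the table's subject_id format to the claims. Assumed, not taken from this page: the exact issuer URL shapes per vendor, the provider keys beyond API_KEY, COGNITO and AUTH0, the shape of the tenant_issuers mapping for Generic OIDC, and the make_unsigned_jwt tokens, which are constructed test data.

```python
# Added illustration of issuer-based provider detection and canonical
# subject_id mapping. Not Mandaitor's own code; issuer URL shapes and the
# tenant_issuers structure are assumptions.
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# Anchored issuer patterns for the providers in the detection table. Anchoring
# matters: an unanchored "auth0.com" would also match a hostile issuer such as
# https://x.auth0.com.attacker.example/. Exact URL shapes are assumptions.
ISSUER_PATTERNS = [
    (r"^https://cognito-idp\.[a-z0-9-]+\.amazonaws\.com/", "COGNITO"),
    (r"^https://[a-z0-9.-]+\.auth0\.com/?$", "AUTH0"),
    (r"^https://[a-z0-9.-]+\.okta\.com(/|$)", "OKTA"),
    (r"^https://login\.microsoftonline\.com/", "ENTRA"),
    (r"^(https://)?accounts\.google\.com$", "GOOGLE"),
    (r"^https://identitycenter\.amazonaws\.com/", "AWS_IDC"),
]
# Shape of tnt_xxx:mk_live_xxx from the table; the character class is assumed.
API_KEY_RE = re.compile(r"^tnt_[A-Za-z0-9_-]+:mk_(live|test)_[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class ResolvedIdentity:
    provider: str
    subject_id: str
    issuer: str


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT checking the signature. Good enough to pick
    a verifier; nothing read here may be trusted until that verifier passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_issuer(iss: str, tenant_issuers: dict) -> Optional[str]:
    """Map an iss value to a provider key, or None if nobody claims it.
    tenant_issuers maps a tenant-configured issuer URL to its Generic OIDC
    prefix, e.g. {"https://sso.example.com/realms/main": "keycloak"} (assumed)."""
    for pattern, provider in ISSUER_PATTERNS:
        if re.match(pattern, iss):
            return provider
    return "GENERIC_OIDC" if iss in tenant_issuers else None


def detect_provider(authorization: str, tenant_issuers: dict) -> str:
    """Provider detection for an Authorization header value, per the table."""
    scheme, _, credential = authorization.partition(" ")
    if scheme != "Bearer" or not credential:
        raise ValueError("expected 'Bearer <credential>'")
    if API_KEY_RE.match(credential):
        return "API_KEY"
    if credential.startswith("eudi_session:"):
        return "EUDI"
    iss = peek_claims(credential).get("iss")
    if not isinstance(iss, str):
        raise ValueError("JWT has no iss claim")
    provider = classify_issuer(iss, tenant_issuers)
    if provider is None:
        raise ValueError(f"no provider configured for issuer {iss!r}")
    return provider


def to_subject_id(provider: str, claims: dict, tenant_issuers: dict) -> str:
    """Apply the subject_id formats from the mapping table to (verified) claims."""
    def need(name: str) -> str:
        value = claims.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"{provider} token is missing claim {name!r}")
        return value
    formats = {
        "AUTH0": lambda: f"oidc:auth0:{need('sub')}",
        "OKTA": lambda: f"oidc:okta:{need('uid')}",
        "ENTRA": lambda: f"oidc:entra:{need('oid')}@{need('tid')}",
        "GOOGLE": lambda: f"oidc:google:{need('sub')}",
        "AWS_IDC": lambda: f"oidc:aws-idc:{need('sub')}",
        "COGNITO": lambda: f"cognito:{need('sub')}",
        "GENERIC_OIDC": lambda: f"oidc:{tenant_issuers[need('iss')]}:{need('sub')}",
    }
    if provider not in formats:
        raise ValueError(f"no JWT subject_id mapping for {provider}")
    return formats[provider]()


def resolve(authorization: str, tenant_issuers: Optional[dict] = None) -> ResolvedIdentity:
    """Detect, then map. Signature, audience and expiry verification against the
    detected provider's JWKS belongs between the two steps and is omitted here."""
    tenant_issuers = tenant_issuers or {}
    provider = detect_provider(authorization, tenant_issuers)
    if provider in ("API_KEY", "EUDI"):
        raise ValueError(f"{provider} credentials carry no JWT claims; use their own verifier")
    claims = peek_claims(authorization.partition(" ")[2])
    return ResolvedIdentity(provider, to_subject_id(provider, claims, tenant_issuers), claims["iss"])


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: realistic header, placeholder signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'test'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    entra = make_unsigned_jwt({"iss": "https://login.microsoftonline.com/def-456/v2.0",
                               "oid": "abc-123", "tid": "def-456"})
    print(resolve("Bearer " + entra))
```

The point to keep straight: the iss claim is read before any signature check, so it may only route the token to a verifier, never grant anything. Verify the token against the detected provider's JWKS, audience and expiry before calling to_subject_id, and keep the issuer patterns anchored so a lookalike host is not mis-detected as a trusted provider.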
Configuration
Each tenant configures their identity providers via the API or the dashboard:
```bash
curl -X PUT https://api.mandaitor.io/v1/tenants/{tenantId}/identity-providers \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled_providers": ["API_KEY", "COGNITO", "AUTH0"],
    "auth0": {
      "domain": "your-tenant.auth0.com",
      "audience": "https://api.your-app.com",
      "client_id": "your-client-id"
    }
  }'
```
See the individual provider guides for detailed setup instructions.
Cross-Provider Identity Binding
Mandaitor supports linking identities across providers. When a user verifies with the EUDI Wallet (high assurance), their canonical identity can be bound to their Auth0, Okta, or Entra ID accounts. This enables:
- Mandate portability: A mandate created with eIDAS identity can be used by the same person authenticating via their corporate Okta account.
- Progressive assurance: Start with OIDC authentication, upgrade to eIDAS HIGH assurance when needed.
- Audit continuity: All identity bindings are tracked in the audit trail.