Employee Onboarding Flow

Overview

GetTrusted's Employee Onboarding Flow creates hardware-backed enterprise device keys with dual-signed X.509 certificates for employees joining an organization. This flow combines personal identity management with organizational credentialing, resulting in a cryptographically verifiable chain of trust from the employee's hardware device through the organization's Certificate Authority.

Key Security Features:

Dual-Signature X.509 Certificates: Co-signed by employee's device key AND organization CA
Hardware-Backed Enterprise Keys: Generated in Secure Enclave/StrongBox/TPM (never exported)
OIDC Directory Integration: Employee identity validated via company SSO (Okta, Azure AD, etc.)
AWS KMS Protected CA: Organization CA private keys encrypted at rest in hardware security modules
Managed Data Sync: Automatic synchronization of employee persona and organizational contacts
Certificate Lifecycle: 365-day validity with automatic renewal support

Process Overview

Diana (a new employee at Acme Corp) has already authenticated via OIDC (Organization Signup Flow). Now she needs to create an enterprise device key that will be used for all organizational communications and access.

Diana's Perspective (New Employee)

Complete OIDC authentication

Diana completes OIDC authentication (Organization Signup Flow).

App prompts to create enterprise key

App prompts: "Create enterprise device key for Acme Corp".

Hardware generates key pair

Hardware generates new enterprise key pair in Secure Enclave/StrongBox.

Create X.509 CSR

App creates X.509 CSR (Certificate Signing Request) with employee info.

Device signs CSR

Device signs CSR with device key (first signature).

Send CSR to backend

CSR sent to backend with OIDC token for validation.

Organization CA signs certificate

Organization CA signs enterprise certificate (second signature).

Install certificate in hardware

Certificate installed in hardware with full chain.

Managed data syncs

Managed data syncs: Employee persona + organizational contacts auto-sync.

Enterprise key active

Enterprise key active: Diana can now use organizational identity.

Backend Perspective (GetTrusted API + Organization CA)

Receive enterprise key request

Enterprise key request arrives with OIDC token and device CSR.

Validate OIDC token

Validate OIDC token (JWT signature + claims: sub, email, email_verified).

Load organization CA key

Load organization CA private key from AWS KMS (encrypted at rest).

Extract directory ID

Extract directory ID from OIDC sub claim (e.g., "diana.prince").

Create X.509 certificate

Create X.509 certificate with employee subject and public key.

Sign certificate with Org CA

Sign certificate with organization CA (second signature).

Assemble certificate chain

Assemble certificate chain: [Enterprise Cert, Org CA Cert, Business CA Cert, Root CA].

Store certificate metadata

Store in Firestore /enterprise_device_keys/{key_id}.

Return signed certificate to device

Return signed certificate to mobile device.

Trigger managed data sync

Trigger managed data sync: Fetch employee persona from directory.

Process Flow Diagram

Cryptographic Security

Dual-Signature X.509 Certificate

TBS Certificate Structure:

Version: 3 (X.509v3)
Serial Number: {unique_serial}
Signature Algorithm: ECDSA-with-SHA256
Issuer: O=Acme Corporation, CN=Acme GetTrusted CA
Validity:
  Not Before: 2025-01-10 00:00:00 UTC
  Not After: 2026-01-10 00:00:00 UTC
Subject: O=Acme Corporation, OU=Employee, CN=diana.prince, [email protected]
Subject Public Key Info:
  Algorithm: id-ecPublicKey (P-256)
  Public Key: {p256_ecdsa_public_key}
Extensions:
  basicConstraints: CA:FALSE
  keyUsage: digitalSignature
  extendedKeyUsage: clientAuth, emailProtection
  subjectAltName: email:[email protected]

Dual Signature Structure:

signatureAlgorithm: ECDSA-with-SHA256
signatureValue:
  device_signature: {ecdsa_signature_from_device_key}    # First signature
  ca_signature: {ecdsa_signature_from_org_ca}            # Second signature

Certificate Chain Validation

Full PKI Hierarchy:

1. GetTrusted Root CA (Self-Signed)
   ├─ Subject: O=GetTrusted, CN=GetTrusted Root CA
   ├─ Key Usage: Certificate Signing, CRL Signing
   ├─ Validity: 20 years

2. GetTrusted Business CA (Signed by Root CA)
   ├─ Subject: O=GetTrusted, CN=GetTrusted Business CA
   ├─ Issuer: GetTrusted Root CA
   ├─ Key Usage: Certificate Signing, CRL Signing
   ├─ Validity: 10 years

3. Acme Corporation CA (Signed by Business CA)
   ├─ Subject: O=Acme Corporation, CN=Acme GetTrusted CA
   ├─ Issuer: GetTrusted Business CA
   ├─ Key Usage: Certificate Signing, CRL Signing
   ├─ Basic Constraints: CA:TRUE, pathlen:0
   ├─ Validity: 10 years

4. Diana's Enterprise Device Certificate (Signed by Acme CA + Device Key)
   ├─ Subject: O=Acme Corporation, OU=Employee, CN=diana.prince
   ├─ Issuer: Acme Corporation CA
   ├─ Key Usage: digitalSignature
   ├─ Dual Signatures: [Device Key, Org CA]
   ├─ Validity: 365 days (1 year)

Security Guarantees

Hardware-Backed Enterprise Keys

Enterprise private keys never leave Secure Enclave/StrongBox/TPM
Key generation happens entirely in hardware security module
Private keys cannot be extracted or exported

Dual-Signature Verification

TWO independent signatures on same TBS certificate
Device signature proves delegation from personal identity
Organization CA signature proves organizational authorization
Both must be valid for certificate to be trusted

OIDC Directory Integration

Employee identity validated via company SSO
Directory ID from OIDC sub claim (unique, immutable)
Email verification required (email_verified: true)
JWT signature verification prevents token tampering

AWS KMS Key Protection

Organization CA private keys encrypted at rest
Decryption requires IAM authentication
Audit logging for all key usage
Automatic key rotation supported

Certificate Chain Trust

Full PKI validation from device through organization to root
Each link in chain cryptographically verified
Expired certificates automatically rejected
Certificate revocation supported (future enhancement)

Managed Data Security

Employee persona data read-only (cannot be tampered)
Organizational contacts auto-synced from directory
Data freshness guaranteed via periodic sync
Access controlled via enterprise key

Production Resilience

Automatic retry with exponential backoff (1s, 2s, 4s)
30-second timeout for enterprise key creation
Smart error classification (never retry implementation failures)
Immediate managed data sync after key creation

Strategic Implications

Enterprise Identity Lifecycle

Before GetTrusted:

- Manual employee onboarding with IT support
- Physical hardware tokens or smart cards required
- No cryptographic binding to personal identity
- Separate credentials for each enterprise app

With GetTrusted:

- Automatic onboarding via OIDC SSO
- Hardware-backed enterprise keys (no physical tokens)
- Cryptographically bound to employee's personal device identity
- Single enterprise credential for all GetTrusted organizational features

Certificate-Based Access Control

Dual-Signature Benefits:

Delegation Proof: Device signature proves employee authorized this enterprise key
Authorization Proof: Org CA signature proves organization authorized this employee
Non-Repudiation: Both parties cryptographically committed to relationship
Automatic Revocation: Organization can revoke CA signature without affecting device

Organizational Trust Hierarchy

Trust Levels:

1. Maximum Trust: P2P trust establishment + hardware attestation
2. High Trust: Phone number ownership + remote attestation
3. Organizational Trust: Enterprise OIDC + dual-signed certificate ← Employee Onboarding
4. Business Trust: Business certificate + entity verification
5. Unverified: Contact information only

Organizational Trust Grants:

Access to organizational shared resources
Managed persona and contacts (auto-synced)
Enterprise messaging and verification
Organizational compliance features

PreviousEnterprise Self Service Signup

Last updated 5 months ago

hashtagOverview

hashtagProcess Overview

hashtagDiana's Perspective (New Employee)

hashtagComplete OIDC authentication

hashtagApp prompts to create enterprise key

hashtagHardware generates key pair

hashtagCreate X.509 CSR

hashtagDevice signs CSR

hashtagSend CSR to backend

hashtagOrganization CA signs certificate

hashtagInstall certificate in hardware

hashtagManaged data syncs

hashtagEnterprise key active

hashtagBackend Perspective (GetTrusted API + Organization CA)

hashtagReceive enterprise key request

hashtagValidate OIDC token

hashtagLoad organization CA key

hashtagExtract directory ID

hashtagCreate X.509 certificate

hashtagSign certificate with Org CA

hashtagAssemble certificate chain

hashtagStore certificate metadata

hashtagReturn signed certificate to device

hashtagTrigger managed data sync

hashtagProcess Flow Diagram

hashtagCryptographic Security

hashtagDual-Signature X.509 Certificate

hashtagCertificate Chain Validation

hashtagSecurity Guarantees

hashtagStrategic Implications

hashtagEnterprise Identity Lifecycle

hashtagCertificate-Based Access Control

hashtagOrganizational Trust Hierarchy