Enterprise Self Service Signup
This page describes the self-service signup flow; the managed signup flow runs the same steps, but they are performed entirely by the backend.
Overview
GetTrusted's Organization Signup Flow enables enterprise administrators to create their organization account through the GetTrusted Enterprise web portal using AWS Cognito authentication. This flow establishes the organizational infrastructure including AWS KMS encryption keys, an organization-specific Certificate Authority (CA), and OIDC integration capabilities for employee onboarding.
Key Security Features:
AWS Cognito Authentication: Email-verified authentication; this account becomes the organization's root account once SSO is set up.
Automatic CA Generation: The organization's intermediate CA is created during signup with no administrator action required.
AWS KMS Encryption: Organization data encrypted at rest with dedicated KMS keys
FIPS-Compliant Cryptography: ECC P-256 signing keys with ECDSA-SHA256
Certificate Authority Hierarchy: Organization CA signed by GetTrusted Business CA
Transparency Logging: Business identity attestations submitted to public transparency log
Zero-Knowledge Architecture: Sensitive data encrypted before storage in Firestore
Process Overview
Diana (a new enterprise administrator) wants to set up GetTrusted for her organization, Acme Corp. She will create an account in the gettrusted-enterprise web portal and establish her organization's cryptographic infrastructure.
Diana's Perspective (Enterprise Administrator)
Backend Perspective (GetTrusted API + AWS Services)
Process Flow Diagram
sequenceDiagram
participant Diana Browser
participant Enterprise Portal
participant AWS Cognito
participant GetTrusted Backend
participant AWS KMS
participant Business CA (KMS)
participant Firestore
participant Transparency Log
Note over Diana Browser,Transparency Log: Phase 1: Cognito Authentication
Diana Browser->>Enterprise Portal: Navigate to /signup
Diana Browser->>Enterprise Portal: Submit signup form<br/>{firstName, lastName, email, password, companyName}
Enterprise Portal->>AWS Cognito: SignUp({email, password, attributes})
AWS Cognito-->>Enterprise Portal: {userSub, requiresConfirmation: true}
AWS Cognito->>Diana Browser: Send email verification code via SES
Diana Browser->>Enterprise Portal: Enter verification code
Enterprise Portal->>AWS Cognito: ConfirmSignUp({email, code})
AWS Cognito-->>Enterprise Portal: {success: true}
Enterprise Portal->>AWS Cognito: SignIn({email, password})
AWS Cognito-->>Enterprise Portal: {accessToken, idToken, refreshToken}
Enterprise Portal->>Diana Browser: Store tokens, redirect to /dashboard
Note over Diana Browser,Transparency Log: Phase 2: Organization Creation
Diana Browser->>Enterprise Portal: View dashboard with "Create Organization" prompt
Diana Browser->>Enterprise Portal: Submit organization form<br/>{company_name, company_domain, contact_email}
Enterprise Portal->>GetTrusted Backend: POST /enterprise/portal/organizations<br/>{JWT, organization_data}
GetTrusted Backend->>GetTrusted Backend: Validate JWT (Cognito token)
GetTrusted Backend->>GetTrusted Backend: Generate organizationId (UUID)
GetTrusted Backend->>GetTrusted Backend: Check domain uniqueness
Note over Diana Browser,Transparency Log: Phase 3: KMS Key Creation
GetTrusted Backend->>AWS KMS: CreateKey(SYMMETRIC_DEFAULT)<br/>For organization data encryption
AWS KMS-->>GetTrusted Backend: {keyArn_encryption}
GetTrusted Backend->>AWS KMS: EnableKeyRotation({keyArn_encryption})
AWS KMS-->>GetTrusted Backend: Rotation enabled
GetTrusted Backend->>AWS KMS: Encrypt({keyArn, company_name})
AWS KMS-->>GetTrusted Backend: encrypted_company_name (base64)
GetTrusted Backend->>AWS KMS: Encrypt({keyArn, contact_email})
AWS KMS-->>GetTrusted Backend: encrypted_contact_email (base64)
GetTrusted Backend->>Firestore: Create /enterprise_organizations/{org_id}<br/>{encrypted_name, encrypted_email, domain, kms_key_arn}
Firestore-->>GetTrusted Backend: Document created
Note over Diana Browser,Transparency Log: Phase 4: Organization CA Creation
GetTrusted Backend->>AWS KMS: CreateKey(ECC_NIST_P256, SIGN_VERIFY)<br/>For organization CA signing
AWS KMS-->>GetTrusted Backend: {keyArn_ca_signing}
GetTrusted Backend->>AWS KMS: GetPublicKey({keyArn_ca_signing})
AWS KMS-->>GetTrusted Backend: org_ca_public_key (DER)
GetTrusted Backend->>GetTrusted Backend: Build X.509 TBS Certificate:<br/>Subject: CN=Acme Intermediate CA, O=Acme, C=US<br/>Issuer: CN=GetTrusted Business CA<br/>Extensions: BasicConstraints(CA:TRUE, pathlen:0)
GetTrusted Backend->>GetTrusted Backend: Serialize TBS to DER
GetTrusted Backend->>Business CA (KMS): Sign({TBS_DER, ECDSA_SHA_256})
Business CA (KMS)-->>GetTrusted Backend: business_ca_signature (DER)
GetTrusted Backend->>GetTrusted Backend: Construct X.509 Certificate:<br/>{TBS, business_ca_signature}
GetTrusted Backend->>GetTrusted Backend: Build certificate chain:<br/>[Org CA Cert, Business CA Cert, Root CA Cert]
GetTrusted Backend->>Firestore: Update /enterprise_organizations/{org_id}<br/>{ca_key_arn, certificate_der_base64, certificate_chain}
Firestore-->>GetTrusted Backend: Updated
Note over Diana Browser,Transparency Log: Phase 5: Attestation & Master Identity
GetTrusted Backend->>GetTrusted Backend: Create business identity attestation:<br/>subject_fingerprint: SHA256(org_ca_pubkey)<br/>issuer_fingerprint: SHA256(business_ca_pubkey)
GetTrusted Backend->>Business CA (KMS): Sign(attestation_canonical_json)
Business CA (KMS)-->>GetTrusted Backend: attestation_signature
GetTrusted Backend->>Transparency Log: POST /attestation/v1/add-attestation<br/>{attestation, business_ca_pubkey, signature}
Transparency Log-->>GetTrusted Backend: {index, leaf_hash, inclusion_proof}
GetTrusted Backend->>GetTrusted Backend: Create master identity:<br/>master_id = gtm{SHA256(org_ca_pubkey)}
GetTrusted Backend->>AWS KMS: Sign({master_id}, keyArn_ca_signing)
AWS KMS-->>GetTrusted Backend: proof_of_possession
GetTrusted Backend->>Firestore: Create /master_identities/{master_id}<br/>{pubkey, proof_of_possession, enterprise_id, ca_metadata}
Firestore-->>GetTrusted Backend: Master identity created
GetTrusted Backend->>Firestore: Create /enterprise_subscriptions/{org_id}<br/>{status: trial, trial_expires_at: +30 days}
Firestore-->>GetTrusted Backend: Subscription created
Note over Diana Browser,Transparency Log: Phase 6: Complete
GetTrusted Backend-->>Enterprise Portal: {success: true, organization_id, master_identity}
Enterprise Portal-->>Diana Browser: Redirect to organization dashboard<br/>Show OIDC configuration wizard
Cryptographic Security
Full PKI Hierarchy:
1. GetTrusted Root CA (Self-Signed, Offline)
├─ Subject: O=GetTrusted, CN=GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE
├─ Validity: 20 years
2. GetTrusted Business Intermediate CA (Signed by Root CA, KMS)
├─ Subject: C=US, L=GetTrusted, CN=GetTrusted Business Intermediate CA
├─ Issuer: GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE, pathlen:1
├─ KMS Key ARN: arn:aws:kms:us-east-2:760715349462:key/b76016f1-c832-4bc7-b05d-157fad7a0fbf
├─ Validity: 10 years
3. Acme Corporation Intermediate CA (Signed by Business CA, KMS)
├─ Subject: CN=Acme Corporation Intermediate CA, O=Acme Corporation, C=US
├─ Issuer: GetTrusted Business Intermediate CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE, pathlen:0
├─ KMS Key ARN: {organization_ca_signing_key_arn}
├─ Validity: 5 years
4. Employee Device Certificates (Signed by Org CA + Device Key)
├─ Subject: O=Acme Corporation, OU=Employee, CN=diana.prince
├─ Issuer: Acme Corporation Intermediate CA
├─ Key Usage: digitalSignature
├─ Dual Signatures: [Device Key, Org CA]
├─ Validity: 365 days (1 year)
Business Identity Attestation
Attestation Structure:
{
  "version": 1,
  "subject_fingerprint": "sha256_hash_of_org_ca_public_key",
  "issuer_fingerprint": "sha256_hash_of_business_ca_public_key",
  "claim_type": "business_ca_delegation",
  "claim_data": {
    "claim_hash": "sha256_hash_of_private_claim_data_with_salt",
    "public_metadata": {
      "category": "business_ca_delegation",
      "assurance_level": 4,
      "region": null,
      "sector": null,
      "geohash": null,
      "proximity": null
    },
    "proof_requirements": {
      "requires_claim_details": false,
      "requires_salt": false,
      "requires_context": false
    }
  },
  "issued_at": "2025-01-10T00:00:00Z",
  "expires_at": "2026-01-10T00:00:00Z",
  "nonce": "random_16_byte_hex",
  "signature": "ecdsa_signature_from_business_ca"
}
Security Guarantees
Cognito Authentication
Industry-standard OAuth 2.0 / OpenID Connect
Email verification required before account activation
RS256 JWT tokens with Cognito public key validation
MFA support available
Password policies: minimum 8 characters
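The "Validate JWT (Cognito token)" step in Phase 2 and the RS256 bullet above are what stand between an unauthenticated request and the creation of an organization, so it is worth seeing the checks in full. The following Go program is an added example, not GetTrusted's backend code. The verifier pins the algorithm to RS256, looks the signing key up by kid, checks the signature before it reads any claim, and then checks iss, token_use, the audience (aud for ID tokens, client_id for access tokens) and exp. NewPoolKey and Mint stand in for the user pool so the example runs offline; the issuer URL, client id and kid values used with it are placeholders, and in production the keys come from the pool's /.well-known/jwks.json document rather than from a locally generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Verifier holds what the backend fixes in advance: the user pool's issuer URL
// (https://cognito-idp.{region}.amazonaws.com/{userPoolId}), the app client id and
// the pool's RSA public keys by kid (from {issuer}/.well-known/jwks.json in production).
type Verifier struct {
	Issuer, ClientID string
	keys             map[string]*rsa.PublicKey
}

func NewVerifier(issuer, clientID, kid string, pub *rsa.PublicKey) *Verifier {
	return &Verifier{Issuer: issuer, ClientID: clientID, keys: map[string]*rsa.PublicKey{kid: pub}}
}

// Claims are the Cognito claims the backend relies on. ID tokens carry the app
// client id in aud, access tokens in client_id; token_use says which kind it is.
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	TokenUse string `json:"token_use"`
	Email    string `json:"email,omitempty"`
	Exp      int64  `json:"exp"`
}

func decodeSegment(seg string, out any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// NewPoolKey and Mint stand in for the user pool so the verifier can run offline:
// the RSA key is generated locally (constructed, not a pool key) and the token is
// signed as RS256 requires.
func NewPoolKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func Mint(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify returns the claims only if the header names RS256 and a known kid, the
// signature checks against that key, and iss, token_use, audience and exp match.
// The algorithm is pinned by the verifier; the token does not get to choose it.
func (v *Verifier) Verify(token, wantUse string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	key, ok := v.keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, errors.New("unexpected alg or unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // parsed only after the signature is known to be good
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("issuer not trusted")
	case c.TokenUse != wantUse:
		return nil, errors.New("wrong token_use")
	case c.Aud != v.ClientID && c.ClientID != v.ClientID: // neither aud nor client_id names this app
		return nil, errors.New("token not issued for this app client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

The order matters: the key is chosen by the verifier's own table and the signature is checked before the claims are decoded, so a token whose header asks for a different algorithm, or whose payload carries a different issuer, is rejected before any of its content is trusted.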
AWS KMS Key Protection
Organization encryption keys created per-organization
CA signing keys stored in Hardware Security Modules (HSMs)
Keys never leave KMS (all operations via API)
Automatic key rotation for symmetric keys (365 days)
Fine-grained IAM policies control key access
CloudTrail logging for all key usage
Data Encryption at Rest
Organization name and contact email encrypted with KMS
Encrypted data stored as base64 in Firestore
Decryption requires both KMS key ARN and ciphertext
No plaintext sensitive data in database
Certificate Authority Security
FIPS-compliant ECC P-256 cryptography
Business CA private key in KMS (never exported)
Organization CA private key in KMS (never exported)
Certificate chain validation from root to leaf
5-year validity for organization CAs
Rotation eligible 6 months before expiry
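The Phase 4 steps of the diagram and the hierarchy listed under Cryptographic Security can be exercised end to end. The following Go program is an added example, not GetTrusted's backend code: it builds the root, business and organization CAs with the constraints the page lists (CA:TRUE with pathlen:1 on the business CA and pathlen:0 on the organization CA; 20, 10 and 5-year validity), signs each tier through a crypto.Signer whose Sign method is where the kms:Sign call with ECDSA_SHA_256 would go, issues an employee certificate, and validates chains from the root down. The kmsKey type, the locally generated P-256 keys, the IssueUnder and VerifyChain helpers and the exact distinguished names are this example's assumptions; in the real system the root is offline, the keys never leave KMS, and the employee certificate additionally carries the device co-signature, which is not shown here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// kmsKey stands in for a KMS ECC_NIST_P256 / SIGN_VERIFY key (or, for an employee
// certificate, the device key). The private half is generated here for the example
// and reachable only via Public() and Sign(), like a KMS key that is never exported.
type kmsKey struct{ priv *ecdsa.PrivateKey }

func (k *kmsKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign receives SHA-256(TBSCertificate DER); a real backend forwards exactly these
// bytes to kms:Sign with ECDSA_SHA_256 and returns the DER signature unchanged.
func (k *kmsKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, k.priv, digest)
}

// issue creates a fresh P-256 key for subject, builds its TBS certificate and has
// parentKey sign it (parent == nil means self-signed). For CAs, maxPathLen -1 leaves
// the constraint unset while 1 and 0 yield pathlen:1 and pathlen:0.
func issue(subject pkix.Name, years, maxPathLen int, ca bool,
	parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *kmsKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key := &kmsKey{priv}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	t := &x509.Certificate{SerialNumber: serial, Subject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().AddDate(years, 0, 0)}
	if ca {
		t.BasicConstraintsValid, t.IsCA = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	}
	if parent == nil { // self-signed root
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// OrgPKI is the page's three CA tiers plus the org CA's (KMS) key handle.
type OrgPKI struct {
	Root, Business, Org *x509.Certificate
	OrgKey              *kmsKey
}

// BuildOrgPKI reproduces Phase 4 for one organization: an org CA key is created, its
// certificate built with CA:TRUE, pathlen:0 and signed by the business CA key, which
// itself chains to the offline root. All three keys are constructed for this example.
func BuildOrgPKI(orgName string) (*OrgPKI, error) {
	root, rootKey, err := issue(pkix.Name{Organization: []string{"GetTrusted"},
		CommonName: "GetTrusted Root CA"}, 20, -1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	biz, bizKey, err := issue(pkix.Name{Country: []string{"US"}, Locality: []string{"GetTrusted"},
		CommonName: "GetTrusted Business Intermediate CA"}, 10, 1, true, root, rootKey)
	if err != nil {
		return nil, err
	}
	org, orgKey, err := issue(pkix.Name{Country: []string{"US"}, Organization: []string{orgName},
		CommonName: orgName + " Intermediate CA"}, 5, 0, true, biz, bizKey)
	if err != nil {
		return nil, err
	}
	return &OrgPKI{Root: root, Business: biz, Org: org, OrgKey: orgKey}, nil
}

// IssueUnder signs a one-year certificate for cn with parentKey: ca=false gives an
// employee-style end-entity certificate, ca=true a further CA (used to show that
// pathlen:0 on the org CA stops such delegation at verification time).
func IssueUnder(parent *x509.Certificate, parentKey crypto.Signer, cn string, ca bool) (*x509.Certificate, *kmsKey, error) {
	return issue(pkix.Name{OrganizationalUnit: []string{"Employee"}, CommonName: cn}, 1, -1, ca, parent, parentKey)
}

// VerifyChain validates c from the root down, offering every CA in the hierarchy plus
// any extras as intermediates, and returns the length of the chain that was found.
func (p *OrgPKI) VerifyChain(c *x509.Certificate, extra ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	for _, ca := range append(extra, p.Business, p.Org) {
		inters.AddCert(ca)
	}
	chains, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

Verifying a certificate issued through a CA that the organization CA itself signed fails with a path-length error; that is what pathlen:0 buys the hierarchy: an organization can issue employee certificates under its delegated CA, but cannot create further CAs beneath it that relying parties would accept.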
Transparency and Auditability
Business identity attestations logged publicly
Merkle tree inclusion proofs
Public verification of organization CA delegation
Immutable audit trail in transparency log
Master identity with cryptographic proof of possession
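To make the attestation and master-identity steps of Phase 5 concrete, here is an added Go example (not the project's code) that builds the attestation structure shown earlier, signs it with a business CA key, verifies it the way a consumer of the transparency log would, and derives master_id = gtm{SHA256(org_ca_pubkey)} together with its proof of possession. Its assumptions: fingerprints are SHA-256 over the DER SubjectPublicKeyInfo that kms:GetPublicKey returns; the canonical JSON is compact with the struct's fixed field order and the signature field removed (the page names attestation_canonical_json without defining it); keys are generated locally in place of KMS; and NewDelegationAttestation, Verify, ProveMaster and VerifyMaster are names chosen here. The sample claim details and salt are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Attestation follows the structure shown above; ClaimData stays generic so the null fields round-trip.
type Attestation struct {
	Version            int            `json:"version"`
	SubjectFingerprint string         `json:"subject_fingerprint"`
	IssuerFingerprint  string         `json:"issuer_fingerprint"`
	ClaimType          string         `json:"claim_type"`
	ClaimData          map[string]any `json:"claim_data"`
	IssuedAt           time.Time      `json:"issued_at"`
	ExpiresAt          time.Time      `json:"expires_at"`
	Nonce              string         `json:"nonce"`
	Signature          string         `json:"signature,omitempty"`
}

// NewP256Key plays the part of a KMS ECC_NIST_P256 key; here the private key is local.
func NewP256Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func digestOf(b []byte) []byte {
	d := sha256.Sum256(b)
	return d[:]
}

// Fingerprint is hex(SHA-256(DER SubjectPublicKeyInfo)), the encoding kms:GetPublicKey
// returns; that this is what the page's SHA256(pubkey) means is an assumption.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return hex.EncodeToString(digestOf(der))
}

// attestationDigest hashes the canonical form assumed here: compact JSON in the
// struct's fixed field order with the signature field removed.
func attestationDigest(a Attestation) []byte {
	a.Signature = ""
	b, _ := json.Marshal(a) // strings, ints, bools, nulls and times only: cannot fail
	return digestOf(b)
}

func signHex(key *ecdsa.PrivateKey, digest []byte) (string, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest) // kms:Sign with ECDSA_SHA_256 in production
	return hex.EncodeToString(sig), err
}

func verifyHex(pub *ecdsa.PublicKey, digest []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	return err == nil && ecdsa.VerifyASN1(pub, digest, sig)
}

// NewDelegationAttestation builds and signs the business_ca_delegation claim for orgPub.
// The private claim details never reach the log; only SHA-256(details || salt) does.
func NewDelegationAttestation(orgPub *ecdsa.PublicKey, businessKey *ecdsa.PrivateKey, privateClaim, salt []byte, issuedAt time.Time) (Attestation, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Attestation{}, err
	}
	a := Attestation{
		Version: 1, SubjectFingerprint: Fingerprint(orgPub), IssuerFingerprint: Fingerprint(&businessKey.PublicKey),
		ClaimType: "business_ca_delegation", IssuedAt: issuedAt.UTC(), ExpiresAt: issuedAt.UTC().AddDate(1, 0, 0),
		Nonce: hex.EncodeToString(nonce),
		ClaimData: map[string]any{
			"claim_hash":         hex.EncodeToString(digestOf(append(append([]byte{}, privateClaim...), salt...))),
			"public_metadata":    map[string]any{"category": "business_ca_delegation", "assurance_level": 4, "region": nil, "sector": nil, "geohash": nil, "proximity": nil},
			"proof_requirements": map[string]any{"requires_claim_details": false, "requires_salt": false, "requires_context": false},
		},
	}
	sig, err := signHex(businessKey, attestationDigest(a))
	a.Signature = sig
	return a, err
}

// Verify is what a log consumer runs: the presented business CA key must match
// issuer_fingerprint (otherwise any key would "verify" the entry), the claim type and
// validity window must be right, and the signature must check out.
func (a Attestation) Verify(businessPub *ecdsa.PublicKey, now time.Time) error {
	switch {
	case a.Version != 1 || a.ClaimType != "business_ca_delegation":
		return errors.New("unexpected version or claim_type")
	case Fingerprint(businessPub) != a.IssuerFingerprint:
		return errors.New("issuer key does not match issuer_fingerprint")
	case now.Before(a.IssuedAt) || !now.Before(a.ExpiresAt):
		return errors.New("outside validity window")
	case !verifyHex(businessPub, attestationDigest(a), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// MasterID is gtm followed by the org CA fingerprint. ProveMaster signs SHA-256(id) with
// the org CA key (the proof of possession); VerifyMaster recomputes the id and checks it.
func MasterID(orgPub *ecdsa.PublicKey) string { return "gtm" + Fingerprint(orgPub) }

func ProveMaster(orgKey *ecdsa.PrivateKey) (string, string, error) {
	id := MasterID(&orgKey.PublicKey)
	proof, err := signHex(orgKey, digestOf([]byte(id)))
	return id, proof, err
}

func VerifyMaster(id, proof string, orgPub *ecdsa.PublicKey) bool {
	return id == MasterID(orgPub) && verifyHex(orgPub, digestOf([]byte(id)), proof)
}
```

The fingerprint check in Verify is the one most often left out: a signature alone only proves that some key signed the entry, while comparing the presented key against issuer_fingerprint ties the entry to the business CA that the relying party already trusts. The same reasoning is why VerifyMaster recomputes the id from the public key instead of taking it from the record.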
Zero-Knowledge Architecture
GetTrusted backend never sees private keys
Encrypted blobs stored in Firestore
KMS handles all encryption/decryption operations
Minimal metadata for indexing/querying
Certificate Lifecycle Management
Automatic rotation support (6 months before expiry)
CRL distribution points configured
OCSP endpoints for real-time revocation checking
Certificate serial numbers tracked in Firestore
Strategic Implications
Enterprise Onboarding Simplification
Before GetTrusted:
- Manual CA setup with HSM procurement
- Complex PKI infrastructure deployment
- IT staff training on certificate management
- Weeks/months of setup time
- High upfront costs ($50k-$500k+)
With GetTrusted:
- 5-minute signup via web portal
- Automatic CA generation with AWS KMS
- No infrastructure to deploy or maintain
- Instant employee onboarding capability
- Pay-as-you-grow pricing (trial included)
Cryptographic Trust Hierarchy
Trust Establishment:
Organization CA signed by GetTrusted Business CA
Business CA signed by GetTrusted Root CA (offline, air-gapped)
Root CA trusted by GetTrusted mobile apps
Employee device certificates signed by Organization CA
End-to-end cryptographic verification
Assurance Levels:
1. Root CA (Maximum Trust): Offline signing, physical security
2. Business CA (High Trust): AWS KMS HSM, audited operations
3. Organization CA (Organizational Trust): Per-org KMS keys, business attestation
4. Employee Certificates (Delegated Trust): Dual-signed by org CA + device key