What is an Identity Vault?
An identity vault is a highly secured data store for identity data. Depending on the context, this includes contact details, passport or driving licence numbers, biometric data, and passwords. Such personal data must be protected rigorously against misuse and data breaches. Identity vaults apply encryption, MFA, and other security controls as standard to achieve this.
Identity Vault Examples
The volume of digital personal data continues to grow, making identity vaults an increasingly important tool. Three concrete applications illustrate how they are used in practice.
Password Managers
Most users maintain a large number of passwords across business and personal applications. Remembering them all is impractical, and people frequently write them down or reuse the same password across multiple accounts. Neither practice is secure. Organisations and cloud providers seek to reduce this risk through Single Sign-On (SSO), which provides access to multiple applications from a single sign-in.
Even with SSO in place, standalone passwords remain. Password managers such as LastPass, KeePass, or Bitwarden allow users to store usernames and passwords securely for each account, with sign-in often completed in a single click. Most also provide space for credit card details, addresses, and confidential notes. In effect, a password manager is a personal identity vault.
Government Identity Vaults
Government organisations manage some of the largest identity vaults in existence. In the UK, the Driver and Vehicle Licensing Agency (DVLA) maintains records for all driving licences and vehicle registrations. HMRC holds National Insurance (NI) numbers and tax records. The NHS maintains patient records indexed by NHS number.
The UK government is also building a citizen-facing identity wallet. GOV.UK One Login is being developed as the single front door for accessing all government services, with over 13 million people having verified their identity through the platform as of October 2025. The GOV.UK Wallet, built by the Government Digital Service, allows citizens to securely store and present government-issued credentials, and is designed to be modular, interoperable, and user-controlled. Initially supporting digital driving licences and Veteran Cards, the wallet is planned to encompass every government-issued credential by the end of 2027.
The system is also designed to give citizens greater control over how their data is shared. A user can confirm they are over 18, for example, without revealing their full date of birth or any additional personal details.
Identity Vaults in IAM Environments
Identity and Access Management (IAM) platforms also rely on identity vaults. Within a typical IAM architecture, identity vaults serve two distinct purposes, which are described in detail below.
Two Types of Identity Vault in IAM
| | Identity Provider Vault | Provisioning Vault |
|---|---|---|
| Purpose | Stores credentials for authentication and SSO | Stores identity attributes for automated account and rights management |
| Data stored | Usernames, hashed passwords, authentication tokens | Personal details, job roles, departments, contract data |
| Function | Verifying who a user is at the point of sign-in | Determining which accounts and access rights a user should receive |
| Examples | Entra ID, HelloID Access Management | HelloID identity vault for provisioning |
The first type supports the Identity Provider (IdP) function. When a user signs in, the IdP verifies their credentials and issues digital tokens that grant automatic access to connected applications. Entra ID is a widely used IdP; HelloID also provides IdP functionality through its Access Management module.
The second type, the provisioning vault, is the focus of the remainder of this article.
The HelloID Identity Vault for Provisioning
Managing accounts and access rights is straightforward in a small organisation with a handful of applications. In an organisation with hundreds or thousands of users and multiple connected systems, manual management quickly becomes unworkable. Automated user provisioning is required, and that requires a central identity vault.
Rather than maintaining individual settings for each user, automated provisioning applies Role-Based or Attribute-Based Access Control (RBAC or ABAC). These approaches use user attributes to create accounts and assign the correct access rights automatically.
Two categories of personal data are needed within the provisioning identity vault:
| Data category | Examples | Used for |
|---|---|---|
| Basic identity details | Given name, surname, preferred name, contact details | Creating digital identities, account names, and email addresses |
| Role and context attributes | Job role, department, location, contract type, course of study | Determining which accounts and access rights the user should receive |
Each organisation defines its own naming conventions for translating these details into account names and email addresses. That email address is typically also used as the username across all connected applications.
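The following Python is an added illustration of the two steps just described (deriving an account name and email address from basic identity details, then deriving access rights from role and context attributes through RBAC and ABAC). It is not HelloID's code or naming convention: the sample identities, the "first initial plus surname" convention, the domain, the group names and the attribute rules are all constructed for the example.

```python
"""Attribute-driven account naming and access assignment (added example).

Hypothetical, not HelloID's own implementation. It shows how a provisioning
vault can turn identity attributes into an account name, an email address and
a set of entitlements, using RBAC (job role -> groups) and ABAC (rules over
department, location and contract type).
"""
import re
import unicodedata

# Constructed sample identity records as a provisioning vault might hold them.
IDENTITIES = [
    {"id": "1001", "given_name": "Zoë", "surname": "O'Brien", "preferred_name": None,
     "job_role": "Nurse", "department": "Oncology", "location": "Leeds",
     "contract_type": "permanent"},
    {"id": "1002", "given_name": "Zoe", "surname": "O'Brien", "preferred_name": None,
     "job_role": "Contractor", "department": "IT", "location": "Remote",
     "contract_type": "contractor"},
    {"id": "1003", "given_name": "Thomas", "surname": "Müller", "preferred_name": "Tom",
     "job_role": "Finance Analyst", "department": "Finance", "location": "London",
     "contract_type": "permanent"},
]

# RBAC: each job role maps to a fixed set of groups (hypothetical group names).
ROLE_GROUPS = {
    "Nurse": {"app-ehr-clinical", "grp-all-staff"},
    "Finance Analyst": {"app-finance-ledger", "grp-all-staff"},
    "Contractor": {"grp-contractors"},
}

# ABAC: predicates over attributes that grant further entitlements (hypothetical).
ABAC_RULES = [
    (lambda i: i["department"] == "Oncology", {"share-oncology"}),
    (lambda i: i["location"] == "Remote", {"vpn-remote-access"}),
    (lambda i: i["contract_type"] == "permanent", {"grp-permanent-staff"}),
]


def ascii_slug(text: str) -> str:
    """Fold accents and drop everything except a-z so the result is safe in an account id."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def account_name(identity: dict, taken: set) -> str:
    """Assumed convention: first initial of the preferred (else given) name + surname.

    A numeric suffix is appended when the name is already in use, so two people
    with the same initial and surname never collide on one account.
    """
    first = identity["preferred_name"] or identity["given_name"]
    base = ascii_slug(first)[:1] + ascii_slug(identity["surname"])
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def entitlements(identity: dict) -> set:
    """RBAC groups for the job role, extended by every ABAC rule whose predicate holds."""
    groups = set(ROLE_GROUPS.get(identity["job_role"], set()))
    for predicate, extra in ABAC_RULES:
        if predicate(identity):
            groups |= extra
    return groups


def provision(identities: list, domain: str = "example.org") -> dict:
    """Return, per identity id, the account name, email address and groups to create."""
    taken: set = set()
    result = {}
    for ident in identities:
        name = account_name(ident, taken)
        result[ident["id"]] = {
            "account": name,
            "email": f"{name}@{domain}",
            "groups": entitlements(ident),
        }
    return result


if __name__ == "__main__":
    for ident_id, plan in provision(IDENTITIES).items():
        print(ident_id, plan["account"], plan["email"], sorted(plan["groups"]))
```

With the sample data, the two O'Briens receive `zobrien` and `zobrien2`, and the contractor is given only the contractor and remote-access groups because no RBAC entry or ABAC rule grants anything else; an unknown job role yields an empty entitlement set rather than a default, which is the safer failure mode for a provisioning rule.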
Source Data in the Identity Vault
Wherever possible, the data held in the provisioning vault is drawn from source systems in which it is already actively maintained. For most IAM environments, the HR system is the primary source. It holds employee master data including names, contact details, job roles, and department assignments. HelloID connects directly to the HR platform and imports the relevant data into its identity vault automatically.
Additional source systems can also be incorporated where required:
Universities draw student data from a student information system to create and manage student accounts and access rights.
Contractor data is often maintained in a separate system, distinct from the main HR platform.
Planning and scheduling applications can provide granular data for more precise access rights assignment where shift patterns or locations affect entitlements.
Identity Vault Processing
Data from multiple source systems then undergoes a series of transformations within the identity vault. Records relating to the same person may exist across several systems, and that data must be consolidated into a single unified profile. De-duplication removes conflicting or overlapping entries, and all data is converted into a single internal format that can be used consistently across the platform.
This standardised format also provides resilience against future change. If an organisation replaces its HR system, the new system will typically use a different data structure. Because the identity vault operates to a fixed internal format, the impact of that change is limited to the connector between the new source system and HelloID. All internal processing and downstream provisioning workflows continue without modification.
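The following Python is an added illustration of the processing described in the two preceding paragraphs: per-source connectors that map each system's native layout onto one fixed internal format, consolidation of records that describe the same person, de-duplication of overlapping entries, and the point that swapping the HR system only replaces its connector. It is not HelloID's processing or connector code; the three source exports, the field names, the use of the email address as the correlation key and the precedence values are all constructed for the example.

```python
"""Consolidating multi-source identity data into one internal format (added example).

Hypothetical, not HelloID's own implementation. Each source system has a small
connector that maps its native fields onto INTERNAL_FIELDS; consolidate() then
merges records sharing a correlation key and de-duplicates them. Replacing a
source only means writing a new connector; consolidate() is untouched.
"""

INTERNAL_FIELDS = ("given_name", "surname", "email", "job_role", "department")

# Constructed sample exports from three source systems, each with its own layout.
HR_EXPORT = [  # legacy HR system
    {"EmpNo": "E100", "FirstName": "Anna", "LastName": "Lopez",
     "Mail": "a.lopez@example.org", "Title": "Lecturer", "Dept": "Physics"},
]
SIS_EXPORT = [  # student information system; Anna is staff and a PhD student
    {"student_id": "S200", "forename": "Anna", "family_name": "Lopez",
     "email": "A.Lopez@example.org", "programme": "PhD Physics"},
    {"student_id": "S201", "forename": "Ben", "family_name": "Khan",
     "email": "b.khan@example.org", "programme": "BSc Chemistry"},
]
NEW_HR_EXPORT = [  # replacement HR system with a nested, quite different structure
    {"worker": {"id": "W100", "name": {"first": "Anna", "last": "Lopez"},
                "contact": "a.lopez@example.org"},
     "position": {"title": "Senior Lecturer", "unit": "Physics"}},
]

# Connectors return (internal_record, precedence). Higher precedence wins a field
# conflict; the HR system is treated as authoritative over the student system.
def hr_connector(rows):
    return [({"given_name": r["FirstName"], "surname": r["LastName"], "email": r["Mail"],
              "job_role": r["Title"], "department": r["Dept"]}, 10) for r in rows]


def sis_connector(rows):
    return [({"given_name": r["forename"], "surname": r["family_name"], "email": r["email"],
              "job_role": "Student", "department": r["programme"]}, 5) for r in rows]


def new_hr_connector(rows):
    return [({"given_name": r["worker"]["name"]["first"], "surname": r["worker"]["name"]["last"],
              "email": r["worker"]["contact"], "job_role": r["position"]["title"],
              "department": r["position"]["unit"]}, 10) for r in rows]


def normalise(record: dict) -> dict:
    """Fixed internal format: every field present, whitespace trimmed, email lower-cased."""
    out = {f: (record.get(f) or "").strip() for f in INTERNAL_FIELDS}
    out["email"] = out["email"].lower()
    return out


def consolidate(sourced: list) -> dict:
    """Merge records sharing a correlation key (the normalised email) into one profile.

    The highest-precedence source supplies each field; lower-precedence sources
    only fill fields the winner left empty. Distinct job roles are kept in a list
    so a person who is both staff and student retains both contexts.
    """
    profiles = {}
    for record, precedence in sorted(sourced, key=lambda rp: -rp[1]):
        rec = normalise(record)
        key = rec["email"]
        if not key:
            continue  # no correlation key, so the record cannot be merged safely
        if key not in profiles:
            profiles[key] = dict(rec, roles=[rec["job_role"]] if rec["job_role"] else [])
            continue
        profile = profiles[key]
        for f in INTERNAL_FIELDS:
            if not profile[f] and rec[f]:
                profile[f] = rec[f]
        if rec["job_role"] and rec["job_role"] not in profile["roles"]:
            profile["roles"].append(rec["job_role"])
    return profiles


def build_vault(connectors_and_rows: list) -> dict:
    """Run every connector over its export and consolidate the results."""
    sourced = []
    for connector, rows in connectors_and_rows:
        sourced.extend(connector(rows))
    return consolidate(sourced)


if __name__ == "__main__":
    # Same downstream processing, only the HR connector changes between the two runs.
    for label, hr in (("legacy HR", (hr_connector, HR_EXPORT)),
                      ("new HR", (new_hr_connector, NEW_HR_EXPORT))):
        print(label, build_vault([hr, (sis_connector, SIS_EXPORT)]))
```

Two points worth noting: the email is normalised before it is used as the correlation key, otherwise the differently-cased addresses in the two exports would produce two profiles for one person; and a record without a correlation key is left unmerged rather than guessed at, since a wrong merge would hand one person another person's access rights.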
Learn More About the HelloID Identity Vault
Within HelloID, the identity vault is where personal data is securely collected, normalised, and maintained. The provisioning module uses that data to create accounts automatically and assign the correct access rights to every user throughout their employment lifecycle.
The data available in the identity vault depends on the source systems connected to your environment. HelloID provides standard connectors for a wide range of source systems. For each connector, a full overview of available data attributes and their use in account and rights management is available in the connector catalogue.