Proven User Guide

Introduction

Indicio Proven™ provides the tools to establish a Trusted Digital Ecosystem (TDE). Out of the box, you can issue, verify, and manage user credentials. Once you have a user credential, other workflows become possible because you can trust you are working with a known person or agent. The issuer’s role is to send invitations to the contacts to offer them user credentials. The issuer also manages contacts.

Home

After logging into the Admin screen, you will land on the home page. To issue yourself a User credential first select the User credential from the dropdown list. If the user credential does not appear, then a browser refresh might be required. Then click Issue. Scan the displayed QR code with your mobile identity wallet app. Complete the form, then click Send. Accept the offered credential on your mobile device.

Invitations

This selection just shows a list of all invitation QR codes that have been generated by this instance of Proven.

Contacts

Contacts are connections between the Proven Issuer and other agent applications. Not all software includes an editable label; therefore, some contacts will show the name of the software rather than the name of the person. The following information is displayed when first clicking into Contacts:

  • Contact Name: The name of the mobile app user

  • Connection Status:

    • Invite: an invitation has been sent

    • Request: the second party has received the invite and is requesting a connection.

    • Response: the system has responded with details to finish setting up the connection.

    • Active: the second party has acknowledged the connection.

  • Created At: the date and time the invitation was sent.

Click on a specific contact to view more information. You can use this interface to issue credentials to Users who have connected to Proven using the main URL. At the bottom of the screen, there is a section of all the credentials issued to a user. To view more detailed information on any issued credential, click on it. This displays things such as the credential name, ID, state, and date created. It also displays certain attributes, such as the different parts of the user credential and the date the credential was validated.

Credentials

A credential is encrypted data. When the Credentials tab is displayed it shows one of the following in the Status column:

  • Offer Sent: A credential is created, and a connection is sent to the mobile app user

  • Credential Acked: The mobile app user has acknowledged the offer and sent a request for a credential.

  • Credential Issued: the system has created a credential

Click on any credential to view more information

Issuing Credentials

A credential can be issued by using the Workflow section on the Home page or a similar method on the selected Contact page. Both methods offer a drop-down menu to choose the credential, but the Workflow section requires establishing a connection via the displayed QR code after selecting the credential from the menu. Subsequently, a form appears for the user to provide attribute values for the selected credential. After submitting the form, the credential will be issued.

It's important to note that while most credentials follow this flow, some credentials (e.g. Email) may require additional steps before issuance.

Users

Users have access to the Proven Issuer admin system and can be created by anyone with the Admin role. Idicio uses a third party, Kekcloak to manage users. To manage users, follow the steps below.

Create New Users

  1. Log in to Keycloak. The address is https://yourURL/identiy.

  2. Change the realm to Indicio Proven. (Image 1)

    Image 1: Indicio Proven realm

  3. Click on Users. (Image 2)

  4. Click Add user. (Image 2)

    Image 2: Add user

  5. Enter the Username. (Image 3)

  6. The other fields are optional, but may be useful: (Image 3)

    1. Email

    2. First name

    3. Last name

  7. Click Create. (Image 3)

    Image 3: User information

  8. Click the Credentials tab. (Image 4)

  9. Click Set password. (Image 4)

    Image 4: Credentials tab

  10. Enter the information in the box that opens: (Image 5)

    1. Password

    2. Password confirmation

    3. Turn on Temporary. This requires the user to reset his or her password when they log in the first time.

    4. Click Save.

      Image 5: Add password

  11. Click the Role Mapping tab. (Image 6)

  12. Click Assign Role. (Image 6)

    Image 6: Role mapping tab

  13. Select Filter by Realm Role from the drop-down. (Image 7)

  14. Click on all desired roles: (Image 7)

    1. admin:

      1. This role can do all regular agent functions: connections, DID creation, credential issuance and presentation, messaging, governance file management, schema management

      2. This role can also create and revoke API keys (only for their own wallet(s); in contrast, super-admins can create/revoke API keys for any subwallet)

    2. offline_access: This is a KeyCloak role and Indicio does not make use of it.

    3. super-admin:

      1. This role is for management of multitenancy

      2. Super admins can create subwallets, query all subwallets, and create and revoke API keys for all subwallets

      3. Highest level of privilege

      4. Does not encompass admin privileges; if you want multitenancy management and regular agent privileges, you need both super-admin and admin

    4. technician:

      1. This role is a reduced version of admin privileges; it can do messaging, connections (can't delete a contact), credential issuance (can't delete a received credential), credential presentation, can't manage governance files, can't create a did, can manage invitations (can't delete an invitation), can't manage schemas (only read them), can't manage settings, can't manage its own API keys

      2. Overall, can't delete resources. A technician can do issuance and presentations, but an admin role is needed for the full issuance setup if a new schema needs to be created

      3. Regarding the differences between Admin and Technician roles, Simon is a better resource than me since he wrote that code

    5. : This is a KeyCloak role and Indicio does not make use of it.

  15. Click Assign. (Image 7)

    Image 7: Roles

  16. Click on the Groups tab. If a group doesn't exist, you may need to create a group.

  17. Click Join Group.

  18. Select any groups applicable. (Image 8)

  19. Click Join. (Image 8)

    Image 8: Join group

Invitations are only valid for 24 hours after they are issued. If the new user doesn’t sign in within that time period, press the envelope in the Resend column to reissue the invite. Usernames are established as new users log in for the first time.

Edit Users

You can edit the following items for users. Refer to the Create New Users section for help.

  1. Log in to Keycloak.

  2. Click Users in the left menu.

  3. Click on the user you wish to edit.

    1. Edit the user’s name or email.

    2. Reset the user’s password

    3. Add or remove roles.

    4. Add or remove groups.

Delete Users

If you wish to delete a user, follow the steps below:

  1. Log in to Keycloak.

  2. Click Users in the left menu.

  3. Click on the three vertical dots found to the right of the user.

  4. Click Delete.

  5. Confirm you want to delete the user.

Create New Group

Groups define how user access is managed. Each wallet (aka agent) has its own group. A user be assigned to the correct group to have access to the wallet.

  1. Log in to Keycloak.

  2. Go to Groups found in the left menu.

  3. Click Create group.

  4. Assign a Name.

  5. Click Create.

  6. Click on the group you just created.

  7. Select the Members tab.

    1. Click Add members.

    2. Add any desired users in the dialog that appears. These are the users that should have access to the wallet that will be associated with this group

    3. Click Add.

  8. Go to Attributes tab.

    1. Click Add attributes.

    2. Key: proven_group_id

    3. value: [WalletNameHere]

    4. Click Save.

Settings

In Settings, an admin can customize the screen to match the branding of the organization. Below are the options and descriptions:

  • Organization Details:

    • Organization name: as it appears below the logo on the left

    • Website title: name as it appears on the browser’s tab

  • Change Logo: This takes any properly formatted image file which is transparent or has a background that matches the admin system background (the default background color is white, #ffffff):

    • Change logo: on email stream and on the left.

    • Change logo 192 x 192: used when a mobile device is used instead of a desktop.

    • Change logo 512 x 512: used for mobile devices.

    • Update favicon.io: image found next to the name in the browser’s tab.

  • Web App Manifest: The web app manifest provides app information to devices which treat the admin portal as a single-page application (such as mobile devices).

    • Short name

    • Full name

    • Theme color

    • Background color

  • SMTP Configuration: This is the email account used when sending credentials and invitations to users. It must be set up before any credential invitations can be issued. If your company has a no-reply email, it is acceptable to use it here.

    • Host: mandatory field — the hostname or IP address to connect to (defaults to ‘localhost’).

    • Mail Username: mandatory field — the username (for Gmail accounts, mail username must be the same as the user email, e.g., [email protected]).

    • User email: mandatory field — the user email

    • User password: mandatory field — the password for the email account (or an app password if a Gmail account is used)

    • Port: optional field — the port which the email system uses to accept email sending requests (defaults to 587 if Encryption Type is false or 465 if true).

    • Encryption: optional field — if true, the connection will use TLS when connecting to server. If false, (the default), then TLS is entered if the server supports the STARTTLS extension. In most cases, set this value to true if you are connecting to port 465. For port 587 or 25 keep it false.

  • Theme: The theme changes the colors of the different elements. Below is a list of the possibilities and the elements affected:

    • Primary color: action buttons (submit, confirm, save, edit, etc.), current tab color, and username.

    • Secondary color: hover-over tab, tooltip symbols.

    • Tertiary color: home page hover-over color.

    • Neutral color: disabled buttons and form elements.

    • Negative color: warnings that pop up, delete buttons, cancel buttons.

    • Warning color: undo buttons.

    • Positive color: successes that pop up.

    • Text color: all text with the exception of tooltips.

    • Text light: text on buttons

    • Border: most of the border lines found in the application; it uses a full CSS declaration, such as “1pxsolid #ddd.”

    • Drop shadow: some of the various boxes in the application; they require a full CSS declaration, such as “3px 3px 3px rgba(0, 0, 0, 0.3).”

    • Primary background: background of all the boxes.

    • Secondary background: every other row of the tables.

Click Save when all desired changes are made

Copyright 2025 Indicio PBC

PreviousProven User TutorialNextProven Mobile SDK

Last updated

Was this helpful?