The design principle of the SafeID Token Service (STS) is to avoid storing personally identifiable information (PII) in its local database. Most operations in STS run in what is called live view mode: data is retrieved from the external user directory, such as Azure AD (now Entra ID), in real time, and STS does not save the data shown on screen in its local database. Some functions, however, do require STS to store a small amount of data locally in order to work correctly and efficiently. Which data is stored depends on the function or operation, as listed below.
Local Account
STS supports SSO with external identity providers such as Azure AD/Entra ID, so external users can be assigned as administrators and operators in STS without creating local accounts for them. If you prefer to create local accounts in STS anyway, STS saves the following data for each local account in its local database.
- First Name
- Last Name
- Email Address
- Mobile Number (Optional)
- Display Name (Optional)
Role Assignment
When you assign an admin role to an external user, e.g. a user in Azure AD/Entra ID, STS saves the following data for that user in its local database.
- Object GUID
- First Name
- Last Name
- Email Address
- User Principal Name (UPN)
- Display Name (Optional)
Token Assignment
When you assign a security token, e.g. a TOTP token, to an external user, STS saves the following data for that assignment in its local database.
- Object GUID
- User Principal Name (Optional)
- Display Name (Optional)
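The token assignment list above is the clearest case of the live view model: the only mandatory local field is the Object GUID, and the UPN and display name are optional. The following is an added illustration of why that split matters, written for this page and not code from STS itself; the directory contents, GUIDs, users and token serials are constructed, and the Azure AD/Entra ID lookup is replaced by an in-memory dictionary. It shows that keying on the immutable Object GUID survives a UPN rename, that an optionally cached UPN can go stale, and that a GUID no longer present in the directory marks a token as orphaned.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the external user directory (Azure AD/Entra ID).
# Hypothetical GUIDs and users; keyed by Object GUID because that identifier
# does not change when a user is renamed, unlike the UPN or display name.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "0c1d7a2e-4b3f-4e8a-9d6c-1f2e3a4b5c6d": {
        "userPrincipalName": "alice@example.com",
        "displayName": "Alice Ng",
    },
    "7e8f9a0b-1c2d-4e3f-8a9b-0c1d2e3f4a5b": {
        "userPrincipalName": "bob@example.com",
        "displayName": "Bob Lee",
    },
}


@dataclass
class TokenAssignment:
    """Local record for one token: the GUID plus the two optional labels."""
    object_guid: str
    token_serial: str
    upn: Optional[str] = None          # optional cached copy, may go stale
    display_name: Optional[str] = None  # optional cached copy, may go stale


def assign_token(guid: str, serial: str, directory: Dict[str, Dict[str, str]],
                 cache_labels: bool = False) -> TokenAssignment:
    """Create the local record; raises KeyError if the GUID is not in the directory."""
    entry = directory[guid]
    if cache_labels:
        return TokenAssignment(guid, serial, entry["userPrincipalName"], entry["displayName"])
    return TokenAssignment(guid, serial)


def live_view(a: TokenAssignment, directory: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Resolve a record against the directory at display time, not from the cache."""
    entry = directory.get(a.object_guid)
    if entry is None:
        # The directory no longer knows this GUID: the token is orphaned and the
        # cached labels (if any) are the only identifying data left locally.
        return {"token": a.token_serial, "status": "orphaned",
                "upn": a.upn, "display_name": a.display_name}
    return {"token": a.token_serial, "status": "active",
            "upn": entry["userPrincipalName"], "display_name": entry["displayName"]}


def orphaned(assignments: List[TokenAssignment],
             directory: Dict[str, Dict[str, str]]) -> List[str]:
    """Serials of tokens whose owner is gone from the directory (candidates for revocation)."""
    return [a.token_serial for a in assignments if a.object_guid not in directory]


def demo() -> Dict[str, object]:
    """Walk through a UPN rename and a user deletion against the constructed directory."""
    alice, bob = list(DIRECTORY)
    records = [assign_token(alice, "TOTP-0001", DIRECTORY),
               assign_token(bob, "TOTP-0002", DIRECTORY, cache_labels=True)]

    later = copy.deepcopy(DIRECTORY)
    later[alice]["userPrincipalName"] = "alice.ng@example.com"   # UPN renamed in the directory
    del later[bob]                                                # Bob removed from the directory

    return {
        "alice_upn_now": live_view(records[0], later)["upn"],   # follows the rename via GUID
        "bob_status": live_view(records[1], later)["status"],   # orphaned
        "bob_cached_upn": records[1].upn,                        # stale copy left locally
        "orphaned": orphaned(records, later),                    # ["TOTP-0002"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway is the check a practitioner would want: periodically reconcile locally stored Object GUIDs against the directory and revoke tokens whose GUID no longer resolves, since the optional cached labels are the only PII such an orphaned record retains.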
Activity Log
If you enable the activity log function in STS, STS saves the following data for each logged activity in its local database.
- First Name
- Last Name
- User Principal Name (UPN)
Note that you can specify the lifetime of activity logs, such as 1 day, 1 week or 1 month. As soon as an activity log entry expires, its data is completely removed from the local database, so the shortest lifetime that still meets your audit requirements keeps the least PII on the STS host.