Token-data - i.e. data required for authentication tokens such as matrix cards, OTP tokens, client certificates, and so on - is generally stored independent of user data (exception: password data).
There are two types of token data (mainly for historical reasons):
User-token data ("CredentialBeans")
- Stored "in" the user record, i.e. each user has at most one token of a given type
- Examples: Matrix card, MOTP (OATH), mTAN (SMS)*
- Configuration: using "Credential Persister" plugins. They are configured where used, e.g. in the token management section of the Adminapp or in the corresponding authenticator plugins.
Token data ("Token Model") - only in Airlock IAM
- Stored independently of user data in separate tables or directory trees, i.e. multiple tokens per type and user are possible (and even multiple users per token)
- Examples: mTAN (SMS), PhotoTAN (Cronto), OneSpan (Vasco) OTP, smart cards (certificates) ...
- Configuration of the data repository for token data: "MAIN SETTINGS" - "Data Sources" - "Token Data Source"
(*) mTAN (SMS) tokens can be stored with the user (as the user's mobile phone attribute) or in a separate token data table/directory tree.