
From Passwords to Proof: How the vLEI Authenticator Establishes Verifiable Organizational Roles

Dr. Andre Kudra, CIO of esatus AG, provides a technical deep-dive into how the vLEI Authenticator, developed in collaboration with GLEIF, operationalizes the use of the vLEI into identity and access management systems to enable a login process that automatically validates a person’s role and organizational authority.


Author: Dr. Andre Kudra, CIO of esatus AG

  • Date: 2026-02-24

In digital identity management, authentication still depends on assumptions. We verify credentials, passwords, or tokens that tell us who a user claims to be, but rarely who they represent or under what authority they act. Dr. Andre Kudra, CIO of esatus AG, previously explained how the vLEI Authenticator – developed in collaboration with GLEIF – bridges this gap by establishing verifiable organizational identity and delegated roles, built on cryptographic proof rather than trust assertions. In this follow-up, Dr. Kudra takes a deep-dive into the technical foundations underpinning the vLEI Authenticator.

When “who” isn’t enough

In enterprise systems, users log in as individuals. But many processes, such as compliance audits, supplier onboarding, data access, and regulatory reporting, require knowledge of the organization behind the person and their formal role within it. In addition, traditional identity systems, even federated or SSO-based ones, rely on assertions like “user X belongs to company Y.” These claims are not cryptographically verifiable and depend on directory maintenance or contractual trust.

The verifiable Legal Entity Identifier (vLEI) addresses these limitations. Utilizing Authentic Chained Data Container (ACDC) technology and the Key Event Receipt Infrastructure (KERI) protocol, it is a digital credential for organizations, issued by Qualified vLEI Issuers (QVIs) under GLEIF governance. It verifies that an organization officially exists and that specific individuals are authorized to act on its behalf. All information is cryptographically secured, machine-readable, and verifiable within GLEIF’s vLEI ecosystem.

When combined with an Official Organizational Role (OOR) or Engagement Context Role (ECR) credential, a vLEI can express not only which organization a person belongs to but also the function they perform, for example, as CFO, compliance officer, or authorized representative.

The vLEI Authenticator operationalizes this concept in real-world Identity and Access Management (IAM) systems. Here's how it works.

From identity to verification: A practical architecture

The vLEI Authenticator integrates with Keycloak, the open-source IAM solution, via its Service Provider Interface (SPI). It does not modify Keycloak itself but extends the authentication flow with an additional verification step.

When a user chooses “Login with vLEI,” Keycloak delegates the process to SOWL, which is the orchestration layer developed by esatus. SOWL bridges decentralized identity components such as wallets, verifiers, and issuers with enterprise IAM infrastructures. It coordinates the request, presentation, and validation of verifiable credentials, then returns a signed verification result to Keycloak, which issues the usual OpenID Connect (OIDC) or SAML token.

In practice, most of the process runs automatically in the background. This means that from a user’s perspective, logging in with a vLEI is as simple as selecting the option and confirming the credential presentation in their wallet.

The following sequence describes what happens behind the scenes:

  1. The user selects “Login with vLEI” in an application such as Nextcloud.
  2. Keycloak triggers the SOWL authentication flow.
  3. SOWL interacts with the KERIAuth browser extension, which requests the user’s OOR or ECR vLEI credential from their KERIa Cloud Wallet.
  4. The wallet creates a verifiable presentation together with the signature headers needed to send that presentation to the verifier.
  5. The wallet then returns the verifiable presentation and signature headers via the KERIAuth extension back to SOWL.
  6. SOWL forwards the presentation to the vLEI Verifier, which checks authenticity and integrity through the KERI trust chain under GLEIF governance.
  7. Once validated, SOWL confirms the result to Keycloak, which completes authentication and issues the access token.

Passwords are optional in this flow, and compatibility with existing username-password logins is preserved. The login succeeds only if both the organizational credential (vLEI) and the role credential (OOR or ECR) are valid, cryptographically signed, and traceable to an authorized issuer. GLEIF calls this the vLEI trust chain.
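As an added illustration (not code from esatus, GLEIF or the vLEI Authenticator), the following Python models the acceptance rule stated above and the issuance chain described later in this post: a role credential is accepted only if it chains to a legal-entity vLEI, which chains to a QVI credential, which chains to the GLEIF root, with each link issued by the AID the governance model allows. A constructed key table stands in for KERI key-event-log resolution, HMAC stands in for Ed25519 signatures, and the SAID is simplified to a digest over the body; all AIDs and credential contents are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed key directory: in KERI the verifier resolves each AID's current
# signing key from its key event log; here a shared-secret table stands in.
KEYS = {"GLEIF_ROOT": b"k-gleif", "QVI_1": b"k-qvi1", "LE_ACME": b"k-acme"}
ROOT_AID = "GLEIF_ROOT"
REVOKED = set()  # SAIDs the verifier has seen revoked (constructed, empty here)

def said(body):
    # Self-addressing identifier: digest over the canonical credential body
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def issue(issuer, ctype, subject, edge=None):
    # 'edge' points at the SAID of the credential this one chains to
    body = {"issuer": issuer, "type": ctype, "subject": subject, "edge": edge}
    sig = hmac.new(KEYS[issuer], said(body).encode(), "sha256").hexdigest()
    return {"said": said(body), "body": body, "sig": sig}

def signed_by(cred, aid):
    if aid not in KEYS or cred["said"] != said(cred["body"]):
        return False  # unknown key or body no longer matches its SAID
    expect = hmac.new(KEYS[aid], cred["said"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expect, cred["sig"])

def evaluate(presentation):
    """Return (ok, reason): accept a role credential only if the whole chain
    role -> LE vLEI -> QVI vLEI -> GLEIF root verifies."""
    by_said = {c["said"]: c for c in presentation}
    role = next((c for c in presentation if c["body"]["type"] in ("OOR", "ECR")), None)
    if role is None:
        return False, "no OOR/ECR credential presented"
    le = by_said.get(role["body"]["edge"])
    if le is None or le["body"]["type"] != "LE":
        return False, "role not chained to an LE vLEI"
    qvi = by_said.get(le["body"]["edge"])
    if qvi is None or qvi["body"]["type"] != "QVI":
        return False, "LE vLEI not chained to a QVI credential"
    # Who may issue what: GLEIF -> QVI, QVI -> LE and OOR, legal entity -> ECR
    allowed = {"QVI": ROOT_AID, "LE": qvi["body"]["subject"],
               "OOR": qvi["body"]["subject"], "ECR": le["body"]["subject"]}
    for cred in (qvi, le, role):
        t = cred["body"]["type"]
        if cred["said"] in REVOKED:
            return False, f"{t} credential revoked"
        if cred["body"]["issuer"] != allowed[t]:
            return False, f"{t} issued by unauthorized AID"
        if not signed_by(cred, cred["body"]["issuer"]):
            return False, f"{t} signature invalid"
    return True, f"{role['body']['subject']} authorized for {le['body']['subject']}"

def demo_presentation(tamper=False):
    qvi = issue(ROOT_AID, "QVI", "QVI_1")
    le = issue("QVI_1", "LE", "LE_ACME", edge=qvi["said"])
    ecr = issue("LE_ACME", "ECR", "alice:compliance-officer", edge=le["said"])
    if tamper:  # editing the body invalidates both the SAID and the signature
        ecr["body"]["subject"] = "mallory:cfo"
    return [qvi, le, ecr]
```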

SOWL: Making Verifiable Credentials Work at Enterprise Scale

As referenced, SOWL is a platform layer developed by esatus for managing verifiable credentials across diverse systems. Its design aligns with the EU Architecture Reference Framework (ARF) and supports standards such as OpenID4VCI and OpenID4VP, as well as credential formats like SD-JWT and mDoc.

In the vLEI Authenticator use case, SOWL provides three core capabilities:

  1. Orchestration: coordinating the flow between wallets, verifiers, and IAM systems while keeping trust domains separate.
  2. Standardization: exposing uniform REST interfaces so Keycloak, and potentially other IAM systems in the future, can consume verification results as authentication decisions.
  3. Compliance and auditability: ensuring that each verification event is logged, reproducible, and aligned with GLEIF’s governance model.

By decoupling verification logic from IAM systems, SOWL allows existing infrastructures to use verifiable credentials without redesign. It extends trust boundaries into the domain of decentralized identity while maintaining enterprise control and traceability.

Combining governance and cryptography

In the vLEI ecosystem, governance and cryptography work hand in hand. GLEIF defines the rules and trust anchors for LEIs and vLEIs but does not issue them. QVIs issue under defined governance for legal-entity vLEIs as well as OOR credentials, and legal entities manage their own ECR credentials. This layered trust model connects governance, issuance, verification, and access control in a single chain:

  • GLEIF provides global governance and trust anchors.
  • QVIs and legal entities issue credentials.
  • Independent verifiers validate them cryptographically.
  • IAM systems such as Keycloak consume the results via SOWL.

The upshot is that authentication becomes a governed and verifiable process, not just a local trust decision.

What real-world integration taught us

The vLEI-based authentication was tested and deployed in a production enterprise environment, revealing several key lessons:

  • Integration: The SPI approach in Keycloak allowed modular, low-effort integration.
  • User experience: The login flow is intuitive and does not rely on passwords.
  • Security: Custodial wallets simplify operations but require availability; passphrases remain essential for key protection.
  • Performance: Verification completes within seconds.
  • Stability: Browser-based presentation via KERIAuth proved robust and interoperable.

The outcome is a login process that automatically validates a person’s role and organizational authority through verifiable credentials. Organizations successfully used the vLEI Authenticator to verify both their corporate identity and employees' authorization to act on their behalf. Access to data was granted only after verification. The process took seconds and replaced manual reviews that typically take hours or days.

While the deployment within GLEIF’s ecosystem shows that verifiable authentication is ready for real-world use, the next challenge is interoperability. Future work focuses on integrating the Authenticator with wallet-based identity frameworks such as the European Digital Identity (EUDI) Business Wallet. Although KERI/ACDC and SD-JWT VC rely on different foundations, both share a common principle: distributed trust verified by cryptography. Bridging these architectures would link enterprise IAM with Europe’s digital identity infrastructure, turning “trust” into a shared operational layer rather than an assumption.

From logging in to building trust

The vLEI Authenticator shows how organizational identity and delegated roles can be embedded in enterprise systems without disrupting existing architectures. By combining GLEIF’s governance, verifiable credentials, and SOWL’s orchestration, authentication becomes verifiable by design, cryptographically provable, auditable, and policy-driven.

This points toward a future where enterprise access is based not on shared secrets but on shared, verifiable truth across organizations and sectors.


About the author:

Dr. Andre Kudra is CIO of esatus AG. He is internationally recognized as one of the defining figures in Self-Sovereign Identity. He actively shapes standardization and governance bodies, including IDunion, Trust over IP, and global initiatives such as vLEI. He combines deep technical expertise with a strategic understanding of regulatory frameworks. As an entrepreneur and technology leader, he has been driving the development of trusted digital identity ecosystems for years.


Tags for this article:
Legal Entity Identifier (LEI), Verifiable LEI (vLEI), Global Legal Entity Identifier Foundation (GLEIF), Digital Identity