Provisioning

The provisioning integration point establishes the link between the application instance and the user identity. It is the responsibility of the service provider (server side) and the application (at runtime).

The typical provisioning flow is:

  1. The user logs in to the service
  2. The service provider generates provisioning information (VUIT) based on subscriber information and returns it to the application
  3. The application shares the provisioning information (VUIT) with the analytics agent
  4. The analytics agent ingests the provisioning information (VUIT) and shares it with Verimatrix XTD analytics
  5. The service provider can use the VUIT to request a risk assessment of the application instance

This flow assumes provisioning is done on the server side (within the service provider infrastructure). An alternative provisioning flow allows the application itself to provide the provisioning information (generated client side). This is considered less secure and should be avoided if possible, as it could allow potential attackers to tamper with the identity of the application instance.

Application Driven Provisioning

In the case where the application is responsible for providing the provisioning information, the application would need to be changed to generate the required unique identifier and share it with the analytics agent in the same way. The drawback with this approach is that there is no assurance that the value will not be intercepted and/or tampered with. It can also provide a means for an attacker to inject fake identities into the system.
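
The following sketch is an added example, not Verimatrix code, and it illustrates both the server-side flow and the weakness of application-driven provisioning described above. It shows one way a service provider could generate the identifier on the server (step 2) and later confirm, before step 5, that a value was issued by the server for that subscriber. The "<nonce>.<tag>" token layout, the function names and the subscriber IDs are assumptions; the page does not define the VUIT format.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: the token layout "<nonce>.<tag>" is invented for this sketch.
# tag = HMAC-SHA256(server_key, subscriber_id || 0x00 || nonce), so only the
# holder of server_key (the service provider) can mint a valid value.


def _tag(server_key: bytes, subscriber_id: str, nonce: str) -> str:
    msg = subscriber_id.encode() + b"\x00" + nonce.encode()
    digest = hmac.new(server_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_vuit(server_key: bytes, subscriber_id: str) -> str:
    """Step 2: called server side after login; the app only relays the result."""
    nonce = secrets.token_urlsafe(16)  # unique per provisioning, no "." inside
    return f"{nonce}.{_tag(server_key, subscriber_id, nonce)}"


def is_server_issued(server_key: bytes, subscriber_id: str, vuit: str) -> bool:
    """Guard before step 5: reject values the server did not mint for this subscriber."""
    nonce, sep, tag = vuit.partition(".")
    if not (sep and nonce and tag):
        return False
    expected = _tag(server_key, subscriber_id, nonce)
    # Constant-time comparison avoids leaking how much of the tag matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed key, kept server side
    vuit = issue_vuit(key, "sub-1001")       # constructed subscriber ID
    client_made = secrets.token_urlsafe(32)  # what an app could generate itself
    print("server-issued accepted:", is_server_issued(key, "sub-1001", vuit))
    print("bound to other subscriber:", is_server_issued(key, "sub-2002", vuit))
    print("client-generated accepted:", is_server_issued(key, "sub-1001", client_made))
```

With application-driven provisioning there is no server key involved, so the service provider has no equivalent check it can apply to the value the application supplies.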