Use Fortified ID Integrity Web to provide user attributes during Microsoft Entra Verifiable Credentials issuance. To learn more about Verifiable Credentials in general, please contact Fortified ID.
Last updated
Microsoft Entra Verified ID is a verifiable credential issuance and verification service provided by Microsoft Azure. With MS Entra users are able to generate and present digital credentials. These credentials can be also be verified by applications, using MS Entra Verified ID as the platform.
Microsoft Entra Verified ID supports configuring an external OpenID Connect Provider, such as Fortified ID Integrity Web, as an attribute (claim) provider for verifiable credentials. The OpenID Connect Provider asserts and id_token with a set of attributes (claims) which is used to generate the verifiable credential.
The purpose of this document is to explain how to set this up with Fortified Integrity Web and Microsoft Entra ID. It also includes instruction on how to test it, using a sample app from Microsoft.
The document describes a use case where the OpenID Connect Provider (Integrity Web) uses Freja OrganisationID as the authentication method. The organisation identifier (userID) is returned as the preferred_username claim which is then used to populate the Verifiable Credential.
Please note that this is only one use case example. Integrity Web can be configured to use a vast range of authentication methods and data sources for claim population, based on the Verifiable Credential requirement. Please contact Fortified ID for further assistance.
Integrity web installed
Front end web server, such as Apache or Nginx, installed on the same machine as Integrity
Front end web server must be exposed to the internet with a resolvable DNS name and valid https certificate (you can use ngrok to temporary expose local machines to the internet for testing purposes etc)
Front end web server should proxy all http traffic to the Integrity web server, with one exception: ProxyPass /.well-known ! ProxyPassReverse /.well-known !
Follow these instructions to create a key vault. Do not proceed with setting access policies, we will come to that later.
Example:
Example:
The sample test app must be authorized to use Entra for issuance of Verifiable Credentials.
Example:
Click Certificates and secrets
Create a new Client Secret
Set a description and an expiry date
Make sure to note the client secret value as this will be used in a later step.
Example:
The complete server-config.json can be found here. The annotated values should be changed to match your environment. Please click on the annotation for instructions.
Restart integrity web
Verify the initial configuration by browsing to https://<your_external_dns_name>/oidc/tenant1/.well-known/openid-configuration. OIDC discovery json should now be displayed.
Check log files for errors if no discovery json is presented. Fix the error(s) and try again.
Open the Azure portal
Select Verified ID
Credentials
Click Add Credential
Select Custom Credential
Enter a name (in this config example we used FortifiedIDEmployeeType)
Add this json configuration below Display. Please change to suite your environment.
Add this json configuration below Rules. Please change to suite your environment.
Click Create
Once created, open the Verifiable Credential
Click Issue Credential
Take note of the Authority and Manifest values. These will be used later in the instruction.
Unzip in any location
Open 1-node-api-idtokenhint/config.json file in a text editor
Set these configuration parameters:
azTenantId - Your Azure tenant ID
azClientId - The client ID for the app (value from the process Register the app in Azure)
azClientSecret - The client secret for the app (value from the process Register the app in Azure)
CredentialManifest - The manifest URL of the credential. Recevied in previous step.
IssuerAuthority - The Authority. Recevied in previous step.
VerifierAuthority - The Authority. In this sample, this is the same as IssuerAuthority. Recevied in previous step.
Full example:
Save the file.
Open 1-node-api-idtokenhint/presentation_request_config.json file in a text editor
Change these configuration parameters:
acceptedIssuers - set to Issuer DID
type - set to Verifiable Credentials type
Example:
Save the file
Open a terminal
Change folder to the directory
Run the command npm install && npm start
The application runs on http://localhost:8080. However, it's not able to test the Verifiable Credentials Flow from a local application. ! To test the Verifiable Credentials flow, the application must be reachable from the internet, on a public DNS. For testing purposes, ngrok may be used to expose the application to the internet.
Browse to the application (using the external DNS). This page should be presented:
Click GET CREDENTIAL to test issuance
Click VERIFY CREDENTIAL to test presentation / verification
In case of errors, please view the console log of the application to check for configuration issues.
In case of errors on the OpenID Connect Provider during issuance, please view the Fortified ID Integrity log files.
in place
Example:
Set up Verified ID, using
Set access policies for the Verified ID service principals, using
Set it up in Azure, using . Follow to grant access.
In this step, Fortified ID Integrity Web will be configured as an OpenID Connect Provider. The supporting instruction for this setup can be found .
Download the test application from
