Overview


This guide will explain the IdRamp Entra Verified ID credential creation and issuance process. The IdRamp verification orchestration platform streamlines the process by removing the need for custom code development, saving you time and resources.


Setup Entra Verified ID (Verified ID Authority)

The first step is to configure Verified ID in your Entra tenant. Microsoft provides two options for setup: Quick and Advanced. The quick setup option is easy, but comes with several caveats (ie. shared resources) which may prevent it from being valid for your use case. The advanced setup option is more involved. It requires creation of Azure resources (eg. key vault), and hosting of static files on your domain. 


For a production deployment, we recommend using the Advanced Setup. The following links are to the Microsoft documentation for configuring Verified IDs within an Entra tenant.


Microsoft Entra ID Verified ID - Quick Setup


Microsoft Entra ID Verified ID - Advanced Setup

When Complete

You should have an Application Registration with permission to issue and verify Verified IDs. Please record the following details for later use.


 

Application (client) ID

Directory (tenant) ID

Client Secret


Create a Verified Credential (Credential Type/ Contracts)

Now that you have your Entra tenant configured to support Verified IDs, it is time to create a credential type. The following sections were adapted from Microsoft documentation.

Create a CLEAR Verified Credential

  1. Sign in to the Microsoft Entra admin center as a Global Administrator.


  1. Select Verified ID.


  1. Select Credentials in the left-hand menu.


  1. Select + Add a credential.


  1. In Create credential, select Custom Credential and click Next:

    1. For Credential name, enter CLEAR Verified. This name is used in the portal to identify your verifiable credentials. It's included as part of the verifiable credentials contract. If a different value is used here, it will be necessary to update the $.vc.type property in step c below. Note: this value cannot be changed later.

    2. Copy the following JSON and paste it in the Display definition textbox. 


      1. Replace any “<...>” with your values.
         

      2. Optionally change the “backgroundColor” and “textColor” as appropriate for your organization’s branding (these can be changed at a later time).


{

    "locale": "en-US",

    "card": {

      "title": "CLEAR Verified",

      "issuedBy": "<Your Organization Name>",

      "backgroundColor": "#ffffff",

      "textColor": "#000000",

      "logo": {

        "uri": "https://<hosted logo URL>",

        "description": "<Your Organization Name> Logo"

      },

      "description": "Provide access to your CLEAR verification results."

    },

    "consent": {

      "title": "Do you want to get your Verified Credential?",

      "instructions": "Sign in with your account to get your card."

    },

    "claims": [

      {

        "claim": "vc.credentialSubject.firstName",

        "label": "First name",

        "type": "String"

      },

      {

        "claim": "vc.credentialSubject.lastName",

        "label": "Last name",

        "type": "String"

      },

      {

        "claim": "vc.credentialSubject.phone",

        "label": "Phone Number",

        "type": "String"

      },

      {

        "claim": "vc.credentialSubject.photo",

        "label": "Photo",

        "type": "image/jpg;base64url"

      }

    ]

}


  1. Copy the following JSON and paste it in the Rules definition textbox. 


    1. If a different value was used in step “a” above, it will be necessary to update the $.vc.type[0] property to match.

    2. Optionally update the “validityInterval”. This represents the lifespan of the credential in seconds. The default value below is 30 days (30 days x 24 hours/day x 60 minutes/hour x 60 seconds/minute = 2592000 seconds). This means that 30 days after the credential is issued it will be considered “expired” and the user will need to be issued a new credential.


{

  "attestations": {

    "idTokenHints": [

      {

        "mapping": [

          {

            "outputClaim": "firstName",

            "required": true,

            "inputClaim": "firstName",

            "indexed": false

          },

          {

            "outputClaim": "lastName",

            "required": true,

            "inputClaim": "lastName",

            "indexed": false

          },

          {

            "outputClaim": "phone",

            "required": true,

            "inputClaim": "phone",

            "indexed": true

          },

          {

            "outputClaim": "photo",

            "required": false,

            "inputClaim": "photo",

            "indexed": false

          }

        ],

        "required": false

      }

    ]

  },

  "validityInterval": 2592000,

  "vc": {

    "type": [

      "CLEAR Verified"

    ]

  }

}

  1. Select Create.

The following screenshot demonstrates how to create a new credential:

Screenshot that shows how to create a new credential.


Gather credentials and environment details


Now that you have a new credential, you're going to gather some information about your environment and the credential that you created. You will use these pieces of information when you set up your sample application.

  1. In Verifiable Credentials, select Issue credential.

    Screenshot that shows how to select the newly created verified credential.

  2. Copy the authority, which is the Decentralized Identifier, and record it for later.

  3. Copy the manifest URL. It's the URL that Authenticator evaluates before it displays to the user verifiable credential issuance requirements. Record it for later use.

  4. Copy your type, and record it for later. This will likely be “CLEAR Verified”.

When Complete


You should have a decentralized identifier (DID), and a new Credential Type which can be issued and verified with your Verified ID Authority. Please record the following details for later use.


 

DID (starts with “did:web:”, ex. did:web:idramp.com)

Credential Type

Manifest URL


Configure IdRamp


Create an IdP for the Authority


  1. In the left-hand navigation, select ID PROVIDERS.


  1. Select + ADD NEW.


  1. Find Entra and select ADD.


  1. Specify the display name for the new identity provider (e.g. Entra Verified ID), and select SAVE.


  1. Use the details saved from earlier in this document to fill out the form. 


  1. Optionally select and upload a custom icon.


  1. Select SAVE.

Create an Issuance Service

  1. In the left-hand navigation, select SERVICES.


  1. Select + ADD NEW.


  1. Specify the display name for the new service provider (eg. CLEAR Verified ID).


  1. For Service Type select Entra VID Issuance.


  1. Select CONTINUE.


  1. Select CONFIGURE SERVICE.


  1. Select the ENTRA tab.


  1. For Authority make sure the IdP created above is selected.


  1. Set the Credential Type and Manifest URL fields using the details saved earlier in this document.

    1. Ignore the API Key field.


  1. Select SAVE.


  1. Again, in the left-hand navigation, select SERVICES.


  1. Find the new Service Provider (eg. CLEAR Verified ID) and select the Gear icon.


  1. Select Copy URL. This URL can be used by any user to complete issuance of the Verified ID using the CLEAR identity provider.


Congratulations, you have completed the Entra Verified ID credential creation and issuance process.