Using the Verified ID code sample for Woodgrove Helpdesk with Entra ID VC

Rory Braybrook
The new control plane
4 min read, Jul 9, 2024
Image of Face ID
Face ID by SBTS — ”Face ID Icons” — Noun Project (CC BY 3.0)

The use case is “showcasing identifying yourself at a help desk by presenting your VerifiedEmployee card.

The help desk website requires a Face Check together with the presentation for high assurance that the person is who they claim to be before getting support”.

The docs are here.

The GitHub sample is here.

The first thing to do is ensure you have a decent photo of yourself in Entra ID.

If you don’t, upload a photo in your user profile in the Entra ID portal if you have access.

Image showing the get photo button

Otherwise, you can do this with M365.

You may need to get your HR department to do this.

Also, ensure that your display name and email address are populated.

Then, download the GitHub sample and ensure it compiles.

You need to update the appsettings.json:

"VerifiedID": {
  "ApiEndpoint": "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/",
  "TenantId": "00d...c79",
  "Authority": "https://login.microsoftonline.com/",
  "scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default",
  "ManagedIdentity": false,
  //--- Not needed if you use MSI ("ManagedIdentity": true). Needed if not using MSI
  "ClientId": "6e5...125",
  "ClientSecret": "c-8...bsi",
  "CertificateName": "",
  //---
  "DidAuthority": "did:web:verifiedid.entra.microsoft.com:00d...1a3",
  //--- The following can be omitted as the app has defaults
  "client_name": "Woodgrove Helpdesk",
  "Purpose": "To prove your identity",
  "includeQRCode": false,
  "includeReceipt": true,
  "allowRevoked": false,
  "validateLinkedDomain": true,
  "CredentialType": "VerifiedEmployee",
  "GuestEmailClaimName": "mail",
  "GuestDisplayClaimName": "displayName"
}

I did not use MSI, so I set “ManagedIdentity” to false.

Set the “CertificateName” to an empty string.

Register the app (see the app registration section of the docs), then follow the next section in the docs, “Grant permissions to get access tokens”. Create a client secret.

Set your tenant ID, client ID and client secret in the JSON file from the registration details.

Set the redirect URI:

https://localhost:5001/signin-oidc

Also, set your “DidAuthority”. You’ll find this on the VC “Organisation settings” page.

Enable Face Check:

Image showing the “Enable Face Check” button on the Verified ID page in the portal

You must set the photo and ensure the display name and email are populated before getting the VC. Otherwise, the claims will not be in the VC, and the sample won’t work.

Go to https://myaccount.microsoft.com/.

Log in as the user above with the photo.

Issue yourself a verified ID.

Image showing “Get my Verified ID” in the MyAccounts page

The Verified ID service needs to be able to reach the sample (it calls the sample back with the presentation result), so either deploy it to Entra App Services or use ngrok.

ngrok http 5000

You will see an entry like this:

https://1c6a-222-155-30-156.ngrok-free.app -> http://localhost:5000

In the app registration, add another redirect URI based on the ngrok URL above.

Note: This URI changes every time you run ngrok.

Start the sample.

In the browser, navigate to:

https://1c6a-222-155-30-156.ngrok-free.app

You should see:

Image showing the Woodgrove Helpdesk portal

Click “I already have my card”.

Image showing the QR code you need to scan

Scan the QR code using the Authenticator app, under the Verified ID tab.

Then select the Verified Employee VC you created earlier (if you have more than one).

Then select “Next”.

Image showing the Verified Employee card in the authenticator app

Now, you start the face check. Read the instructions and then click “Next”.

Image showing instructions for face check. Position the face within the template. Do not wear glasses. Be in a well-lit area. Avoid shadows.

Your phone will now take a picture of your face. Try to fit your face into the border provided.

Image showing “Share the face check” results.

Then click “Share”.

You will see a message on your phone — “Verification complete”.

Image showing successful check with email, name and score.

In the real world, you will now be able to get support.

Note: You decide what minimum score is acceptable. The score in the GitHub sample is set to 70.
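To make that decision concrete, here is an added Python example (not code from the GitHub sample, which is .NET) that applies the settings from the appsettings.json above and a minimum Face Check score to a presentation callback. The callback shape, the `MinFaceCheckScore` key and the sample inputs are assumptions constructed for this illustration.

```python
import json

# Keys from the post's appsettings.json "VerifiedID" section; MinFaceCheckScore is a
# hypothetical key standing in for the 70 that the GitHub sample hard-codes.
SETTINGS = {
    "allowRevoked": False,
    "validateLinkedDomain": True,
    "CredentialType": "VerifiedEmployee",
    "GuestEmailClaimName": "mail",
    "GuestDisplayClaimName": "displayName",
    "MinFaceCheckScore": 70,
}

def evaluate_presentation(callback_json: str, settings: dict = SETTINGS) -> dict:
    """Return {"ok": bool, "reason": str} (+ email/name/score when accepted); first failing check wins."""
    cb = json.loads(callback_json)
    if cb.get("requestStatus") != "presentation_verified":
        return {"ok": False, "reason": f"request status is {cb.get('requestStatus')!r}"}
    vc = (cb.get("verifiedCredentialsData") or [{}])[0]
    if settings["CredentialType"] not in vc.get("type", []):
        return {"ok": False, "reason": f"no {settings['CredentialType']} credential in callback"}
    status = vc.get("credentialState", {}).get("revocationStatus")
    if not settings["allowRevoked"] and status != "VALID":
        return {"ok": False, "reason": f"revocation status is {status!r}"}
    if settings["validateLinkedDomain"] and not vc.get("domainValidation", {}).get("url"):
        return {"ok": False, "reason": "issuer DID is not linked to a verified domain"}
    claims = vc.get("claims", {})
    email = claims.get(settings["GuestEmailClaimName"])
    name = claims.get(settings["GuestDisplayClaimName"])
    if not email or not name:  # the post's warning: mail/displayName must be set before issuance
        return {"ok": False, "reason": "email or display name claim missing from the VC"}
    score = vc.get("faceCheck", {}).get("matchConfidenceScore")
    if score is None or score < settings["MinFaceCheckScore"]:
        return {"ok": False, "reason": f"face check score {score} below {settings['MinFaceCheckScore']}"}
    return {"ok": True, "reason": "verified", "email": email, "name": name, "score": score}

def sample_callback(score=None, claims=None):
    """Constructed callback in the assumed shape of the Request Service presentation callback."""
    vc = {
        "issuer": "did:web:verifiedid.entra.microsoft.com:00d...1a3",
        "type": ["VerifiableCredential", "VerifiedEmployee"],
        "claims": claims if claims is not None else {"mail": "alice@example.invalid", "displayName": "Alice"},
        "credentialState": {"revocationStatus": "VALID"},
        "domainValidation": {"url": "https://example.invalid/"},  # placeholder linked domain
    }
    if score is not None:  # a presentation made without Face Check carries no faceCheck block
        vc["faceCheck"] = {"matchConfidenceScore": score}
    return json.dumps({"requestStatus": "presentation_verified", "verifiedCredentialsData": [vc]})
```

Every rejection carries a reason string, which is what you would want in the help desk's audit log next to the activity entry the portal shows.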

You can check the activity in the VC log in the portal.

Image showing successful verification in activity log

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5