the_order/manifests/entra/README.md

Entra VerifiedID Credential Manifest Templates

This directory contains templates and guides for creating credential manifests in Entra VerifiedID.

Manifest Templates

Default/Identity Manifest

File: default-manifest-template.json

Use this for general identity credentials. Includes:

• email (required)
• name (required)
• role (optional)
• userId (optional)

Diplomatic Manifest

File: diplomatic-manifest-template.json

Use this for Letters of Credence. Includes:

• recipientName (required)
• recipientTitle (required)
• missionCountry (required)
• missionType (required: embassy, consulate, delegation, mission)
• appointmentDate (required)
• expirationDate (optional)

Judicial Manifest

File: judicial-manifest-template.json

Use this for judicial appointments. Includes:

• role (required: judge, magistrate, justice, prosecutor)
• appointmentAuthority (required)
• jurisdiction (required)
• appointmentDate (required)
• termLength (optional)

Financial Manifest

File: financial-manifest-template.json

Use this for financial role credentials. Includes:

• role (required: financial-officer, treasurer, accountant, auditor)
• appointmentAuthority (required)
• jurisdiction (required)
• appointmentDate (required)

Creating Manifests

Step 1: Access Azure Portal

1. Go to: https://portal.azure.com/#view/Microsoft_AAD_IAM/VerifiedIDBlade
2. Navigate to: Verified ID → Credentials

Step 2: Create Manifest

1. Click "Add credential" or "Create new credential"
2. Choose "Custom credential" or appropriate template
3. Configure using the JSON templates in this directory

Step 3: Configure Claims

For each claim in the template:

1. Add the claim name
2. Set the data type (String, Number, DateTime, Boolean)
3. Mark as required if specified
4. Add enum values if specified

Step 4: Configure Issuer

• Name: "The Order"
• Domain: "theorder.org" (or your domain)
• DID: Will be auto-generated (format: did:web:<tenant-id>.verifiedid.msidentity.com)

Step 5: Save and Note Manifest ID

After creating the manifest:

1. Note the Manifest ID (displayed after creation)
2. Run: ./collect-manifest-ids.sh
3. Or manually add to ENTRA_MANIFESTS environment variable

Quick Reference

Default Manifest

• Purpose: General identity credentials
• Use Case: Member identification, basic credentials
• Manifest ID Variable: ENTRA_CREDENTIAL_MANIFEST_ID

Diplomatic Manifest

• Purpose: Letters of Credence
• Use Case: Diplomatic appointments
• Manifest Name: diplomatic

Judicial Manifest

• Purpose: Judicial appointments
• Use Case: Judge, magistrate, justice credentials
• Manifest Name: judicial

Financial Manifest

• Purpose: Financial role credentials
• Use Case: Financial officers, treasurers, accountants
• Manifest Name: financial

Multi-Manifest Configuration

After creating all manifests, configure multi-manifest support:

./scripts/deploy/configure-multi-manifest.sh

Or manually set:

export ENTRA_MANIFESTS='{"default":"id1","diplomatic":"id2","judicial":"id3","financial":"id4"}'

Testing Manifests

After creating manifests, test with:

# Test default manifest
curl -X POST http://localhost:4002/vc/issue/entra \
  -H "Content-Type: application/json" \
  -d '{"claims": {"email": "test@example.com", "name": "Test User"}}'

# Test diplomatic manifest
curl -X POST http://localhost:4002/vc/issue/entra \
  -H "Content-Type: application/json" \
  -d '{"claims": {...}, "manifestName": "diplomatic"}'

Troubleshooting

Manifest Not Found

• Verify Manifest ID is correct
• Check manifest exists in Azure Portal
• Verify API permissions are granted

Invalid Claims

• Ensure claim names match exactly
• Check data types are correct
• Verify required claims are provided

Issuance Fails

• Check manifest is active
• Verify issuer DID is correct
• Review Entra API logs

---

Last Updated: [Current Date]