the_order/manifests/entra/README.md
defiQUG 92cc41d26d Add Legal Office seal and complete Azure CDN deployment
- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS
2025-11-12 22:03:42 -08:00


# Entra VerifiedID Credential Manifest Templates
This directory contains templates and guides for creating credential manifests in Entra VerifiedID.
## Manifest Templates
### Default/Identity Manifest
**File**: `default-manifest-template.json`
Use this for general identity credentials. Includes:
- email (required)
- name (required)
- role (optional)
- userId (optional)
### Diplomatic Manifest
**File**: `diplomatic-manifest-template.json`
Use this for Letters of Credence. Includes:
- recipientName (required)
- recipientTitle (required)
- missionCountry (required)
- missionType (required: embassy, consulate, delegation, mission)
- appointmentDate (required)
- expirationDate (optional)
### Judicial Manifest
**File**: `judicial-manifest-template.json`
Use this for judicial appointments. Includes:
- role (required: judge, magistrate, justice, prosecutor)
- appointmentAuthority (required)
- jurisdiction (required)
- appointmentDate (required)
- termLength (optional)
### Financial Manifest
**File**: `financial-manifest-template.json`
Use this for financial role credentials. Includes:
- role (required: financial-officer, treasurer, accountant, auditor)
- appointmentAuthority (required)
- jurisdiction (required)
- appointmentDate (required)
## Creating Manifests
### Step 1: Access Azure Portal
1. Go to: https://portal.azure.com/#view/Microsoft_AAD_IAM/VerifiedIDBlade
2. Navigate to: Verified ID → Credentials
### Step 2: Create Manifest
1. Click "Add credential" or "Create new credential"
2. Choose "Custom credential" or appropriate template
3. Configure using the JSON templates in this directory
### Step 3: Configure Claims
For each claim in the template:
1. Add the claim name
2. Set the data type (String, Number, DateTime, Boolean)
3. Mark as required if specified
4. Add enum values if specified
### Step 4: Configure Issuer
- Name: "The Order"
- Domain: "theorder.org" (or your domain)
- DID: Will be auto-generated (format: `did:web:<tenant-id>.verifiedid.msidentity.com`)
### Step 5: Save and Note Manifest ID
After creating the manifest:
1. Note the Manifest ID (displayed after creation)
2. Run: `./collect-manifest-ids.sh`
3. Or manually add to `ENTRA_MANIFESTS` environment variable
## Quick Reference
### Default Manifest
- **Purpose**: General identity credentials
- **Use Case**: Member identification, basic credentials
- **Manifest ID Variable**: `ENTRA_CREDENTIAL_MANIFEST_ID`
### Diplomatic Manifest
- **Purpose**: Letters of Credence
- **Use Case**: Diplomatic appointments
- **Manifest Name**: `diplomatic`
### Judicial Manifest
- **Purpose**: Judicial appointments
- **Use Case**: Judge, magistrate, justice credentials
- **Manifest Name**: `judicial`
### Financial Manifest
- **Purpose**: Financial role credentials
- **Use Case**: Financial officers, treasurers, accountants
- **Manifest Name**: `financial`
## Multi-Manifest Configuration
After creating all manifests, configure multi-manifest support:
```bash
./scripts/deploy/configure-multi-manifest.sh
```
Or manually set:
```bash
export ENTRA_MANIFESTS='{"default":"id1","diplomatic":"id2","judicial":"id3","financial":"id4"}'
```
## Testing Manifests
After creating manifests, test with:
```bash
# Test default manifest
curl -X POST http://localhost:4002/vc/issue/entra \
-H "Content-Type: application/json" \
-d '{"claims": {"email": "test@example.com", "name": "Test User"}}'
# Test diplomatic manifest
curl -X POST http://localhost:4002/vc/issue/entra \
-H "Content-Type: application/json" \
-d '{"claims": {...}, "manifestName": "diplomatic"}'
```
## Troubleshooting
### Manifest Not Found
- Verify Manifest ID is correct
- Check manifest exists in Azure Portal
- Verify API permissions are granted
### Invalid Claims
- Ensure claim names match exactly
- Check data types are correct
- Verify required claims are provided
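The checks above can be run locally before a request reaches `/vc/issue/entra`. The following is an added example, not code from this repository: the rules table is transcribed by hand from the template lists in this README (the JSON template files are not read), the function names are hypothetical, and treating claims outside the template as errors is an assumption about the desired policy.

```python
import json

R, O = True, False  # required / optional
# Transcribed from this README: manifest -> claim -> (required, allowed values or None).
RULES = {
    "default": {"email": (R, None), "name": (R, None), "role": (O, None), "userId": (O, None)},
    "diplomatic": {
        "recipientName": (R, None), "recipientTitle": (R, None), "missionCountry": (R, None),
        "missionType": (R, {"embassy", "consulate", "delegation", "mission"}),
        "appointmentDate": (R, None), "expirationDate": (O, None),
    },
    "judicial": {
        "role": (R, {"judge", "magistrate", "justice", "prosecutor"}),
        "appointmentAuthority": (R, None), "jurisdiction": (R, None),
        "appointmentDate": (R, None), "termLength": (O, None),
    },
    "financial": {
        "role": (R, {"financial-officer", "treasurer", "accountant", "auditor"}),
        "appointmentAuthority": (R, None), "jurisdiction": (R, None),
        "appointmentDate": (R, None),
    },
}

def validate_claims(manifest_name, claims):
    """Return a list of problems; an empty list means the claims fit the template."""
    rules = RULES.get(manifest_name)
    if rules is None:
        return [f"unknown manifest: {manifest_name!r}"]
    problems = []
    for name, (required, allowed) in rules.items():
        value = claims.get(name)
        if value is None or value == "":
            if required:
                problems.append(f"missing required claim: {name}")
            continue
        # Enum values are compared exactly, so "Judge" does not pass for "judge".
        if allowed is not None and (not isinstance(value, str) or value not in allowed):
            problems.append(f"claim {name}={value!r} not in {sorted(allowed)}")
    # Claim names must match exactly: anything the template lacks is reported.
    problems += [f"unexpected claim: {n}" for n in claims if n not in rules]
    return problems

def missing_manifest_ids(env_value):
    """Manifest names with no non-empty ID in the ENTRA_MANIFESTS JSON string."""
    mapping = json.loads(env_value)
    if not isinstance(mapping, dict):
        return sorted(RULES)
    return sorted(n for n in RULES if not mapping.get(n))
```
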
### Issuance Fails
- Check manifest is active
- Verify issuer DID is correct
- Review Entra API logs
---
**Last Updated**: [Current Date]