Understanding and using Microsoft Entra Verified ID

Hello, and welcome everybody. I think it's a good morning, good afternoon, good evening and good middle of the night; we've had sign-ups from completely around the world, so I'm very pleased everyone's joined. Not everyone's joined: we've got way more sign-ups than we've got participants at the moment, but hopefully people will come along in a minute. What would be really, really useful is... I'd like to try and make it look as much like a live event as could be, so if you could keep your cameras on, that would be fantastic. We won't actually include you in the actual webinar presentation itself, but we might do the odd screenshot and things for a bit of social media, so I hope that's okay.

So, for those who don't know me, I'm John Craddock and I've been working in the identity space for, oh, many years now. I was involved with the Microsoft launch of... there's a reminder that's just popped up, let me get rid of that and let me make sure that's closed off. Yeah, so I was involved in the launch of on-prem Active Directory. About the same sort of time I was working with IBM federation, and then I got involved in ADFS and did a lot of federated work with that, and then of course got heavily involved in Azure AD. And then I was looking at, and I actually started looking at about the same time Microsoft started work on it, decentralized identity and also verifiable credentials, as it was called. Microsoft had their Verifiable Credentials service, but of course that name changed only a few weeks ago, so now it's Entra Verified ID. I just love the way Microsoft... you know, you just get used to a name and then they change things. I think the worst thing, and you probably all started this, was the Defender rename: you suddenly got to know all the different products and suddenly there were all new products, but of course they were all the same.

Okay, so I'm going to be talking for the next hour or thereabouts about looking at Verified IDs. What I need to do is go to my screen share and kick off on that, and I'm just checking that's coming out. So it is, so that's really good news.

What I'd like to do is just talk a little bit about the way I operate, and the way I operate is to try and take really complicated stuff, really understand it and then distil the essence of that. I find it works really well as a consultant, when I'm an architect, if I can actually explain things, but I try and make things as simple as they possibly can be and yet leave the technical depth in there. I always aim for the Charles Mingus quote of coming up with as much creativity as possible. The other thing I've absolutely loved over the years is actually doing really big presentations at ID forums and TechEds, and I recognize a lot of names from people at those different events. I was thinking about this the other day and thinking, you know, wouldn't it be fun to do a really big presentation again some time. I've just seen that they've announced Ignite, and it's sort of partially digital, and they say that a group of people, I don't know how big the group is, is going to meet up at Redmond by the sound of it.

But I got a call the other day from my son; it was about the Thursday, and he said, oh, can I come and see you this weekend? I thought, what on Earth is this about? He's never asked at that short notice to come down and see me. I said, what's it about? He said, I want to go to the Fatboy Slim concert, and then he said, do you want to come too? Much to my surprise, and I think even more to his surprise, I said yes. So I ended up at the Fatboy Slim concert on Brighton Beach. This guy is the most amazing presenter, you know, Eat Sleep Rave Repeat, and he was going on and on, Eat Sleep Rave Repeat, and I thought, eat sleep identity repeat? No, it doesn't quite work. But I did make it to his video wall, so I almost got on stage with him, but not quite.

So I'm going to start off with looking at repetition: repeat, repeat. We've gone through life repeating things when we're involved with digital identity. If we go back and think about when we join a school, we will need to be provisioned into the school's identity store, and that might involve, at that stage, our parents getting involved to prove that they are our parents and prove where I live, and so on. So we get added to the school store, now as Eric; I'm using the example of Eric. As Eric goes through his school life he'll pass exams and everything else, and that will be added into the school identity store. And then Eric goes to college or goes to university, and again he's proving who he is to that particular college. Again, when he passes his degree, passes his diploma, does his projects, etc., all of that is stored in the identity store. And we know it as we go through life: we go to work, and again we're providing the same sort of information to work, and then the next job, we go to the next one, and so on. And then working with financial institutions, we're forever providing proofs of identity and other details. If you think about it, how many times do you need to prove the same thing to yet another organization?

The other thing is we are leaving, as we go through life, these silos of our identity. So our diploma or degree results are siloed in the college identity store, exams we passed at school are siloed in that school store, and as we go through work we'll have other bits and pieces siloed. What we need is a complete paradigm shift, and our paradigm shift would be where we can have an issuer, and an issuer issues a credential about us, and this credential is then bound to our identity. The identity is owned by ourselves; it's not owned by any particular organization. So an issuer binds this credential to our identity, and then we hold that credential, and we can hold credentials from multiple issuers. Now some of the issuers could be government organizations, some of them could be the college; another one might be, for instance, an identity proofing service that has actually interviewed us, found out about our academic achievements, put them all together and issued a credential which is now bound to our identity, an identity we hold. Then what we do is we can present those credentials as needed to verifiers. Now, verifier is the sort of term that's used, but if you want to use the term relying party, that will work as well. So we can present them to relying parties.

Now what I want to do is actually do a little demo of onboarding a new employee. So we'll start off: we've arrived at Woodgrove, and our first name is Matthew, so Matthew is going to be onboarded now. What Woodgrove has decided to do is actually to leverage verifiable credentials, and they're going to send Matthew over to their identity proofing service, which happens to be True Identity. So we end up going over to True Identity, and again they'll be collecting their name, maybe taking a picture; here we're taking a selfie, uploading it, getting government documents and putting those together, and anything else that you want in that service. We could actually say that Matthew has to come in for an interview, and we're actually going to interview him and check him out. So whatever needs to be gathered, we can gather, and then what will happen is, when Matthew clicks next, it's going to verify all the information and it's going to build this credential that Matthew can pick up and tie to his identity. So again we're using the Microsoft Authenticator; we bring that out and we scan this QR code. So we scan the QR code, and what it will do is it will whirl away for a little bit and then it will offer the chance of picking up this credential using a PIN.

Now what's happened is the identity proofing service has pulled all the status together, they've done the analysis, maybe they've done a live test, all sorts of bits and pieces; they've brought it together and they're saying that Matthew can pick this up with a PIN. Now we could have a PIN on the website, but probably we send it via a different method to Matthew, and what he'll do is he'll enter the PIN he's been given, and now what he's got is this identity, or verifiable credential, that can prove his identity. If we look at it, there it is, and notice the age verification: we didn't put his age in there, we just said he's over 21 because we checked that out, and it means we don't have to have personal identity information in here. And then the documents that have been scanned, and when this thing was issued, and then, very, very importantly, issued by, and we've got the domain name there of the issuer, and notice it says verified. What I'll do is I will come back to that later on. So if we look at the activity, well, we just got this thing.

So let's now return to Woodgrove. So we've gone to the identity service that Woodgrove uses, now we're back at Woodgrove, and what we're going to do is present that credential to Woodgrove. So Woodgrove has now produced a QR code which we can scan, and we're going to scan that QR code, and what it will do is ask us to present this credential. So we're going to share it, and we've now shared it. So we've actually given Woodgrove now our identity, and we can see we've got receipts of what we do with our credentials. And then we can go on and go back to Woodgrove, and we could then go through, they can provision an account for us, and then we can retrieve a proof that we are a Woodgrove employee. So once again we scan that, and this happens to use a PIN again to pull the data, but what we could do is actually authenticate with Woodgrove, providing our account's been provisioned. We could authenticate, and
when we authenticate, we can build this credential, but we're just using a PIN in here again. So we do that, next on there, and now we've got a Verified Employee credential, or nearly have. Say we want that again; we can check its use, but we're going to visit a company that allows Woodgrove staff to have a discount. So we're going to go and access the discount, and we're going to verify the credential which is proof that we are a Woodgrove employee. I'll just scan it again and present the credential, so we're sharing it, and again if you want you can check and look at the receipts. So there we are: the initial issuing of it by Woodgrove, and then we present it to Proseware and then we've got our discount. So that is sort of basically a process of using the verifiable credentials. Who is the custodian of the verifiable credential? The person that owns that wallet, and that wallet, in this example here, is using the Microsoft Authenticator.

But if we think about it, isn't this the way that we've always done it? Just imagine Sally's driving along in her sports car and suddenly a policeman, or a police person, stops her. She's probably been speeding or done something wrong, and the police officer wants proof that she is allowed to drive. So what Sally does is she looks in her wallet and brings out the driving license and presents it to the police officer, and what the police officer does is look at that and say, okay, so you're allowed to drive. Well, it says you're allowed to drive, and I trust that because the photo matches you, it's been issued by the driving license authority, and the sort of envelope it's in has not been tampered with and probably has a hologram on it, and so on. So it accepts that. The beauty of this is that Sally is the custodian of that driving license. She holds it in her wallet and can present it in different situations. So if she goes shopping and she's got a very high value purchase she's doing, maybe the shop wants additional proof of identity, so she can present her driving license. They don't care that she can drive, but what they've got is a photo ID of her and maybe they can verify her address. She can use it to present to a nightclub to prove that she's over 21. So we've got different uses of this verifiable credential that she holds in her wallet.

Now if we look at the components on that, what we've got is a subject, we've got claims, and we've got the issuer, who has asserted those claims about the subject. Right, and I'm using this little analogy of a driving license, but of course this could apply to absolutely everything. So with Woodgrove, the subject was... we had our subject, and True Identity vouched for checking the details about that particular subject, and of course we need a tamper-evident envelope. Now we've got the issuer, we've got the holder, we've got the verifier. If we want to go digital, what we need to do is give everyone a digital identity, and this is where digital, sorry, it should be decentralized identifiers come in. This is where we can give the issuer one DID, the holder another DID, the verifier another DID, and for each DID we generate a private/public key pair. The private key never leaves the possession of the entity, and that's really, really important: we need to absolutely secure that private key, and it's only available to us, and then the private key is used to sign messages.

Now if you're not familiar with public/private keys and how they're used for signing: what we have is the private key. Private key, absolutely, we mustn't lose it, so we securely store that. Using some crypto maths we can derive a public key, and then we can distribute that public key to anyone. Take the public key: there is no way that you can use any maths at all to go from the public key back to the private key, so you can't go in the other direction. So we can then assemble a message and sign it; we can sign it with our private key. Anyone that receives that message can then validate that message using our public key, and it proves two things and two things only: it proves the message was created by the owner, or if you want, possessor, of the private key, and it proves that the message has not been tampered with. So that's two very, very important proofs. So it arrives, we say okay, the person that signed this had the private key that corresponds to this public key, and it's not been tampered with. Okay, so we need to make our public key available to absolutely anyone. All right, so if we're going to verify a credential that's passed to us, we're going to have to get hold of the public key.

So this is the way that DIDs operate. What we have is a unique identifier, and then a DID document that goes with that unique identifier, and that DID document contains the actual public key. So down here in the document, down here, is the public key information. It can also contain other metadata and references, for instance a linked domain; again I'll come back to exactly what a linked domain is, and also identity hubs, it can have a reference to those as well. Okay, so we've got a unique identifier and the DID document. Now, what you do with the DID document: you need to put it somewhere where it can be recovered from, and typically with DID documents, the idea, the proposal, was that you stored them on some form of decentralized ledger technology, typically a blockchain of some kind, but there are other decentralized ledger technologies available. The idea of decentralized ledger technology is nobody owns the ledger, and an entry onto the ledger becomes immutable when there are enough entries that follow it. I'm not going to go into the details of blockchain here; that's one method of doing it. Another thing is we could rely on DNS and your domain namespace. So if you've got a DNS name, you could store on your website, right, an actual DID document, obviously HTTPS protected, but you could store the DID document on your website, so in your domain namespace.

Microsoft currently support two methods of storing DID documents. One is it does it on what's called the Identity Overlay Network, or ION, and the idea of ION is that it's a sort of Sidetree technology, and rather than storing every single DID as a transaction on a blockchain, what it does is it sort of batches DID documents together and then anchors them on the Bitcoin blockchain. At the moment it's not doing the anchoring: when we store something on ION, it's sitting within the ION network, as in the Identity Overlay Network; it will be anchored into the Bitcoin blockchain at some point. So it actually stores it in IPFS, the InterPlanetary File System, but the anchoring is onto a blockchain, and in this particular case it anchors into Bitcoin, or can anchor into Bitcoin. Microsoft also support what's called did:web, and with did:web what you do is you publish your actual DID document into your DNS namespace; you stick it on your website, basically.

The DID consists of a unique identifier and then the document. We've got the unique identifier, which I'll come back to in one second, and the document; the document is stored somewhere, okay. What we've got is this identifier starts "did", we then have a method, the method is really where the document is stored, and then we have a method-specific identifier. So for instance, we could store it on Bitcoin, in which case the method would be btcr, all right, and then you'd have a unique identifier that would find it on Bitcoin. It could be on Sovrin, in which case your method is sov. Microsoft uses ION, or the Identity Overlay Network, so the method is ion, and they also do did:web, and therefore the method here is web. Okay, and we'll see how those DIDs look in a moment.

So if we look at did:web, then the DID document is actually stored in entries in the DNS namespace. Literally, think about it: your DID document is stored on your website. Your website, how do you access it? HTTPS to your domain name. So we trust domain verification for all sorts of things; well, this is just another use of that trust. The format of the DID always starts "did", so it's did:web:domain name. So for instance, if my domain name is hr.xtub.com, the actual DID identifier is did:web:hr.xtub.com. And where's the DID document? Well, it's in a subdirectory, or a subfolder, which is .well-known, and the actual document itself is did.json. It's possible to specify paths, so what we can do is we can have multiple DID docs published in our space, and to do that we could actually have different paths where the documents are stored. It's also possible to use port numbers as well.

Now there are two sort of flavours when you're talking about DIDs: you've got the short version, short-form, versus the long-form DID. A long-form DID consists of the unique identifier, so did:ion etc., followed by the actual DID document, and that is a JSON Web Token, all right. So the actual DID document is in a JSON Web Token. The short-form DID just consists of the "did", the method and the method-specific identifier, and then the document is resolved appropriately. The long-form DID is actually used by the Microsoft Authenticator; it's also referred to as an unanchored DID, it's not published. In the future we'll have universal DID resolvers that we can use, so basically you go to a DID resolver, and whatever method you were using, it would find your DID document on whatever platform it was sitting. But for the moment Microsoft have set up a resolver, and at the moment it resolves did:ion and it resolves did:web. Their resolver at the moment is beta.discover.did.microsoft.com/1.0/identifiers, all right. And what we can do is, here you can see that I just add the did:web entry in there and
it will get back the DID document. I can also add the did:ion entry in there, and again it will bring back the document. There's also, if you want to experiment, the ION Explorer to look with. I'm going to show you this in one second, but do you remember when I said to you, look, it says verified, and there was a little verified tick? What it means is it is verified that the DID belongs to a particular domain, and the way that we do that is we put a link to the domain inside our DID document, and then the proof that that DID belongs to us is by publishing a did-configuration.json file in our DNS namespace, all right. So we publish that again on our website, and this is not the DID document; this is just proof that this DID, the one that's being referenced here, belongs to us. That way, in the Authenticator, when it says verified, it means that the DNS and the DID have been matched up together, and we know that that particular DID is owned by that particular DNS domain.

So what I'm going to do is look at resolving some DIDs. What I'm looking at here is I'm actually inside the organizational settings for Verified ID, and this particular organization is using a decentralized identifier which is did:web:hr.xshub.com. So I'm going to grab that and I'm going to go and just pop that on there, so I can actually use the Microsoft resolver. I'm also going to pop it in here so I can just show you that this is sitting on my website. So let's start off with actually using the resolver. Grab that, and I'll use an incognito window here to do this, so we'll pop that in, and it's resolved that DID document. What you can see is the actual public keys; you can also see the linked domain, and that's very important that we've got the linked domain. Let's just show that that document just exists on my website, so I'm going to drop that in there, and it's brought back exactly what we saw from the resolver. Okay, so my DID document, when I'm using did:web, is stored on my website, effectively.

Now if we go back and actually look at another organization, this organization here is using ION, so we've got a DID sitting here which begins did:ion. I'm going to grab that and I'm going to pop that into Notepad, and notice the first part here, up to the colon, is actually the short-form DID. I'm going to grab that, and then I'm going to actually pop it in over here so I can test the resolver, okay. So we're going to go across to the Microsoft resolver and we'll drop that in, and what we'll find is we get back the DID document; this time it has come from ION. So if we look, we've got the linked domain in there, and if we go down we've also got the public keys available to us, all right. And then what I can do is I can use an explorer. I can come up here, go to an explorer, and it gives you a sample DID, and if we search, what it says is actually "not published". So it's actually not published on the network, but because it starts did:ion and it's the long-form DID, it will break it up and display the DID document. What I want to do is go and get my DID for my organization and I'm going to add that in here. So we'll go back over, we'll grab my DID for my organization; this is the short-form DID, all right, so to get back the DID document it's going to have to go to the ION network, and it has, and yes, it's published. What we can see is we've got linked domains, we've also got in here our public key, and if we check on the linked domain, this is masterclass.xtub.com, so this is the owner of the DID.

So now, the entity generates the private key, and the entity includes the holder, so our user effectively has a DID generated for them, which is a private key, and the public key can be published onto either ION or the actual did:web. If we're looking at the Authenticator, oh, with the Authenticator it uses long-form DIDs. Okay, let's now have a look at our digital driving license again.

Now, if any of you are familiar with the mobile driver license, or mDL, that's under sort of development; it's a way of having a driving license which is digital, stored on a mobile device. This is nothing to do with that; I'm purely using my driving license as a way of showing how it can be represented as a verifiable credential, and that's all I'm trying to show here. So what we've got is we take our subject, and our subject goes inside an envelope along with the claims that the issuer has put together for that subject. So when we went to True Identity, the issuer, which was True Identity, gathered together lots of claims about the subject. It then signs that, so that is signed by the issuer; it has the DID of our user inside it, all right. Now that's fine, we could present it, but how do we know, let's say it's still Sally, how do we know it's Sally presenting it? Well, what we can do is wrap that verifiable credential inside another envelope, and inside there we can put the presenter; we can say the presenter is Sally, and then the wallet can digitally sign that. So now, basically, we've got the claims that have been asserted by the issuer, in our example it's the DLA; we then got the subject built in there; we then said the person presenting this is the same as the subject, which is good. So if the driving license got stolen and someone else presented it, it would get rejected. So we can now check that the correct person is presenting their driving license.

Now, one of the things when Sally got stopped by the police officer: she sort of looked and thought, oh yeah, it's a police officer, wearing a hat, got a uniform on and everything else. But we can go a stage further: when the police officer makes a presentation request, asking for a credential to actually be presented, that presentation request can be digitally signed, and digitally signed by the verifier. So now we know who we are presenting the credential to, so this gives us a really nice solution.

So what are Microsoft doing? They are giving us the Microsoft Entra Verified ID service. They will allow it to be an issuer, a verifier; the holder is going to be the Microsoft Authenticator, and here we can hold the credentials and we can also present the credentials. So remember True Identity: we presented that credential back to Woodgrove, and then we took the Woodgrove credential and presented it to the store that was going to give us a discount. There's integration with Azure AD, obviously, and there have been lots and lots of changes over time. You have to have an app to maybe issue a credential, an app to actually verify a credential, and at one time you had to do all the crypto maths, and if you think about it, it's signed by this, signed by that, and you need to verify all of this and create it. It was a lot of work and a lot of heavyweight crypto maths. So what Microsoft have done is they've moved all of that into a Verifiable Credentials Service Request API, so all we need to do is call that Service Request API with the right format and we can get that to actually issue and verify credentials. The VC is defined using display and rules definition files, and originally we needed an Azure storage account to hold those files in, and fairly recently, remember it's in preview at the moment, it will go GA in the not too distant future, Microsoft... you had to create a storage account to hold the display and rules files; right now they're integrated into the Verified ID service, and I'll show you that in one second.

So if we look at what we've got, we've got the components: the Verifiable Credentials Service Request API that will build issuance, and it will also build verification for us; we've got the Verifiable Credentials Service; and then we've got our own tenant, and in our tenant what we'll need is a Key Vault, that's where our signing keys are held for the service, okay. So we need a Key Vault, and then we'll need a service principal that will represent the API that we're going to call, and then we'll need a service principal that will actually represent the Verifiable Credentials Service, and both of those service principals will need access to Key Vault, so they will need to be provisioned with access to Key Vault itself. Now we want to call the Verifiable Credentials API, okay, we want to be able to actually call that particular API. To do that we're going to need an access token, right. To get an access token we're going to have to create and register an app inside our tenant, and we're then going to have to permission that app to the service principal. Right, now if you're not familiar with app registration, managing permissions, managing consent, because we have to grant consent as well, what you might like to do is think about coming on my identity master class. I'll tell you a little bit more about it later, but we go into a phenomenal amount of detail about app registration, OpenID Connect, OAuth 2, etc., etc. And also the next thing is, having done this, what we'll have is a client ID, which is the application ID, and a secret, which will allow us to provision that into the application, so the application can actually request an access token, which will allow it to authenticate to the actual service API. So that's basically the configuration in terms of understanding the apps.

One of the good things: there are good code samples, and if you have a look up on GitHub, that's one place to look, and what I'll do is I'll actually just pop into the chat window in here, pop those in, and those are the samples. Also I've got a blog; the blog is a little bit out of date, I know it's got to be updated, and I'm reluctant to do so until the service goes GA, so no doubt I'll be updating the blog before too long. And the
samples are in .NET, Java, Node or Python, whichever takes your fancy, in terms of creating these apps. So that's the issuer and the verifier app. And for some reason my screen won't move on. Okay.

So what I want to do is look at, when we set up the organization, this is how we set up the service. So this is the Verified ID service: we need to give an organization name, that's changeable, and we need to choose a Key Vault, so we create a new Key Vault if we want to, so we need an Azure subscription to have the Key Vault. And we can also decide what we're going to use as our trust anchor. Now notice this thing saying trusted domain: this is the domain where we're going to prove the linkage of our DID to that DNS name, right, and it's also, if we're going to use did:web, where we're going to publish our document. So if we click on Advanced, what we've got is the ability to choose to go for web or ION in terms of the trust anchor that we're going to use. If we go back to what I did earlier, what we can see is, after we've configured, we've got the Key Vault that's in there, we've got the signing keys, our recovery and update keys (they're there for future use, and the not too distant future), and we see it's generated an ION DID, and that's it. If you want to opt out of the service and clean out all your credentials, you can do that: you can delete the credentials and then reset the service as well. Okay, so it gives you a little bit of an idea of how that gets set up.

The next question you can ask yourself is, where do the claims come from? How does the issuer get hold of them? Well, we've seen one method, which is statically defining those credentials, all right. So this is where our identity proofing service has gathered all the information about us, statically defined those claims, and then given a PIN to the user to get that particular VC. Another method is we could log in. So for instance, in the Woodgrove scenario, rather than, once we've provisioned the account, Matthew having to pick up the employee thing saying he is actually an employee of Woodgrove, what he could have done is picked that up, rather than using the PIN, by signing in. That would be another option. If you want, you can get a user to assert claims themselves, so we can actually type in our claims inside the Authenticator app, and it might be that you need a user to prove that they've done some things and they've picked up numbers or codes, and they can put those in themselves. The other thing is we can take from other VCs, so you could take claims out of a couple of different VCs, bring them together, amalgamate them into a new VC, and then the verifier could request the presentation of a single VC or multiple VCs. So the verifier can actually do that.

Now in terms of creating a credential, how do we do it? Well, if you remember, I said there's a display definition and there's a rules definition; this you now do in the UX. If we look at the display definition, what it is, and a lot of it's fairly obvious: background color, all right, the description that's in there, and actually I just realized I changed the background color on this after I copied that, but never mind; it's not 000000, which would be black, and actually, yes, I've changed the color as well, so it's not quite right in terms of the color, so ignore the colors. But you can see there's a description, issued by, there's a logo that goes in, a title, and then below the actual card what you've got is the details that have come out of the VC. So what we've got in there, this has come from the VC, and the claim in the VC was first name, and we're displaying that as James, and then we can decide what label we put on it, so here we're just using the label name. So actually in the credential it was called first name, but when we display it in the Authenticator, it's just name.

The rules definition is how you get the actual claims into the verifiable credential, and this particular example here is using an ID token hint. There are various ways: remember, we can statically define them and take it with a PIN, we could sign in with an OpenID Connect sign-in, we could do that as well, and the other methods that we can use, and that's defined in the rules file. The rules definition and the display definition get combined, and they get combined into what's called a manifest, or a contract, and there's a URL where this can be picked up. So the Authenticator, when it's told to get a particular credential, what it will do is it will get the manifest, and then it knows how to display the card and it knows what to do in terms of getting the claims. There are quick starts now; this is fairly new, and I've got a Verified Employee quick start which will create me a credential with a display name, a given name, a job title, a surname, etc., and what we can do is change the look and feel of the card in terms of the logo, the text color and the background color. So that's quite a nice way of starting.

So we look at the issuance. This is from the Microsoft sample application: it throws up a web page which has "Get Credential", Verified Credential, on it. Click on Get Credential and then it's running; it's going from index.html to issuer.html, and then it's just displaying a page which says Get Credential. Click on Get Credential and we trigger code flow in issuer.js, which is our actual code. So we're going to get an access token for the API; we cannot call the API without an access token. The next thing we do is assemble an API request, which is basically what we want to do: we're issuing, so we're going to tell the API what verifiable credential we want issued, and we'll supply a manifest URL for doing that. We then call the API, and the API comes
back with a response and as part of that response it can give you back a QR code or it can give you back a link and you can generate your own QR code and then oh it sits there the front end front-end web page polling um issuer.js to see if there's been a callback because once the um you scan the QR code what will happen is the verifiable credential service request will do a queue callback saying the QR code has been scanned so now we can actually say that and then it's going to be sitting polling again waiting for the results so if this was successfully issued and accepted then we get success and we complete the process now the the only difficult bit in your code is knowing what um you know what the the body should look like in terms of assembling the API request data and um that looks something like that I just cite uh highlighted we have the authority which is who is going to issue this thing uh we have the the type of the credential which in this particular case is alumni and then we have the Manifest URL all right then we've got information about callback whether we get a QR code Etc now the nice thing about it well Microsoft have done is they give you the issuance API request body so you can just cut and paste that into your application so that's available uh coming soon and this will look very exciting um users can actually be notified by the Microsoft authenticator that a credential is ready for them to actually pick up um so you can decide that you know a particular group of users needs a particular credential type you publish it it gets notified by the Microsoft authenticator app or sorry notified to the Microsoft authenticator app the user will see it and then can go through the issuance process and you don't have to write any code to get that issued um the product group we're very kind uh you won't see this today but they were very kind said I could actually use this in my presentation so that's great thank you um so in terms of the uh presentation 
verification request it's a sort of similar process so we go we then build a uh using verify.js we assemble an API request data um having got the access token we make the call and then what it does covers back with the QR code and then yes you guessed it it's polling for results so it gets informed the QR code has been scanned and what the QR code doing is allowing the authenticator to pick up a presentation request having picked it up it then submits that back to the verifiable credential service or the credential service request API and and then and and then what will happen is that can then validate the credentials so there's no heavy work in terms of checking signatures or anything else in your application so now we're listening again for callback success and we can display the success of that callback so that that's that now um again uh if we look at what we need to do in the request body uh we need to basically specify the alumni as the type that we want and then we say who will accept that particular card from again um there's help so number one there's a published directory of issuers um and you can decide whether you publish something or not but if you if you publish a quick start credential that credential automatically gets published so I can find my issuer so here uh regus.com it's an issuer published it's publicly available and then what I can do is find the verifiable credential and now if I uh go through that so I go verification request find what I want and then continue on from there and I will get the API body to call so that's again a very nice uh integration and simplifying uh dealing with verification there's a management API so to call the API you will need an access token so in exactly the same way as we configured the call to the um this the other Service uh we can we need an app registration so we can get an access token to the management API and then obviously call the API to configure the service um how do we use VCS this is really open 
to uh a lot of thought and you can start thinking about how you can use feces here's our fully verified uh user um who's been maybe true identity but you know what we want to know whether the user has a diploma or a degree so what we can do is we can have the user present a verifiable credential from their college that proves that they actually have this academic achievement um and then we can have our organizations identity access management system and we could have a user that is fully verified that presents a credential what can we do we can onboard them based on that uh we could use it um for some sort of verification service um before someone's allowed to do a self-service password reset so we could use it for that before we issue them with the temporary access pass so they can update um their configuration uh for their security details you know in their 502 keys and their phone and all the rest of it we can get their temporary access pass and then what we could do is we could have an app and say you are only allowed to use this app uh or other resources if you can present to me the fact that you have done the cyber security awareness training so I can go to training facilitator I could get a certificate back and present it um so interoperability absolutely crucial and um again what I'll do is I'll drop this into the chat so just pop that over there and um so have a look at that profile uh also have a look at the appendix and profile there's lots of references to the other standards there's a lot of Standards involved uh decentralized uh identity Foundation is working the you know www is working on it as well um and get involved you know for your organization uh think about your industry sector your vertical uh what type of schemas and what type of specs would you want for VCS could you get them adopted so you could take a VC from any issuer and use that um and that would be a very interesting scenario the other thing I do is I try and encourage people to 
start conversations in their own organization and it's not just about I.T it's very much about involving all your departments because your legal department users could your marketing department use it could your you know the the um oh I don't know any any department just just um get everyone involved uh you may wonder about backup well that's uh that's taken care of as well so what we've got is uh the ability to export your credentials and it sort of does it in an industry standard way you have to uh create a 12 word recovery phrase all right which is going to be your seed which will allow you to basically get back in um to recover the VCS and then what you do is you put them in the words so they're in order so you need to put in rancid abstract uh really and and of course these are regenerated each time um that you do the backup and then you uh can export your credentials and then to import them uh what you'll have to do is supply that recovery phrase to bring them in so you'll end up with an encrypted file with all your credentials from your wallet in it plus all the receipts you know the receipts that we we used um to say that we've got the credential that we presented the credential and so on uh coming soon and uh again thank you very much the product group uh to allow me to to show this um you will find that it is going to integrate uh with entitlement management um now if you're not familiar with entitlement management it's part of governance which is part of a P2 license in Azure ad um and I just got a couple of slides just introducing the idea and concept behind an access package so in your tenant you've got lots of resources right applications groups and sites and what you can do is you can gather those together into an access package right and if someone is given access to that access package they'll automatically have access to at one app to group one and site one and you can have policies that Define our users how guests can gain access to the access 
package that's been around for a long time it's absolutely super I I love access packages what I really like about access packages is the way they're designed for delegation so I can have a department which creates a catalog of their resources it's just the resources that that department uses and then you could have a project manager who creates access packages for different projects all right so and those what the resources that go in there are going to be picked from the catalog um and then what we can do is we can sign an access package to someone or we can allow them to actually ask for the access package so there there's a access package the thing that you may notice down here is issuer a decentralized ID um and what and it's also the credential try is true identity and if we go on um what you'll be asked for is to get access to this access package when we're using my access so this is the how the user gets access to an access package uh goes to my access it's being asked to present a proof um you know a particular VC so the scan the QR code exactly as we've seen now they've got access to the access package um that that is is coming in the not too distance future if you'd like to be informed by Microsoft I've got a link to a form you can fill in and they will let you know when the entitlement management and the integration with uh the the verified ID goes into uh public preview I I will give you that in one second now as we've gone through this um a lot of it also all depends on Azure ad authentication underlying securing access to apps um and if you want to know more about this or registering your apps in ad application protocols you know the Federated protocols including open ID connect North two um the proxy and and a whole lot more than if that's of interest to you then have a look at my identity masterclass um the next run of it is actually in October there are two events in October um one uh in Eastern Standard Time and one in Central European Time and 
you know what when I just saw the announcements of Microsoft ignite I thought oh no we're going to clash but we're not so I'm very pleased to say it doesn't clash with Ignite um it's always got absolutely rave reviews um have a look at the full spec it's on learn.xcseminars.co.uk um and uh I'm so confident you'll like it we're doing money back guarantee um I I've never had anyone that has been dissatisfied with the event there are some minor terms and conditions like you have to change turn up you have to attempt the Hands-On Lads and things like that um there's an awful lot of Hands-On Labs I think you'll find it a really really useful week so um I'm going to drop the uh evaluation week I I've spent um I don't know you might be able to guess I have spent a phenomenal amount of time actually putting this together um and I've been working on this since uh 2018 really not on this slide deck obviously and what I'd like to do is just you know it's a free event um and I know there was about two minutes of marketing but what I'd love you to do is fill in the evaluation and just spend a few minutes of your time uh to give me feedback and um and also if you want to sign up for the um extra uh VCS I can put that and what it will do is it will inform you when entitlement management and VCS or verified ID uh will go public that brings us to the end of the webinar um I I know I've seen some questions what I'll do um is I will uh maybe answer them on Twitter um or if um they won't fit on Twitter I will answer them via uh LinkedIn and you you'll be able to so what I'll do is I'll I'll tweet thanks for watching my channel subscribe for more free training you might like to join me for my identity masterclass hopefully see you soon [Music]
Info
Channel: John Craddock Identity and Access Training
Views: 904
Keywords: John Craddock Identity and Access Training, Verified IDs, Verified Credentials, VC, VCs, Azure AD, Identity, Microsoft Entra, Deep-dive, Microsoft Authenticator, Issuing, Verifying, How Verified IDs work, Wallet, Verify once, John Craddock, John_Craddock
Id: xLTBPui7e4g
Length: 63min 18sec (3798 seconds)
Published: Fri Feb 17 2023