d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3bf47efa2bace8530fab2e55aa219ec02329fd3c
the_order/docs/training/ENTRA_VERIFIEDID_TRAINING.md
defiQUG 92cc41d26d Add Legal Office seal and complete Azure CDN deployment 
- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS
2025-11-12 22:03:42 -08:00

242 lines
6.1 KiB
Markdown
Raw Blame History

# Entra VerifiedID Integration - Team Training Guide
## Training Overview
This guide provides training materials for the operations and development teams on the Entra VerifiedID integration.
## Training Objectives
By the end of this training, team members should be able to:
1. Understand Entra VerifiedID integration architecture
2. Deploy and configure the integration
3. Monitor and troubleshoot issues
4. Perform common operations
5. Handle emergencies
## Training Modules
### Module 1: Architecture Overview (30 minutes)
#### What is Entra VerifiedID?
- Microsoft's managed service for verifiable credentials
- Issues W3C-compliant verifiable credentials
- Provides QR codes for mobile wallet integration
- Handles credential lifecycle management
#### Integration Architecture
```
Client → Identity Service → Entra VerifiedID API
Database (tracking)
Event Bus (notifications)
Monitoring (metrics)
```
#### Key Components
- **EntraVerifiedIDClient**: Base client for API communication
- **EnhancedEntraVerifiedIDClient**: Enhanced with retry and multi-manifest
- **Webhook Handler**: Processes status updates
- **Metrics**: Prometheus metrics for monitoring
### Module 2: Deployment (45 minutes)
#### Prerequisites
- Azure subscription access
- Kubernetes cluster access
- Key Vault access
#### Deployment Steps
1. **Azure Configuration**
```bash
./scripts/deploy/setup-entra-automated.sh
```
2. **Environment Setup**
```bash
./scripts/deploy/configure-env-dev.sh
```
3. **Staging Deployment**
```bash
./scripts/deploy/deploy-staging.sh
```
4. **Production Deployment**
```bash
./scripts/deploy/deploy-production.sh
```
#### Hands-On Exercise
- Deploy to staging environment
- Verify deployment
- Test credential issuance
### Module 3: Operations (45 minutes)
#### Daily Operations
- Health checks
- Monitoring dashboards
- Log review
#### Common Operations
- Issue credential manually
- Check credential status
- Verify credential
- View metrics
#### Hands-On Exercise
- Issue a test credential
- Monitor metrics
- Check logs
### Module 4: Monitoring & Troubleshooting (60 minutes)
#### Key Metrics
- Issuance success rate
- API latency
- Error rates
- Webhook processing
#### Common Issues
1. **Credential Issuance Failing**
- Check Entra credentials
- Verify API permissions
- Check network connectivity
2. **Webhooks Not Received**
- Verify webhook URL configuration
- Check firewall rules
- Review webhook logs
3. **High Latency**
- Check network connectivity
- Review retry configuration
- Check Entra API status
#### Troubleshooting Workflow
1. Check service health
2. Review logs
3. Check metrics
4. Verify configuration
5. Test connectivity
#### Hands-On Exercise
- Simulate common issues
- Practice troubleshooting
- Use diagnostic commands
### Module 5: Emergency Procedures (30 minutes)
#### When to Disable Integration
- Critical security issue
- Entra API outage
- Data corruption
#### Disable Procedure
```bash
# Scale down service
kubectl scale deployment identity-service -n the-order-prod --replicas=0
# Or disable routes
kubectl set env deployment/identity-service ENTRA_TENANT_ID="" -n the-order-prod
```
#### Rollback Procedure
```bash
kubectl rollout undo deployment/identity-service -n the-order-prod
```
#### Hands-On Exercise
- Practice disable procedure
- Practice rollback
- Verify service recovery
## Training Materials
### Documentation
- [Deployment Checklist](../deployment/ENTRA_VERIFIEDID_DEPLOYMENT_CHECKLIST.md)
- [Operational Runbook](../operations/ENTRA_VERIFIEDID_RUNBOOK.md)
- [Integration Guide](../integrations/MICROSOFT_ENTRA_VERIFIEDID.md)
### Scripts
- `scripts/deploy/setup-entra-automated.sh`
- `scripts/deploy/deploy-staging.sh`
- `scripts/test/test-all-entra-features.sh`
- `scripts/validation/validate-entra-config.sh`
### Test Environment
- Staging environment for hands-on practice
- Test credentials for safe experimentation
## Assessment
### Knowledge Check
1. What are the required environment variables?
2. How do you check if Entra integration is working?
3. What metrics indicate a problem?
4. How do you disable the integration in an emergency?
### Practical Assessment
1. Deploy to staging
2. Issue a test credential
3. Troubleshoot a simulated issue
4. Perform a rollback
## Resources
### Internal
- Runbook: `docs/operations/ENTRA_VERIFIEDID_RUNBOOK.md`
- Troubleshooting: See runbook troubleshooting section
- On-call procedures: [Contact Information]
### External
- [Microsoft Entra VerifiedID Docs](https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/)
- [Azure Portal](https://portal.azure.com)
- [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade)
## Training Schedule
### Recommended Training Plan
- **Week 1**: Architecture and Deployment (2 hours)
- **Week 2**: Operations and Monitoring (2 hours)
- **Week 3**: Troubleshooting and Emergencies (2 hours)
- **Week 4**: Assessment and Certification (1 hour)
### Follow-Up
- Monthly review sessions
- Quarterly updates on new features
- Annual recertification
## Questions & Answers
### Common Questions
**Q: What happens if Entra API is down?**
A: The integration will retry automatically. If all retries fail, errors are logged and metrics are updated. Consider disabling integration if outage is prolonged.
**Q: How do we rotate client secrets?**
A: Create new secret in Azure Portal, update in Key Vault, restart service. See runbook for detailed steps.
**Q: Can we use multiple credential types?**
A: Yes! Configure `ENTRA_MANIFESTS` environment variable with JSON mapping. Use `manifestName` parameter in API calls.
**Q: How do we monitor success rates?**
A: Use Grafana dashboard or Prometheus queries. Alert on success rate < 95%.
## Certification
To be certified on Entra VerifiedID operations, team members must:
1. Complete all training modules
2. Pass knowledge check (80% or higher)
3. Successfully complete practical assessment
4. Demonstrate ability to troubleshoot common issues
---
**Training Version**: 1.0
**Last Updated**: [Current Date]
**Next Review**: [Date + 3 months]
Reference in New Issue View Git Blame Copy Permalink