Microsoft Entra Verified ID

1Kosmos and Microsoft Entra Verified ID unite to deliver trusted, privacy-preserving identity verification that empowers secure, passwordless access across ecosystems.

Integration type: Auth/IDP

Overview

1Kosmos is a listed identity verification partner in the Microsoft Entra Verified ID partner gallery. The integration connects 1Kosmos as the identity proofing engine for issuing verifiable credentials through the Entra Verified ID platform.

What we solve

Verifiable credential programs depend on strong identity proofing at issuance—otherwise organizations risk issuing trusted credentials to the wrong person. This integration uses 1Kosmos as the identity proofing layer for Microsoft Entra Verified ID, helping teams verify identities with high assurance before credentials are issued, improving trust, compliance, and cross-ecosystem interoperability.

During enrollment or onboarding, a user completes a government ID scan and biometric selfie through 1Kosmos. Upon successful verification, 1Kosmos generates a verifiable credential that is provisioned directly into the user's Microsoft Authenticator wallet.

This gives organizations a high-assurance, privacy-preserving digital credential backed by document verification and liveness-checked biometrics, meeting NIST IAL2 standards. The issued credential is user-controlled and stored only in the Authenticator wallet, not server-side.

Prerequisites

  • Active 1Kosmos tenant with IDV enabled: Contact your 1Kosmos representative to confirm IDV is active on your tenant and that the sample VerifiedID application has been deployed.

  • Microsoft Entra ID tenant: With Entra Verified ID enabled. Configuration is done in the Entra portal at entra.microsoft.com.

  • Microsoft Authenticator app: Required on end-user mobile devices for verifiable credential wallet provisioning. Other wallet apps are not supported for this issuance flow.

  • App registration permissions: An administrator must have rights to register applications in Entra ID and assign API permissions for the Verifiable Credentials Service Request.

Configuration values

Values to collect from Entra after app registration:

| Field | Where to find it |
| --- | --- |
| Tenant ID | Entra portal → Overview |
| Client ID | Generated during app registration |
| Client Secret | App registration → Certificates & secrets |
| Issuer DID | Entra Verified ID → Organization settings |

Values to collect from 1Kosmos after tenant configuration:

| Field | Where to find it |
| --- | --- |
| ID proofing flow URL | Provided by your 1Kosmos representative |
| Verification journey | KYC with Selfie or Document Verification Only |

Integration steps

Step 1: Register the 1Kosmos app in Entra

In the Entra portal, navigate to Azure Active Directory → App registrations → New registration. Name the application (e.g., "1Kosmos VerifiedID"), set the redirect URI, and assign the Verifiable Credentials Service Request API permission under API permissions → Add a permission.

Step 2: Retrieve the Client ID and Client Secret

After registration, copy the Application (Client) ID from the app overview. Navigate to Certificates & secrets → New client secret, set an expiry, and copy the generated value immediately. Provide both the Client ID and Client Secret to your 1Kosmos representative.

Step 3: Configure the verification journey in 1Kosmos

In the 1Kosmos AdminX portal, navigate to Verification Flows and create a new verification journey. Select the journey type based on your assurance requirements:

  • KYC with Selfie: User scans a government-issued ID and captures a selfie for biometric comparison with liveness detection. Delivers NIST IAL2.

  • Document Verification Only: Standalone document scan without a biometric selfie.

Step 4: Complete the Entra integration setup

In the 1Kosmos admin portal, enter your Entra Tenant ID and issuer configuration to establish the communication channel between 1Kosmos and Entra Verified ID. Your 1Kosmos representative will confirm the connection is active.

Step 5: Test credential issuance

Navigate to the sample VerifiedID application. Enter a test user email address, select the document type and device, and complete the verification steps: submit the identity document → capture selfie → scan the generated QR code with Microsoft Authenticator. The verifiable credential will appear in the user's Authenticator wallet under "Verifiable credentials."

Step 6: Deploy to end users

Configure the verification flow as the identity proofing step for your onboarding or enrollment journey. To verify issued credentials during access events, use the Microsoft Entra Verified ID Presentation Request API to send a presentation request to users and receive back their signed credential proof.
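The presentation step in Step 6, seen from the relying party, as an added example (not 1Kosmos or Microsoft code): it builds a presentation request body that accepts only your Issuer DID, then validates the callback before trusting any claims. Field names follow Microsoft's Request Service REST API; the credential type, DIDs, callback URL and api-key are constructed placeholders.

```python
import hmac

# Assumptions (not from the page): credential type name, DIDs and callback URL
# are constructed placeholders. Substitute the values from your own tenant.
CRED_TYPE = "VerifiedIdentity"
ISSUER_DID = "did:web:issuer.example.com"      # Issuer DID from Organization settings
VERIFIER_DID = "did:web:verifier.example.com"  # DID of the relying party's authority

def build_presentation_request(state, api_key):
    """JSON body for POST .../verifiableCredentials/createPresentationRequest."""
    return {
        "authority": VERIFIER_DID,
        "registration": {"clientName": "Example relying party"},
        # The service echoes `state` and the api-key header back on every callback.
        "callback": {"url": "https://rp.example.com/vc/callback", "state": state,
                     "headers": {"api-key": api_key}},
        "requestedCredentials": [{
            "type": CRED_TYPE,
            "purpose": "Confirm the identity proofed at onboarding",
            "acceptedIssuers": [ISSUER_DID],   # reject credentials from any other issuer
            "configuration": {"validation": {"allowRevoked": False,
                                             "validateLinkedDomain": True}},
        }],
    }

def validate_callback(headers, body, expected_state, api_key):
    """Return the claims only if the callback is authentic and the credential is acceptable.

    `headers` is a dict with lower-cased header names; `body` is the parsed JSON.
    """
    sent = headers.get("api-key", "").encode()
    if not hmac.compare_digest(sent, api_key.encode()):
        raise PermissionError("callback api-key mismatch")
    if body.get("state") != expected_state:
        raise ValueError("state does not match this session")
    if body.get("requestStatus") != "presentation_verified":
        return None  # e.g. request_retrieved: QR code scanned, nothing presented yet
    # Re-check issuer, type and revocation locally instead of trusting the request alone.
    for vc in body.get("verifiedCredentialsData", []):
        if (vc.get("issuer") == ISSUER_DID and CRED_TYPE in vc.get("type", [])
                and vc.get("credentialState", {}).get("revocationStatus") == "VALID"):
            return vc["claims"]
    raise ValueError("no valid credential from the accepted issuer")
```

Generate a fresh random `state` and api-key per request and discard the `state` after the first `presentation_verified` callback so a captured callback cannot be replayed.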

Integration notes

Verifiable credentials issued through this flow are stored exclusively in the user's Microsoft Authenticator wallet. Neither Microsoft nor 1Kosmos retains the credential server-side after issuance, consistent with the W3C Verifiable Credentials data model and privacy-by-design principles.

For presentation and verification flows post-issuance, refer to Microsoft's Entra Verified ID documentation at learn.microsoft.com. Organizations requiring credential verification across multiple relying parties can configure additional presentation request flows within the same Entra Verified ID setup.


Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
