diff --git a/.tool-versions copy b/.tool-versions copy deleted file mode 100644 index d720b89d..00000000 --- a/.tool-versions copy +++ /dev/null @@ -1,12 +0,0 @@ -nodejs 16.14.0 -python 3.11.0 -kubectl 1.24.2 -oc 4.7.5 -helm 3.8.2 -yarn 1.22.4 -k6 0.34.1 -terraform 1.2.0 -terraform-docs 0.12.1 -tflint 0.28.1 -java openjdk-14.0.1 -gradle 7.3.1 diff --git a/mkdocs.yml b/mkdocs.yml index 7e3debff..ccb7bb96 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,9 +1,10 @@ site_name: BC Gov Common Hosted Single Sign-on docs_dir: wiki -edit_uri: edit/main/wiki/ +# TODO: change branch on dev merge +edit_uri: https://github.com/bcgov/sso-keycloak/edit/wiki/wiki/ nav: - - Home: Home.md + - Home: index.md - SSO Onboarding: SSO-Onboarding.md - Using Your SSO Client: Using-Your-SSO-Client.md - What is Keycloak at BC Government: What-is-Keycloak-at-BC-Government.md @@ -12,12 +13,15 @@ nav: - Handling Authorization/Create a Role: Creating-a-Role.md - Useful References: Useful-References.md - Pathfinder SSO Uptime: Pathfinder-Uptime-Monitoring.md - - Our Service Level: Alerts-and-Us.md#/service-levels + - Alerts and Us: Alerts-and-Us.md + - Our Service Level: Alerts-and-Us#service-levels - Additional Help: Additional-Help.md + plugins: - techdocs-core - ezlinks markdown_extensions: + - attr_list - markdown_inline_mermaid - md_in_html - mkpatcher: diff --git a/wiki/Additional-Help.md b/wiki/Additional-Help.md index ddeac01c..c69772a9 100644 --- a/wiki/Additional-Help.md +++ b/wiki/Additional-Help.md 
@@ -2,14 +2,8 @@ Many development teams have gone through similar processes in exploring Pathfind - FAQ's - The Pathfinder SSO team tracks some frequently asked questions and with answers are made available through the following link: [FAQ's](https://github.com/bcgov/sso-keycloak/discussions/categories/gold-q-a). - We encourage you to join the Pathfinder SSO community on [RocketChat](https://chat.developer.gov.bc.ca/channel/sso) and post questions there. Be specific and clear when raising questions or issues and include your user case and expected results. - If you find a problem, issue or a bug, please create a GitHub issue [here](https://github.com/bcgov/sso-keycloak/discussions/new?category=q-a) first, and let the team know by posting in RocketChat. -- The team prefers the channels described above, but if you need to send a message to the team, please email the [Product Owner](mailto:bcgov.sso@gov.bc.ca). +- The team prefers the channels described above, but if you need to send a message to the team, please email the Product Owner. Within RocketChat if you see someone asking questions or have issues for which you may have a solution, please feel free to help out and contribute in RocketChat. We very much appreciate your contributions. - - - - ![Blobs in Forest](./img/blobs-in-forest.png) diff --git a/wiki/Alerts-and-Us.md b/wiki/Alerts-and-Us.md index 61e02bb1..db6f6106 100644 --- a/wiki/Alerts-and-Us.md +++ b/wiki/Alerts-and-Us.md @@ -1,5 +1,6 @@ +# Alerts and Us Here's an overview of our Service Levels and Metrics on our acknowledge and response times: -# Service Levels +## Service Levels We often get questions about our Service Level Agreement and over the years we've come to realize the answer is not that simple. This an attempt to plain language the our Service Levels, other systems that impact our SLA as we are a subset of a larger system, our approach to keeping systems stable and reliable, and our future thinking. ## What is our Service 
@@ -67,7 +68,7 @@ As of writing (April 2023) we define our service levels as: • Our regular business hours are weekdays from 9:00 am to 5:00 pm Pacific Time, excluding statutory holidays. Client provisioning questions and requests will be reviewed and handled during normal business hours. After hours support is provided by the Pathfinder SSO team, and is only available for service outages and other incidents that impact the service -• To learn more about our service uptime monitoring, please [visit our uptime page on our wiki](https://github.com/bcgov/sso-keycloak/wiki/Pathfinder-Uptime-Monitoring) and join our [newsletter](https://subscribe.developer.gov.bc.ca/) to receive important updates on the service and any outages. +• To learn more about our service uptime monitoring, please [visit our uptime page](Pathfinder-Uptime-Monitoring) and join our [newsletter](https://subscribe.developer.gov.bc.ca/) to receive important updates on the service and any outages. **Our approach to stability and reliability (Support Incident Response Times)** 
@@ -83,7 +84,7 @@ The team responds to all service incidents through our 24/7 process where our te > P4 - Low - respond within 45 mins > -As a very responsive team, you will see our metrics over the years and that we respond very quickly [2022 and 2023 Recap of Alerts/Incidents](https://github.com/bcgov/sso-keycloak/wiki/Alerts-and-Us#metrics) +As a very responsive team, you will see our metrics over the years and that we respond very quickly [2022 and 2023 Recap of Alerts/Incidents](Alerts-and-Us.md#metrics) It should be noted that our current version of Redhat SSO does not enable us to offer zero downtime aka [blue green deployments](https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/blue-green-deployments.html). As a result, when we need to upgrade our Redhat SSO version or need to apply a patch, we advise our clients in advance via [RocketChat](https://chat.developer.gov.bc.ca/channel/sso) with a note that active sessions may be lost ie: end users may have to login again. @@ -125,9 +126,9 @@ Join our monthly open demos as we share where we are going. ## Historic Uptime The uptime for a given alert over a range by using a custom range on the alert screen: -![image](https://github.com/bcgov/sso-keycloak/assets/9705602/d7c3492b-af1f-451d-bcec-f415d563a0ef) +![Uptime range](./img/uptime-range.png) Uptime will calculate the total downtime for the alert -![image](https://github.com/bcgov/sso-keycloak/assets/9705602/7892e68c-8534-4f56-87d9-1a42aac60003) +![image](./img/total-downtime.png) ### Gold Keycloak SSO Prod End User Access Uptime diff --git a/wiki/Creating-a-Role.md b/wiki/Creating-a-Role.md index b74486b0..a9d488bb 100644 --- a/wiki/Creating-a-Role.md +++ b/wiki/Creating-a-Role.md @@ -1,6 +1,3 @@ - -*** - You've asked and we've listened, we've created the ability for you to create roles for your SSO integration. ### What are roles in the Common Hosted Single Sign On (CSS) App? 
diff --git a/wiki/Identity-Provider-Attribute-Mapping.md b/wiki/Identity-Provider-Attribute-Mapping.md index 931bf614..8fcdcc47 100644 --- a/wiki/Identity-Provider-Attribute-Mapping.md +++ b/wiki/Identity-Provider-Attribute-Mapping.md @@ -1,7 +1,6 @@ -IDP mappers_ June2023 - -GitHub_IDP_Mappers _ June2023 +![IDP Mappers](./img/idp-mappers.jpg) +![Github IDP Mappers](./img/gh-idp-mappers.jpg) * Any other attribute can be fetched by the app itself using [IDIM Web Services](https://sminfo.gov.bc.ca/) diff --git a/wiki/Our-Partners-and-Useful-Information.md b/wiki/Our-Partners-and-Useful-Information.md index 6e1865f7..ab4bb1d8 100644 --- a/wiki/Our-Partners-and-Useful-Information.md +++ b/wiki/Our-Partners-and-Useful-Information.md 
@@ -1,17 +1,17 @@ ## Navigation -- [What are identity providers, and which are available to BC Government?](#What-are-identity-providers) -- [Azure IDIR and IDIR - What's the difference?](#Azure-IDIR-and-IDIR) +- [What are identity providers, and which are available to BC Government?](#what-are-identity-providers) +- [Azure IDIR and IDIR - What's the difference?](#azure-idir-and-idir) - [Common Login Errors](#common-login-errors) -- [BC Service Card Integration](#BC-service-card-integration) -- [Identity Provider Attribute Mapping](https://github.com/bcgov/sso-keycloak/wiki/Identity-Provider-Attribute-Mapping) +- [BC Service Card Integration](#bc-service-card-integration) +- [Identity Provider Attribute Mapping](Identity-Provider-Attribute-Mapping) - [BC Government Identity Standards aka IM/IT Identity Standards](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/find-a-standard#id_mgt) -## What are identity providers? +## What are Identity Providers? -[Identity providers](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#identity-provider) are directories of user accounts with details about those users, called attributes. The ones available to Pathfinder SSO Clients are: +[Identity providers](Useful-References#identity-provider) are directories of user accounts with details about those users, called attributes. The ones available to Pathfinder SSO Clients are: - **IDIR** IDIR accounts are given to individuals who work for the B.C. government. Each account has an IDIR username and password for logging in. [reference](https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/identity-and-authentication-services/login-best-practices/language-consistency) - **Azure IDIR** IDIR accounts with the added the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR. 
[reference](https://intranet.gov.bc.ca/thehub/ocio/ocio-enterprise-services/information-security-branch/information-security-mfa/mfa-registration) @@ -26,7 +26,7 @@ - **GitHub associated with BC Gov Org** Allows login of GitHub BC Gov Org member. At the time of writing, production approval for this requires you to obtain an exemption to the IM/IT standards. [IM/IT Standards Frequently Asked Questions](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/im-it-standards-faqs) -## Azure IDIR and IDIR? +## Azure IDIR and IDIR Using Azure IDIR adds the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR. You may have to educate your end users on MFA and please take note if your IDIR is not tied to a gov.bc.ca email address, please use idir_username@gov.bc.ca when prompted for your email. @@ -34,7 +34,8 @@ You may have to educate your end users on MFA and please take note if your IDIR You can **learn** [here from our IDIR Partner](https://intranet.gov.bc.ca/thehub/ocio/ocio-enterprise-services/information-security-branch/information-security-mfa/mfa-registration) Also note if you get an error message similar to the one below, please ensure the end user has an BC Gov Azure IDIR account in order to gain access. - + +![Azure IDIR error](./img/azureidir-error.png){: style="width:320px;height:400px"} ## Common Login Errors 
@@ -46,16 +47,15 @@ Please use a private browser by either using incognito or clearing your cache. ### Other issues -Please ensure you have tested with an incognito browser as mentioned above. If it is still an issue, reachout to use on [rocketchat](https://chat.developer.gov.bc.ca/channel/sso) +Please ensure you have tested with an incognito browser as mentioned above. If it is still an issue, reachout to us on [rocketchat](https://chat.developer.gov.bc.ca/channel/sso). ## Digital Credential Configuration This defines which credential (or combinations of credentials) will be requested at user authentication. -Please work with the DITP team ditp.support@gov.bc.ca to define whether an existing configuration can be used, or a new one should be created for the specific use-case. Additionally, some best practices that need to be implemented at the application level can be found [here](https://github.com/bcgov/vc-authn-oidc/blob/main/docs/BestPractices.md) +Please work with the DITP team ditp.support@gov.bc.ca to define whether an existing configuration can be used, or a new one should be created for the specific use-case. Additionally, some best practices that need to be implemented at the application level can be found [here](https://github.com/bcgov/vc-authn-oidc/blob/main/docs/BestPractices.md). ## BC Service Card Integration -
*BC Services Card provides an Open ID Connect authentication server. Integration to this service is not available in the *standard* realms.* @@ -67,8 +67,6 @@ The IDIM team that manages BCSC integration is responsible for safeguarding the
Join an Existing Dedicated Custom Realm -
- With approval from IDIM, it is possible to join an existing realm that shares the same security context as your application and already has BCSC set up. This generally means that the existing clients are all from the same ministry or sector and have the same requirements for personal information through the login process. There are very few instances of this pattern at this time, but it is an option that is possible with the help and approval of IDIM. @@ -78,7 +76,6 @@ Be that as it may, if there is a closely related project in your ministry or sec
Integrate Directly with BCSC -
Since IDIM provides an OIDC service for BCSC, your app can integrate directly with that service instead of brokering through Pathfinder SSO. Their security practices usually require a client per application in any case, so your architecture might not require using Pathfinder SSO as a proxy authentication service anyway. In addition, this pattern removes one possible point of failure from the application architecture. @@ -89,16 +86,12 @@ Be mindful however that the SSO (Keycloak) product does offer token and session
Configure and Manage Your Own Dedicated KeyCloak Server -
- - KeyCloak runs on JBoss quite happily in a Docker container with a PostgreSQL backend. If you really need features provided by KeyCloak and you want to integrate with BCSC, it's possible to run your own KeyCloak server and configure your connection to BCSC by setting up your own OIDC IDP.
Obtain a Dedicated KeyCloak Realm on the Pathfinder SSO service -
If the service gets to the point where there are "slots" to create new dedicated realms, a BCSC identity provider can be securely configured within a realm dedicated to your team. For now, we are unable to offer new realms while we work to reduce the number down to a manageable size.
@@ -106,7 +99,6 @@ If the service gets to the point where there are "slots" to create new dedicated
Other? -
Things are always evolving and the BC Government Open Source community is constantly innovating and solving problems together. Don't be afraid to jump into the #SSO RocketChat channel and see what the community recommends if you have an unusual use case or an innovative idea. Thank you for your collaboration! @@ -114,11 +106,11 @@ Things are always evolving and the BC Government Open Source community is consta
-

- +

+ ![Services Card](./img/services-card.png)

---------------------------- -#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2] +#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2] ![Email](./img/email.png) [2]: https://chat.developer.gov.bc.ca/channel/sso [3]: https://[mail](mailto:bcgov.sso@gov.bc.ca)[email](mailto:bcgov.sso@gov.bc.ca) diff --git a/wiki/SSO-Onboarding.md b/wiki/SSO-Onboarding.md index 03a0918c..d234c97c 100644 --- a/wiki/SSO-Onboarding.md +++ b/wiki/SSO-Onboarding.md @@ -2,7 +2,7 @@ * [START USING OIDC CLIENT CONFIGURATION](#start-using-your-OIDC-client-configuration) -![Group 1491](https://user-images.githubusercontent.com/87393930/134225781-e899275c-781e-4979-8884-03ebb4fc7f51.png) +![Group 1491](./img/idp-graph.png) ---------------------------------- @@ -24,6 +24,6 @@ Please visit [BCGov Cloud Services](https://digital.gov.bc.ca/cloud/services/) Once you have your client details, you can configure your application to use the service for your application login. For helpful advice on integration see [Using Your SSO Client](https://bcgov.github.io/sso-docs/category/getting-started) or **if you are eager**, check out our [keycloak example apps](https://github.com/bcgov/keycloak-example-apps) -#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2] +#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2] ![Email](./img/email.png) [2]: https://chat.developer.gov.bc.ca/channel/sso [3]: https://[mail](mailto:bcgov.sso@gov.bc.ca)[email](mailto:bcgov.sso@gov.bc.ca) diff --git a/wiki/Useful-References.md b/wiki/Useful-References.md index 70beccef..7f850eae 100644 --- a/wiki/Useful-References.md 
+++ b/wiki/Useful-References.md @@ -1,10 +1,10 @@ -* [Intro to terms](#Intro-to-terms) +* [Intro to terms](#intro-to-terms) * [How we describe Keycloak](#keycloak-how-we-describe-it) * [Newbie Guide: Concepts and Terms](#newbie-guide) -* [Learn about the Open ID connect and OAuth Protocols](#Learn-about-the-Open-ID-connect-and-OAuth-Protocols) +* [Learn about the Open ID connect and OAuth Protocols](#learn-about-the-open-id-connect-and-oauth-protocols) * [Our Youtube videos on OIDC 101](#oidc-101) -* [Learn about Keycloak and its APIs](#Learn-about-Keycloak-and-its-APIs) -* [How to set up and use your KeyCloak Client](#How-to-set-up-and-use-your-KeyCloak-Client) +* [Learn about Keycloak and its APIs](#learn-about-keycloak-and-its-apis) +* [How to set up and use your KeyCloak Client](#how-to-set-up-and-use-your-keycloak-client) * [Q&A with Us](#qa-with-us) @@ -26,7 +26,7 @@ An "Identity Provider" is the holder of the identity that is used to log in with [Visit this FAQ](https://github.com/bcgov/sso-keycloak/discussions/256) on which Identity Provider might be best for you -### [Keycloak how we describe it](https://github.com/bcgov/sso-keycloak/wiki/What-is-Keycloak-@-BC-Government%3F#what-is-keycloak) +### [Keycloak how we describe it](What-is-Keycloak-at-BC-Government#what-is-keycloak) ### Newbie Guide @@ -72,8 +72,6 @@ The following links are a good introduction or refresher to the OIDC standard. [Stackover flow Collection 2 on Custom Realms](https://stackoverflow.developer.gov.bc.ca/search?q=custom+realm) - - -#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2] +#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2] ![Email](./img/email.png) [2]: https://chat.developer.gov.bc.ca/channel/sso [3]: https://[mail](mailto:bcgov.sso@gov.bc.ca)[email](mailto:bcgov.sso@gov.bc.ca) 
diff --git a/wiki/Using-Your-SSO-Client.md b/wiki/Using-Your-SSO-Client.md index 230ed309..72640e85 100644 --- a/wiki/Using-Your-SSO-Client.md +++ b/wiki/Using-Your-SSO-Client.md @@ -1,6 +1,3 @@ -
- - ## Table of Contents - [Introduction to key concepts and terms (newbie guide)](#Introduction-to-key-concepts-and-terms) - [Openshift Clusters](#openshift-clusters) diff --git a/wiki/What-is-Keycloak-at-BC-Government.md b/wiki/What-is-Keycloak-at-BC-Government.md index 8c659416..7d7604d5 100644 --- a/wiki/What-is-Keycloak-at-BC-Government.md +++ b/wiki/What-is-Keycloak-at-BC-Government.md @@ -2,10 +2,7 @@ Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. [Keycloak - About](https://www.keycloak.org/) In BC Government, the Pathfinder SSO Keycloak server acts as an Open ID Connect [OIDC](https://openid.net/connect/) based Identity Provider, mediating with an enterprise user directory or 3rd-party SSO providers for identity information and applications via standards-based tokens and identity assertions. - - - - +![Service Overview](./img/css-overview.png) ## As a digital delivery team, what do i need to know about Keycloak? @@ -18,16 +15,15 @@ The KeyCloak product was not designed to handle an unlimited number of realms an New customers will now be added to one of the specially configured standard realms to help us continue to offer this great common component. - +![Standard vs Custom Realm](./img/standard-vs-custom.png){: style="width:65%;height:50%"} - +![Standard vs Custom Realm](./img/standard-realm.png){: style="width:65%;height:50%"} ## Why a Custom Realm? - +![Standard vs Custom Realm](./img/custom-realm.png){: style="width:65%;height:50%"} # Authentication vs Authorization - [Useful terms can be found here](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#intro-to-terms) 
@@ -35,5 +31,5 @@ New customers will now be added to one of the specially configured standard real The Pathfinder SSO service is build on the foundations of Keycloak /Redhat SSO. * [Request an integration](https://bcgov.github.io/sso-requests/) -* [An overview of our CSS App](https://github.com/bcgov/sso-keycloak/wiki) -* [Additional References](https://github.com/bcgov/sso-keycloak/wiki/Useful-References) +* [An overview of our CSS App](index) +* [Additional References](Useful-References) diff --git a/wiki/img/azureidir-error.png b/wiki/img/azureidir-error.png new file mode 100644 index 00000000..b0ef5059 Binary files /dev/null and b/wiki/img/azureidir-error.png differ diff --git a/wiki/img/chat-bubble.png b/wiki/img/chat-bubble.png new file mode 100644 index 00000000..93f7c2f3 Binary files /dev/null and b/wiki/img/chat-bubble.png differ diff --git a/wiki/img/css-app-on-laptop.png b/wiki/img/css-app-on-laptop.png new file mode 100644 index 00000000..2a8186bf Binary files /dev/null and b/wiki/img/css-app-on-laptop.png differ diff --git a/wiki/img/css-overview.png b/wiki/img/css-overview.png new file mode 100644 index 00000000..2dd1834a Binary files /dev/null and b/wiki/img/css-overview.png differ diff --git a/wiki/img/custom-realm.png b/wiki/img/custom-realm.png new file mode 100644 index 00000000..e2eab81c Binary files /dev/null and b/wiki/img/custom-realm.png differ diff --git a/wiki/img/email.png b/wiki/img/email.png new file mode 100644 index 00000000..a71f3c63 Binary files /dev/null and b/wiki/img/email.png differ diff --git a/wiki/img/gh-idp-mappers.jpg b/wiki/img/gh-idp-mappers.jpg new file mode 100644 index 00000000..f4c3cb13 Binary files /dev/null and b/wiki/img/gh-idp-mappers.jpg differ diff --git a/wiki/img/idp-graph.png b/wiki/img/idp-graph.png new file mode 100644 index 00000000..56089038 Binary files /dev/null and b/wiki/img/idp-graph.png differ 
diff --git a/wiki/img/idp-mappers.jpg b/wiki/img/idp-mappers.jpg new file mode 100644 index 00000000..a0200a74 Binary files /dev/null and b/wiki/img/idp-mappers.jpg differ diff --git a/wiki/img/services-card.png b/wiki/img/services-card.png new file mode 100644 index 00000000..0401ae7a Binary files /dev/null and b/wiki/img/services-card.png differ diff --git a/wiki/img/standard-realm.png b/wiki/img/standard-realm.png new file mode 100644 index 00000000..a14443f8 Binary files /dev/null and b/wiki/img/standard-realm.png differ diff --git a/wiki/img/standard-vs-custom.png b/wiki/img/standard-vs-custom.png new file mode 100644 index 00000000..3854d0e0 Binary files /dev/null and b/wiki/img/standard-vs-custom.png differ diff --git a/wiki/img/total-downtime.png b/wiki/img/total-downtime.png new file mode 100644 index 00000000..87056f4d Binary files /dev/null and b/wiki/img/total-downtime.png differ diff --git a/wiki/img/uptime-range.png b/wiki/img/uptime-range.png new file mode 100644 index 00000000..cc5bd338 Binary files /dev/null and b/wiki/img/uptime-range.png differ diff --git a/wiki/index.md b/wiki/index.md index d72c03f5..dc4b0b24 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -9,24 +9,17 @@ * [More on our Standard Service](#more-on-our-standard-service) * [Limitations](#limitations) * [History](#history) -* [For Additional Help](https://github.com/bcgov/sso-keycloak/wiki/Additional-Help) +* [For Additional Help](Additional-Help) * [Placeholder on Custom Realms](#placeholder-on-custom-realms) - -

- -

-
-
-#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2] - +#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2] ![Email](./img/email.png) [2]: https://chat.developer.gov.bc.ca/channel/sso 
@@ -38,12 +31,12 @@ The Pathfinder SSO service (also known as "KeyCloak" or "RedHat SSO") consists of two offerings: Standard and Custom. -Over the years, we’ve engaged and learned that the majority of our clients can make use of our standard service, so we created the [Common hosted Single Sign on (CSS) App](https://bcgov.github.io/sso-requests/). It’s a simple way for application development teams to set up login functionality for their app from approved [identity providers](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#identity-provider) over a standard and secure protocol aka to help you obtain the technical details for your login component. Learn more about [onboarding with us here](https://bcgov.github.io/sso-docs/category/getting-started). +Over the years, we’ve engaged and learned that the majority of our clients can make use of our standard service, so we created the [Common hosted Single Sign on (CSS) App](https://bcgov.github.io/sso-requests/). It’s a simple way for application development teams to set up login functionality for their app from approved [identity providers](Useful-References#identity-provider) over a standard and secure protocol aka to help you obtain the technical details for your login component. Learn more about [onboarding with us here](SSO-Onboarding). ## Our Partners -We provide our service with the support of our Identity Provider Partners. An "Identity Provider" is the holder of the identity that is used to log in with. [Learn more about our partners and relevant identity provider information](https://github.com/bcgov/sso-keycloak/wiki/Our-Partners-and-Useful-Information). +We provide our service with the support of our Identity Provider Partners. An "Identity Provider" is the holder of the identity that is used to log in with. [Learn more about our partners and relevant identity provider information](Our-Partners-and-Useful-Information). 
Note: It is totally possible for your application to integrate with any or all of the identity providers directly instead of using the Pathfinder SSO service. @@ -57,7 +50,7 @@ Here’s some reasons as to why this might work for your digital product: - **Easy setup.** We've made this the #1 feature of this service. You can get your DEV, TEST, and PROD instances running against most of the available identity providers right away. The Pathfinder SSO service already has integrations to the following identity providers: - IDIR (BC Common Logon Page) - - [Learn about Azure IDIR ](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#azure-idir-and-idir---whats-the-difference) + - [Learn about Azure IDIR ](Our-Partners-and-Useful-Information#azure-idir-and-idir) - BCeID Basic (BC Common Logon Page) -- Allows login only with BCeID _Basic_ - BCeID Business (BC Common Logon Page) -- Allows login only with BCeID _Business_ - BCeID Basic & Business(BC Common Logon Page) -- Allows login with BCeID _Basic_ or BCeID _Business_ 
@@ -66,18 +59,18 @@ Here’s some reasons as to why this might work for your digital product: - **OIDC protocol.** Where certain identity providers (BCeID in particular) support SAML protocol when used directly, Pathfinder SSO brokers the SAML connection and lets you use OIDC instead. OIDC is more common and simpler to set up in modern programming stacks. - **Session Management.** Some identity providers don't offer advanced session management capabilities. -- **High Availability Requirements.** The Pathfinder SSO service is working on a formal published service level agreements (see [BC Government SSO Service Definition](https://digital.gov.bc.ca/common-components/pathfinder-sso/). This service is available 24/7 with questions and answers addressed during business hours only. [Uptime Monitoring](https://github.com/bcgov/sso-keycloak/wiki/Pathfinder-Uptime-Monitoring) +- **High Availability Requirements.** The Pathfinder SSO service is working on a formal published service level agreements (see [BC Government SSO Service Definition](https://digital.gov.bc.ca/common-components/pathfinder-sso/). This service is available 24/7 with questions and answers addressed during business hours only. [Uptime Monitoring](Pathfinder-Uptime-Monitoring) #### More on our Standard Service Our standard service makes use of one "standard" realm. When you complete a request in our [common hosted single sign on app](https://bcgov.github.io/sso-requests), you receive a pre-configured client inside an existing realm. -* If you need authorization ie role based access controls, we allow for client level roles to be created. 
[Learn more](https://github.com/bcgov/sso-keycloak/wiki/Creating-a-Role) -* [Are you Part of GitHub BC Gov Org](https://github.com/bcgov/sso-keycloak/wiki/Are-you-part-of-the-GitHub-BC-Gov-Org-%3F) -* [Situations where you use our service](https://github.com/bcgov/sso-keycloak/wiki/Using-Your-SSO-Client#usecases) -* [If you need to interact with the CSS App in a RESTful way](https://github.com/bcgov/sso-keycloak/wiki/CSS-API-Account) -* [CSS APP my Teams](https://github.com/bcgov/sso-keycloak/wiki/CSS-App-My-Teams) -* [CSS APP valid redirect URI Format](https://github.com/bcgov/sso-keycloak/wiki/CSS-App-Valid-Redirect-URI-Format) +* If you need authorization ie role based access controls, we allow for client level roles to be created. [Learn more](Creating-a-Role) +* [Are you Part of GitHub BC Gov Org](Are-you-part-of-the-GitHub-BC-Gov-Org) +* [Situations where you use our service](Using-Your-SSO-Client#usecases) +* [If you need to interact with the CSS App in a RESTful way](CSS-API-Account) +* [CSS APP my Teams](CSS-App-My-Teams) +* [CSS APP valid redirect URI Format](https://bcgov.github.io/sso-docs/integrating-your-application/redirects#valid-redirect-format) * [Gold Migration Q&A](https://github.com/bcgov/sso-keycloak/discussions/categories/gold-q-a) ### Limitations 
@@ -86,17 +79,17 @@ It is technically possible to integrate directly with the various identity provi - **High Volume Expectations.** The service is shared by many dozens of applications. If one application starts sending millions of login requests, the service itself can experience service degradation which is felt by all the users of all the applications. Pathfinder SSO is managed on the OpenShift Platform and scales fluidly, but there are limits to the resources it can consume. - **Unique Configuration Needs.** New customers no longer receive a dedicated realm where they can experiment and invent on top of the platform (see "What's Changed" below). -- **BC Services Card Integration Requirements.** Because of the high-security nature of the BC Services Card identity and the private information that is available in the context of a login, BCSC is not allowed to be shared between applications. In a dedicated realm the BCSC integration, once approved and configured by IDIM, can be set up. Since we are not offering dedicated realms at this time, teams that need to integrate with BCSC will need to find another solution (see [BC Services Card Integration](https://github.com/bcgov/sso-keycloak/wiki/Our-Partners-and-Useful-Information#bc-service-card-integration) for useful advice). +- **BC Services Card Integration Requirements.** Because of the high-security nature of the BC Services Card identity and the private information that is available in the context of a login, BCSC is not allowed to be shared between applications. In a dedicated realm the BCSC integration, once approved and configured by IDIM, can be set up. Since we are not offering dedicated realms at this time, teams that need to integrate with BCSC will need to find another solution (see [BC Services Card Integration](Our-Partners-and-Useful-Information#bc-service-card-integration) for useful advice). 
## Placeholder on Custom Realms -[Custom Realm ](https://github.com/bcgov/sso-keycloak/wiki/Understanding-the-Difference-Between-Custom-and-Standard-Realms) +[Custom Realm ](Understanding-the-Difference-Between-Custom-and-Standard-Realms) ## History ### 2022 -• In early 2022, we consulted with teams using our custom service and are working with them to migrate to our new keycloak instance. If you think you need our custom service, please be advised we will ask you a few questions as we do not take provisioning a new custom service lightly. Read more on the way we work with our [Custom Service/Custom Realm community](https://github.com/bcgov/sso-keycloak/wiki/Gold-Custom-Realm-Community-Ways-of-Working) +• In early 2022, we consulted with teams using our custom service and are working with them to migrate to our new keycloak instance. If you think you need our custom service, please be advised we will ask you a few questions as we do not take provisioning a new custom service lightly. Read more on the way we work with our [Custom Service/Custom Realm community](Gold-Custom-Realm-Community-Ways-of-Working) • In mid 2022, we moved our services from the Platform Services Silver Openshift cluster to their Gold Openshift cluster. We have mechanism in place for disaster recovery and we are an enterprise service. We ensure that clients in our gold service have their service up 24/7.
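Review bot: In the first `mkdocs.yml` hunk, the `# TODO: change branch on dev merge` above `edit_uri: https://github.com/bcgov/sso-keycloak/edit/wiki/wiki/` hardcodes the `wiki` branch, and nothing will fail loudly when that branch goes away: every "edit this page" link will just 404. Either keep the relative `edit/main/wiki/` form and let the branch switch happen in git, or open a tracking issue referenced in the comment so the TODO is not forgotten at merge time.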
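Review bot: In the second `mkdocs.yml` hunk, `- Our Service Level: Alerts-and-Us#service-levels` drops the `.md` extension while the line directly above uses `- Alerts and Us: Alerts-and-Us.md`; mkdocs `nav` entries are file paths relative to `docs_dir`, so the extensionless form is likely to produce a "not found in documentation files" warning or a dead nav item. Suggest `Alerts-and-Us.md#service-levels` for consistency. Adding `attr_list` is correct, since the `{: style="..."}` image attributes introduced in `Our-Partners-and-Useful-Information.md` and `What-is-Keycloak-at-BC-Government.md` do not render without it.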
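Review bot: In the `Additional-Help.md` hunk, removing the `mailto:` link leaves "please email the Product Owner" with no address, so the sentence no longer tells the reader how to do what it asks. If the goal is to stop publishing the address on this page, say where it can be found (for example the RocketChat channel already linked above); otherwise keep `[Product Owner](mailto:bcgov.sso@gov.bc.ca)`.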
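Review bot: In the `Alerts-and-Us.md` hunks, the link style is mixed: `[visit our uptime page](Pathfinder-Uptime-Monitoring)` has no extension while `[2022 and 2023 Recap of Alerts/Incidents](Alerts-and-Us.md#metrics)` keeps `.md`. Pick the one form the `ezlinks` plugin resolves and use it throughout, so broken links are easy to spot in the build log. Also, the second image keeps the generic alt text `image` while the first was given `Uptime range`; `Total downtime` would match the new filename.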
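Review bot: In the `Identity-Provider-Attribute-Mapping.md` hunk, the attribute mapping tables now exist only as `idp-mappers.jpg` and `gh-idp-mappers.jpg`. That content is exactly what integrators need to copy and search (which claims map to which IdP attributes), and a screenshot cannot be searched, copied, or read by a screen reader, and will go stale without any diff showing it. Suggest keeping a markdown table next to the images, or at minimum alt text that names what each table maps rather than `IDP Mappers`.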
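Review bot: In the "Other issues" hunk of `Our-Partners-and-Useful-Information.md`, the rewritten line still reads "reachout to us on [rocketchat]"; since the line is being edited anyway, fix "reachout" to "reach out" and match the "RocketChat" capitalization used elsewhere on the page.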
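Review bot: In the footer hunks of `Our-Partners-and-Useful-Information.md`, `SSO-Onboarding.md`, and `Useful-References.md`, the new `![Email](./img/email.png)` image is not wrapped in a link, so unlike the chat bubble (`[![Chat Bubble](./img/chat-bubble.png)][2]`) it is not clickable, and the reference definition `[3]: https://[mail](mailto:bcgov.sso@gov.bc.ca)[email](mailto:bcgov.sso@gov.bc.ca)` is malformed (markdown links inside a URL) and is never referenced. Suggest `[![Email](./img/email.png)](mailto:bcgov.sso@gov.bc.ca)` and dropping the `[3]` line; the same footer appears in `index.md` without `[3]`, which is the form to standardize on.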
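Review bot: In the `What-is-Keycloak-at-BC-Government.md` hunks, the context line `[Useful terms can be found here](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#intro-to-terms)` still points at the absolute GitHub wiki URL while this PR converts the other links in the same file to relative ones (`[Additional References](Useful-References)`); it sits in the hunk and should be converted in the same change. Also, all three realm images carry the alt text `Standard vs Custom Realm` although the filenames (`standard-realm.png`, `custom-realm.png`) indicate two of them show a single realm type.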
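Review bot: In the `Using-Your-SSO-Client.md` and `SSO-Onboarding.md` hunks, the context anchors `#Introduction-to-key-concepts-and-terms` and `#start-using-your-OIDC-client-configuration` keep mixed case, whereas `Our-Partners-and-Useful-Information.md` and `Useful-References.md` in this same PR lowercase their anchors to match the generated heading ids. Apply the same normalization here so these in-page links resolve on the new site.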