The BC Government Pathfinder SSO service, based on the Open Source Keycloak (aka Red Hat SSO) product, provides an industry standard (OIDC) and enterprise-policy compliant means of implementing authentication within applications that are also simple for development teams to provision and utilize.
Development teams are provisioned a set of clients within a multi-tenant instance of Keycloak running in the OpenShift Container Platform (OCP) platform that provide a simple authentication mechanism suitable for web and mobile applications.
Each client exists in one of the "standard" realms based on the needs of the team. Each "standard" realm is configured with a set of centrally-managed identity providers (such as BCeID and IDIR).
Users of this service gain access to the following:
Development teams are provided with a set of clients (an isolated configuration within Keycloak), corresponding to their deployment environments (dev, test, and prod). Clients come configured out-of-the-box with an appropriate combination of the following identity providers:
- BC Government IDIR
- BCeID Business and/or Basic (Personal BCeID is no longer supported)
- GitHub (in the DEV and TEST environments for rapid prototype testing)
Note: BCeID requires additional steps for SSO implementation. Details will be provided during onboarding. Note: BC Services Card integration is not available through OCP-SSO through the "standard" realms. See BC Services Card Integration for explanation and tips.
There is an online chat community around the SSO service that can be found on the #sso channel within the BC Government’s Pathfinder RocketChat. This online forum is used for asking questions, resolving possible issues and following developments on the service.
The Pathfinder SSO service is offered to BC Government teams who are building cloud native web or mobile applications. Teams wishing to use this service should initially connect with the SSO Product Owner to discuss their needs and ensure alignment prior to making an SSO implementation request.
Note: The Pathfinder SSO service is undergoing upgrades in 2021 and is currently not recommended for critical applications. Support is currently available only during business hours and only on a best efforts basis. If your application is critical, please contact Web Access Management (WAM) and/or Provincial Identity Information Management Program (IDIM).
The SSO solution is deployed in a high-availability configuration within the highly-available BC Government OpenShift cluster.
Client provisioning requests will be reviewed and handled during normal business hours.
SSO support is currently available through the previously mentioned RocketChat on the channel called "#sso".
This SSO solution is an open-source solution with no associated costs.
SSO only interfaces with other BC Government services to provide authentication via IDIR, BCeID or (potentially) other IDPs. These services are separately managed by dedicated identity provider (IDP) teams. For these services contact support via the standard BC Government 7-7000 support channel.
RocketChat (#sso channel) is the primary mode of communication as related to the SSO solution. Use this channel to engage the community for best practices, configuration and troubleshooting questions.
For cluster-wide service notifications that may impact SSO monitor the #devops-alerts channels in RocketChat.
For teams without RocketChat access please send us an email to the Pathfinder SSO Product Owner.
Please refer to SSO Onboarding on the wiki.
Any service change will be communicated via the #sso RocketChat channel. For major service updates, the SSO operations team will reach out to primary contacts for all implemented SSO organizations.
SSO service improvements can include system upgrades, feature integrations, issue resolution and more. The SSO Operations team carry out change operations at a scheduled time with advanced notice communicated through the #sso RocketChat channel. If disruptions or downtimes are expected during service improvement implementation, one of the following standard change windows will be selected. Tuesday or Thursday - 7:00 PM PST to 9:00 PM PST
Further, if the change is more significant a Technical Information Bulletins (TIBs) will be posted in the BC Gov My Service Center located at Service Now.
Corporate PIA The Corporate Privacy Impact Assessment (PIA) is completed and signed off. This means basic deployments can refer to the corporate PIA avoiding re-work. Teams must still detail in their program PIA how they are using identity providers in their application context.
If you intend to use BCeID, you must contact the Identity Information Management (IDIM) team prior to a production launch. This is required so that your project can get added to the BCeID catalogue and to understand available identity provider authentication options.
Copyright 2019 Province of British Columbia
This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.