Keycloak is an open-source identity and access management solution that secures applications and services easily. In BC Government, the Pathfinder SSO Keycloak server acts as an OpenID Connect (OIDC) based identity provider.
CHEFS is hosted using a Custom Keycloak realm on the Silver OpenShift cluster. In order to access the admin panel of the Keycloak realm, contact Jason Chung.
User Groups
To gain admin access, the user must be added to both the “Realm Admin” and “Operations Team” user groups. The operations-team group provides access to the UI admin panel, and the realm-administrator group allows access to the Keycloak console under Groups.
Dual Tenancy
CHEFS is currently dual tenant within the realm.
Duplicate Emails
The realm has the “Duplicate Emails” setting within the admin console turned on to ensure that BCeID and IDIR are always treated as two separate entities and never merged. This means that if one user has both a BCeID and an IDIR account, they must be treated as two separate users.
Refined Roles
CHEFS uses composite roles: a composite role is associated with multiple other roles, which allows roles to be grouped and to span clients without each individual role having to be assigned explicitly.
Permissions
CHEFS permissions are handled through the backend database. Keycloak only verifies whether one is a “user” or an “admin.”
Forward Propagating Design
CHEFS follows a forward-propagating design: changes to an environment can only be deployed forwards, never rolled back. To make a change, a new migration file must be created, and existing migration files cannot be removed. Because of this, make sure the changes you are implementing are correct before deploying them.
KeycloakID VS GUID
Migration to Gold
Continuity Management Consideration
CHEFS Admin Role required to access admin panel
verify-token-audience