Set Up BC Services Card IDP
Overview
BC Services Card (BCSC) is a government-issued identity credential that enables high-assurance authentication for BC residents. It is available through the Standard Realm, but if you have a custom realm with BCSC requirements the Standard Realm cannot meet, follow this guide to configure BCSC as a new IDP in that realm.
This guide covers the three components required for a functional BCSC integration in your custom realm:
- Identity Provider (IDP) — connects your realm to the BCSC OIDC service
- IDP Mappers — import BCSC user attributes into Keycloak user records
- Client Mappers — expose those attributes in the tokens returned to your application
Before You Begin — On-Boarding with IDIM
Before configuring anything in Keycloak, your team must complete the BCSC on-boarding process with IDIM (Identity Information Management).
Contact IDIM to initiate on-boarding. Once the process is underway, IDIM will provide you with:
| Credential | Description |
|---|---|
| Client ID | Your integration's unique identifier |
| Client Secret | The shared secret for authenticating to the BCSC token endpoint |
| Discovery Endpoint | The OIDC well-known configuration URL for your IDIM environment |
The discovery endpoint exposes all the URLs you need (authorization, token, userinfo, JWKS). Example for the test environment:
https://idtest.gov.bc.ca/login/.well-known/openid-configuration
Keep these credentials secure. You will enter them directly into the Keycloak admin console in the steps below.
Step 1 — Create the BC Services Card IDP
- In your realm's Keycloak admin console, click Identity Providers in the left navigation.
- Click Add provider… and select OpenID Connect v1.0.
- Set Alias to a short identifier for the IDP (e.g. bcsc).
- Fill in the following fields using the URLs provided by your IDIM discovery endpoint:
| Field | Value |
|---|---|
| Authorization URL | https://<IDIM_ENVIRONMENT>/login/oidc/authorize |
| Token URL | https://<IDIM_ENVIRONMENT>/oauth2/token |
| User Info URL | https://<IDIM_ENVIRONMENT>/oauth2/userinfo |
| Issuer | https://<IDIM_ENVIRONMENT>/oauth2/ |
| JWKS URL | https://<IDIM_ENVIRONMENT>/oauth2/jwk |
| Client Authentication | Client secret sent as post |
| Client ID | Provided by IDIM |
| Client Secret | Provided by IDIM |
| Default Scopes | openid profile email address |
| Validate Signatures | Enabled |
| Use JWKS URL | Enabled |
- Click Save.
Replace <IDIM_ENVIRONMENT> with the hostname for your environment (e.g. idtest.gov.bc.ca for test). Confirm the exact URLs against your discovery endpoint document.
Step 2 — Create IDP Mappers
IDP mappers tell Keycloak which BCSC claims to import and store as user attributes. Because every BCSC integration has a different approved attribute set, the mappers you need will vary. Refer to the BCSC OIDC specification provided by IDIM for the full list of available claims.
To create a mapper:
- In your realm, navigate to Identity Providers and open the BCSC IDP you created.
- Click the Mappers tab, then click Add mapper.
- Configure the mapper fields and click Save.
The examples below illustrate two common mappers:
Directed Identifier (DID)
Maps the OIDC sub (subject) claim to a stored user attribute named did. The directed identifier is a privacy-preserving unique identifier assigned per-service by BC Services Card.
| Field | Value |
|---|---|
| Name | did |
| Sync Mode Override | Force |
| Mapper Type | Attribute Importer |
| Claim | sub |
| User Attribute Name | did |
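As an added example (not part of this guide or of Keycloak's own tooling), the Python below builds the Step 1 IDP representation and the Step 2 Directed Identifier mapper from a discovery document, checking that document for the settings the Step 1 table relies on (https URLs, the default scopes, client_secret_post) before anything is configured. The discovery document is a constructed sample modelled on the test-environment URLs above; the config keys are Keycloak's OIDC identity provider and attribute-importer mapper keys, and the resulting representations are the shape you would submit to the Keycloak admin REST API instead of typing values into the console.

```python
# Constructed sample discovery document, modelled on the guide's test URLs (not live data).
SAMPLE_DISCOVERY = {
    "issuer": "https://idtest.gov.bc.ca/oauth2/",
    "authorization_endpoint": "https://idtest.gov.bc.ca/login/oidc/authorize",
    "token_endpoint": "https://idtest.gov.bc.ca/oauth2/token",
    "userinfo_endpoint": "https://idtest.gov.bc.ca/oauth2/userinfo",
    "jwks_uri": "https://idtest.gov.bc.ca/oauth2/jwk",
    "scopes_supported": ["openid", "profile", "email", "address"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
}
DEFAULT_SCOPES = ("openid", "profile", "email", "address")


def build_bcsc_idp(discovery, alias, client_id, client_secret):
    """Keycloak IdentityProviderRepresentation mirroring the Step 1 table, with URLs
    taken from the discovery document and checked before anything is configured."""
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith("https://"):
            raise ValueError(f"discovery document lacks an https {key}")
    missing = [s for s in DEFAULT_SCOPES if s not in discovery.get("scopes_supported", [])]
    if missing:
        raise ValueError(f"scopes not advertised by the IDP: {missing}")
    if "client_secret_post" not in discovery.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("IDP does not accept client_secret_post")
    return {
        "alias": alias,
        "providerId": "oidc",
        "config": {
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "issuer": discovery["issuer"],  # must equal the iss claim of BCSC ID tokens
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",  # Use JWKS URL: Enabled
            "validateSignature": "true",  # Validate Signatures: Enabled
            "clientAuthMethod": "client_secret_post",  # Client secret sent as post
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": " ".join(DEFAULT_SCOPES),
        },
    }


def build_did_mapper(alias):
    """IdentityProviderMapperRepresentation for the Directed Identifier mapper of Step 2."""
    return {
        "name": "did",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",  # Attribute Importer
        "config": {"syncMode": "FORCE", "claim": "sub", "user.attribute": "did"},
    }
```

Pointing `build_bcsc_idp` at the real discovery document fetched from your IDIM environment gives you a configuration that cannot drift from the URLs IDIM publishes, and the checks fail loudly if the environment does not offer what the Step 1 settings assume.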