Gold Custom Realm Community Ways of Working
--- Our gold custom service and how we work
Welcome community member, we have this page broken down into the following sections:
- Standard vs Custom Service
- Custom Service
- Guidelines
- Best practices
- Common tool set
Standard Realm: SSO team configures it for you
Services we provide:
- Self-registration
- 20-minute access to a development, test, and production environment
- Continuous improvement & bug fixes
- Default settings
- Architecture best practices
- Access to developer support
- 24/7 site reliability monitoring
Custom Realm: Your team configures it yourself
Your responsibilities include:
- Governance model & decisions
- Infrastructure code for environment promotion
- Access considerations
- Migration of project teams that move ministries
- DevOps/technical support: have a long-term plan for it
Custom service guidelines
Follow guidelines for:
- Everyone in the space understands business requirements for privacy (IDs, authorizations, personal attributes)
- For sharing purposes, review the STRA (security), PIA (privacy) and legislation/policy for the space
- Rely entirely on the out-of-the-box configuration for Keycloak integrations.
- Ensure logs are not stored, or are stored only for a short period of time.
- Try to avoid using realm-level resources such as groups and roles to share the realm with multiple application teams.
- Use the GUID rather than the Keycloak (KC) ID as the user identifier. Don't use local users.
- Make sure the username has an `@IDP` suffix and is based on the source of truth for the user type.
- Offline validation (public key validation)
- Automation
- Session and realm configuration and token timeouts
- Ensure offline tokens are revoked after use or have a maximum lifetime set.
- Validate tokens at the application level rather than using the introspection endpoint
- Synchronization of changes between environments
Best practices
Do's
- Create instructions for realm setup, usage and basic problem solving
- Use Cypress to automate login tests
- Documentation around how to get access to different tiers of support
- Create a clear disaster recovery plan
Don'ts
- Using the introspection endpoint to validate tokens
- Using the IDIR/BCeID user ID as the Keycloak username
- Manually promoting Keycloak configuration through the environments
Common tools
- Automated testing (we recommend Cypress)
- Visit our Example Repo: https://github.com/bcgov/keycloak-example-apps