
Gold Custom Realm Community Ways of Working

Our gold custom service and how we work

Welcome, community member. This page is broken down into the following sections:

  • Standard vs Custom Service
  • Custom Service
    • Guidelines
    • Best practices
    • Common tool set

Standard Realm: SSO team configures it for you

Services we provide:

  1. Self-registration
  2. 20-minute access to a development, test, and production environment
  3. Continuous improvement & bug fixes
  4. Default settings
  5. Architecture best practices
  6. Access to developer support
  7. 24/7 site reliability monitoring

Custom Realm: Your team configures it yourself

Your responsibilities include:

  1. Governance model & decisions
  2. Infrastructure code for environment promotion
  3. Access considerations
  4. Migration of project teams that move ministries
  5. DevOps/technical support: have a long-term plan for it

Custom service guidelines

Follow guidelines for:

  1. Make sure everyone in the space understands the business requirements for privacy (IDs, authorizations, personal attributes)
  2. For sharing purposes, review the STRA (security), PIA (privacy) and legislation/policy for the space
  3. Rely entirely on the out-of-the-box configuration for Keycloak integrations.
    • Ensure logs are not stored, or are kept only for a short period of time.
  4. Try to avoid using realm-level resources such as groups and roles to share the realm with multiple application teams.
  5. Understand the difference between the user's GUID and the Keycloak (KC) ID when identifying users. Don't use local users.
  6. Make sure the username has an `@IDP` suffix based on the source of truth for that user type.
    • Offline validation (public key validation)
    • Automation
  7. Session and realm configuration, and token timeouts
    • Ensure offline tokens are revoked after use, or set a maximum lifetime.
    • Validate the token at the application level rather than using the introspection endpoint
  8. Synchronization of changes between environments
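As an added example (not code from this page or from the SSO team) of guideline 7's offline, application-level token validation and of the `@IDP` username suffix from guideline 6, the Go resource-server check below verifies a Keycloak RS256 access token against the realm public key with no introspection call. The issuer URL, client ID and IDP suffixes are constructed placeholders, fetching the key from the realm's JWKS endpoint is assumed to happen once at startup, and MintToken stands in for the realm only so the demo has a token to check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
var AllowedIDPs = map[string]bool{"idir": true, "bceidbasic": true} // constructed example "@IDP" suffixes

// Claims is the subset of Keycloak access-token claims checked here.
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"` // Keycloak may emit an array when several clients are mapped; a single string is assumed
	Exp      int64  `json:"exp"`
	Username string `json:"preferred_username"`
}

// MintToken stands in for the realm signing with its private key; a resource server never signs tokens itself.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// ValidateOffline verifies a token locally with the realm public key (from its JWKS endpoint), no introspection call; RS256 is pinned and now is Unix seconds.
func ValidateOffline(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (c Claims, err error) {
	hdr, rest, _ := strings.Cut(tok, ".")
	payload, sigB64, _ := strings.Cut(rest, ".") // a malformed token leaves sigB64 empty and fails the signature check
	sig, err := b64.DecodeString(sigB64)
	sum := sha256.Sum256([]byte(hdr + "." + payload)) // the signature covers header.payload; the alg header is never consulted
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if body, err := b64.DecodeString(payload); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad payload")
	}
	at := strings.LastIndex(c.Username, "@") // guideline: the username carries its @IDP source of truth
	if c.Iss != iss || c.Aud != aud || now >= c.Exp || at < 0 || !AllowedIDPs[c.Username[at+1:]] {
		return c, errors.New("issuer, audience, expiry or @IDP suffix check failed")
	}
	return c, nil
}
```

Because the algorithm is pinned and the key comes from the realm rather than the token, a token whose payload, issuer, audience or signing key differs from what the application expects is rejected without any round trip to Keycloak.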

Best practices

Do's

  1. Create instructions for realm usage setup and basic problem solving
  2. Use Cypress to automate login tests
  3. Document how to get access to the different tiers of support
  4. Create a clear disaster recovery plan

Don'ts

  1. Relying on token introspection
  2. Using the IDIR/BCeID user ID as the Keycloak username
  3. Manually promoting Keycloak configuration through the environments

Common tools

Common Questions

  • Visit our FAQs on BCGOV Stack Overflow for some FAQs on Custom Realms
  • Have any questions? We would love to hear from you on Rocketchat or by email.