Identity Providers
Overview
The SSO service works with several identity provider (IDP) partners. An identity provider is the authoritative system where users authenticate and where their identity attributes originate.
For attribute-level details used in tokens and user mapping, see Identity Mappers.
Available Identity Providers
| Identity Provider | Typical Users | Notes |
|---|---|---|
| IDIR - MFA | BC Government employees and contractors | Recommended option for employee sign-in with MFA support. Learn more about MFA registration. |
| BCeID | Residents and businesses accessing government services | Supports Basic and Business BCeID. Learn more about BCeID Authentication Service. |
| BC Services Card (BCSC) | BC residents | Available through SSO with additional approval requirements. See BC Services Card Login. |
| Digital Credential | Verifiable credential users | Available for OIDC integrations. Learn more about Digital Credentials. |
| GitHub BC Gov | Members of BC Government GitHub organizations | Production use may require policy or standards review. See IM/IT Standards FAQs. |
| OTP (One-Time Passcode) | Email-based sign-in use cases | Users authenticate with a one-time passcode delivered by email. |
If you are deciding which IDP to use, these references may help:
IDIR - MFA (MFA) Notes
IDIR - MFA includes multi-factor authentication and is more secure than legacy on-prem IDIR flows.
If a user's IDIR account is not tied to a gov.bc.ca email address, they may need to use the format idir_username@gov.bc.ca when prompted for email.
If users see an IDIR - MFA sign-in error, confirm they have an active BC Government IDIR - MFA account.

Common Login Issues
I can't log in to both on-prem IDIR and BCeID in the same browser?
When using legacy on-prem IDIR (not IDIR - MFA), browser session conflicts can occur if one tab is logged in with IDIR and another with BCeID.
Use an incognito/private browser window, or clear browser cache and cookies before testing.
Other Issues
If the issue persists after private-mode testing, contact the SSO team in the Microsoft Teams Keycloak How-to Channel.
Digital Credential Configuration
Digital Credential integration defines which credential (or credential combination) is requested during authentication.
Work with the DITP team to confirm whether an existing configuration can be reused or whether a new configuration is required for your use case.
For implementation guidance, see vc-authn-oidc best practices.
BC Services Card Integration
BC Services Card provides an OIDC authentication service and is available in production. Because of the sensitivity of BCSC identity data, integrations require approval from the IDIM team before BCSC can be enabled as a login option.

Options for Teams with BCSC Requirements
1. Integrate with Standard Service (Recommended)
Most teams should request BCSC through the Standard service using the CSS.
If your ministry or sector is not listed, contact IDIM Consulting to discuss onboarding.
2. Join an Existing Custom Realm
With IDIM approval, some teams can join an existing custom realm that already has BCSC enabled and shares the same security context (typically within the same ministry or sector).
This is less common, but can be appropriate for closely related programs with compatible privacy and identity requirements.
3. Run a Dedicated Keycloak Deployment
For rare cases requiring full ownership of authentication infrastructure, teams can run their own Keycloak deployment and configure a direct OIDC integration with BCSC.
This option has the highest operational overhead and should be considered only when Standard or existing Custom Realm options cannot meet requirements.
Restricted Identity Providers
- IDIR and GitHub Public are not available for self-service selection. Contact the SSO team if you need to integrate with either provider.
- Basic BCeID and Basic or Business BCeID are being discontinued. Even DEV and TEST environments require explicit approval from the IDIM team. For more information, contact the IDIM team.
- The OTP identity provider is currently being piloted by a single team and is not yet generally available. Contact the SSO team if you are interested in joining the pilot.
Need Help?
Questions about IDP selection or integration setup:
- Teams: Keycloak How-to Channel
- Email: SSO Team