Integration Credentials
Once your integration in CSS has been provisioned, you can download an Installation JSON file for each environment (dev / test / prod). This file contains the client-specific configuration your application needs to communicate with the SSO service — including the realm name, the Keycloak server URL, your client ID, and (for confidential clients) your client secret.
The Installation JSON is environment-specific, meaning the values for dev, test, and production are different. You should download and configure each environment separately to ensure your application points to the correct Keycloak instance and uses the correct credentials.
Approvals
Production Approval Required for Certain IDPs
For the following identity providers, production provisioning is not automatic. Instead, the respective IDP owner must manually approve your production integration before it becomes active:
- BCeID (Basic, Business, or Both variants)
- BC Services Card
- GitHub (BC Gov or Public)
For dev and test environments, these IDPs are provisioned immediately upon CSS submission. Production, however, requires an explicit approval step from the IDP owner.
The Approval Process
- Submit your integration in CSS with the desired IDP(s) and select the production environment.
- If the integration request includes
BCeID / BC Services Card / GitHubIDP(S), then the request enters a pending approval state for production environment. - The respective IDP owner reviews your request (usually within 1–2 business days, though integration status update after approval itself takes less than a few minutes).
- Once approved, the production environment is automatically provisioned and your Installation JSON becomes available for download.
Expediting Approval
If you have tight timelines or deadlines, do not wait passively for approval. Proactively reach out to the IDP owner directly to inform them of your approval request and ask them to prioritize it. This significantly reduces approval delays.
IDP Contact Information
| IDP | Contact Method |
|---|---|
| BCeID | Reach out to IDIM Consulting |
| BC Services Card | Reach out to IDIM Consulting |
| GitHub BC Gov | Contact the SSO team |
Important: Approved IDP Restrictions
Once an IDP variant has been approved for production, you cannot add additional related IDP variants to the same integration, though you may remove the approved one if needed and re-add right IDP(S) and wait for approval from IDP owners.
Examples:
- If
bceidbasic(Basic BCeID) is approved for production, you cannot addbceidbusiness(Business BCeID) orbceidboth(Both variants) to the same integration. You can always de-selectbceidbasicand selectbceidbusinessorbceidbothand wait for approval. - If
githubbcgov(GitHub BC Gov) is approved for production, you cannot addgithubpublic(GitHub Public) to the same integration, and vice versa. You can always de-selectgithubbcgovand selectgithubpublicand wait for approval.
To use a different IDP variant in production, you will need to request a new integration through CSS.
This restriction is in place to prevent IDP confusion and to ensure that teams maintain clear governance over which identity provider is authorized for each application's user base.
Client Types
- Confidential clients include a
credentials.secretfield. This secret must be stored securely on your back end and never exposed to the browser or end users. - Public clients omit the client secret entirely and set
"public-client": true. They must use PKCE to secure the Authorization Code Flow.
For more details, see client types.
Below is an example of an installation JSON for a public client.
{
"realm": "<standard_realm_name>",
"auth-server-url": "https://<env>.loginproxy.gov.bc.ca/auth/",
"ssl-required": "external",
"resource": "<client_id>",
"public-client": true,
"verify-token-audience": true,
"use-resource-role-mappings": true,
"confidential-port": 0
}
Below is an example of an installation JSON for a confidential client.
{
"realm": "<standard_realm_name>",
"auth-server-url": "https://<env>.loginproxy.gov.bc.ca/auth/",
"ssl-required": "external",
"resource": "<client_id>",
"credentials": {
"secret": "<client_secret>"
},
"confidential-port": 0
}