Merge branch 'wiki' of https://github.com/bcgov/sso-keycloak into wiki

bcgov · Dec 4, 2023 · 334620e · 334620e
2 parents 91a42eb + 2258170
commit 334620e
Show file tree

Hide file tree

Showing 26 changed files with 61 additions and 102 deletions.
diff --git a/.tool-versions copy b/.tool-versions copy
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -1,9 +1,10 @@
 site_name: BC Gov Common Hosted Single Sign-on
 docs_dir: wiki
-edit_uri: edit/main/wiki/
+# TODO: change branch on dev merge
+edit_uri: https://github.com/bcgov/sso-keycloak/edit/wiki/wiki/
 
 nav:
-  - Home: Home.md
+  - Home: index.md
   - SSO Onboarding: SSO-Onboarding.md
   - Using Your SSO Client: Using-Your-SSO-Client.md
   - What is Keycloak at BC Government: What-is-Keycloak-at-BC-Government.md
@@ -12,12 +13,15 @@ nav:
   - Handling Authorization/Create a Role: Creating-a-Role.md
   - Useful References: Useful-References.md
   - Pathfinder SSO Uptime: Pathfinder-Uptime-Monitoring.md
-  - Our Service Level: Alerts-and-Us.md#/service-levels
+  - Alerts and Us: Alerts-and-Us.md
+  - Our Service Level: Alerts-and-Us#service-levels
   - Additional Help: Additional-Help.md
+
 plugins:
   - techdocs-core
   - ezlinks
 markdown_extensions:
+  - attr_list
   - markdown_inline_mermaid
   - md_in_html
   - mkpatcher:

diff --git a/wiki/Additional-Help.md b/wiki/Additional-Help.md
@@ -2,14 +2,8 @@ Many development teams have gone through similar processes in exploring Pathfind
 - FAQ's - The Pathfinder SSO team tracks some frequently asked questions and with answers are made available through the following link: [FAQ's](https://github.com/bcgov/sso-keycloak/discussions/categories/gold-q-a).
 - We encourage you to join the Pathfinder SSO community on [RocketChat](https://chat.developer.gov.bc.ca/channel/sso) and post questions there. Be specific and clear when raising questions or issues and include your user case and expected results.
 - If you find a problem, issue or a bug, please create a GitHub issue [here](https://github.com/bcgov/sso-keycloak/discussions/new?category=q-a) first, and let the team know by posting in RocketChat.
-- The team prefers the channels described above, but if you need to send a message to the team, please email the [Product Owner](mailto:[email protected]).
+- The team prefers the channels described above, but if you need to send a message to the team, please email the <a href="mailto:[email protected]">Product Owner</a>.
 
 Within RocketChat if you see someone asking questions or have issues for which you may have a solution, please feel free to help out and contribute in RocketChat. We very much appreciate your contributions.
 
-</details>
-
-</details>
-<!-- <p align="Center">
-  <img width="800" height="350" src="blobs-in-forest.png">
-</p> -->
 ![Blobs in Forest](./img/blobs-in-forest.png)
diff --git a/wiki/Alerts-and-Us.md b/wiki/Alerts-and-Us.md
@@ -1,5 +1,6 @@
+# Alerts and Us
 Here's an overview of our Service Levels and Metrics on our acknowledge and response times:
-# Service Levels
+## Service Levels
 We often get questions about our Service Level Agreement and over the years we've come to realize the answer is not that simple. This an attempt to plain language the our Service Levels, other systems that impact our SLA as we are a subset of a larger system, our approach to keeping systems stable and reliable, and our future thinking.
 
 ## What is our Service
@@ -67,7 +68,7 @@ As of writing (April 2023) we define our service levels as:
 
 •	Our regular business hours are weekdays from 9:00 am to 5:00 pm Pacific Time, excluding statutory holidays. Client provisioning questions and requests will be reviewed and handled during normal business hours.  After hours support is provided by the Pathfinder SSO team, and is only available for service outages and other incidents that impact the service
 
-•	To learn more about our service uptime monitoring, please [visit our uptime page on our wiki](https://github.com/bcgov/sso-keycloak/wiki/Pathfinder-Uptime-Monitoring) and join our [newsletter](https://subscribe.developer.gov.bc.ca/) to receive important updates on the service and any outages.
+•	To learn more about our service uptime monitoring, please [visit our uptime page](Pathfinder-Uptime-Monitoring) and join our [newsletter](https://subscribe.developer.gov.bc.ca/) to receive important updates on the service and any outages.
 
 
 **Our approach to stability and reliability (Support Incident Response Times)**
@@ -83,7 +84,7 @@ The team responds to all service incidents through our 24/7 process where our te
 > P4 - Low - respond within 45 mins
 >
 
-As a very responsive team, you will see our metrics over the years and that we respond  very quickly [2022 and 2023 Recap of Alerts/Incidents](https://github.com/bcgov/sso-keycloak/wiki/Alerts-and-Us#metrics)
+As a very responsive team, you will see our metrics over the years and that we respond  very quickly [2022 and 2023 Recap of Alerts/Incidents](Alerts-and-Us.md#metrics)
 
 It should be noted that our current version of Redhat SSO does not enable us to offer zero downtime aka [blue green deployments](https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/blue-green-deployments.html). As a result, when we need to upgrade our Redhat SSO version or need to apply a patch, we advise our clients in advance via [RocketChat](https://chat.developer.gov.bc.ca/channel/sso) with a note that active sessions may be lost ie: end users may have to login again.
 
@@ -125,9 +126,9 @@ Join our monthly open demos as we share where we are going.
 ## Historic Uptime
 
 The uptime for a given alert over a range by using a custom range on the alert screen:
-![image](https://github.com/bcgov/sso-keycloak/assets/9705602/d7c3492b-af1f-451d-bcec-f415d563a0ef)
+![Uptime range](./img/uptime-range.png)
 Uptime will calculate the total downtime for the alert
-![image](https://github.com/bcgov/sso-keycloak/assets/9705602/7892e68c-8534-4f56-87d9-1a42aac60003)
+![image](./img/total-downtime.png)
 
 
 ### Gold Keycloak SSO Prod End User Access Uptime

diff --git a/wiki/Creating-a-Role.md b/wiki/Creating-a-Role.md
@@ -1,6 +1,3 @@
-
-***
-
 You've asked and we've listened, we've created the ability for you to create roles for your SSO integration.
 
 ### What are roles in the Common Hosted Single Sign On (CSS) App?

diff --git a/wiki/Identity-Provider-Attribute-Mapping.md b/wiki/Identity-Provider-Attribute-Mapping.md
@@ -1,7 +1,6 @@
-<img width="1224" alt="IDP mappers_ June2023" src="https://user-images.githubusercontent.com/56739669/248904590-78a7f83f-aed1-47eb-a5c3-a7dfc815eace.png" >
-
-<img width="1224" alt="GitHub_IDP_Mappers _ June2023" src="https://user-images.githubusercontent.com/56739669/248904606-af43720e-7264-40cb-9844-a651bf6ca213.png" >
+![IDP Mappers](./img/idp-mappers.jpg)
 
+![Github IDP Mappers](./img/gh-idp-mappers.jpg)
 
 * Any other attribute can be fetched by the app itself using [IDIM Web Services](https://sminfo.gov.bc.ca/)
 

diff --git a/wiki/Our-Partners-and-Useful-Information.md b/wiki/Our-Partners-and-Useful-Information.md
@@ -1,17 +1,17 @@
 
 
 ## Navigation
-- [What are identity providers, and which are available to BC Government?](#What-are-identity-providers)
-- [Azure IDIR and IDIR - What's the difference?](#Azure-IDIR-and-IDIR)
+- [What are identity providers, and which are available to BC Government?](#what-are-identity-providers)
+- [Azure IDIR and IDIR - What's the difference?](#azure-idir-and-idir)
 - [Common Login Errors](#common-login-errors)
-- [BC Service Card Integration](#BC-service-card-integration)
-- [Identity Provider Attribute Mapping](https://github.com/bcgov/sso-keycloak/wiki/Identity-Provider-Attribute-Mapping)
+- [BC Service Card Integration](#bc-service-card-integration)
+- [Identity Provider Attribute Mapping](Identity-Provider-Attribute-Mapping)
 - [BC Government Identity Standards aka IM/IT Identity Standards](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/find-a-standard#id_mgt)
 
 
-## What are identity providers?
+## What are Identity Providers?
 
-[Identity providers](https://github.com/bcgov/sso-keycloak/wiki/Useful-References#identity-provider) are directories of user accounts with details about those users, called attributes. The ones available to Pathfinder SSO Clients are:
+[Identity providers](Useful-References#identity-provider) are directories of user accounts with details about those users, called attributes. The ones available to Pathfinder SSO Clients are:
 - **IDIR** IDIR accounts are given to individuals who work for the B.C. government. Each account has an IDIR username and password for logging in. [reference](https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/identity-and-authentication-services/login-best-practices/language-consistency)
 
 - **Azure IDIR** IDIR accounts with the added the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR. [reference](https://intranet.gov.bc.ca/thehub/ocio/ocio-enterprise-services/information-security-branch/information-security-mfa/mfa-registration)
@@ -26,15 +26,16 @@
 - **GitHub associated with BC Gov Org**	 Allows login of GitHub BC Gov Org member. At the time of writing, production approval for this requires you to obtain an exemption to the IM/IT standards. [IM/IT Standards Frequently Asked Questions](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/im-it-standards-faqs)
 
 
-## Azure IDIR and IDIR?
+## Azure IDIR and IDIR
 Using Azure IDIR adds the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR.
 
 You may have to educate your end users on MFA and please take note if your IDIR is not tied to a gov.bc.ca email address, please use [email protected] when prompted for your email.
 
 You can **learn** [here from our IDIR Partner](https://intranet.gov.bc.ca/thehub/ocio/ocio-enterprise-services/information-security-branch/information-security-mfa/mfa-registration)
 
 Also note if you get an error message similar to the one below, please ensure the end user has an BC Gov Azure IDIR account in order to gain access.
- <img width="380" height="300" src="https://user-images.githubusercontent.com/56739669/234470765-f3250a0a-7a62-4c42-b532-682351c0e103.png">
+
+![Azure IDIR error](./img/azureidir-error.png){: style="width:320px;height:400px"}
 
 ## Common Login Errors
 
@@ -46,16 +47,15 @@ Please use a private browser by either using incognito or clearing your cache.
 
 ### Other issues
 
-Please ensure you have tested with an incognito browser as mentioned above. If it is still an issue, reachout to use on [rocketchat](https://chat.developer.gov.bc.ca/channel/sso)
+Please ensure you have tested with an incognito browser as mentioned above. If it is still an issue, reachout to us on [rocketchat](https://chat.developer.gov.bc.ca/channel/sso).
 
 ## Digital Credential Configuration
 
 This defines which credential (or combinations of credentials) will be requested at user authentication.
 
-Please work with the DITP team [email protected] to define whether an existing configuration can be used, or a new one should be created for the specific use-case. Additionally, some best practices that need to be implemented at the application level can be found [here](https://github.com/bcgov/vc-authn-oidc/blob/main/docs/BestPractices.md)
+Please work with the DITP team [email protected] to define whether an existing configuration can be used, or a new one should be created for the specific use-case. Additionally, some best practices that need to be implemented at the application level can be found [here](https://github.com/bcgov/vc-authn-oidc/blob/main/docs/BestPractices.md).
 
 ## BC Service Card Integration
-<br>
 
 *BC Services Card provides an Open ID Connect authentication server. Integration to this service is not available in the *standard* realms.*
 
@@ -67,8 +67,6 @@ The IDIM team that manages BCSC integration is responsible for safeguarding the
 
 <details>
 <summary><b>Join an Existing Dedicated Custom Realm</b></summary>
-<br>
-
 With approval from IDIM, it is possible to join an existing realm that shares the same security context as your application and already has BCSC set up. This generally means that the existing clients are all from the same ministry or sector and have the same requirements for personal information through the login process.
 
 There are very few instances of this pattern at this time, but it is an option that is possible with the help and approval of IDIM.
@@ -78,7 +76,6 @@ Be that as it may, if there is a closely related project in your ministry or sec
 
 <details>
 <summary><b>Integrate Directly with BCSC</b></summary>
-<br>
 
 Since IDIM provides an OIDC service for BCSC, your app can integrate directly with that service instead of brokering through Pathfinder SSO. Their security practices usually require a client per application in any case, so your architecture might not require using Pathfinder SSO as a proxy authentication service anyway. In addition, this pattern removes one possible point of failure from the application architecture.
 
@@ -89,36 +86,31 @@ Be mindful however that the SSO (Keycloak) product does offer token and session
 <details>
 <summary><b>Configure and Manage Your Own Dedicated KeyCloak Server
 </b></summary>
-<br>
-
-
 KeyCloak runs on JBoss quite happily in a Docker container with a PostgreSQL backend. If you really need features provided by KeyCloak and you want to integrate with BCSC, it's possible to run your own KeyCloak server and configure your connection to BCSC by setting up your own OIDC IDP.
 </details>
 
 <details>
 <summary><b>Obtain a Dedicated KeyCloak Realm on the Pathfinder SSO service
 </b></summary>
-<br>
 
 If the service gets to the point where there are "slots" to create new dedicated realms, a BCSC identity provider can be securely configured within a realm dedicated to your team. For now, we are unable to offer new realms while we work to reduce the number down to a manageable size.
 </details>
 
 <details>
 <summary><b>Other?
 </b></summary>
-<br>
 
 Things are always evolving and the BC Government Open Source community is constantly innovating and solving problems together. Don't be afraid to jump into the #SSO RocketChat channel and see what the community recommends if you have an unusual use case or an innovative idea. Thank you for your collaboration!
 
 
 </details>
 
 
-<p align="right">
-  <img width="400" height="200" src="https://user-images.githubusercontent.com/87393930/133848225-13dfcb95-7a2e-46b4-ace7-edc436473905.png">
+<p align="right" markdown>
+  ![Services Card](./img/services-card.png)
 </p>
 
 ----------------------------
-#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2]   <a href="mailto:[email protected]?"><img src="https://user-images.githubusercontent.com/87393930/133690650-b706e658-27bf-4066-92ba-3a7d8a4593ef.png"/></a>
+#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2]   <a href="mailto:[email protected]">![Email](./img/email.png)</a>
 [2]: https://chat.developer.gov.bc.ca/channel/sso
 [3]: https://[mail](mailto:[email protected])[email](mailto:[email protected])
diff --git a/wiki/SSO-Onboarding.md b/wiki/SSO-Onboarding.md
@@ -2,7 +2,7 @@
 * [START USING OIDC CLIENT CONFIGURATION](#start-using-your-OIDC-client-configuration)
 
 
-![Group 1491](https://user-images.githubusercontent.com/87393930/134225781-e899275c-781e-4979-8884-03ebb4fc7f51.png)
+![Group 1491](./img/idp-graph.png)
 
 ----------------------------------
 
@@ -24,6 +24,6 @@ Please visit [BCGov Cloud Services](https://digital.gov.bc.ca/cloud/services/)
 
 Once you have your client details, you can configure your application to use the service for your application login. For helpful advice on integration see [Using Your SSO Client](https://bcgov.github.io/sso-docs/category/getting-started) or **if you are eager**, check out our [keycloak example apps](https://github.com/bcgov/keycloak-example-apps)
 
-#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2]   <a href="mailto:[email protected]?"><img src="https://user-images.githubusercontent.com/87393930/133690650-b706e658-27bf-4066-92ba-3a7d8a4593ef.png"/></a>
+#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2]   <a href="mailto:[email protected]">![Email](./img/email.png)</a>
 [2]: https://chat.developer.gov.bc.ca/channel/sso
 [3]: https://[mail](mailto:[email protected])[email](mailto:[email protected])
diff --git a/wiki/Useful-References.md b/wiki/Useful-References.md
@@ -1,10 +1,10 @@
-* [Intro to terms](#Intro-to-terms)
+* [Intro to terms](#intro-to-terms)
 * [How we describe Keycloak](#keycloak-how-we-describe-it)
 * [Newbie Guide: Concepts and Terms](#newbie-guide)
-* [Learn about the Open ID connect and OAuth Protocols](#Learn-about-the-Open-ID-connect-and-OAuth-Protocols)
+* [Learn about the Open ID connect and OAuth Protocols](#learn-about-the-open-id-connect-and-oauth-protocols)
 * [Our Youtube videos on OIDC 101](#oidc-101)
-* [Learn about Keycloak and its APIs](#Learn-about-Keycloak-and-its-APIs)
-* [How to set up and use your KeyCloak Client](#How-to-set-up-and-use-your-KeyCloak-Client)
+* [Learn about Keycloak and its APIs](#learn-about-keycloak-and-its-apis)
+* [How to set up and use your KeyCloak Client](#how-to-set-up-and-use-your-keycloak-client)
 * [Q&A with Us](#qa-with-us)
 
 
@@ -26,7 +26,7 @@ An "Identity Provider" is the holder of the identity that is used to log in with
 
 [Visit this FAQ](https://github.com/bcgov/sso-keycloak/discussions/256) on which Identity Provider might be best for you
 
-### [Keycloak how we describe it](https://github.com/bcgov/sso-keycloak/wiki/What-is-Keycloak-@-BC-Government%3F#what-is-keycloak)
+### [Keycloak how we describe it](What-is-Keycloak-at-BC-Government#what-is-keycloak)
 
 ### Newbie Guide
 
@@ -72,8 +72,6 @@ The following links are a good introduction or refresher to the OIDC standard.
 
 [Stackover flow Collection 2 on Custom Realms](https://stackoverflow.developer.gov.bc.ca/search?q=custom+realm)
 
-
-
-#### *Have any questions? We would love to hear from you.* [![Semantic description of image](https://user-images.githubusercontent.com/87393930/133688357-09f82374-ba18-4402-8089-c0a989dde882.png)][2]   <a href="mailto:[email protected]?"><img src="https://user-images.githubusercontent.com/87393930/133690650-b706e658-27bf-4066-92ba-3a7d8a4593ef.png"/></a>
+#### *Have any questions? We would love to hear from you.* [![Chat Bubble](./img/chat-bubble.png)][2]   <a href="mailto:[email protected]">![Email](./img/email.png)</a>
 [2]: https://chat.developer.gov.bc.ca/channel/sso
 [3]: https://[mail](mailto:[email protected])[email](mailto:[email protected])
diff --git a/wiki/Using-Your-SSO-Client.md b/wiki/Using-Your-SSO-Client.md
@@ -1,6 +1,3 @@
-<br>
-
-
 ## Table of Contents
 - [Introduction to key concepts and terms (newbie guide)](#Introduction-to-key-concepts-and-terms)
 - [Openshift Clusters](#openshift-clusters)