KC Migration from Silver to Gold [#3002]

[sumathi-thirumani]

Migration of KC (Gold-Dev)

• [x] Setup of the identity provider GitHub
• [x] Setup of the identity Provider IDIR
• [x] Setup of the identity provider BCSC
• [x] Migration of client forms-flow-bpm
• [x] Migration of client forms-flow-web
• [x] Migration of client forms-flow-analytics
• [x] Migration of client foi-web
• [x] Migration of client foi-lob-api
• [x] Migration of client foi-help-frontend
• [x] Migration of client AXISFOIAPI
• [x] Migration of client foi-document-redaction
• [x] Migration of saml client for reports
• [x] Migration of Groups
• [x] Migration of Users
• [x] Migration of existing User Group Mappings
• [x] Admin Setup

NOTE: forms-flow-bpm needs its dependencies to be upgraded for supporting the new KC.

forms-flow-bpm

• [x] Upgrade of forms-flow-bpm dependencies to support Gold KC

foi-web

• [x] Upgrade of keycloak-js to support Gold KC
• [x] Changes in userservice to reference identity provider specific mapper

forms-flow-ai-web

• [x] Upgrade of keycloak-js to support Gold KC

request-management-api

• [x] Changes in userservice to reference identity provider specific mapper

Migration of Users

• [x] IDIR
• [x] Test Accounts [Basic]
• [x] BCSC [Not Applicable - Need Confirmation]

Supported Authentication mechanism - Dev

• [x] IDIR
• [x] Github
• [x] BCSC
• [x] Basic

Supported Authentication mechanism - Test

• [x] IDIR
• [x] Github
• [x] BCSC
• [x] Basic

Supported Authentication mechanism - Prod

• [x] IDIR
• [ ] BCSC

Unit Testing

• [x] FOI Reports
• [x] FOI Web
• [x] FOI Backend
• [x] FOI BPM
• [x] FOI formsflow.ai

Integration Testing - Dev Marshal

• [x] FOI Reports
• [x] FOI Web
• [x] FOI Backend
• [x] FOI BPM
• [x] FOI formsflow.ai
• [x] FOI Angular
• [x] Axis

Integration Testing - Test Marshal

• [x] FOI Reports
• [x] FOI Web
• [x] FOI Backend
• [x] FOI BPM
• [x] FOI formsflow.ai (Deferred to support test env)
• [x] FOI Angular
• [x] Axis

Integration Testing - Dev

• [x] FOI Reports
• [x] FOI Web
• [x] FOI Backend
• [x] FOI BPM
• [x] FOI formsflow.ai
• [x] Redaction app
• [x] FOI Angular
• [x] Axis

Integration Testing - Test

• [x] FOI Reports
• [ ] FOI Web
• [ ] FOI Backend
• [ ] FOI BPM
• [ ] FOI formsflow.ai
• [ ] Redaction app
• [ ] FOI Angular
• [ ] Axis

[sumathi-thirumani]

Migration Entities (In order to approach)

1. IDP
2. Clients
3. Groups
4. Users
5. User – Group mapping

[sumathi-thirumani]

How is it Done ?

1. Step-1 : Got admin access to realms: dev, test, prof : Completed
2. Step-2: Submitted request to get IDPs (IDIR & BCGov github) using link https://bcgov.github.io/sso-requests/my-dashboard/integrations : Completed
3. Step-3: Setup IDP & send email to get setup completed for BC Services Card a. Reference to reach team to have a new redirect URI setup https://stackoverflow.developer.gov.bc.ca/questions/512/515#515
4. Import Clients - Leverage admin privilege to export and import [Ensure to remove all IDs with are random generated]
5. Import Groups - Leverage admin privilege to export and import [Ensure to remove all IDs with are random generated]
6. Import Users a. IDIR : Leverage the script given by the sso -> reference : https://github.com/bcgov/sso-keycloak/tree/dev/scripts/custom-realm-users b. Local Accounts : Leverage postman API c. BCSC : Not required
7. User-Group Mapping : Leveraged custom plugin (.jmx) to do it

[sumathi-thirumani]

Issues Faced:

1. Unable to logout from the session (Tested in browsers – Edge, Chrome and FF) -> Resolved Root cause – SSO request to have logout URI configured
2. Variation in the value format of preferred_username -> Resolved Resolution - Custom mapper in IDP & client
3. Migration of users with script -> Resolved Observations: a. ##Script enforces to give PAT; even though the silver has only IDIR and BASIC users. Note: Giving PAT is mandatory (The script is driven by IDP and not .env) b. ##Script did not run with user ID with admin privileges whereas; it requires a service account with realm administration c. ##Script creates the user with “Provider User ID” in upper case. [ Blocker -> New user gets created every time with the additional setting of “Duplicate emails” enabled]. Resolution: Deleted all users and re-ran the modified script.

[sumathi-thirumani]

Realm Settings

Not advisable to have "Duplicate emails" at the realm level. Turned it off !!!! Logically, it does not make sense to authenticate and create a duplicate with no permissions. -Sumathi

[sumathi-thirumani]

MANUAL

For BPM: The client service account is to be manually provided with realm user and group related permissions.

[sumathi-thirumani]

MANUAL

For client "forms-flow-web". Manually add the mapper "Preffered_username".

[sumathi-thirumani]

MANUAL

Setup session management properties

[sumathi-thirumani]

MANUAL

Set password for local accounts.

[m-prodan]

QA Testing Notes:

• Make sure we test BCSC Sign-In on angular web form

[sumathi-thirumani]

Migration Activity - Test

• [x] FOI Reports
• [x] FOI Web
• [x] FOI Backend
• [x] FOI BPM
• [x] FOI formsflow.ai
• [x] FOI Angular
• [x] Axis