Teams can log in to OpenShift with either a GitHub ID or IDIR. IDIR authentication is enabled in the Silver cluster of the OpenShift platform. You must have multi-factor authentication (MFA) enabled to log in with either GitHub or your IDIR. This access mechanism links to Azure Active Directory (AD). You get instructions on how to enable MFA for your IDIR account during onboarding.
You have to log in with IDIR into the OpenShift console before you can associate any role bindings with the IDIR account.
When you log in to the Silver cluster OpenShift console, you have the option of using GitHub or your Azure AD IDIR.
GitHub accounts are still the default authentication mechanism for our developers.
We will update the Platform Project Registry to use IDIR user accounts and B.C. government email identifiers for product owners and technical leads to ensure that namespace administrative-level controls are tied to an account that we have more control over. There is not yet a target date for this change. Make sure all contractors listed as technical leads for projects on the platform have active IDIR accounts.
Some teams may choose to have all team members migrated to IDIR account use for OpenShift platform access. This isn't required.
We want teams to migrate their role bindings from their GitHub accounts to IDIR on their own, and de-provision the GitHub accounts, if necessary.
We're investigating IDIR security groups integration, but it's not in place yet. This requires a synchronization between our data centre active directory and the Azure Active Directory that is not fully in place yet.
We don't intend to leverage SSO integration for IDIR onto GitHub at this time. You'll still use GitHub accounts to access GitHub content.
Note: There won't be automated migration for the namespace access role bindings created for the GitHub ID to the IDIR accounts performed by the Platform Services team. Any such migrations would have to be done by product teams themselves.
If you have any questions or concerns about this change, post your question in #devops-security channel in Rocket.Chat.