Rotate Microsoft Secrets
Context
MOJ Forms uses the Microsoft services:
- SSO – Single Sign-On for accessing MOJ Forms Editor
- Sending submission data to MS SharePoint Lists
Each of these relies on an Application Registration (app reg) in Azure to enable it.
Prerequisites
- Access to the fb-editor-deploy repo
- Added GPG key to the git-crypt in the fb-editor-deploy repo
- Permissions to the app in MS Azure for both live and devl tenants
- Access to the moj-forms Auth0 tenant
Note: The team's TA is the owner of the app registrations.
SSO - Authentication Connection
MOJ Forms uses Auth0 to manage the SSO into MOJ Forms.
Note: SSO into MOJ Forms previously also supported sign-in via Google. That has since been migrated, so Google sign-in may not work; sign in via MS instead.
There are 4 Enterprise Azure ADs, with the domains they cover:
| AD | Domains |
|---|---|
| Azure-CICA | cica.gov.uk |
| CCRC-Azure | ccrc.gov.uk |
| HMCTSnet-Azure | hmcts.net |
| moj-azure | justice.gov.uk, digital.justice.gov.uk (uses MOJ MS Entra ID now), ospt.gov.uk, judicialappointments.gov.uk, judicialombudsman.gov.uk, publicguardian.gov.uk |
We only have access to the moj-azure connection, so that is the only one for which we can create a new secret ourselves.
For CICA, CCRC and HMCTS.net, raise a request or post a message in the #staff-identity-authentication-services Slack channel for help managing them.
Rotating
Azure
- Open portal.azure.com
- Find the SSO application in the portal
- Secrets & tokens
- Client secrets tab and New client secret
- Give it a name and an expiry date, then copy the secret value straight away (Azure only shows it once); store it in 1Password if it is needed later
Auth0
- moj-forms tenant
- Authentication
- Enterprise
- Microsoft Azure AD
- moj-azure
- Edit client secret
- Add new secret
- Save
If the tokens between Auth0 and the Editor also need changing, they live in the fb-editor-deploy repo.
Add New Domain
In some cases you may need to add a domain. Currently this involves adding the domain to the long list of buttons on the Auth0 login screen.
Add to allow list
Auth0
- moj-forms tenant
- Actions
- Library
- Email_domain_allowlist
- Add the new domain into the list
- Save draft, deploy
fb-editor
Add the domain into the MOJ Forms Editor repo (fb-editor)
Update login screen
This adds the domain to the long list of login buttons.
Auth0
- moj-forms tenant
- Branding
- Universal Login
- Advanced Login
- Login
- Customise Login Page
- Update the JavaScript with the new connection and button
WARNING: This changes both test and live. Update with caution.
MS SharePoint Lists
Editor
Set up for the Test Editor and Environments
Azure
- Open portal.azure.com
- Log in with the devl account (name@devl.justice.gov.uk)
- moj-forms-development
- Manage > certificates & secrets
- Client secrets > + new client secret
- Add name and expiry date
- Copy the Value and add it to 1Password for safe keeping
Update the deploy repo
fb-editor-deploy
git pull
git checkout -b rotate-lists-secret-test-yymm
git-crypt unlock
printf '%s' 'thesecretfromabove' | base64
(use printf rather than echo so that a trailing newline is not encoded into the secret)
Update ms_admin_app_secret in secrets/test-secrets-values.yaml with the base64 value
git add [the files]
git commit -m "Updated the list test secret"
git-crypt lock
git push
Submitter
fb-submitter-deploy
git pull
git checkout -b rotate-lists-secret-test-yymm
git-crypt unlock
printf '%s' 'thesecretfromabove' | base64
(use printf rather than echo so that a trailing newline is not encoded into the secret)
Add the base64 value to ms_admin_app_secret in secrets/test-dev-secrets-values.yaml
Add the base64 value to ms_admin_app_secret in secrets/test-production-secrets-values.yaml
git add [the files]
git commit -m "Updated the list test secret"
git-crypt lock
git push
Live environment
Exactly the same process, but log in to portal.azure.com with your justice account.
Use live-dev and live-production for the environment secrets.
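The base64-and-update step is the same for the editor, submitter and live values files. As an added example (not from this runbook or the deploy repos), this POSIX shell snippet encodes a pasted secret without the stray newline a bare echo adds, writes it into the ms_admin_app_secret key of a values file and reads it back for a round-trip check; it assumes the key appears as a plain top-level `ms_admin_app_secret: <base64>` line.

```shell
#!/bin/sh
# Added example, not part of the runbook or the fb-*-deploy repos.
# Assumes the values file has a top-level "ms_admin_app_secret: <base64>" line.

# Read the secret from stdin and base64-encode it. Any newline that came
# with the paste (or from `echo`) is dropped first, otherwise it would be
# encoded into the secret Kubernetes hands to the app and auth would fail.
encode_secret() {
  tr -d '\n' | base64 | tr -d '\n'
}

# Replace the ms_admin_app_secret value in the given values file with the
# encoding of the secret read from stdin. Prints the encoded value.
update_secret_value() {
  file="$1"
  encoded="$(encode_secret)"
  # Keep the key, replace everything after the colon. base64 output never
  # contains '|' or '&', so it is safe inside this sed replacement.
  sed -i.bak "s|^\(ms_admin_app_secret:\).*|\1 ${encoded}|" "$file"
  rm -f "$file.bak"
  printf '%s\n' "$encoded"
}

# Decode the stored value so the rotated secret can be checked against
# what was copied from Azure before the commit is pushed.
read_secret_value() {
  sed -n 's/^ms_admin_app_secret:[[:space:]]*//p' "$1" | base64 -d
}
```

Run it as `printf '%s' 'secret' | update_secret_value secrets/test-secrets-values.yaml` and compare `read_secret_value secrets/test-secrets-values.yaml` with the value in 1Password before committing.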