DfE sign-in has the following environments:
- Dev
- Test: used by Apply qa
- Preprod
- Production: used by Apply staging, sandbox, production
The Provider interface at /provider and the Support interface at /support are both protected by DfE's SSO provider, DfE Sign-in.
In development and QA we use the Test environment of DfE Sign-in:

```
# .env
DFE_SIGN_IN_ISSUER=https://test-oidc.signin.education.gov.uk
```

In staging, production and sandbox we use the Production environment of DfE Sign-in:

```
# .env
DFE_SIGN_IN_ISSUER=https://oidc.signin.education.gov.uk
```
The configuration is done via the DSI "Manage" application. Request access via the DSI service-now form.
- Service name: Used to display the service name in the Manage app list of services. It is also included in the JWT token.
  - "Manage Teacher Training Applications"
- Description: Displayed on the Manage app, on the Support app and on the DSI homepage.
- Home Url: Main site URL, used as the landing page from DSI and after sign out.
- Client Id: Can be chosen; must be unique, alphabetical and 8 characters maximum.
  - "apply"
- Client secret: Generated; must be stored as a secret and provided to the Apply webapp. It is sent in requests to DSI.
- Redirect Urls: Whitelist of post sign-in URLs.
- Logout redirect Urls: Whitelist of post sign-out URLs.
- Grant types:
  - authorization_code
  - refresh_token
- Response types: See OAuth 2.0 Multiple Response Type Encoding Practices.
  - none selected
- Defines whether the client sends encrypted POST requests. This is mostly for dotnet apps.
  - "none"
- Secret: Access to the DSI public API, which is specific to DSI, not OAuth. It is generated, must be stored as a secret and provided to the Apply webapp.
- DFE_SIGN_IN_SECRET: Secret string used to encode/decode the payload when communicating with DSI. It is generated on the Manage service page under OpenID Connect / Client secret.
- DSI_API_URL: DSI API endpoint used to access extra data from the API. May point to the preprod or prod DSI environment.
- DSI_API_SECRET: Secret string used to decode the payload from the DSI API. It is generated on the Manage service page under API / Secret.
- DFE_SIGN_IN_CLIENT_ID: Client ID used to connect to DSI via OIDC. It is set on the Manage service page under OpenID Connect / Client Id.
- DFE_SIGN_IN_ISSUER: DSI OIDC environment endpoint for authentication. May point to the preprod or prod DSI environment.
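As an added example (not the Apply project's own code), a boot-time check in Ruby that the DfE Sign-in settings loaded from ENV agree with the environment mapping above: the issuer must be the Test DSI environment for development and QA and the Production one for staging, sandbox and production, every variable listed above must be set, and the Client Id must satisfy the Manage app's constraints. The module, method and deployment environment names are assumptions.

```ruby
# Added example, not the Apply project's own code: fail fast at boot when the
# DfE Sign-in settings in ENV disagree with the deployment environment.
# Module, method and deployment environment names are hypothetical.
require 'uri'
module DfeSignInConfig
  TEST_ISSUER = 'https://test-oidc.signin.education.gov.uk'.freeze
  PROD_ISSUER = 'https://oidc.signin.education.gov.uk'.freeze

  # Dev and QA use the Test DSI environment; staging, sandbox and production
  # use the Production DSI environment.
  EXPECTED_ISSUER = {
    'development' => TEST_ISSUER, 'qa' => TEST_ISSUER,
    'staging' => PROD_ISSUER, 'sandbox' => PROD_ISSUER, 'production' => PROD_ISSUER,
  }.freeze

  REQUIRED_KEYS = %w[DFE_SIGN_IN_ISSUER DFE_SIGN_IN_CLIENT_ID DFE_SIGN_IN_SECRET
                     DSI_API_URL DSI_API_SECRET].freeze

  # Returns a list of problems; an empty list means the settings are consistent.
  def self.problems(deploy_env, env)
    errors = REQUIRED_KEYS.select { |k| env[k].to_s.strip.empty? }
                          .map { |k| "#{k} is missing" }
    return errors unless errors.empty? # nothing else is meaningful without them

    expected = EXPECTED_ISSUER[deploy_env]
    if expected.nil?
      errors << "unknown deployment environment #{deploy_env.inspect}"
    elsif env['DFE_SIGN_IN_ISSUER'] != expected
      # e.g. production pointed at the Test DSI environment, or vice versa
      errors << "DFE_SIGN_IN_ISSUER must be #{expected} in #{deploy_env}"
    end

    # Client Id constraints from the Manage app: alphabetical, 8 characters max.
    unless env['DFE_SIGN_IN_CLIENT_ID'].match?(/\A[A-Za-z]{1,8}\z/)
      errors << 'DFE_SIGN_IN_CLIENT_ID must be alphabetical and at most 8 characters'
    end

    # Secrets travel to DSI in requests, so the API endpoint must be https.
    api = (URI.parse(env['DSI_API_URL']) rescue nil)
    errors << 'DSI_API_URL must be an https URL' unless api.is_a?(URI::HTTPS)
    errors
  end

  # Raise so the app refuses to boot on a bad configuration.
  def self.check!(deploy_env, env = ENV)
    found = problems(deploy_env, env)
    raise "DfE Sign-in misconfigured: #{found.join('; ')}" unless found.empty?
    true
  end
end
```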
DfE Sign-In is used for support users as well as provider users. Apply connects to the DSI API to add the users.
- Support users: Can be added by another support user from the support page. The user must already be registered with DfE Sign-In. Their email and DSI id are required.
- Provider users: Can be added to an existing provider by a support user or by another provider user. First name, last name and email are required.