Secrets & Credential Rotation

The MaxConf API authenticates consumers via Microsoft Entra ID service principals. Each environment (Test and Production) has its own service principal (sec_bcgov_v1).

  • Client secrets expire 180 days after creation.
  • Maximus administrators generate new secrets every 3 months (90 days), providing a 90-day overlap window before the old secret expires.
  • New secrets are delivered to IDIM via email to the IDIM Technical Operations team.
| Environment | OAuth2.0 Client ID |
| --- | --- |
| Test/Edge (DEV, DEV2, SIT) | d802c929-6984-48f9-81d1-ff8770c65bde |
| Test (QA, PREPROD, Test) | 9f0c40e1-6c03-40c1-8035-78bfcd8fed1b |
| Production | a154a158-92d0-4d3c-a756-95d811001574 |

All service principals authenticate against the same OAuth2.0 token endpoint:

https://login.microsoftonline.com/953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token

  1. Generate a new client secret in Microsoft Entra ID for the appropriate service principal.
  2. Store the new secret in the corresponding Azure Key Vault (kvlt-maxconf-test or kvlt-maxconf-prod).
  3. Email the new secret to the IDIM Technical Operations team and individual contacts (see Support & Contacts).
  4. After confirming IDIM has updated their configuration, verify the old secret is no longer in use.
  5. Allow the old secret to expire naturally (do not delete early - it serves as a rollback path).
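The rotation policy and procedure above can be checked mechanically. The following is an added example, not Maximus or MaxConf code: it encodes the 180-day lifetime and 90-day cadence stated on this page, classifies a credential inventory shaped like `az ad app credential list` output (which secret is current, which is the rollback kept for step 5, whether rotation is overdue), and builds the OAuth2.0 client-credentials request against the token endpoint above so a freshly generated secret can be proven to work before it is emailed to IDIM in step 3. The credential records and the scope value are constructed sample data; the real scope is whatever the MaxConf API app registration exposes.

```python
"""Rotation-window helper for the MaxConf service-principal secrets (added example)."""
from datetime import date, datetime, timedelta
from urllib.parse import urlencode
import urllib.request

SECRET_LIFETIME_DAYS = 180   # page: secrets expire 180 days after creation
ROTATION_CADENCE_DAYS = 90   # page: a new secret is generated every 90 days
TOKEN_ENDPOINT = ("https://login.microsoftonline.com/"
                  "953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token")


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string (az prints a trailing Z, which older fromisoformat rejects)."""
    if isinstance(value, date):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00")).date()


def rotation_schedule(created) -> dict:
    """Expiry date, next rotation date and the overlap they leave for a secret created on `created`."""
    created = _as_date(created)
    expires = created + timedelta(days=SECRET_LIFETIME_DAYS)
    next_rotation = created + timedelta(days=ROTATION_CADENCE_DAYS)
    return {"expires": expires.isoformat(), "next_rotation": next_rotation.isoformat(),
            "overlap_days": (expires - next_rotation).days}


def classify_credentials(creds: list, today) -> dict:
    """Pick the current and rollback secrets from an inventory and say whether rotation is due.

    Each record carries keyId, startDateTime and endDateTime, as in
    `az ad app credential list` output (the secret value itself is never listed).
    """
    today = _as_date(today)
    live = sorted((c for c in creds if _as_date(c["endDateTime"]) > today),
                  key=lambda c: _as_date(c["startDateTime"]), reverse=True)
    if not live:
        return {"status": "NO_VALID_SECRET", "current": None, "rollback": None,
                "days_until_rotation": None}
    current = live[0]
    rollback = live[1] if len(live) > 1 else None   # older secret kept until it expires (step 5)
    next_rotation = _as_date(rotation_schedule(current["startDateTime"])["next_rotation"])
    days_left = (next_rotation - today).days
    if days_left < 0:
        status = "ROTATION_OVERDUE"
    elif days_left <= 14:
        status = "ROTATE_SOON"
    else:
        status = "OK"
    return {"status": status, "current": current["keyId"],
            "rollback": rollback["keyId"] if rollback else None,
            "days_until_rotation": days_left}


def token_request(client_id: str, client_secret: str, scope: str) -> urllib.request.Request:
    """OAuth2.0 client-credentials request against the page's token endpoint.

    Sending it with urllib.request.urlopen and receiving a 200 with an access_token
    confirms the new secret works before IDIM is told to switch to it.
    """
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}).encode()
    return urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


# Constructed inventory: a secret issued 10 Jan 2024 and its replacement issued 90 days later.
SAMPLE_CREDS = [
    {"keyId": "old-secret", "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2024-07-08T00:00:00Z"},
    {"keyId": "new-secret", "startDateTime": "2024-04-09T00:00:00Z", "endDateTime": "2024-10-06T00:00:00Z"},
]

if __name__ == "__main__":
    print(rotation_schedule("2024-01-10"))
    print(classify_credentials(SAMPLE_CREDS, "2024-05-01"))   # OK, rollback still valid
    print(classify_credentials(SAMPLE_CREDS, "2024-07-20"))   # overdue, rollback expired
    # Scope below is a placeholder; substitute the MaxConf API's real scope before sending.
    print(token_request("<client-id-from-table>", "<new-secret>", "api://PLACEHOLDER/.default").full_url)
```

With the sample inventory the overlap comes out at exactly 90 days, matching the policy statement; if a rotation slips, the `ROTATION_OVERDUE` status shows that the old secret has expired with no rollback path left.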

The API uses HTTPS with Azure-managed certificates via API Management custom domains. These are automatically renewed by Microsoft - no manual intervention required.

The Pexip management and conference nodes use HTTPS with customer-managed certificates signed by DigiCert. These require manual renewal before expiry.

| Certificate | Covers | Signed by |
| --- | --- | --- |
| Pexip Management (Test) | Management node FQDN | DigiCert |
| Pexip Management (Prod) | Management node FQDN | DigiCert |
| Pexip Conference (Test) | conference.test.vc.maxconf.ca | DigiCert |
| Pexip Conference (Prod) | conference.vc.maxconf.ca | DigiCert |

| Key Vault | Environment | Consumers |
| --- | --- | --- |
| kvlt-maxconf-test | Test | Function App, API Management |
| kvlt-maxconf-prod | Production | Function App, API Management |

Secrets are accessed via Managed Identity - the Function App and API Management service have identity-based access policies on their respective Key Vaults. No connection strings are stored in application configuration.
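The "no connection strings in application configuration" rule can be verified against an exported settings map. The following is an added example, not MaxConf code: it flags settings that hold a literal secret or connection string instead of a Key Vault reference (the documented App Service / Functions `@Microsoft.KeyVault(...)` syntax, which is resolved through the app's Managed Identity), and it flags references that point at the other environment's vault using the Key Vault table above. The settings values are constructed and fake.

```python
"""Audit Function App settings for plaintext secrets and cross-environment vault references (added example)."""
import re

# Vault each environment should reference, from the Key Vault table on this page.
EXPECTED_VAULT = {"Test": "kvlt-maxconf-test", "Production": "kvlt-maxconf-prod"}

# Both documented Key Vault reference forms: SecretUri=... or VaultName=...;SecretName=...[;SecretVersion=...]
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\("
    r"(?:SecretUri=https://(?P<host>[^/;)]+)/secrets/[^;)]+"
    r"|VaultName=(?P<vault>[^;)]+);SecretName=[^;)]+(?:;SecretVersion=[^;)]+)?)"
    r"\)$"
)
# Setting names that should never carry a literal value.
SENSITIVE_NAME = re.compile(r"secret|password|connectionstring|accountkey|apikey|token", re.I)
# Fragments that mark a literal connection string or key regardless of the setting name.
SECRET_VALUE = re.compile(r"AccountKey=|SharedAccessKey=|Password=|client_secret=", re.I)


def referenced_vault(value: str):
    """Vault name a Key Vault reference points at, or None if the value is not a reference."""
    m = KV_REF.match(value)
    if not m:
        return None
    # SecretUri form carries the vault as the host label before .vault.azure.net
    return m.group("vault") or m.group("host").split(".")[0]


def audit_settings(settings: dict, environment: str) -> list:
    """Findings for settings that hold plaintext secrets or reference the wrong environment's vault."""
    findings = []
    for name, value in settings.items():
        vault = referenced_vault(value)
        if vault is not None:
            if vault != EXPECTED_VAULT[environment]:
                findings.append({"setting": name, "reason": "WRONG_VAULT", "vault": vault})
            continue
        if SENSITIVE_NAME.search(name) or SECRET_VALUE.search(value):
            findings.append({"setting": name, "reason": "PLAINTEXT_SECRET"})
    return findings


# Constructed settings export for the Test Function App (all values are fake).
SAMPLE_SETTINGS = {
    "PexipApiSecret": "@Microsoft.KeyVault(SecretUri=https://kvlt-maxconf-test.vault.azure.net/secrets/pexip-api-secret/)",
    "ReportingDbPassword": "@Microsoft.KeyVault(VaultName=kvlt-maxconf-prod;SecretName=reporting-db-password)",
    "StorageConnection": "DefaultEndpointsProtocol=https;AccountName=stmaxconf;AccountKey=FAKEKEY0000==;",
    "FUNCTIONS_WORKER_RUNTIME": "python",
}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS, "Test"):
        print(finding)
```

Run against the sample, the Test audit reports `ReportingDbPassword` (reference into the Production vault) and `StorageConnection` (literal account key); the two clean settings produce nothing. A Key Vault reference only resolves if the app's identity has the access policy described above, so a reference into the wrong vault typically surfaces as a failed settings resolution at runtime rather than a leaked value, which is why it is still worth catching at review time.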