Secrets & Credential Rotation
Client secret lifecycle
The MaxConf API authenticates consumers via Microsoft Entra ID service principals. Each environment (Test and Production) has its own service principal (sec_bcgov_v1).
Rotation schedule
- Client secrets expire 180 days after creation.
- Maximus administrators generate new secrets every 3 months (90 days), providing a 90-day overlap window before the old secret expires.
- New secrets are delivered to IDIM via email to the IDIM Technical Operations team.
Service principals by environment
| Environment | OAuth2.0 Client ID |
|---|---|
| Test/Edge (DEV, DEV2, SIT) | d802c929-6984-48f9-81d1-ff8770c65bde |
| Test (QA, PREPROD, Test) | 9f0c40e1-6c03-40c1-8035-78bfcd8fed1b |
| Production | a154a158-92d0-4d3c-a756-95d811001574 |
All service principals authenticate against the same OAuth2.0 token endpoint:
https://login.microsoftonline.com/953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token
Rotation procedure
- Generate a new client secret in Microsoft Entra ID for the appropriate service principal.
- Store the new secret in the corresponding Azure Key Vault (kvlt-maxconf-test or kvlt-maxconf-prod).
- Email the new secret to the IDIM Technical Operations team and individual contacts (see Support & Contacts).
- After confirming IDIM has updated their configuration, verify the old secret is no longer in use.
- Allow the old secret to expire naturally (do not delete early - it serves as a rollback path).
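The procedure above has three checks an operator repeats every cycle: is a new secret due (90-day cadence), is the outgoing secret close to its 180-day expiry, and has IDIM actually stopped using the old secret before it is allowed to lapse. The script below is an added example, not part of this runbook or the MaxConf code base, that encodes those checks over data in the shape Microsoft Graph returns for an application's `passwordCredentials` (`keyId`, `startDateTime`, `endDateTime`) and for service principal sign-ins (`createdDateTime`, `servicePrincipalCredentialKeyId`). The credential list, sign-in records, key IDs and the 30-day warning and 7-day "in use" thresholds are all constructed here for illustration; only the 180-day lifetime and 90-day rotation interval come from this page.

```python
"""Rotation-health check for Entra ID client secrets (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

SECRET_LIFETIME_DAYS = 180     # policy value from the rotation schedule on this page
ROTATION_INTERVAL_DAYS = 90    # policy value from the rotation schedule on this page
EXPIRY_WARNING_DAYS = 30       # assumption: warn when a secret has 30 days or less left
USAGE_LOOKBACK_DAYS = 7        # assumption: "still in use" = a sign-in within the last 7 days


def _ts(value):
    """Parse a Graph-style ISO 8601 timestamp (with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_report(credentials, sign_ins, now):
    """Classify credentials and report what the rotation procedure needs to act on.

    credentials: list of dicts with keyId, startDateTime, endDateTime (Graph passwordCredentials shape)
    sign_ins:    list of dicts with createdDateTime, servicePrincipalCredentialKeyId
    now:         aware datetime used as the evaluation time
    """
    active, expired = [], []
    for cred in credentials:
        (expired if _ts(cred["endDateTime"]) <= now else active).append(cred)

    # Newest active secret first; its age drives the 90-day rotation cadence.
    active.sort(key=lambda c: _ts(c["startDateTime"]), reverse=True)
    newest = active[0] if active else None
    newest_age = (now - _ts(newest["startDateTime"])).days if newest else None
    rotation_due = newest is None or newest_age >= ROTATION_INTERVAL_DAYS

    # Count recent sign-ins per credential so we can tell whether IDIM has moved off the old secret.
    recent_use = {}
    cutoff = now - timedelta(days=USAGE_LOOKBACK_DAYS)
    for entry in sign_ins:
        if _ts(entry["createdDateTime"]) >= cutoff:
            key = entry["servicePrincipalCredentialKeyId"]
            recent_use[key] = recent_use.get(key, 0) + 1

    expiring_soon, old_secrets_in_use = [], []
    for cred in active:
        days_left = (_ts(cred["endDateTime"]) - now).days
        if days_left <= EXPIRY_WARNING_DAYS:
            expiring_soon.append((cred["keyId"], days_left))
        # An older secret that still authenticates means the consumer has not switched yet:
        # do not let it expire until this list is empty.
        if cred is not newest and recent_use.get(cred["keyId"]):
            old_secrets_in_use.append(cred["keyId"])

    # Secrets whose lifetime does not match policy (e.g. created with a multi-year expiry).
    lifetime_violations = [
        c["keyId"] for c in credentials
        if (_ts(c["endDateTime"]) - _ts(c["startDateTime"])).days != SECRET_LIFETIME_DAYS
    ]

    return {
        "rotation_due": rotation_due,
        "days_until_rotation": None if newest is None else max(0, ROTATION_INTERVAL_DAYS - newest_age),
        "expiring_soon": expiring_soon,
        "old_secrets_still_in_use": old_secrets_in_use,
        "expired": [c["keyId"] for c in expired],
        "lifetime_policy_violations": lifetime_violations,
    }


# --- constructed sample data (not real credentials or log records) ---
OLD_KEY = "11111111-1111-1111-1111-111111111111"      # outgoing secret, expires in 29 days
NEW_KEY = "22222222-2222-2222-2222-222222222222"      # current secret, 59 days old
EXPIRED_KEY = "33333333-3333-3333-3333-333333333333"  # lapsed secret, issued with a 211-day lifetime
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

SAMPLE_CREDENTIALS = [
    {"keyId": OLD_KEY, "startDateTime": "2024-10-01T00:00:00Z", "endDateTime": "2025-03-30T00:00:00Z"},
    {"keyId": NEW_KEY, "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-06-30T00:00:00Z"},
    {"keyId": EXPIRED_KEY, "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2024-09-28T00:00:00Z"},
]
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-02-27T10:00:00Z", "servicePrincipalCredentialKeyId": OLD_KEY},
    {"createdDateTime": "2025-02-28T09:00:00Z", "servicePrincipalCredentialKeyId": NEW_KEY},
    {"createdDateTime": "2025-02-10T09:00:00Z", "servicePrincipalCredentialKeyId": OLD_KEY},  # outside lookback
]

if __name__ == "__main__":
    for field, value in rotation_report(SAMPLE_CREDENTIALS, SAMPLE_SIGN_INS, NOW).items():
        print(f"{field}: {value}")
```

Against the sample data the report says no new secret is due for another 31 days, the outgoing secret expires in 29 days, and that same secret was still used two days ago, so the "verify the old secret is no longer in use" step has not been satisfied yet. In practice the two input lists would be pulled from Graph (`/applications/{id}` for credentials and the service principal sign-in logs) by whatever tooling the team already uses; the checks themselves do not change.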
Certificate management
MaxConf API (Azure API Management)
The API uses HTTPS with Azure-managed certificates via API Management custom domains. These are automatically renewed by Microsoft - no manual intervention required.
Pexip Infinity nodes
The Pexip management and conference nodes use HTTPS with customer-managed certificates signed by DigiCert. These require manual renewal before expiry.
| Certificate | Covers | Signed by |
|---|---|---|
| Pexip Management (Test) | Management node FQDN | DigiCert |
| Pexip Management (Prod) | Management node FQDN | DigiCert |
| Pexip Conference (Test) | conference.test.vc.maxconf.ca | DigiCert |
| Pexip Conference (Prod) | conference.vc.maxconf.ca | DigiCert |
Key Vault inventory
| Key Vault | Environment | Consumers |
|---|---|---|
| kvlt-maxconf-test | Test | Function App, API Management |
| kvlt-maxconf-prod | Production | Function App, API Management |
Secrets are accessed via Managed Identity - the Function App and API Management service have identity-based access policies on their respective Key Vaults. No connection strings are stored in application configuration.