OIDC Secret Renewal Process

This document defines the process for renewing the OIDC client secret used by Pexip Infinity Management Nodes for Single Sign-On (SSO) with Microsoft Entra ID. Proper renewal ensures that administrative access to Pexip is STRA-compliant, auditable, and secured through Entra-based authentication rather than shared local credentials. Renewal is required periodically, on the schedule set by the expiry dates of the app registration's client secrets.

Role | Person(s) | Responsibility
Azure Operations | CCaaS Team | Initiate, coordinate, and execute renewal.
CCaaS Operations | CCaaS Team | Support the operation of the solution and update documentation.
CCaaS Oversight | CCaaS Manager | Verify-by-Video product owner and oversight.
Solutions Development | Solutions Developers and Architects | The Solutions team developed the integration but does not provide routine support.
Solutions Oversight | Solutions Director | Oversight and approval. Escalates support requests to Solutions if required.

The OIDC configuration is based on two App Registrations in Microsoft Entra ID:

Test: Verify-by-Video Platform - Test - Pexip Administration OICD

Production: Verify-by-Video Platform - Prod - Pexip Administration OICD

The Enterprise App view of each app registration lists the users and groups that can access the Pexip Management portal for that environment. Note that any user who has activated the Application Administrator role in Entra ID (via PIM) can access the Pexip Infinity management portal whether or not they are listed in the users/groups of those enterprise apps.

The renewal procedure is a subset of the “Configuration summary for OIDC authentication” in Pexip’s documentation on Managing administrator access via OIDC. For details, review that reference document.

Prerequisites

  • Application Administrator role activated in Entra ID (via PIM).
  • In case OIDC login fails during renewal, confirm that temporary local admin access to the Pexip Management Nodes can be enabled. This requires VM serial console access as the admin user, plus the local admin username and password for the web portal.
Generate a new client secret in Entra ID

  1. Log into the Entra ID portal.
  2. Navigate to the appropriate App Registration (Test or Prod).
    • Verify-by-Video Platform - Test - Pexip Administration OICD
    • Verify-by-Video Platform - Prod - Pexip Administration OICD
  3. Select “Certificates & Secrets → Client secrets” and generate a new client secret.
  4. Record the new secret value securely.
  5. Record the expiration date to facilitate scheduling and notification processes for the next renewal.
Update the secret in Pexip Infinity

  1. Sign in to the Pexip Management Node web portal.
  2. Navigate to Users & Devices → Administrator Authentication → OIDC.
  3. Replace the old secret with the new value.
  4. Save and test login via OIDC.
Emergency access if OIDC login fails

  1. Connect to the Azure Serial Console for the relevant VM:

    • Test: vm-node-mgmt-test
    • Production: vm-node-mgmt-core
  2. Log in as the local admin user (login details for both test and prod are in the serial-console-user-and-password secret stored in kvlt-maxconf-test).

  3. Enable both OIDC and local login:

    • authset OIDC BOTH
  4. Sign in to the Management Node web portal using the shared local admin account. The pexip-user and pexip-pass secrets in the kvlt-maxconf-test or kvlt-maxconf-prod key vaults hold those credentials.

  5. Update the OIDC secret in the portal to a valid (non-expired) value.

  6. Once OIDC login is confirmed working, return to sign-in to a normal state (see below).

Return sign-in to a normal state (disable local admin login)

For Security Threat Risk Assessment (STRA) compliance, local administrator login must remain disabled under normal operating conditions. Only OIDC-based logins should be permitted for management node administration.

Normal State (required): Local access disabled. This can be managed in the administrative portal itself on the Users & Devices → Administrator Authentication page by selecting “Open ID Connect service” as the Authentication Source.

Alternatively, this serial console command will also enable only the configured OIDC service for sign-in to the Pexip Infinity admin portal: authset OIDC REMOTE

Post-renewal checks

  • Verify OIDC access to the Pexip Management portal works.
  • Confirm shared local account access is disabled.
  • Update the vault with the new expiry date.
  • Schedule the next secret refresh in a group calendar.

Risk | Mitigation
Secrets have an expiration date that can impact operations | Set calendar reminders; rotate before expiry.
Secret exposed during transfer | A single administrative user should complete the process without sharing values. If sharing values is unavoidable, use a secure vault and encrypted channels. If unsure whether a secret has been compromised, expire the secret and begin again.
Incorrect secret applied to node | Validate in test before production; peer review changes by testing access as the expected users.
Loss of local admin access | Maintain the emergency access procedure (authset OIDC BOTH).
Secret expires without renewal, causing lockout from the Pexip portal | Alert as expiry approaches; track the date in the vault entry. As a last resort, enable the local admin database for non-OIDC access from the serial console, and turn it off again as soon as the expired secret has been replaced with a valid one.
Over-reliance on Solutions for operational support of CCaaS components | Clear ownership of the process by CCaaS Ops.
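As an added example (not code from this runbook, Pexip or Microsoft), the following script supports the post-renewal step of scheduling the next refresh and the "alert as expiry approaches" mitigation: it reads an app registration's credential listing in the JSON shape returned by `az ad app credential list --id <appId>` (which carries key ids, names and expiry dates but never the secret values) and reports which secrets are expired or inside an assumed 30-day renewal window. The sample credentials, key ids and display names are constructed.

```python
# Added example for this runbook (not Pexip or Microsoft code): flag Entra app
# registration client secrets that are expired or inside the renewal window.
# Input is the JSON shape returned by `az ad app credential list --id <appId>`;
# that listing never contains secret values, only key ids, names and expiry.
import json, re, subprocess, sys
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumed lead time: start renewal when fewer days than this remain

# Constructed sample in the `az ad app credential list` output shape (fake ids/names).
SAMPLE_CREDENTIALS = json.loads("""[
 {"displayName": "pexip-oidc-2023", "keyId": "11111111-1111-1111-1111-111111111111", "hint": "abc", "endDateTime": "2024-01-15T00:00:00Z"},
 {"displayName": "pexip-oidc-2024", "keyId": "22222222-2222-2222-2222-222222222222", "hint": "def", "endDateTime": "2025-03-10T09:30:00.1234567Z"},
 {"displayName": "pexip-oidc-2025", "keyId": "33333333-3333-3333-3333-333333333333", "hint": "ghi", "endDateTime": "2025-12-01T00:00:00Z"}
]""")

def parse_graph_time(value):
    """Parse a Graph/az ISO-8601 timestamp; Graph may emit 7 sub-second digits."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def classify_secrets(credentials, now=None, warn_days=WARN_DAYS):
    """One record per secret: days left, status, and the date renewal should start."""
    now = parse_graph_time(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    report = []
    for cred in credentials:
        expires = parse_graph_time(cred["endDateTime"])
        days_left = (expires - now).days
        status = "expired" if expires <= now else "renew" if days_left < warn_days else "ok"
        report.append({"keyId": cred["keyId"], "displayName": cred.get("displayName"),
                       "days_left": days_left, "status": status,
                       "renew_by": (expires - timedelta(days=warn_days)).date().isoformat()})
    return sorted(report, key=lambda r: r["days_left"])

def needs_action(credentials, now=None, warn_days=WARN_DAYS):
    """True when no secret is left outside the warning window (renewal must start now)."""
    return all(r["status"] != "ok" for r in classify_secrets(credentials, now, warn_days))

if __name__ == "__main__":
    # With an app id argument, pull the live listing through the Azure CLI; else use the sample.
    if len(sys.argv) > 1:
        cli = ["az", "ad", "app", "credential", "list", "--id", sys.argv[1]]
        creds = json.loads(subprocess.run(cli, check=True, capture_output=True, text=True).stdout)
    else:
        creds = SAMPLE_CREDENTIALS
    for r in classify_secrets(creds):
        print(f"{r['status']:8} {r['days_left']:5d}d  renew by {r['renew_by']}  {r['displayName']}")
```

The `renew_by` date is the one to put in the group calendar; running the script on a schedule against the Test and Prod app registrations gives the expiry alerting the risk table calls for.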