OFQ-00018 Identity broker usage

Last updated: 27 November 2025
Relates to (tags): Digital

A unified identity across the Ofqual estate will:

  • Provide a standard protocol for authentication, authorisation and single sign-on (SSO)
  • Maintain a separation of concerns by using distinct Identity Providers (IdPs) for internal and external users
  • Ensure back-end services are authenticated from a centralised identity source

Identity Providers currently used within the Ofqual estate:

  • Azure Entra: Internal Ofqual users and Approved Organisations (AOs)
  • Azure B2C: Prospective Approved Organisations (PAOs)
  • UK One Gov Login: Citizens, centrally managed by UK Gov

Requirement(s)

Use Keycloak as an identity broker for authentication and authorisation

Keycloak MUST be used to federate the multiple identity providers and provide a single authentication and authorisation point to back-end services.

