Deploying a Partner Service Provider Config to Production

Here is a list of items that need to be completed to deploy the configuration for a partner SP (Service Provider) to Production.

Note to AppDev: You should probably work with the Partnership team to ensure that steps 1-4 are complete.

  1. Ensure that the IAA is signed for the HubSpot deal. You should see an “IAA Approved” with an “IAA Number” on the deal. Please contact Silke if unsure. If the IAA is not approved, let the partner know that the app cannot be deployed to production until the IAA is signed.

  2. Ensure that the HubSpot deal has been populated with the information that comes from this HubSpot template email. If the email was not sent, send this template from the HubSpot deal to the Program Management POC.

  3. Ensure that the Contact Center Fact Sheet was sent from the HubSpot deal. Click on the Emails tab and search for the “NOTICE: A new Login.gov app is launching” email. If the email was not sent, send this template from the HubSpot deal. This template email should go to the Contact Center Fact Sheet Email List (see handbook appendix).

  4. Ensure that the production app has been created on the Dashboard. The partner should respond with a link to an app in the Dashboard with “Production” in the name. The partner may provide the Issuer for the app instead; in that case you can search for the issuer here. You can also check the Dashboard Team URL on the HubSpot deal to see if the prod config was created. If not, then send this template from the HubSpot deal to the Technical POC:

  5. Make sure the app meets the following criteria:
    • All production URLs should have a .gov, .mil or dedicated .com address and point to an ATO’d environment. They should not be a local IP or contain things like “dev”, “qa”, or “mikes-macbook”.
    • If the app does not have a logo, then the partner will need to upload one before it can be deployed. You can find the logo guidelines here.
    • If this is a SAML integration (not OpenID Connect), then please ensure that SAML Assertion Encryption is enabled and the Assertion Consumer Logout Service URL is defined.
  6. Create a PR on the identity-idp-config repo that consists of:
  7. After merging the above PR you will need to deploy the configuration change by migrating and recycling the IDP in both:
  8. Open the HubSpot deal for this partner and inform the Technical POC and Program Management POC that the app has been deployed to production. You should also tell them to:

    Change your production endpoint URLs to https://secure.login.gov/
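
The criteria in step 5 can be pre-checked mechanically before the config PR is opened. The sketch below is an added example, not code from this handbook or from identity-idp-config; the dict field names are hypothetical, and whether a .com host is dedicated or the environment is ATO’d still needs human review.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Suffixes step 5 accepts; a ".com" hit still needs a human to confirm it is dedicated.
ALLOWED_SUFFIXES = (".gov", ".mil", ".com")
# Tokens step 5 names as signs of a non-production URL; extend as needed.
NON_PROD_TOKENS = {"dev", "qa", "macbook"}


def check_url(url):
    """Return a list of step-5 problems found in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return [f"{url}: no hostname"]
    problems = []
    try:
        ipaddress.ip_address(host)
        problems.append(f"{url}: IP literal instead of a hostname")
    except ValueError:
        if not host.endswith(ALLOWED_SUFFIXES):
            problems.append(f"{url}: host is not .gov, .mil or .com")
    # Match whole tokens so "developer" or "faq" do not trip "dev" or "qa".
    tokens = set(re.split(r"[^a-z0-9]+", (host + parts.path).lower()))
    for bad in sorted(tokens & NON_PROD_TOKENS):
        problems.append(f"{url}: contains non-production token '{bad}'")
    return problems


def check_sp_config(cfg):
    """Apply the step-5 criteria to one config dict (hypothetical field names)."""
    slo = cfg.get("assertion_consumer_logout_service_url")
    urls = list(cfg.get("urls", [])) + ([slo] if slo else [])
    problems = [p for u in urls for p in check_url(u)]
    if not cfg.get("logo"):
        problems.append("no logo uploaded")
    if cfg.get("protocol") == "saml":
        if not cfg.get("saml_assertion_encryption"):
            problems.append("SAML assertion encryption is not enabled")
        if not slo:
            problems.append("Assertion Consumer Logout Service URL is not defined")
    return problems


if __name__ == "__main__":
    # Constructed sample config, not a real partner's.
    sample = {"protocol": "saml", "logo": None,
              "urls": ["http://mikes-macbook.local:3000/auth/result"]}
    print("\n".join(check_sp_config(sample)))
```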