Migrating UGRC apps off of Forgerock

[chriswnek]

Benefit

DTS is in the process of migrating existing on-prem authentication to either EntraID (for internal user-base authentication) or PingOne Identity Cloud/IDC (for external user-base authentication). Overall, the goal of this project is to migrate all apps using legacy UtahID/OpenAM by June 30th, 2026.

These migration efforts are for the authentication aspect of the applications only. An ApAdmin/AppProfile 2.0 is in the works - those applications will be saved for the end of phase 1 as the replacement is a dependency for them.

Acceptance Criteria

• Update our list of UGRC apps in ServiceNow: Business Applications and identify the authentication used for each, specifically those that are using UtahID - OpenID Connect.
• Fill out a SSO Migration Project: Single Sign-On (SSO) Request Form for all impacted UGRC apps (Bri will be helping with this)
• Build a POC to determine compatibility and level of effort
• Apps to migrate
  • plss.utah.gov & plss-review.utah.gov
  • UIC
  • roadkill
  • developer.mapserv.utah.gov
  • parole
  • electrofishing & electrofishing-query
  • moonwalk
  • TURN GPS Billpay
  • DTS-UGRC-TURN GPS Network - Payment Gateway (Utah Interactive)

Notes

• Bri Lifferth is heading up this project on the DTS side and is our point of contact for questions.
• Application Migrations to Entra/Forgerock IDC Slide Deck
• UGRC's preference is to migrate all apps to PingOne, even if they are internal only

Risks

• This was brought to the attention of UGRC in January 2026. Devs are currently at capacity for FY26 Q3, with a major focus on meeting Website Accessibility standards by the Federal deadline of April 26, 2026. We may not be able to put forth a major effort into this migration until FY26 Q4, which greatly shortens the timeline.
• Compatibility with UGRC Firebase OIDC apps is still an unknown

Issue Reference

[jacobdadams]

I don't think I've got anything worthwhile to add/work on for this project- none of the scripts I've written use any user authentication.

[steveoh]

FY26 Q3 Sprint 3 Notes

I’m working with Dave Crim and Brandon Thomas on the Google Identity Platform (IdP) integration with PingOne.

I successfully validated the app and Firebase setup using Entra credentials, but I am currently troubleshooting issues with Ping. This is the solution we need for our mixed user audience.

You can view the POC at https://plss.dev.utah.gov/, which now allows you to choose different login providers. Note that because we aren't merging accounts, existing UtahID users will trigger an account-exists error. This confirms the credentials work, but you will need to delete the user in Firebase/Firestore to clear the error.

[stdavis]

Steve got the POC working this morning. I think that we have a fairly good plan of how to move forward with this. Does anyone have a list of the apps that need to be migrated? Here is what I came up with:

• plss.utah.gov & plss-review.utah.gov
• UIC
• roadkill
• developer.mapserv.utah.gov
• parole
• electrofishing & electrofishing-query
• moonwalk
• TURN GPS Billpay

I'm not sure what these two apps are in apadmin:

[chriswnek]

@stdavis Comparing your list to the spreadsheet that we were working on with Bri, this is the one that is missing DTS-UGRC-TURN GPS Network - Payment Gateway (Utah Interactive). It's listed separately from TurnGPS Bill Pay, and I'm not sure of how much it differs.

The other two apps in apadmin, not sure about Esri, but IbisphView is a DHHS application and I have no idea why it would be showing up for you. I can ask about it if you'd like, and have your access to it removed.

[stdavis]

I can ask about it if you'd like, and have your access to it removed.

It's not a big deal since ApAdmin is going away anyways.