src/docs/openshift-projects-and-access/login-to-openshift.md
Lines changed: 4 additions & 7 deletions
@@ -20,27 +20,24 @@ sort_order: 3
20
20
21
21
# Log in to OpenShift Web Console
22
22
23
-
Teams can log in to OpenShift with either a GitHub ID or IDIR. IDIR authentication is enabled in the Silver cluster of the OpenShift platform. You must have multi-factor authentication (MFA) enabled to log in with either GitHub or your IDIR. This access mechanism links to Azure Active Directory (AD). You get instructions on how to enable MFA for your IDIR account during onboarding.
23
+
Teams can log in to OpenShift with either IDIR or GitHub ID. IDIR is the preferred login method. Each login method is treated as a separate account on OpenShift and access must be managed independently. IDIR authentication is enabled in the Silver cluster of the OpenShift platform. You must have multi-factor authentication (MFA) enabled to log in with either GitHub or your IDIR. This access mechanism links to Azure Active Directory (AD). You get instructions on how to enable MFA for your IDIR account during onboarding.
24
24
25
-
You have to log in with IDIR into the OpenShift console before you can associate any role bindings with the IDIR account.
25
+
When you log in to the Silver cluster OpenShift console, you have the option of using GitHub or your Azure AD IDIR. Github login requires membership of the `bcgov` or `bcgov-c` organisations and [linking to an IDIR account](https://developer.gov.bc.ca/docs/default/component/bc-developer-guide/use-github-in-bcgov/bc-government-organizations-in-github/#organizations-in-github).
26
26
27
-
When you log in to the Silver cluster OpenShift console, you have the option of using GitHub or your Azure AD IDIR.
27
+
You have to log in with IDIR into the OpenShift console once before you can associate any role bindings with the IDIR account.
28
28
29
29

30
30
31
31
## Information for developers
32
-
GitHub accounts are still the default authentication mechanism for our developers.
33
32
34
-
We will update the [Platform Product Registry](https://registry.developer.gov.bc.ca/)to use IDIR user accounts and B.C. government email identifiers for product owners and technical leads to ensure that namespace administrative-level controls are tied to an account that we have more control over. There is not yet a target date for this change. Make sure all contractors listed as technical leads for projects on the platform have active IDIR accounts.
33
+
The [Platform Product Registry](https://registry.developer.gov.bc.ca/)now uses IDIR user accounts and B.C. government email identifiers for product owners and technical leads. This ensures that namespace administrative-level controls are linked to accounts we can manage. Make sure all contractors listed as technical leads for projects on the platform have active IDIR accounts.
35
34
36
35
Some teams may choose to have all team members migrated to IDIR account use for OpenShift platform access. This isn't required.
37
36
38
37
We want teams to migrate their role bindings from their GitHub accounts to IDIR on their own, and de-provision the GitHub accounts, if necessary.
39
38
40
39
We're investigating IDIR security groups integration, but it's not in place yet. This requires a synchronization between our data centre active directory and the Azure Active Directory that is not fully in place yet.
41
40
42
-
We don't intend to leverage SSO integration for IDIR onto GitHub at this time. You'll still use GitHub accounts to access GitHub content.
43
-
44
41
**Note**: There won't be automated migration for the namespace access role bindings created for the GitHub ID to the IDIR accounts performed by the Platform Services team. Any such migrations would have to be done by product teams themselves.
45
42
46
43
If you have any questions or concerns about this change, post your question in [#devops-security channel](https://chat.developer.gov.bc.ca/channel/devops-security) in Rocket.Chat.
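Review bot: The added sentence "Each login method is treated as a separate account on OpenShift and access must be managed independently" conflicts in tone with the unchanged line that teams should de-provision the GitHub accounts "if necessary". If the accounts are separate and there is no automated migration, role bindings on the GitHub account stay in place after a team moves to IDIR, so I would say explicitly that teams should remove the GitHub role bindings once the IDIR bindings are confirmed, rather than leaving it optional. In the first paragraph, "This access mechanism links to Azure Active Directory (AD)" now follows sentences about both login methods and MFA, so it is no longer clear that it refers to IDIR; consider "IDIR login links to ...". Two style points in the added lines: "Github login requires" should be "GitHub", and the Registry link is missing a space before "now uses" (the removed line had the same gap before "to use").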