Overview

Access Federation gives you control over access to all, or any subset of your services from one location by synchronising all security entities (users, groups, permissions and access tokens) between the federated services. Once access federation has been set up, you can manage all security entities in the federated services from one place.

Access Federation supports setting up the security entities you want to synchronise across different federated services, and provides quick and easy configuration to set up a Full Mesh or Star topology. The synchronisation process is moderated by a variety of different parameters whose default values have been set to satisfy most installations. 

Requirements

  • Enterprise+ license
  • Admin permissions


Setting Up Access Federation

Before configuring access federation topologies

Before you proceed to the next step of configuring your access federation topologies, make sure to configure Base URL on the Artifactory side.

Setting up access federation requires the following main steps:

  1. Configuring Access to allow remote calls from Mission Control 
    In this step, you will enable Mission Control to send commands to any of the Access services in the JFrog Platform Deployment.
  2. Establishing the Circle of Trust 
    In this step, you will establish the basis for your access federation topology by providing synchronization target services with the root certificate of the synchronization source service. 
  3. Configuring Access Federation Topologies 
    In this step, you will establish the connections required so that the Access service in the source platform deployment will be able to synchronize security entities to the Access services in the target platform deployments (i.e. those that have been furnished with the source service's root certificate). 

Establishing the Circle of Trust

You can configure synchronization of security entities from a source to a target Platform Deployment only if the source is trusted by the target. This trust is established by providing the Access service in each target Platform Deployment with the source Platform Deployment's root certificate. Read more about Setting up a Circle of Trust.

Before configuring access federation topologies

Before you proceed to the next step of configuring your access federation topologies, make sure that your target Access service is furnished with the required root certificates from the source Access service. The root certificates are placed in the target's $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder.

Sample Topologies

Example 1: Setting Up a Star Topology

Consider a scenario in which three Access services should be set up in a Star topology, where Access-A synchronizes to Access-B and Access-C.

In this case, you need to provide Access-B and Access-C the root certificate of Access-A so that A becomes trusted by B and C.

Example 2: Setting Up A Full Mesh Topology

Consider a scenario in which three Access services should be set up in a Full Mesh topology, where each service should be able to synchronize changes to security entities to both other services.

In this case, you need to provide each Access service with the root certificates of both other services so that both are trusted.
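The two sample topologies above translate directly into a list of which root certificates each target must hold. The following is an added example, not JFrog code: it derives that list for a Star or Full Mesh topology and compares it with an inventory of each target's trusted folder. The function names, the inventory layout and the fingerprint values are assumptions, constructed for illustration.

```python
# Added example: audit circle-of-trust placement for an Access Federation topology.
# Service names follow the page's examples; fingerprints are constructed placeholders.

def required_trust(topology, services, hub=None):
    """Return {target: set of sources whose root certificate the target must trust}."""
    if topology == "star":
        if hub not in services:
            raise ValueError("star topology needs a hub taken from services")
        # Only the hub synchronizes outwards, so only the hub must be trusted.
        return {t: (set() if t == hub else {hub}) for t in services}
    if topology == "mesh":
        # Every service synchronizes to every other service.
        return {t: {s for s in services if s != t} for t in services}
    raise ValueError(f"unknown topology: {topology}")

def audit_trust(required, root_fingerprints, trusted_folders):
    """Compare each target's trusted folder with what the topology requires.

    root_fingerprints: {service: fingerprint of that service's root certificate}
    trusted_folders:   {target: set of fingerprints found in its keys/trusted folder}
    Returns {target: {"missing": [sources], "unexpected": [fingerprints]}}.
    """
    report = {}
    for target, sources in required.items():
        present = trusted_folders.get(target, set())
        expected = {root_fingerprints[s] for s in sources}
        report[target] = {
            # Sources that cannot synchronize to this target yet.
            "missing": sorted(s for s in sources if root_fingerprints[s] not in present),
            # Certificates trusted by the target that the topology does not call for.
            "unexpected": sorted(present - expected),
        }
    return report

# Constructed inventory (placeholder strings, not real certificate hashes).
ROOTS = {"Access-A": "fp-A", "Access-B": "fp-B", "Access-C": "fp-C"}
TRUSTED = {
    "Access-A": set(),
    "Access-B": {"fp-A"},
    "Access-C": {"fp-A", "fp-old"},  # a certificate left over from an earlier setup
}

if __name__ == "__main__":
    for topo in ("star", "mesh"):
        req = required_trust(topo, list(ROOTS), hub="Access-A")
        for target, result in audit_trust(req, ROOTS, TRUSTED).items():
            print(topo, target, result)
```

A "missing" entry means the source is not yet trusted by that target; an "unexpected" entry is a certificate in the trusted folder that the chosen topology does not require and is worth reviewing.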

Configuring Access Federation Topologies

Once your circle of trust is established by providing target Platform Deployments with the root certificates of source Platform Deployments, you need to configure the topology by setting up the relationship in Access Federation.

To configure Access Federation topologies, from the Administration module in the Platform Deployment where Mission Control is installed, expand Identity and Access and select Access Federation. The list of Platform Deployments managed is displayed.

Mesh Topology

To set up a Mesh topology, click Apply Topology | Mesh. The wizard will take you through the following steps:

  1. Selecting Platform Deployments

  2. Selecting security entities to synchronize

  3. Summary

1. Selecting Platform Deployments

In this step, you select the Platform Deployments that will be part of the federated group. To include Platform Deployments in the federated group, select them from the Available Platform Deployments list and use the arrows to transfer them to the Selected Platform Deployments list.

2. Selecting Security Entities

Once you have set the Access services that are in the federated group, you select the set of security entities that should be synchronized out of the following:

  • Users

  • Groups

  • Permissions 

  • Access tokens

Simply check the entities that should be synchronized (by default, they are all checked) and click Next.

3. Summary

Finally, the wizard displays a summary of your configuration. To apply, click Finish.

A summary of the results is displayed.


Star Topology

To set up a Star topology, click Apply Topology and select Star. A wizard will take you through the following steps:

  1. Selecting services

  2. Selecting security entities to synchronize

  3. Summary

This example shows setting up a star topology to allow synchronization of security entities from the Home-JPD to artifactory-edge1. Prior to setup, artifactory-edge1 was provided with the root certificate of Home-JPD, and Mission Control was set up to make calls to the Access service in artifactory-edge1.

1. Selecting Services

In this step, you select the services that will be part of the federated group. To include services in the federated group, select them from the Available Platform Deployments list and use the arrows to transfer them to the Selected Platform Deployments list.

2. Selecting Security Entities

To sync security entities:

  1. Select the method for assigning entity types to targets.

    • Manually assign entities to different targets: This provides flexibility, as it allows you to assign different entity types to different targets. For example: you synchronize users and groups from Access A to Access B, synchronize only users, groups and permissions from Access A to Access C, and synchronize all the entities from Access A to Access E.

    • Apply on all Targets: Any selection made applies to all targets, and selecting Permissions applies to all permissions. This option is enabled when selecting the Star Topology.

  2. Select the entity types to be synced.

    • Users

    • Groups

    • Permissions 

    • Include/exclude Patterns: When assigning entity types to targets, you can assign specific permissions to be synchronized using the Include/Exclude regular expressions.

    • Tokens

3. Summary

Finally, the wizard displays a summary of your configuration. To apply, click Finish.

A summary of the results is displayed.


REST API

Mission Control supports managing Access Federation through the REST API. 

Copyright © 2020 JFrog Ltd.