Managing Access Federation

Overview

Access Federation gives you control over access to all, or any subset of your global JFrog Artifactory, JFrog Xray, and JFrog Distribution services from one location by synchronizing all security entities (users, groups, permissions and access tokens) between the federated services. Once access federation has been set up, you can manage all security entities in the federated services from one place.

JFrog Mission Control lets you set up the security entities you want to synchronize across different federated services, and provides quick and easy configuration to set up a Full Mesh or Star topology. The synchronization process is moderated by a variety of different parameters whose default values have been set to satisfy most installations. To learn about these different parameters and how to modify them, please refer to Access Federation in the JFrog Artifactory User Guide.

Requirements

Requires an Enterprise+ license.
The Artifactory service bundled with the Access service you would like to federate needs to be online and managed by Mission Control.
Access Federation is supported on Artifactory 6.0 and above.
Requires Mission Control Admin permissions.
Requires configuring Access for authentication from Mission Control.

Page Contents

Setting Up Access Federation

Setting up access federation through Mission Control requires the following main steps:

Configuring Access for Authentication from Mission Control
In this step, you will enable Mission Control to send commands to any of the Access services connected to Artifactory services under its control.
Establishing the Circle of Trust
In this step, you will establish the basis for your access federation topology by providing synchronization target services with the root certificate of the synchronization source service.
Configuring Access Federation Topologies
In this step, you will establish the connections required so that source Artifactory services will be able to synchronize security entities to target services (i.e. those that have been furnished with the source service's root certificate).

Configuring Access for Authentication from Mission Control

Configuring Access Federation through Mission Control requires setting an Artifactory service as an authentication provider. The Access service installed with that Artifactory is the one that Mission Control sets up when you configure Access Federation through the Mission Control UI.

Configure JFrog Access for authentication from a different server

By default, the Access service will only accept configuration commands when those are issued from the same server on which the Access service resides, however, Mission Control and Artifactory (and therefore, the corresponding Access service) are usually installed on different servers. Therefore, to allow configuring Access Federation through Mission Control, you first need to configure the corresponding Access service for authentication from Mission Control by following the steps described in Setting Up Authentication in the JFrog Access User Guide, and set the IP address of the server on which Mission Control resides.

Establishing the Circle of Trust

Mission Control can only configure synchronization of security entities from a source Artifactory service to a target service, if the source is trusted by the target. This trust is established by providing the target service with the source service's root certificate.

Before configuring access federation topologies

Before you proceed to the next step of configuring your access federation topologies, make sure that your target services are furnished with the required root certificates from the source service.

Copy the source service's root certificate, $ARTIFACTORY_HOME/access/etc/keys/root.crt to each target service's $ARTIFACTORY_HOME/access/etc/keys/trusted folder

Examples

Setting Up a Star Topology

Consider the example of three Access services that should be set up in a Star topology where Access-A synchronizes to Access-B and Access-C.

In this case, you need to provide Access-B and Access-C the root certificate of Access-A so that A becomes trusted by B and C.

Setting Up A Full Mesh Topology

Consider the example of three Access services that should be set up in a Full Mesh topology where each service should be able to synchronize changes to security entities to both other services.

In this case, you need to provide each Access service with the root certificates of both other services so that both are trusted.

Configuring Access Federation Topologies

Once your circle of trust is established by providing target access services with the root certificates of source access services, you need to configure the topology by setting up the relationship in Mission Control.

To configure Access Federation topologies in Mission Control, from the Admin module, select Access Federation | Configuration. Mission Control will display the list of Access (Artifactory) services it manages.

Topologies

To learn more about the topologies, please refer to Sample Topologies.

Mesh Topology

To set up access federation, click Add Mesh Topology. Mission Control will display a wizard that will take you through the steps of the process which are:

Selecting services
Selecting security entities to synchronize
Summary

Selecting Services

In this step, you select the services that will be part of the federated group. To include services in the federated group, select them from the Available Access Services list and use the arrows to transfer them to the Selected Access Services list.

Access Federation - Selecting Services

Selecting Security Entities

Once you have set the Artifactory services that are in the federated group, you select the set of security entities that should be synchronized out of the following:

Users
Groups
Permissions
Access tokens

Simply check the entities that should be synchronized (by default, they are all checked) and click Next.

Access Federation - Selecting Security Entities for Synchronization

Summary

Finally, Mission Control displays a summary of your setup. To apply the configuration, click Finish.

Mission Control will display the results of the action.

Access Federation Results

The example above shows that a mesh topology that was set up allowing synchronization of security entities from artifactory1 to artifactory-edge1, artifactory-edge2 and artifactory-edge3. In other words, artifactory-edge1, artifactory-edge2 and artifactory-edge3 were all furnished with the the root certificate of artifactory1 and therefore trust it as a source. The red message at the end does not indicate an error, but rather that artifactory1 was NOT furnished with the root certificate of artifactory-edge1, so you cannot synchronize security entities from artifactory-edge1 back to artifactory1 which is consistent with the star topology in this example.

Star Topology

To set up access federation, click Apply Topology and select Star. Mission Control will display a wizard that will take you through the steps of the process which are:

Selecting services
Selecting security entities to synchronize
Summary

Selecting Services

In this step, you select the services that will be part of the federated group. To include services in the federated group, select them from the Available Access Services list and use the arrows to transfer them to the Selected Access Services list.

Selecting Security Entitiies

Once you have set the Artifactory services that are in the federated group, proceed Select Entity Types tab to set the entity types to be synched from the source site to the target sites.

From Mission Control version 3.2, you have more flexibility when setting entity types from source services to target services.

To sync security entities:

Select the method for assigning entity types to targets.
- Manually assign entities to different targets: This provides flexibility as it allows you to assign different entity types to different targets. For example: You decide to synchronize users and groups from Access A to Access B, choose to only synchornize users, groups and permission from Access A to Access C, and synchrnize all the entities from Access A to Access E. Available only for source Artifactory with version 6.3 and above.
- Apply on all Targets: For versions below Artifactory 6.2, the Targets list is disabled and only the Entity Types selection is available for configuration. Any selection made applies to all targets and selecting Permissions applies to all permissions. This option is enabled when selecting the Star Topology.
Select the entity types to be synched.
- Users
- Groups
- Permissions
- Include/exclude Patterns: Applies on Artifactory above version 6.2. When assigning entity types to targes, you can assign specific permissions to be synchronized using the Include/Exclue regular expressions.
- Tokens

The following example shows how to manually select specific Entity types to target services:

The following example shows how to automatically apply the selected Entity types automatically to all the targets:

Summary

Finally, Mission Control displays a summary of your setup. To apply the configuration, click Finish.

Mission Control will display the results of the action.

The example above shows that a star topology that was set up allowing synchronization of security entities from artifactory1 to artifactory-edge1, artifactory-edge2 and artifactory-edge3. In other words, artifactory-edge1, artifactory-edge2 and artifactory-edge3 were all furnished with the the root certificate of artifactory1 and therefore trust it as a source.

REST API

Mission Control supports managing Access Federation through the REST API.