Access Federation

JFrog Platform Administration Documentation

Subscription Information

This feature is supported with the Enterprise+ license.

Access Federation gives you control over access to all, or any subset, of your services from one location by synchronizing all security entities (users, groups, permissions, and access tokens) between the federated services. Once Access Federation has been set up, you can manage all security entities in the federated services from one place.

Access Federation supports setting up the security entities you want to synchronize across different federated services, and provides quick and easy configuration to set up a Full Mesh or Star topology. The synchronization process is moderated by a variety of different parameters whose default values have been set to satisfy most installations.

You need the following to set up Access Federation.

  • Enterprise+ license

  • Admin permissions

Before you configure Access Federation topologies

Before you proceed to the next step of configuring your Access Federation topologies, make sure to configure the Base URL on the Artifactory side. For more information, see General System Settings.

The following steps are involved in setting up Access Federation.

  1. Configuring Access to allow remote calls from Mission Control

    In this step, you will enable Mission Control to send commands to any of the Access services in the JFrog Platform Deployment.

  2. Establishing the Circle of Trust

    In this step, you will establish the basis for your Access Federation topology by providing synchronization target services with the root certificate of the synchronization source service.

  3. Configuring Access Federation Topologies

    In this step, you will establish the connections required so that the Access service in the source Platform Deployment can synchronize security entities to the Access services in the target Platform Deployments (i.e. those that have been furnished with the source service's root certificate).

Establish the Circle of Trust

You can only configure the synchronization of security entities from a source to a target Platform Deployment if the source is trusted by the target. This trust is established by providing the Access service of each target Platform Deployment with the source Platform Deployment's root certificate. For more information, see Circle of Trust (Cross-Instance Authentication).

Before configuring Access Federation topologies

Before you proceed to the next step of configuring your Access Federation topologies, make sure that your target Access service is furnished with the required root certificates from the source Access service. The certificates are placed in the target's $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder.

To establish the circle of trust in a Helm installation, see Add Circle of Trust Certificates.

Configure Access Federation Topologies

Once your circle of trust is established by providing target Platform Deployments with the root certificates of source Platform Deployments, you need to configure the topology by setting up the relationship in Access Federation.

Example 1: Set Up a Star Topology

Consider the scenario where three Access services should be set up in a Star topology where Access-A synchronizes to Access-B and Access-C.

In this case, you need to provide Access-B and Access-C the root certificate of Access-A so that A becomes trusted by B and C.

Example 2: Set Up a Full Mesh Topology

Consider the scenario where three Access services should be set up in a Full Mesh topology where each service should be able to synchronize changes to security entities to both other services.

In this case, you need to provide each Access service with the root certificates of both other services so that both are trusted.
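Both examples follow one rule: a target must hold the root certificate of every source that synchronizes to it, and nothing more. The following Python is an added example, not JFrog code; it derives that requirement for a star or a full mesh and audits a target's trusted folder by SHA-256 of the certificate files. The service names come from the examples above; the file name and certificate bytes are constructed placeholders, and comparing whole-file digests assumes the certificate was copied byte for byte.

```python
import hashlib
import tempfile
from pathlib import Path

def sync_edges(topology, members, hub=None):
    """(source, target) pairs: star = hub to each other member; mesh = every ordered pair."""
    if topology == "star":
        return {(hub, m) for m in members if m != hub}
    if topology == "mesh":
        return {(s, t) for s in members for t in members if s != t}
    raise ValueError(f"unknown topology: {topology}")

def required_roots(edges):
    """Map each target to the sources whose root certificate it must trust."""
    need = {}
    for source, target in edges:
        need.setdefault(target, set()).add(source)
    return need

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def audit_trusted_dir(trusted_dir, expected):
    """Compare a trusted folder with expected {source: sha256 of its root cert file}.
    Returns (sources whose root is missing, file names the topology does not call for)."""
    present = {fingerprint(p.read_bytes()): p.name
               for p in Path(trusted_dir).iterdir() if p.is_file()}
    wanted = set(expected.values())
    missing = sorted(s for s, fp in expected.items() if fp not in present)
    extra = sorted(name for fp, name in present.items() if fp not in wanted)
    return missing, extra

def demo():
    # Constructed placeholder bytes standing in for each service's root certificate.
    roots = {n: f"constructed-root-{n}".encode()
             for n in ("Access-A", "Access-B", "Access-C")}
    star = required_roots(sync_edges("star", list(roots), hub="Access-A"))
    mesh = required_roots(sync_edges("mesh", list(roots)))
    with tempfile.TemporaryDirectory() as d:
        # Simulated trusted folder on Access-B: holds C's root, lacks A's.
        Path(d, "access-c.crt").write_bytes(roots["Access-C"])
        expected = {s: fingerprint(roots[s]) for s in star["Access-B"]}
        finding = audit_trusted_dir(d, expected)
    return star, mesh, finding

if __name__ == "__main__":
    print(demo())
```

In the star case Access-A is not a target, so auditing its trusted folder against an empty expectation reports every file found there as extra.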

Set up the Relationship in Access Federation

To configure Access Federation topologies, from the Administration module in the Platform Deployment where Mission Control is installed, expand User Management and select Access Federation. The list of managed Platform Deployments is displayed.

Mesh Topology

To set up a Mesh topology, click Apply Topology | Mesh. A wizard appears that takes you through the following steps.

  1. Select Platform Deployments

    Select the Platform Deployments that will be part of the federated group. To include Platform Deployments in the federated group, select them from the Available Platform Deployments list and use the arrows to transfer them to the Selected Platform Deployments list.

  2. Select security entities to synchronize

    Once you have set the Access services that are in the federated group, select the set of security entities that should be synchronized.

    You can select from the following entities.

    • Users

    • Groups

    • Permissions

    • Access tokens

    Select the entities to be synchronized (by default, they are all checked) and click Next.

  3. Summary

    The wizard displays a summary of your configuration. To apply, click Finish.

    A summary of the results appears.