MISSION CONTROL: How to migrate security objects from on-prem to SaaS Artifactory using Access Federation

Santhosh Pesari
2023-01-22 11:06

There may be cases where an organization wishes to migrate users, groups, permissions, and access tokens from on-premises Artifactory to SaaS Artifactory. The Access Federation feature (supported by the Enterprise+ license only) can be used to accomplish this task.

Make sure that both the on-prem and SaaS Artifactory instances have E+ subscriptions, since Access Federation is an E+ only feature.

NOTE: Upgrade the on-premises Artifactory instance to a version above 7.29.7 to support this migration using Access Federation.

There are two methods by which we can perform this migration:

Method 1: On-Premises Access Federation

In this method, we assume Access Federation is available on-premises, and we connect the SaaS instance to the on-premises instance. The steps are as follows:

1. Make sure your on-premises Artifactory is at least version 7.29.7. (Below this version, the join.key of the SaaS instance would be required, which cannot be shared due to security concerns.)

2. Generate a pairing token from the SaaS Artifactory instance by navigating to “Administration” → “Identity and Access” → “Access Tokens” → “Generate Token” → Pairing Token, and copy it to a secure place so it can be used in the next steps.

3. On the on-prem Artifactory instance (version above 7.29.7), go to the “Administration” tab → “Platform Deployments” → “Registered JPDs” → “New platform deployments” and enter the parameters of the SaaS Artifactory instance to add it to the platform:
Name: A unique logical name for this Platform Deployment (for example, saas).
Location: The location where your SaaS Artifactory instance is hosted (for example, Sunnyvale, United States).
JFrog Platform URL: The SaaS Artifactory URL (e.g., https://testing.jfrog.io).
After entering the Platform URL, click “Get Server Details”, paste the pairing token generated in step 2, and then click “Add”.

If your SaaS instance has the IP whitelist functionality enabled, make sure the IP addresses of the on-prem instance are added to the IP whitelist from the MyJFrog site.

4. After adding the SaaS instance, the added platform should appear on the “Registered JPDs” page.

5. Now establish a Circle of Trust between the on-prem and SaaS Artifactory instances. For that, open a ticket with JFrog Support and provide the root.crt file from the on-prem instance, which can be obtained in either of the following ways:
a) Under $JFROG_HOME/artifactory/var/etc/access/keys/root.crt (requires physical access to the server)
b) By calling the Get Root Certificate REST API
Provide the root.crt to JFrog Support by following the steps from this article: //www.si-fil.com/knowledge-base/transferring-my-sensitive-content-to-jfrog-using-public-key-encryption/

6. After JFrog Support has established the Circle of Trust between the two instances (on-prem and SaaS), go to the “Administration” tab → “Identity and Access” → “Access Federation” → “Apply topology” on the on-prem instance and click on the “Star” or “Mesh” topology (this example uses the star topology).

7. In the Access Federation setup page, select the on-prem instance as the Source and the SaaS Artifactory instance as the Target.

8. After selecting the source and target, click “Select Entity Types” and choose whether to migrate to all Targets or to a specific Target selected manually. Then choose which security objects to migrate. If you only want to migrate tokens, users, groups, and permissions are also selected by default.

9. Click “Summary” to view the summary of the configuration.

10. After clicking “Finish”, the migration takes place and a successful migration message is shown.

After the above steps, the security objects are visible on the SaaS instance.

Method 2: Access Federation on SaaS

This method is similar to the first, except that we perform all of the steps from the SaaS instance (apart from step 2, where the pairing token is generated on the on-premises instance and used when adding the on-premises Artifactory instance to the SaaS instance).
In this method, we assume that Access Federation is available as a SaaS service, and we add the on-premises instance to the SaaS instance using the same steps. However, the following factors must be considered during this process:

  1. Make sure the on-premises instance is on a version higher than 7.29.7, so that when we register the on-premises platform from the SaaS Artifactory we can use the pairing token, which is only available by default in versions higher than 7.29.7.
  2. If the on-premises Artifactory is behind a firewall, add the SaaS instance NAT IP address to the firewall. Follow the documentation to determine the IP addresses for the region in which the SaaS Artifactory is located.

Migration Of Security Objects For Enterprise subscription

NOTE: If there are existing users, groups, permissions, and access tokens on the SaaS instance, then following the access export and import steps will remove the existing users on the Target SaaS instance, and only the imported security objects will remain.

For the Enterprise subscription type, we support importing users, groups, permissions and access tokens from the on-prem to the SaaS instance by following the steps from this article: //www.si-fil.com/knowledge-base/how-to-import-access-data/. As mentioned in the article, first export the access data from your on-prem instance by running the command below.

– Artifactory 7.x: creates an access.backup..json file with the Access configuration under $JFROG_HOME/artifactory/var/backup/access:

    curl -uadmin:password -XPOST "http://localhost:8082/access/api/v1/system/backup/export"

– From release 7.12.0 and above: requires a valid admin-scoped token; the API no longer supports basic authentication:

    curl -H "Authorization: Bearer <ADMIN_SCOPED_TOKEN>" -XPOST "http://localhost:8082/access/api/v1/system/backup/export"

After collecting the access data from $JFROG_HOME/artifactory/var/backup/access on the on-prem instance, share the file securely with JFrog Support by opening a ticket and transferring the file by following the steps from this article: //www.si-fil.com/knowledge-base/transferring-my-sensitive-content-to-jfrog-using-public-key-encryption/.

NOTE: THE FOLLOWING STEPS ARE PERFORMED BY THE JFROG SUPPORT TEAM
After a ticket is opened with the JFrog Support team and the access.backup..json file is provided, JFrog Support replaces the service ID in the access data backup file using the following steps:
– Find the service ID of the SaaS Artifactory instance by running:

    curl -uadmin:password -XGET "https://<SERVER_NAME>.jfrog.io/artifactory/api/system/service_id"

Response:
jfrt@01e2rdwgsq8k8c1mbtvdav04xg
– Replace the on-prem service ID with the SaaS service ID everywhere in the access.backup..json file, i.e. modify the on-prem Artifactory's bootstrap file by replacing the on-prem Artifactory's Service ID with the SaaS one using:

    sed -i 's/jfrt@on-prem/jfrt@saas/g' access.backup..json

For example:

    sed -i 's/jfrt@01e719bdvrxydk0s7nw96n0kb3/jfrt@01e719b6v36b2k133v4yef14zx/g' access.bootstrap.json

Permissions in this file are tied to the service ID to allow for Access Federation; if the swap does not occur, the permissions will not be imported.

Then the JFrog Support team renames the access data file to access.bootstrap.json, copies it to the SaaS Artifactory instance, and runs the command below to import the access data into the SaaS instance:

    curl -H "Authorization: Bearer <ADMIN_SCOPED_TOKEN>" -XPOST "https://<SERVER_NAME>.jfrog.io/access/api/v1/system/backup/import"

The SaaS Artifactory instance is restarted after the import, after which all the security objects should be visible on the SaaS instance.
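The service ID swap described above, as an added example that is not JFrog's own tooling: a POSIX shell helper that validates both IDs, refuses to run if the on-prem ID does not occur in the backup file, and verifies that no copy of the old ID survives in the output. The JSON layout in the demo is a constructed stand-in for the real backup file; only the two service IDs are taken from the example above.

```shell
#!/bin/sh
# Added example, not JFrog's own tooling: swap the on-prem Service ID for the
# SaaS Service ID in an exported Access backup, with the checks a practitioner
# wants before the file is handed over for import.

# A Service ID looks like jfrt@ followed by 26 lowercase alphanumerics.
valid_service_id() {
    printf '%s' "$1" | grep -Eq '^jfrt@[0-9a-z]{26}$'
}

# Number of occurrences of Service ID $1 in file $2 (0 when absent).
count_service_id() {
    grep -o "$1" "$2" | wc -l | tr -d ' '
}

# swap_service_id SRC OLD_ID NEW_ID DST
# Writes DST (the file to be renamed access.bootstrap.json) with every OLD_ID
# replaced by NEW_ID. Fails on a malformed ID, on an OLD_ID that does not occur
# in SRC (wrong file or wrong instance), and if any OLD_ID survives, because a
# leftover on-prem ID means the permissions will not be imported.
swap_service_id() {
    src="$1"; old="$2"; new="$3"; dst="$4"
    valid_service_id "$old" || { echo "malformed on-prem service id: $old" >&2; return 1; }
    valid_service_id "$new" || { echo "malformed SaaS service id: $new" >&2; return 1; }
    [ "$(count_service_id "$old" "$src")" -gt 0 ] || { echo "$old not found in $src" >&2; return 1; }
    sed "s/$old/$new/g" "$src" > "$dst" || return 1
    [ "$(count_service_id "$old" "$dst")" -eq 0 ]
}

# Demo with the two Service IDs quoted in the article; the JSON below is a
# constructed stand-in, not the real backup layout.
ONPREM_ID='jfrt@01e719bdvrxydk0s7nw96n0kb3'
SAAS_ID='jfrt@01e719b6v36b2k133v4yef14zx'
WORK=$(mktemp -d)
cat > "$WORK/access.backup.json" <<EOF
{"permissions":[{"name":"deploy-libs","resource":"$ONPREM_ID:libs-release"},
                {"name":"read-docs","resource":"$ONPREM_ID:docs"}]}
EOF
if swap_service_id "$WORK/access.backup.json" "$ONPREM_ID" "$SAAS_ID" "$WORK/access.bootstrap.json"; then
    echo "rewrote $(count_service_id "$SAAS_ID" "$WORK/access.bootstrap.json") references into $WORK/access.bootstrap.json"
fi
```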