
Requirements

  • Access to your CDF project.

  • Access to your applications and services.

  • A new Azure Active Directory tenant.

 

Follow the steps carefully to plan and prepare for a successful migration:

 

Step 1: Collect project data

Collect available data for all the items that you need to migrate:

  • Applications:

    • Make a list of Cognite applications (e.g. Remote, InField, …) used by your CDF project.

    • Make a list of third-party applications (e.g. Grafana, Power BI, Azure Data Factory, …) used by your CDF project.

  • Services:

    • Make a list of scheduled functions.

    • Make a list of the extractors in use.

  • Groups used with CDF:

    • Make a list of groups and their members and capabilities in your CDF project.

 

Step 2: Configure new IdP identity and access management

Step 2.1: Groups and users

  1. Create your groups in the new IdP based on the information you have collected.

  2. Add members to your groups.

  3. Save the groups' names and object IDs.

Step 2.2: Register applications and service accounts

  1. Register the CDF cluster API as an Enterprise Application.

  2. Register Cognite core applications as Enterprise Applications.

  3. Register Cognite services, extractors, and connectors as Application Registrations.

  4. Register third-party applications as Enterprise Applications.

  5. Register third-party services as Application Registrations.

  6. Create a group(s) for your service principals.

  7. Add your service principals to their respective group(s).

Step 2.3: Register the new IdP for the existing domain

  1. Please reach out to support@cognite.com to register the new IdP for the existing domain with the following information:

    1. New tenant id.

    2. New IdP label.

 

Step 3: Access Management

Important: Do not forget to have two administrator groups in CDF, one linked to the old IdP's CDF administrator group and one linked to the new IdP's CDF administrator group.

  1. In CDF (Fusion), go to Manage & Configure -> Manage Access -> Groups.

  2. Create a new admin group.

    1. Name the admin group.

    2. Add the required capabilities, actions, and scope.

      1. CDF Administrators should include (at least) groups and project capabilities with all actions and scopes.

    3. Link the admin group to the respective source admin group, and fill in the Source ID.

  3. Link each User group to their respective source user group(s), and fill in the Source ID.

  4. Link each application/service group to their respective source group(s), and fill in the Source ID.

 

Step 4: Enable new OIDC config for the project

  1. In CDF (Fusion), go to Manage & Configure -> Manage Access -> OpenID Connect, and configure as relevant. Defaults for Azure AD follow (swapping in $AAD_TENANT_ID and $CLUSTER as relevant):

    1. Enabled: ticked

    2. JWKS url: https://login.microsoftonline.com/$AAD_TENANT_ID/discovery/v2.0/keys

    3. Token url: https://login.microsoftonline.com/$AAD_TENANT_ID/oauth2/v2.0/token

    4. Issuer: https://sts.windows.net/$AAD_TENANT_ID/

    5. Audience: https://$CLUSTER.cognitedata.com

    6. Access claims: groups roles

    7. Scope claims: scp

    8. Log claims: appid (optional)

    9. Skew (ms): 0

    10. Group callback is enabled: ticked

  2. Click Save configuration.
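To sanity-check a token issued by the new tenant against these settings before cutting over, here is an added Python example (it is not part of the guide and not Cognite tooling). It decodes the payload of a constructed sample token and compares iss, aud, exp (with the 0 ms skew) and the groups/roles and scp claims against the Step 4 defaults, and confirms that the group object IDs you linked as Source IDs in Step 3 are present in the groups claim. The tenant ID, cluster name and group IDs are placeholders.

```python
import base64
import json
import time

def expected_oidc_config(tenant_id: str, cluster: str) -> dict:
    """Step 4 defaults for Azure AD with $AAD_TENANT_ID and $CLUSTER filled in
    (only the fields the token check below needs)."""
    return {
        "issuer": f"https://sts.windows.net/{tenant_id}/",
        "audience": f"https://{cluster}.cognitedata.com",
        "access_claims": ("groups", "roles"),
        "scope_claims": ("scp",),
        "skew_ms": 0,
    }

def decode_claims(token: str) -> dict:
    """Payload only; the signature is NOT checked here (CDF does that via the JWKS url)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token: str, tenant_id: str, cluster: str, linked_groups, now=None) -> list:
    """Return mismatches between the token and the Step 4 config / Step 3 Source IDs.
    An empty list means the token would be accepted and map to the expected groups."""
    cfg = expected_oidc_config(tenant_id, cluster)
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} != {cfg['issuer']!r}")
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {aud!r} != {cfg['audience']!r}")
    if claims.get("exp", 0) + cfg["skew_ms"] / 1000 <= now:  # skew 0: no grace period
        problems.append("token expired (skew is 0 ms)")
    if not any(c in claims for c in cfg["access_claims"]):
        problems.append("no 'groups'/'roles' claim: no CDF groups would be granted")
    missing = sorted(set(linked_groups) - set(claims.get("groups", [])))
    if missing:
        problems.append(f"Source IDs not in token groups claim: {missing}")
    if not any(c in claims for c in cfg["scope_claims"]):
        problems.append("no 'scp' claim (Scope claims)")
    return problems

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing (fake signature part)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"
```

Run check_token on a real token obtained from the new tenant's token url with a test service principal; any non-empty result points at the Step 3 or Step 4 field to fix before the cut-over.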

 

Step 5: Update CDF transformations, Functions, Extractors, Grafana, Custom Apps, etc.

  1. All the scheduled transformations need to be updated with the new client ids and client secrets of the respective service principals.

  2. All the schedules of the existing CDF functions need to be re-scheduled with the new client ids and client secrets of the respective service principals.

  3. All the extractor config files need to be updated with the new tenant id and with the new client ids and client secrets of the respective service principals.

  4. Update the credentials in Grafana with the new tenant id and with the new client ids and client secrets.

  5. Update the credentials in all the custom apps related to the Cognite Client and anything that depends on sessions functionality in CDF.

Great guide, thank you for writing this!
cc @Anita Hæhre 


For Step 5, you could also add: change the tenant ID/client ID/client secret in any DevOps tool (CI/CD) that is used to deploy functions/transformations, ...

 

I would add a step 6 if you are completely moving away from the previous tenant:

Step 6: Unregister the previous IdP from the domain.

  1. Please reach out to support@cognite.com to unregister the previous IdP for the domain with the following information:

    1. Previous tenant id.


Thank you so much @Mithila Jayalath External, your contribution is greatly appreciated! Your article is now added to our community How-To Guides section. To everyone in our vibrant community: don't hesitate to share your expertise and insights. Together, we're building an amazing how-to guide library! 🚀💡

