Requirements
- Access to your CDF project.
- Access to your applications and services.
- A new Azure Active Directory tenant.
Follow the steps carefully to plan and prepare for a successful migration:
Step 1: Collect project data
Collect available data for all the items that you need to migrate:
- Applications:
  - Make a list of the Cognite applications (e.g. Remote, Infield, …) used by your CDF project.
  - Make a list of the third-party applications (e.g. Grafana, Power BI, Azure Data Factory, …) used by your CDF project.
- Services:
  - Make a list of scheduled functions.
  - Make a list of the extractors in use.
- Groups used with CDF:
  - Make a list of the groups in your CDF project, with their members and capabilities.
Step 2: Configure new IdP identity and access management
Step 2.1: Groups and users
- Create your groups in the new IdP based on the information you have collected.
- Add members to your groups.
- Save the groups' names and object IDs.
Step 2.2: Register applications and service accounts
- Register the CDF cluster API as an Enterprise Application.
- Register Cognite core applications as Enterprise Applications.
- Register Cognite services, extractors, and connectors as Application Registrations.
- Register third-party applications as Enterprise Applications.
- Register third-party services as Application Registrations.
- Create one or more groups for your service principals.
- Add your service principals to their respective group(s).
Step 2.3: Register the new IdP for the existing domain
- Reach out to support@cognite.com to register the new IdP for the existing domain, providing the following information:
  - New tenant ID.
  - New IdP label.
Step 3: Access Management
Important: Do not forget to have two administrator groups in CDF, one linked to the old IdP CDF administrator group and one linked to the new IdP CDF administrator group.
- In CDF (Fusion), go to Manage & Configure -> Manage Access -> Groups.
- Create a new admin group:
  - Name the admin group.
  - Add the required capabilities, actions, and scope.
    - CDF Administrators should include (at least) the groups and project capabilities with all actions and scopes.
  - Link the admin group to the respective source admin group, and fill in the Source ID.
- Link each user group to its respective source user group(s), and fill in the Source ID.
- Link each application/service group to its respective source group(s), and fill in the Source ID.
Step 4: Enable new OIDC config for the project
- In CDF (Fusion), go to Manage & Configure -> Manage Access -> OpenID Connect, and configure as relevant. Defaults for Azure AD follow (swapping in $AAD_TENANT_ID and $CLUSTER as relevant):
  - Enabled: ticked
  - JWKS url: https://login.microsoftonline.com/$AAD_TENANT_ID/discovery/v2.0/keys
  - Token url: https://login.microsoftonline.com/$AAD_TENANT_ID/oauth2/v2.0/token
  - Issuer: https://sts.windows.net/$AAD_TENANT_ID/
  - Audience: https://$CLUSTER.cognitedata.com
  - Access claims: groups, roles
  - Scope claims: scp
  - Log claims: appid (optional)
  - Skew (ms): 0
  - Group callback is enabled: ticked
- Click Save configuration.
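As an added illustration (not Cognite's code), the checks that the Step 4 fields express, followed by the Step 3 Source ID linkage, written out in Python: the tenant ID, cluster name, group object IDs, app ID and claim values are constructed placeholders, and the block assumes the token's signature has already been verified against the configured JWKS url.

```python
import time

# Constructed placeholders standing in for $AAD_TENANT_ID and $CLUSTER.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
CLUSTER = "api"

# Constructed sample: decoded payload of an Azure AD access token whose
# signature has ALREADY been checked against the JWKS url from Step 4.
SAMPLE_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": f"https://{CLUSTER}.cognitedata.com",
    "nbf": 1_700_000_000,
    "exp": 1_700_000_000 + 3600,
    "groups": ["11111111-1111-1111-1111-111111111111"],  # AAD group object ID
    "roles": ["cdf.reader"],                             # constructed app role
    "scp": "user_impersonation",                         # scope claim
    "appid": "22222222-2222-2222-2222-222222222222",     # log claim (optional)
}

# Hypothetical CDF group table from Step 3: CDF group name -> Source ID
# (the object ID of the linked AAD group). Old- and new-IdP admin groups coexist.
CDF_GROUPS = {
    "cdf-admins-new-idp": "11111111-1111-1111-1111-111111111111",
    "cdf-admins-old-idp": "99999999-9999-9999-9999-999999999999",
}


def check_token_claims(claims, tenant_id, cluster, now, skew_ms=0):
    """Issuer, audience and validity-window checks as configured in Step 4.
    Returns the union of the access claims (groups + roles), or raises."""
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        raise ValueError("issuer mismatch: token not issued by the configured tenant")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a list
    if f"https://{cluster}.cognitedata.com" not in audiences:
        raise ValueError("audience mismatch: token minted for another resource")
    skew = skew_ms / 1000  # Skew (ms): 0 means no tolerance at all
    if now >= claims["exp"] + skew or now < claims.get("nbf", 0) - skew:
        raise ValueError("token outside its validity window")
    return set(claims.get("groups", [])) | set(claims.get("roles", []))


def resolve_cdf_groups(claims, cdf_groups, tenant_id, cluster, now):
    """Map the token's access claims onto CDF groups via their Source IDs."""
    access = check_token_claims(claims, tenant_id, cluster, now)
    return sorted(name for name, src in cdf_groups.items() if src in access)


if __name__ == "__main__":
    groups = resolve_cdf_groups(SAMPLE_CLAIMS, CDF_GROUPS, TENANT_ID, CLUSTER, time.time())
    print("appid=%s cdf_groups=%s" % (SAMPLE_CLAIMS["appid"], groups))
```

A token from the old tenant fails the issuer check, which is why both admin groups must exist while the cut-over is in progress.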
Step 5: Update CDF transformations, Functions, Extractors, Grafana, Custom Apps, etc.
- All scheduled transformations need to be updated with the new client IDs and client secrets of the respective service principals.
- All schedules of the existing CDF functions need to be re-scheduled with the new client IDs and client secrets of the respective service principals.
- All extractor config files need to be updated with the new tenant ID and with the new client IDs and client secrets of the respective service principals.
- Update the credentials in Grafana with the new tenant ID, client IDs, and client secrets.
- Update the credentials in all custom apps that use the Cognite client, and in anything that depends on the sessions functionality in CDF.