In the second of our series of blogs focusing on how to optimise the management of Ping Identity products in run, we will focus on the automation of staging configuration between environments on the ‘Route to Live’.
In our previous blog, we explained how most organisations maintain multiple replicated Ping environments, usually incorporating one or more development environments, a pre-production environment and finally production itself. One of the biggest challenges in managing Ping in run is migrating configuration changes between environments as the environment evolves.
Consider the following example:
An organisation has a complex PingFederate deployment managing authentication against multiple back end directories, with a complex series of authentication selection rules. With this backdrop, the organisation wants to incorporate a new application for SSO. Whilst this is a seemingly simple change, in reality the configuration is quite involved; the SSO configuration, typically involving setting up a SAML connection, is only the start; we also need to map in the authentication backend and set up authentication rules. All told, this will involve working through multiple configuration screens and setting many tens of configuration options and parameters.
Typically, organisations will carry out this configuration in the development environment first and, following testing, will be faced with the challenge of transitioning the configuration through the subsequent environments on the ‘route to live’. Unfortunately, this is not as simple as exporting the configuration from the development system and importing it into the next environment, because each environment has local configuration, including URLs, entity ID and certificates, to name but a few, which must be incorporated into the configuration. This means that the configuration is similar, yet different, in each environment.
A manual approach to staging the configuration is likely to include producing detailed, step-by-step procedural documentation on how to implement the change. ProofID has worked in this manner with many customers in the past, and such documents can stretch to upwards of fifty pages. As with any manual approach, human error can be introduced – either in the production of the documentation or in the execution of the documented procedure. Humans lead to typos, and typos lead to errors!
The way to avoid these issues is to automate the staging of configuration between the environments. ProofID ConfigMigrator does just this. Working with the admin APIs for PingFederate and PingAccess, ConfigMigrator is able to treat configuration like code; essentially the configuration can be extracted from the development environment, stored in a version control system such as Git, and then ‘pushed’ into the next environment with required substitutions being made on the fly to address the local configuration variations outlined above. In this way, the configuration can be staged at the click of a button, with complete elimination of human error and related delays and outages. Regardless of the length of the ‘route to live’, ConfigMigrator can be used to stage the configuration from one environment to the next, until the required change has been staged into production with the minimum of fuss.
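The substitution step described above, sketched as an added example (it is not ConfigMigrator's code or ProofID's implementation). The export structure, field names, hostnames and certificate IDs are constructed for illustration; the check at the end refuses to stage a configuration in which any development-specific value survives.

```python
import json

# Constructed sample: a simplified SSO connection as exported from development.
# Field names are illustrative and do not follow a real export schema.
DEV_EXPORT = {
    "name": "Payroll SSO",
    "entityId": "https://sso.dev.example.com/payroll",
    "baseUrl": "https://sso.dev.example.com",
    "acsUrl": "https://payroll.dev.example.com/saml/acs",
    "signingCertId": "dev-signing-2024",
    "attributeMapping": {"SAML_SUBJECT": "mail"},
}

# Assumed per-environment map: development literal -> value in the target.
SUBSTITUTIONS = {
    "preprod": {
        "sso.dev.example.com": "sso.preprod.example.com",
        "payroll.dev.example.com": "payroll.preprod.example.com",
        "dev-signing-2024": "preprod-signing-2024",
    },
}

# Strings that must never appear in a configuration staged out of development.
SOURCE_MARKERS = (".dev.example.com", "dev-signing")


def stage(config, target):
    """Return a copy of config rewritten for target; fail if dev values remain."""
    rules = SUBSTITUTIONS[target]

    def rewrite(node):
        if isinstance(node, dict):
            return {key: rewrite(value) for key, value in node.items()}
        if isinstance(node, list):
            return [rewrite(value) for value in node]
        if isinstance(node, str):
            for old, new in rules.items():
                node = node.replace(old, new)
        return node

    staged = rewrite(config)
    serialised = json.dumps(staged)
    leaked = [marker for marker in SOURCE_MARKERS if marker in serialised]
    if leaked:
        # A value added in development has no mapping for this target.
        raise ValueError(f"unmapped development values for {target}: {leaked}")
    return staged


if __name__ == "__main__":
    print(json.dumps(stage(DEV_EXPORT, "preprod"), indent=2))
```

Keeping the substitution map in version control next to the exported configuration makes each environment's differences reviewable in the same change as the configuration itself.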
Other benefits of ConfigMigrator include the ability to build a cloned environment in minutes – this is very useful if an additional environment needs to be added to the route to live, or if a sandbox environment is required for initial development activities.
Furthermore, as a Java-based command line utility, ConfigMigrator is highly portable and can be integrated with common DevOps toolsets such as Puppet, Ansible and Chef, falling within the organisation’s existing approach to automation of infrastructure configuration.
Written by Tom Eggleston
With over 15 years’ industry experience, ProofID’s Tom Eggleston eats, drinks and sleeps identity and access management. A regular industry speaker in Europe and the US, Tom knows how to balance technical evangelism with the real world, finding practical solutions to the identity challenges faced by modern businesses. As CEO of ProofID, Tom has been instrumental in growing the company into the leading provider of managed identity solutions, employing over 50 people across the UK and the US.