Self-service promotions migration FAQ

How are promotions changing?

ForgeRock is replacing support-assisted promotions with self-service promotions. Instead of raising a support ticket to promote configuration to your tenant environments, you’ll be able to promote configuration yourself. In addition, it will be possible for you to view and edit configuration placeholders in all Identity Cloud APIs.

To introduce self-service promotions, ForgeRock needs to migrate the configuration of some customers.

Will this migration affect me?

If your development environment does not have any ESVs by the migration cutoff deadline (Tuesday, November 22, 2022), your configuration will not need to go through a migration process, and your environments will be enabled automatically for self-service promotions. You will not need to take any action, and you do not need to finish reading this FAQ.

Alternatively, if your development environment does have ESVs by the migration cutoff deadline (Tuesday, November 22, 2022), your configuration will need to go through a migration process. You will be given your own specific migration date and time. After the configuration has been migrated, your environments will be enabled for self-service promotions. Please finish reading this FAQ to fully understand the migration process and the actions you may need to take.

Why is a migration needed?

Identity Cloud handles configuration placeholders for support-assisted and self-service promotions differently:

For support-assisted promotions, the configuration contains literal values, and placeholders are substituted in by a support engineer before every promotion. This means that adding placeholders is an additional process, and that placeholders are not visible or editable in most API requests.
For self-service promotions, the configuration contains the actual placeholders instead of literal values. This means that no additional process is needed to add placeholders, and that placeholders are visible and editable in all API requests.

If your development environment has any ESVs, ForgeRock will assume that your configuration has corresponding placeholders, and that your configuration will need to be migrated so that it is compatible with self-service promotions.

During the migration process, ForgeRock will permanently substitute the actual placeholders into your configuration, then enable self-service placeholder management in your environments.

Scripts that reference ESVs are not affected by the migration and do not need to be updated.

Which environments will need to be migrated?

Your development environment will need to be migrated, as will your sandbox environment, if you have one.

What will change in sandbox environments?

Your sandbox environment will be migrated in the same way as your development environment, to make sure that all environments are consistent.

What happens to my staging and production environments?

Once the migration of your development environment is complete, self-service configuration management will also be enabled for your staging and production environments.

What if I maintain an external copy of my Identity Cloud configuration?

You may maintain an external copy of your Identity Cloud configuration using CI/CD automation, source code management, or simple scripts. If so, there is a danger that after migration, the old external copy of your configuration (which doesn’t contain literal placeholders) could accidentally overwrite the newly migrated Identity Cloud configuration (which contains literal placeholders). You will therefore need to take additional action immediately after your Identity Cloud configuration has been migrated; you will need to replace the external copy of your configuration with a download of the newly migrated Identity Cloud configuration, so that your external copy contains literal placeholders.

If you do not maintain an external copy of your Identity Cloud configuration, then you do not need to take any additional action.

Someone else set this up for me, I think we track our configuration externally, but I don’t know how to make a copy. How can I get help?

ForgeRock recommends that, in the first instance, you reach out to the third party that developed your Identity Cloud service. Failing that, for assistance from ForgeRock professional services, please raise a support ticket.

When will the migration take place?

You will be assigned a date and time for your migration. The notification will appear in a yellow box at the top of the Identity Cloud admin UI in your development and sandbox environments, with this message:

Scheduled Tenant Migration Friday, January 14, 2023 at 10:00 AM PST. View details.

Can I change the date and time of the migration?

Yes, you can raise a support ticket to change the date and time:

The day can be Monday–Friday.
The time can be from 8 AM GMT until 4 PM PDT
The date can be from Tuesday, January 10, 2023 until Friday, March 31, 2023

What happens during the migration?

ForgeRock will lock your development and sandbox environments. In this locked state, you won’t be able to make changes to your environments, but all end-user authentication journeys will continue to operate. The Identity Cloud admin UI will show the message "Tenant Locked" in the top left of the screen.
ForgeRock will perform the migration:
- Configuration placeholders will be permanently substituted into your Identity Cloud configuration.
- Self-service placeholder management will be enabled.
- Identity Cloud services will be restarted.
The migration will take 30–45 minutes.
You will be notified that the migration is complete. The notification will appear in a modal window in the Identity Cloud admin UI in your development and sandbox environments:

You will need to choose a migration completion option:
1. If you maintain an external copy of your Identity Cloud configuration:
  1. You will need to replace the external copy with a download of the newly migrated Identity Cloud configuration, so that your external copy contains literal placeholders.
  2. Then, in the Identity Cloud admin UI:
    
    Select the Configuration is managed externally option.
    
    Check I confirm I have downloaded my configuration.
    
    Click Continue.
2. If you do not maintain an external copy of your Identity Cloud configuration:
  1. In the Identity Cloud admin UI:
    
    Select the ForgeRock manages configuration option.
    
    Click Continue.
ForgeRock will unlock your development and sandbox environments. You will now be able to run self-service promotions.

How do I know whether my environment is ready for self-service promotion?

The Identity Cloud admin UI will be fully functional again, and will no longer show the message "Tenant Locked" in the top left of the screen.

Is the migration process summarized in a diagram?

Yes, refer to Self-service promotions migration process flow.

How do I insert configuration placeholders once the migration is complete?

Refer to Introduction to configuration placeholders.

Why can I only set up configuration placeholders using APIs, and not UIs?

ForgeRock has listened to Identity Cloud customers, and found that many customers want to define configuration placeholders and run promotions without a support ticket, and consider this of paramount importance. Additionally, ForgeRock found that many customers rely heavily on API, and do not use the UI as frequently.

With this in mind, ForgeRock decided to introduce self-managed promotions using API, before full UI support is available.

How do I perform configuration promotion once the migration is complete?

Refer to Introduction to self-service promotions.

How can I be assured that the new promotion process will work for me?

ForgeRock has tested the self-service promotions API internally to ensure that the transition to self-service promotions is as seamless as possible. Our support engineers have been using the API for customer promotions since 7th June 2022.