For Oracle Integration Generation 2, the primary (primordial) stripe is automatically federated using preconfigured groups. However, you can create separate environments for a single cloud service or application (for example, create one environment for development and one for production), where each environment has a different identity and security requirements. Implementing one or more secondary stripes enables you to create and manage multiple instances of Oracle Identity Cloud Service to protect your applications and Oracle Cloud services.
You can manually federate one or more secondary stripes with Oracle Cloud Infrastructure using SAML IDP federation, in which multiple Oracle Identity Cloud Service stripes are associated with the same cloud account. Note that the tenant administrator administers both primary and secondary stripes, but identities within the stripes are isolated from each other. For benefits to using multiple Oracle Identity Cloud Service instances, see About Multiple Instances.
Configuring multiple identity stripes
Note: It's important that the procedures contained in the steps below be followed in their exact order.
First, define a naming convention for the striping, as described in Defining a Stripe Naming Convention. Then follow the steps below to manually federate a secondary stripe for your cloud account. You must be the tenant administrator.
- Creating an IDCS group for secondary stripe users
- Creating an OAuth client in the secondary stripe
- Creating an Oracle Cloud Infrastructure group for secondary stripe users
- Creating the federation and its group mapping
- Creating an Oracle Cloud Infrastructure policy for federated users to create instances
- Providing access to a federated stripe in the Oracle Cloud Infrastructure console group for secondary stripe users
- Creating Oracle Integration instances in the secondary stripe compartment
Defining a Stripe Naming Convention
As a best practice, define a <stripename> for all the entities you'll create specific to the stripe. Uniquely identifying configurations associated with a stripe is important, especially when multiple stripes are
In the sections that follow, you'll use <stripename> in these
Creating an IDCS group for secondary stripe users
In IDCS, create a group in the secondary stripe and add users from the secondary stripe to the group.
- Add a group in the secondary stripe, and name it <stripename>_administrators. See Defining a Stripe Naming Convention. For example, name it stripe2_administrators. Click Finish. For more information, see Create Groups in Administering Oracle Identity Cloud Service.
These administrators will be granted permission to create Oracle Integration instances. This IDCS group will be mapped with an Oracle Cloud Infrastructure group.
- Add users from the secondary stripe to the group.
Creating an OAuth client in the secondary stripe
Create an IDCS confidential application that uses OAuth client credentials and is assigned the IDCS domain administrator role. You must create a confidential application per secondary stripe.
- As an IDCS administrator, sign in to the secondary IDCS admin console.
- Add a confidential application.
  - Navigate to the Applications tab.
  - Click Add.
  - Choose Confidential Application.
  - Name the application
  - Click Next.
- Configure client settings.
  - Click Configure this application as a client now.
  - Under Authorization, select Client Credentials.
  - Under Grant the client access to Identity Cloud Service Admin APIs, click Add and select the app role Identity Domain Administrator.
  - Click Next twice.
- Click Finish. Once the application is created, note its client id and client secret. You'll need this information in upcoming steps for federation.
- Click Activate and confirm activating the application.
Creating an Oracle Cloud Infrastructure group for secondary stripe users
This group is needed because the OCI SAML IDP federation requires group mapping for federating users from the federated IDP (IDCS), and OCI native group membership is required for defining and granting OCI permissions (policies) for federated users.
- In the Oracle Cloud Infrastructure console, choose Identity, then
This Oracle Cloud Infrastructure group will be mapped with the IDCS group you created.
- Create a group and name it oci_<stripename>_administrators. For example, name it
Creating the federation and its group mapping
Now that you have the IDCS and OCI groups created and client information needed, create the IDCS identity provider and map the groups.
- Sign in to the Oracle Cloud Infrastructure console. Select the identity domain of the primordial stripe (identitycloudservice) and enter its user
Keep in mind that group mapping for a secondary stripe uses the primordial stripe user sign in. This is important, since adding multiple stripes adds multiple options to this dropdown.
- Select Identity, then Federation.
- Click Add Identity Provider.
- In the screen displayed, complete the fields as shown:
  - Federation with IDCS secondary stripe
  - Oracle Identity Cloud Service
  - Oracle Identity Cloud Service Base URL: Enter this URL using the format: <idcs-xxxx> domain part with your secondary IDCS stripe.
  - Client ID/Client Secret: Enter the information that you created in the secondary stripe and noted during the Creating an OAuth client in the secondary stripe steps.
  - Select this option
- Click Continue.
- Map the IDCS secondary stripe and OCI groups you previously created. Map the IDCS secondary stripe group (created in Creating an IDCS group for secondary stripe users) and the OCI group (created in Creating an Oracle Cloud Infrastructure group for secondary stripe users).
- Click Add Provider. The secondary stripe federation is complete. Notice that the group mapping is displayed.
- Verify the secondary stripe, and configure visibility for secondary stripe administrators and users.
The tenant administrator can see all federated IDCS stripes in the OCI console:
The secondary stripe administrator and all other secondary stripe users will not see any stripes under federation. To resolve that, see Providing access to a federated stripe in the Oracle Cloud Infrastructure console group for secondary stripe users.
Creating an Oracle Cloud Infrastructure policy for federated users to create instances
With the federation done, set up Oracle Cloud Infrastructure policies that allow federated users from the secondary IDCS stripe to create Oracle Integration instances. As a common pattern, the policy is scoped to a compartment.
- Create a compartment where Oracle Integration instances for the secondary IDCS stripe can be created. Name the compartment <stripename>_compartment. For example, create a compartment named
- Create a policy that will allow federated users to create Oracle Integration instances in the compartment. Name the policy
This policy allows a user who is a member of the group in the policy to create an Oracle Integration instance (integration-instance) in the compartment named stripe2_compartment.
allow group oci_stripe2_administrators to manage integration-instances in compartment stripe2_compartment
Allow group <stripename>_administrators to <verb> <resource-type> in compartment <stripename>_compartment
Providing access to a federated stripe in the Oracle Cloud Infrastructure console group for secondary stripe users
Perform additional steps to enable the secondary stripe administrator and all other secondary stripe users to see stripes under federation.
- In Oracle Identity Cloud Service, create a group called
- Add users to the group that you want to be able to see the federation and to create users and groups in the Oracle Cloud Infrastructure console in that stripe.
- In the Oracle Cloud Infrastructure console, using the primary stripe user with the correct permission, create an Oracle Cloud Infrastructure group called
- Map the
- Using the following statement examples, define a policy that grants access to federated stripes. Several of the examples show how to grant access to a specific federated stripe, by using a where clause that identifies the secondary stripe. You can get the federation's OCID from the federation view in the Oracle Cloud Infrastructure console.
The following examples show what each policy statement allows secondary stripe administrators to do:
- Create groups (use): allow group oci_stripe2_federation_administrators to use groups in tenancy
- List the identity providers in the federation (inspect): allow group oci_stripe2_federation_administrators to inspect identity-providers in tenancy
  Note that if the secondary stripe admins are required to create groups, this policy is required when a where clause is included.
- Access a specific federated stripe (use): allow group oci_stripe2_federation_administrators to use identity-providers in tenancy where target.identity-provider.id = "ocid1.saml2idp.oc1..aaaaaaaaa…"
- Manage ALL or ONLY a specific secondary stripe identity provider (manage):
  ALL identity providers: allow group oci_stripe2_federation_administrators to manage identity-providers in tenancy
  ONLY a specific secondary stripe identity provider: allow group oci_stripe2_federation_administrators to manage identity-providers in tenancy where target.identity-provider.id = "ocid1.saml2idp.oc1..aaaaaaaaa…"
When you sign in as a user in the above Oracle Identity Cloud Service group, you can create users and groups in the Oracle Cloud Infrastructure console and assign permissions as you would in a primary stripe.
Additional information about where clauses
Suppose you define a policy for a group (as in the example shown below) that uses the manage verb with a where clause restricting it to a specific identity provider (ocid).
allow group OCISecStripeAdmin to manage identity-providers in
When a user from the group logs into the Oracle Cloud Infrastructure Console and navigates to the Federation page, the following message appears.
Adding the following additional policy enables users in the group to navigate to the same page and see the identity providers. They can inspect both, but are only able to see the group mappings (read) of the allowed identity provider:
Additional example policy:
allow group OCISecStripeAdmin to inspect identity-providers in tenancy
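The policy statements in this section and in Creating an Oracle Cloud Infrastructure policy for federated users to create instances all share one shape: allow group <group> to <verb> <resource-type> in <tenancy|compartment NAME> [where <condition>]. The checker below is an added example (not Oracle's code or tooling) that parses that shape and flags statements which reach beyond the secondary-stripe pattern described on this page: a group name outside the oci_<stripename>_ convention, integration-instances not scoped to <stripename>_compartment, and use or manage on identity-providers with no target.identity-provider.id where clause, which applies to ALL identity providers in the tenancy rather than only the secondary stripe. The sample statements are constructed from the page's examples; the OCID is a placeholder. The regex covers only the statement shape shown on this page, not the full OCI policy language.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Statement shape used throughout this page (not the full OCI policy grammar):
#   allow group <group> to <verb> <resource-type> in <tenancy|compartment NAME> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)

# The identity-provider condition used on this page, accepting either quote style.
IDP_WHERE_RE = re.compile(
    r"""target\.identity-provider\.id\s*=\s*['"](?P<ocid>[^'"]+)['"]""", re.IGNORECASE
)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is scoped to the tenancy
    where: Optional[str]


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError if it does not match the shape above."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    scope_parts = m.group("scope").split()
    compartment = scope_parts[1] if len(scope_parts) == 2 else None
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        compartment=compartment,
        where=m.group("where"),
    )


def lint_stripe_policy(statements: List[str], stripename: str) -> List[str]:
    """Return one finding per statement that is broader than the secondary-stripe pattern needs."""
    findings = []
    expected_prefix = f"oci_{stripename}_"
    expected_compartment = f"{stripename}_compartment"
    for text in statements:
        s = parse_statement(text)
        # Naming convention from Defining a Stripe Naming Convention: oci_<stripename>_...
        if not s.group.startswith(expected_prefix):
            findings.append(f"{s.group}: group name does not follow the {expected_prefix}* convention")
        # Instance creation is expected to be scoped to the stripe's own compartment.
        if s.resource == "integration-instances" and s.compartment != expected_compartment:
            findings.append(
                f"{s.group}: {s.verb} integration-instances is not scoped to compartment {expected_compartment}"
            )
        # use/manage on identity-providers without a target.identity-provider.id condition
        # covers every identity provider in the tenancy, not just the secondary stripe.
        if s.resource == "identity-providers" and s.verb in ("use", "manage"):
            if s.where is None or not IDP_WHERE_RE.search(s.where):
                findings.append(
                    f"{s.group}: {s.verb} identity-providers applies to ALL identity providers "
                    "(no target.identity-provider.id where clause)"
                )
    return findings


# Constructed sample, based on the statements shown on this page; the OCID is a placeholder.
SAMPLE_STATEMENTS = [
    "allow group oci_stripe2_administrators to manage integration-instances in compartment stripe2_compartment",
    "allow group oci_stripe2_federation_administrators to use groups in tenancy",
    "allow group oci_stripe2_federation_administrators to inspect identity-providers in tenancy",
    "allow group oci_stripe2_federation_administrators to use identity-providers in tenancy "
    "where target.identity-provider.id = 'ocid1.saml2idp.oc1..EXAMPLE_PLACEHOLDER'",
    # Broader than needed: manages every identity provider in the tenancy.
    "allow group oci_stripe2_federation_administrators to manage identity-providers in tenancy",
    # Wrong group naming and scoped to the tenancy instead of the stripe compartment.
    "allow group OCISecStripeAdmin to manage integration-instances in tenancy",
]

if __name__ == "__main__":
    for finding in lint_stripe_policy(SAMPLE_STATEMENTS, "stripe2"):
        print(finding)
```

Run it as-is to see the three findings for the sample set; feed it the statements from your own tenancy to confirm that every identity-provider grant beyond inspect carries a where clause naming the secondary stripe's OCID.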
Creating Oracle Integration instances in the secondary stripe compartment
With federation and Oracle Cloud Infrastructure policies defined, federated users can sign into the Oracle Cloud Infrastructure Console and create Oracle Integration instances as shown.
- Sign in as a federated user from the secondary stripe. Users will need to select the secondary stripe in the Identity Provider field (idcs-secondary-stripe-service, in this case).
- Authorized administrators can create Oracle Integration instances in the specified compartment (idcs-secondary-stripe-compartment, in this case).