Configuring Multiple Identity Stripes for Oracle Integration Generation 2
For Oracle Integration Generation 2, the primary (primordial) stripe is automatically federated using preconfigured groups. However, you can create separate environments for a single cloud service or application (for example, create one environment for development and one for production), where each environment has a different identity and security requirements. Implementing one or more secondary stripes enables you to create and manage multiple instances of Oracle Identity Cloud Service to protect your applications and Oracle Cloud services.
You can manually federate one or more secondary stripes with Oracle Cloud Infrastructure using SAML IDP federation in which multiple Oracle Identity Cloud Service stripes are associated with the same cloud account. Note that the tenant administrator administers both primary and secondary stripes, but identities within the stripes are isolated from each other.
For the benefits of using multiple Oracle Identity Cloud Service instances, see About Multiple Instances.
Note:
By default, a tenancy is limited to three (3) identity providers. (See Service Limits.) To increase the limit for your tenancy, see Requesting a Service Limit. You MUST increase the limit BEFORE starting to create the federation (step 4 below).
Configuring multiple identity stripes
Note:
It's important that the procedures contained in the steps below be followed in their exact order.
First, define a naming convention for the striping, as described in Defining a Stripe Naming Convention. Then follow the steps below to manually federate a secondary stripe for your cloud account. You must be the tenant administrator.
- Creating an IDCS group for secondary stripe users
- Creating an OAuth client in the secondary stripe
- Creating an Oracle Cloud Infrastructure group for secondary stripe users
- Creating the federation and its group mapping
- Creating an Oracle Cloud Infrastructure policy for federated users to create instances
- Providing access to a federated stripe in the Oracle Cloud Infrastructure console group for secondary stripe users
- Creating Oracle Integration instances in the secondary stripe compartment
Defining a Stripe Naming Convention
As a best practice, define a <stripename> for all the entities you'll create specific to the stripe. Uniquely identifying the configurations associated with a stripe is important, especially when multiple stripes are configured.
In the sections that follow, you'll use <stripename> in these entities:
Entity | Naming convention
---|---
IDCS group |
OCI group |
Compartment |
Identity Provider |
Policy |
Policy Statement |
Creating an IDCS group for secondary stripe users
In IDCS, create a group in the secondary stripe and add users from the secondary stripe to the group.
Creating an OAuth client in the secondary stripe
Create an IDCS confidential application that uses OAuth client credentials and is assigned the IDCS domain administrator role. You must create a confidential application per secondary stripe.
Creating an Oracle Cloud Infrastructure group for secondary stripe users
This group is needed because the OCI SAML IDP federation requires group mapping for federating users from the federated IDP (IDCS), and OCI native group membership is required for defining and granting OCI permissions (policies) for federated users.
Creating the federation and its group mapping
Now that you have the IDCS and OCI groups created and client information needed, create the IDCS identity provider and map the groups.
Creating an Oracle Cloud Infrastructure policy for federated users to create instances
With the federation done, set up Oracle Cloud Infrastructure policies that allow federated users from the secondary IDCS stripe to create Oracle Integration instances. As a common pattern, the policy is scoped to a compartment.
Providing access to a federated stripe in the Oracle Cloud Infrastructure console group for secondary stripe users
Perform additional steps to enable the secondary stripe administrator and all other secondary stripe users to see stripes under federation.
When you sign in as a user in the above Oracle Identity Cloud Service group, you can create users and groups in the Oracle Cloud Infrastructure console and assign permissions as you would in a primary stripe.
Additional information about where clauses
Suppose you define a policy for a group (as in the example shown below) that uses the manage verb with a where clause restricting it to a specific identity provider (OCID).
Example policy:
allow group OCISecStripeAdmin to manage identity-providers in tenancy where target.identity-provider.id='ocid1.saml2idp.oc1..aaaaaaaa...'
When a user from the group logs into the Oracle Cloud Infrastructure Console and navigates to the Federation page, the following message appears.
Adding the following additional policy enables users in the group to navigate to the same page and see the identity providers. They can inspect both, but are only able to see the group mappings (read) of the allowed identity provider:
Additional example policy:
allow group OCISecStripeAdmin to inspect identity-providers in tenancy
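The where-clause behaviour described above, as an added example that is not part of the Oracle documentation: a small Python model of how OCI evaluates the two statements on this page (verb hierarchy inspect < read < use < manage, tenancy versus compartment scope, and a where clause on target.identity-provider.id that a list call cannot satisfy because it names no single target). The evaluator and its grammar are an assumption that covers only the statement shapes shown on this page; the OCIDs and the compartment-scoped policy used in the checks are constructed placeholders.

```python
import re

# OCI verb hierarchy: each verb includes the permissions of those below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Assumed grammar, just wide enough for the statements on this page; the real
# OCI policy grammar accepts far more (other conditions, any-user, OCID scopes, ...).
STMT_RE = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)"
    r"(?: where target\.identity-provider\.id='(?P<idp>[^']+)')?$"
)

def parse(stmt):
    m = STMT_RE.match(" ".join(stmt.split()))   # tolerate line breaks in the statement
    if not m:
        raise ValueError(f"unsupported statement: {stmt}")
    return m.groupdict()

def statement_allows(s, group, verb, resource, compartment, idp_id):
    if s["group"] != group or s["resource"] != resource:
        return False
    if VERB_RANK[s["verb"]] < VERB_RANK[verb]:
        return False
    if s["scope"] != "tenancy" and s["scope"] != f"compartment {compartment}":
        return False
    # Model of the page's observation: a where clause on target.identity-provider.id
    # needs one named target, so a list call (idp_id=None) can never satisfy it.
    return s["idp"] is None or idp_id == s["idp"]

def is_allowed(policies, group, verb, resource, compartment=None, idp_id=None):
    return any(statement_allows(parse(p), group, verb, resource, compartment, idp_id)
               for p in policies)

# Constructed placeholder OCIDs and policy sets (not values from a real tenancy).
ALLOWED_IDP = "ocid1.saml2idp.oc1..EXAMPLEallowed"
OTHER_IDP = "ocid1.saml2idp.oc1..EXAMPLEother"
WHERE_ONLY = ["allow group OCISecStripeAdmin to manage identity-providers in tenancy "
              f"where target.identity-provider.id='{ALLOWED_IDP}'"]
WITH_INSPECT = WHERE_ONLY + ["allow group OCISecStripeAdmin to inspect identity-providers in tenancy"]

def federation_page_checks(policies):
    # What the Federation page needs: list every IdP, then read one IdP's group mappings.
    g, r = "OCISecStripeAdmin", "identity-providers"
    return {
        "list_idps": is_allowed(policies, g, "inspect", r),
        "read_allowed_mappings": is_allowed(policies, g, "read", r, idp_id=ALLOWED_IDP),
        "read_other_mappings": is_allowed(policies, g, "read", r, idp_id=OTHER_IDP),
    }
```

With only the where-scoped manage statement the list call is denied, which is the situation that produces the message on the Federation page; adding the tenancy-wide inspect statement permits the listing while group mappings remain readable only for the allowed identity provider.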