One of your ideas has been delivered from your suggestion.OCI Identity and Access Management Integration

This feature enables enterprise grade identity and access management capabilities based on integration with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), allowing for greater control with who has access to your cloud resources.  You can control what type of access a group of users have, and to which specific permissions and roles they have access to.  This will allow all of your users to have one access point to all production and test environments for the Financial Aid Administration UI and Student/Parent Self-Service (Portal).  This centralized approach provides enhanced security and simplifies the enforcement of credentials for your end users. 

The new capabilities moves user identity management out of the Student Financial Aid (SFA) application and into the OCI Cloud Console. 

  • You will manage SFA specific configurations with the SFA application and then use OCI to manage users, identity providers, etc.
  • Secure and scalable capabilities of OCI will be utilized to authorize users based on group membership in OCI IAM
  • Your existing IDP solution can still be leveraged and integrated to OCI IAM using OCI Cloud Console

The following identity management tasks will be now managed either in the SFA application or the OCI Cloud Console:

Task Where
User Authorization Management - Role Creation and Permission Assignment SFA
User Authorization Management - Assigning Group(s) to Role(s) SFA
User Authorization Management - Group creation SFA or OCI Cloud Console
User Authorization Management - Group Membership and Management OCI Cloud Console
User Account Management OCI Cloud Console
Guest User Account and Notifications Management SFA or OCI Cloud Console
Bulk Management of User Accounts and Groups OCI Cloud Console
Enhanced Security Capability Management - External Identity Providers OCI Cloud Console
Enhanced Security Capability Management - Password Policies OCI Cloud Console
Enhanced Security Capability Management - Session Settings OCI Cloud Console
Custom IAM Interface Branding Management OCI Cloud Console

Custom Notification Management

OCI Cloud Console

User Self-Service Password Management

OCI Cloud Console
Authentication and Authorization Audit Reports OCI Cloud Console

MANAGE AUTHENTICATION FOR ADMINISTRATORS AND NON-ADMINISTRATORS

After having provisioned your production and non-production environments, you can access your identity domain through cloud.oracle.com and log in using the same credentials you used during the provisioning of the Student Financial Aid (SFA) environments.

Note that:

  • The OCI identity domain selected during the provisioning of your production SFA environment will be used for all your SFA environments.
  • You'll need to know the OCI Cloud Account name and the OCI compartment and identity domain (if you're not using the values we suggested) that were selected during the provisioning process.

For each production and non-production environment, two Oracle Cloud Service applications are created: one for the administration UI and the APIs, and one for the Student/Parent Self-Service Portal. These applications serve as the integration point between your OCI identity domain and your SFA environments and enable SSO.

Production and Non-Production Environment URLs

Production Environment URLs Non-Production URLs
Financial Aid System (Admin): 

https://sfp.ocs.oraclecloud.com/<customer_shortname>/vm-ui/ui-auth

Financial Aid System (Admin): 

https://sfp.ocs.oc-test.com/<customer_shortname-test>/vm-ui/ui-auth

Student/Parent Self-Service (Portal): 

https://sfp.ocs.oraclecloud.com/<customer_shortname>/portal/ui-auth

Student/Parent Self-Service (Portal): 

https://sfp.ocs.oc-test.com/<customer_shortname-test>/portal/ui-auth

Once fully opted in, legacy UI endpoints (/portal/login - /portal/saml and vm-ui/login - vm-ui/saml) will redirect to new IAM endpoints (/portal/ui-auth and /vm-ui/ui-auth).

Authentication for Administrators

If these groups haven't already been created, SFA creates two default SFA global administrator groups in your OCI identity domain. The user that initiated the provisioning of the SFA environments is also added to these groups.

  • Admin. This group gives default administrator permissions to all your Student/Parent Self-Service Portal environments.
  • SYS_ADMIN. This group gives default administrator permissions to all your administration UI environments.

To manage these groups, from the OCI console's navigation menu, go to Identity & Security > Domains, then select your identity domain, and then groups.

Users that are members of these groups can use the production and non-production environment URLs to authenticate themselves and access the administration UI and the APIs, and one for the Student/Parent Self-Service Portal.

Authentication for Non-Administrators

When you assign the application to the groups, members of the groups are authenticated via OCI IAM. This means that to successfully log in and access SFA, these conditions must be true:" to be "To successfully log in and access SFA, these conditions must be true:

  • The user is a member of an identity domain group.
  • The group must have a role in SFA. You assign this role in SFA itself.
  • The role must have at least one permission assigned in SFA.

When you view role and group mappings in the administration UI and Student/Parent Self-Service Portal, you'll see all the groups in the identity domain that's integrated with your SFA environments. These groups can be those created by OCI, SFA, or the ones you created yourself. To avoid confusion, we recommend adopting a naming convention for all the groups you create that meets your organization's requirements. Here's an example of a naming convention: <environment>-<workload>-<purpose> (oracletest-portal-generaladmin).

MANAGE USERS AND GROUPS IN OCI IAM

For users to access the administration UI and Student/Parent Self-Service portal, they must exist in your OCI identity domain.

Manage Users

If you're going to use OCI IAM as your primary identity provider, we recommend reviewing these documentation.

OCI Cloud Console provides you with the ability to bulk manage user accounts and groups via the OCI IAM API or CLI.

Manage Federated Users

If you're going to use an external identity provider, the user accounts must still exist in OCI IAM with the federated attribute set to true so that they don't have a local OCI console password. If you use an external identity provider, you can assign the Oracle Cloud Service application directly to the identity provider policy. For information, see Adding Apps to the Policy.

To use an external IDP, we recommend you set up a SAML external IDP for authentication and authorization while using the System for Cross-Domain Identity Management (SCIM) protocol for user life cycle management. Review this documentation as well:

If your IDP supports sending the studentID attribute as a string array data type, another option is to use just-in-time provisioning with a SAML IDP.

If you'll be using just-in-time provisioning for scenarios where only one value is in the studentID attribute in the SAML assertion from your IDP, then take one of these actions:

  • Open a service request with Oracle Support to enable support of this scenario:
    • Product: Identity Cloud Service (IDCS)
    • Category: Applications
    • Subcategory: SAML Federation
    • Make a request to have this feature enabled on the identity domain saml.jit.user.attribute.provisioning to support Student Financial Aid's custom schema attribute - studentID (string array) - in scenarios where only one value is sent in a SAML assertion.
  • Modify the assertion sent to OCI IAM such that the studentID value is enclosed in brackets [12345]
    • For example: <saml:Attribute Name="studentID"> <saml:AttributeValue xsi:type="xs:string">["123456789"]</saml:AttributeValue> </saml:Attribute>

When configuring just-in-time provisioning in the OCI Console, the assertion attribute from your IDP must be mapped to urn:ietf:params:scim:schemas:idcs:extension:custom:User:studentID. You'd need to manually enter and then select this value.

We recommend reviewing the following documentation for just-in-time provisioning:

If you don't use SCIM or just-in-time provisioning to automate user account creation, you'll be responsible for creating the accounts in OCI. If you use a combination of external identity providers and OCI IAM users, you'll need to create the OCI IAM users before the users sign in.

You can bulk create the OCI IAM users via OCI tools. You can also bulk create the OCI IAM federated users and set the federated attribute value to true, then set up SCIM or just-in-time provisioning so that the accounts are updated going forward.

Manage Groups

Groups must exist in OCI prior to assigning a user to the group either natively in OCI IAM or via just-in-time provisioning. Review the following documentation for more information:

MANAGING ROLES, PERMISSION AND GROUPS IN SFA

For users to access the administration UI and Student/Parent Self-Service portal, their associated groups must have defined role with permissions in SFA.

Manage Roles and Permissions

In the SFA application you will continue to create roles and manage permissions. There are no changes to the creation of a role or the permission mapping itself, the action is still completed within the SFA Application. 

Roles cannot be assigned to users via the SFA Application or via a SAML assertion attribute from a configured external identity provider, as this assignment will be done in OCI IAM

  • Within "User Management" in the Administration UI, the roles associated to a user will become read only
  • Within "Manage Users" in the Self-Service (Portal) the associated roles will no longer be available to select or view
  • If a Role is deleted within the SFA application, the association to the Group is removed.

Manage Groups

Groups can also be created from within the SFA Administration UI and Self-Service (Portal).

  • Within the SFA Administration UI, users with the existing "Administration" and "Roles Permissions Management" permissions will be able to manage the groups on the existing Roles Management UI, within new "Group Mappings" tab
  • Within the Self-Service (Portal), users with the existing "Manage Self Service Permissions" permission will be able to manage the groups in the Roles Permission Section in the Settings UI, within there will be a new "Groups" section

The new group management UIs will contain a list of groups queried directly from OCI IAM.

  • By default, the following Groups will be present
    • OCI IAM created groups
      • All Domain Users
      • Domain_Administrators
    • SFA created groups
      • Admin (Default administrator credentials for the Self-Service (Portal))
      • SYS_ADMIN (Default administrator credentials for the Administration UI)
      • Membership in these groups gives a user administrator rights to all corresponding Admin UI or Portal instances in all of your SFA environments
  • Any new groups you create will be listed here

The Groups UIs will show all groups defined across all of your SFA environments (ie. Test vs Production) and SFA applications (ie. Administration UI and Self-Service (Portal)). For this reason, we suggest that your group naming convention includes the environment and application.

  • If there is a discrepancy between the mapping due to the user being associated to a different environment or a group belonging to a different application, the user will be presented an error message upon attempting to log in.

You will also have the ability to assign Group(s) to Roles. This can be done in a one-to-many relationship where roles can be assigned to multiple groups, and groups can be assigned to multiple roles.

  • Users associated to a Group with multiple Roles will have a union of the Permissions from each Role.

SFA will complete group synchronization to ensure that groups created with OCI IAM or SFA are aligned. This will be completed upon a new login session to the Administration UI or Self-Service (Portal), and checked daily at midnight

  • SFA will detect if a Group was deleted in OCI Cloud Console but was mapped to a Role in SFA
  • If a conflict occurs in this scenario, the role is highlighted in RED within the respective new group management UIs (within SFA Administration UI or Self-Service (Portal)) to prompt the SFA Administrator to address the issue by mapping the Role to an existing or new OCI IAM Group

    • If not addressed, a user is only assigned the Role in question and attempts to log into the SFA application prior to it being fixed, they will be presented with the following error "An issue has occurred while signing in, please reach out to the financial aid office for assistance."
  • Within the Administration UI, a new Sync Groups button will allow you to perform this synchronization on demand

Customer created groups cannot be deleted from within the SFA application, you will need to do this from the OCI Console.

Manage Users

User management can no longer be done via the SFA application or via a SAML assertion attribute from a configured external identity provider  

  • Within "User Management" in the Administration UI, user attributes will become read only
  • Within "Manage Users" in the Self-Service (Portal), user attributes will become read only

Note, if a user account is deleted via OCI IAM, the user account record will still exist in the SFA Application for audit and compliance enablement.

MANAGING GUEST USER ACCOUNTS AND NOTIFICATIONS

Additional setup is required to manage Guest User accounts.

Within the Self-Service (Portal), users with the existing "Manage Proxy Access" permission will now be updated to have the "Manage Guest Access" permission, which will allow them to update the Guest Authentication Mode within the Settings UI. The "Guest and Student Authentication Mode" section will be replaced with a new "Guest Authentication Mode"

The following options previously available within "Guest and Student Authentication Mode" section will no longer be applicable

  • "Guest and Student Local Authentication"
  • "Guest and Student SAML Authentication"
  • "Guest Local Authentication and Student SAML Authentication"

Within the new "Guest Authentication Mode" section (available to users with the "Manage Guest Access" permission), you will have the following options

  • "Enable External IDP Authentication"
    • if you select "Enable External IDP Authentication" and Save, your external identity provider will need to be configured to support these user accounts for authentication (See SAML Attributes Required for Authentication section below) 
  • By default, this option is not selected, and OCI IAM will be used to manage Guest User Accounts
    • When using OCI IAM for Guest accounts, when a Student adds a user, SFA will query the OCI IAM Identity Domain to see if the user exists
      • If the user exists, update the studentID attribute to include the additional student ID
      • If the user does not exist, the user will be created with the email address provided by the student
  • With the 25A release, a single Guest user account can be used to access information for multiple student accounts (where authorized and applicable)

Notification Management

The "Email Communication Preference" section (previously available for users with "Manage Self Service UI Settings" permission) within the Settings UI in Self-Service (Portal) will be removed as all notification management will be done on OCI Cloud Console

To make it easier for guest users to authenticate and access Student Financial Aid, you can create a direct link that redirects guest users to the application.

  • By default, when a new OCI IAM user account is created, the user receives an email notification to activate their account. The link in the email takes the user to the OCI Cloud Console and, when complete, redirects the user to the OCI Cloud Console My Apps page.
  • On the My Apps page, you can add a link that lets guest users immediately access Financial Aid System (administrative interface) or the Self-Service Portal. To do this, see Adding an Enterprise Application. Make sure you select the checkbox Display in My Apps.
  • To control who can see this link, you'll have to manage the groups that are assigned to this application. For information, see Assigning Applications to a Group.

AUTHORIZATION FLOW FOR ACCESSING APPLICATIONS

Users accessing the Financial Aid Administration UI or Student/Parent Self-Service (Portal) via the /ui-auth endpoint are redirected to OCI IAM (SAML).

If the environment does not utilize an external identity provider, OCI IAM will authenticate the user. SFA will authorize the user based on group(s) included in the SAML assertion where the group(s) match groups assigned to roles within the Administration UI or Self-Service (Portal)

IAM Non Federated User

If the environment utilizes an external identity provider that is applicable to the user, OCI IAM will redirect the user to the external IDP. The external IDP will authenticate the user, the user redirected to OCI IAM and then to SFA. SFA will authorize the user based on group(s) included in the SAML assertion where the group(s) match groups assigned to roles within the Administration UI or Self-Service (Portal).IAM Federated User

SAML ATTRIBUTES REQUIRED FOR AUTHENTICATION

When users log in to Student Financial Aid (SFA), OCI IAM sends attributes in the SAML assertion to authenticate users.

If you're using an external identity provider, you would need to populate these attributes so that users can log in.

This table lists the attributes that OCI IAM sends in the SAML assertion to authenticate users accessing the administration UI.

OCI IAM attributes sent in the SAML assertion for the administration UI

Name Format Type Type Value Condition
firstName Basic User Attribute First name None
lastName Basic User Attribute Last name None
emailAddress Basic User Attribute Primary email None
roles Basic User Attribute Group membership All groups

This table lists the attributes that OCI IAM sends in the SAML assertion to authenticate users accessing the Student/Parent Self-Service Portal.

OCI IAM attributes sent in the SAML assertion for the Student/Parent Self-Service Portal

Name Format Type Type Value Condition
studentID Basic Expression/Literal urn:ietf:params:scim:schemas:idcs:extension:custom:User:studentID None
firstName Basic User Attribute First name None
lastName Basic User Attribute Last name None
roles Basic User Attribute Group membership All groups
emailAddress Basic User Attribute Primary email None

The studentID attribute is a custom schema attribute that SFA adds to your identity domain schema when you provision the SFA environment for the first time. Make sure that this attribute:

  • Is populated with a student’s ID so that a student can successfully log in to Student Portal.
  • Is populated with at least one student ID so that a guest user can successfully log in.
  • Is of type String Array and must be of this type when included in the assertion from an IDP.
  • Is presented in a comma-separated format: <studentID1>,<studentID2>,. . . and so on.

INCREASED API SECURITY ACCESS

The Oracle Cloud Service applications are used for API authentication and authorization. The applications add controls that enable you to issue tokens with READ (GET as an example) and ADMIN (POST as an example).

In OCI IAM, the controls are referred to as scopes. These scopes are available for each Student Financial Aid (SFA) environment:

  • /audit.admin
  • /audit.readonly
  • /mpg.admin
  • /mpg.readonly
  • /ui.admin
  • /ui.readonly
  • /vug.admin
  • /vug.readonly

Here are examples of when to use the different scopes:

  • When you need to make a READ (GET) call to the Vocado US Department of Education Gateway (VUG) API, you would request a token with only the /vug.readonly scope for the corresponding SFA environment.
  • When you need to make an ADMIN (POST) call to the Message Processing Gateway (MPG) API, you would request a token with only the /mpg.admin scope for the corresponding SFA environment.

Environment URLs and Endpoints

Here's the list of production and test environments as well as the endpoints.

Production and Test Environment Formats

Production Environment Test Environment

Format: 

https://sfp.ocs.oraclecloud.com/<environment>/<endpoint>

Example: 

https://sfp.ocs.oraclecloud.com/oracleprod/<endpoint>

Format: 

https://sfp.ocs.oc-test.com/<environment>/<endpoint>

Example: 

https://sfp.ocs.oc-test.com/oracletest/<endpoint>

These are the endpoints in the production and test environments:

  • API
    • /audit/v2
    • /mpg/v2
    • /portal/info
    • /vm-ui/rest
    • /vug/v2
  • Financial Aid System and Self-Service Portal
    • /vm-ui/ui-auth
    • /portal/ui-auth

Add a Confidential Application

To access the APIs for all your SFA environments, you need to create a Confidential Application for which you can regenerate the credentials on an ongoing basis, and control who has access to it.

For the complete instructions, see Adding a Confidential Application. The steps outlined below provide some recommendations as you add a new application.

  1. From OCI's navigation menu, go to Identity & Security > Domains > <your OCI identity domain> > Integrated applications.
  2. Add a new application.
  3. Select Confidential Application.
    1. Enter the required information.
    2. Select Enforce grants as authorization.
  4. On the Configure OAuth pane, select Configure this application as a client now.
  5. Select Client Credentials.
  6. Select Add resources.
    1. Expand the . . ._ADMIN app that corresponds to the SFA environment you want to interact with via REST API.
    2. Select the corresponding scope for the activity.
      • You can select the checkbox next to all . . ._ADMIN apps that correspond to your SFA environments to add all scopes for those environments. But it's good practice to include only the SFA environments and specific scopes in the "Resources" of the Integrated application that are needed at the time, and to keep the "Resources" empty when not in use.
      • By default, any scopes for newly provisioned SFA environments will not be included in "Resources."
    3. Select Add.
  7. Select Add app roles.
    1. Select Signin.
    2. Select Add.
  8. Finish creating the app. You don't need the other options.
  9. Activate the application.

Request a Token

To access the REST APIs, you also need to request a token. A user accessing an API endpoint will retrieve an OAuth token using their own, named account and present the token via a CURL command (or third-party tool). SFA will validate the token against OCI and then authorize the user based on role and then group membership. This token can't be shared, but you can configure when the token expires. This period depends on your organization's requirements and whether you're comfortable allowing a token to be used for a certain period.

  1. From OCI's navigation menu, go to Identity & Security > Domains > <your OCI identity domain> > Integrated applications.
  2. Browse to the confidential application you created, then select it.
  3. Select OAuth Configuration
    1. Locate the Client ID and Client secret
      • We recommend routinely regenerating the Client Secret for the confidential application you created because this allows for READ and ADMIN access to the APIs for your SFA environments.
      • We also recommend restricting who has access to the Client ID and Client Secret within OCI IAM.
    2. Encode the values to Base64
      • Here's an example in Windows Powershell:
        • $stringToEncode = "id:secret"
        • $bytes = [System.Text.Encoding]::UTF8.GetBytes($stringToEncode)
        • $encodedString = [System.Convert]::ToBase64String($bytes)
        • $encodedString
      • Make sure to note the value for use in token requests
    3. In your preferred software client, make an API call to request and retrieve a token:
      • When you need to make a READ (GET) call to the MPG API, you would request a token with only the /mpg.readonly scope for the SFA environment you need to interact with
        • Example scope:
          • curl -H "Authorization: Basic <base64 string created from client id and client secret" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST https://<identity domain url>/oauth2/v1/token-d "grant_type=client_credentials&scope=https://sfp.ocs.oc-test.com/oracletest/mpg.readonly"
      • When you need to make an ADMIN (POST) call to the VUG API you would request a token with only the /vug.admin scope for the SFA environment you need to interact with.
    4. To make an API call to interact with an SFA environment, use the token retrieved in the previous step.

ENHANCED IAM CAPABILITIES

The following security capabilities are provided in the OCI Cloud Console and outlined further within OCI documentation 

Note, you will no longer manage your Password Policy within the SFA Application and instead this will be done within the OCI Cloud Console

  • The "Password Policy Configuration" section (previously available for users with " Update Password Policy" permission) within the Settings UI in Self-Service (Portal) will be removed.
  • The "Password Policy" page within the Security Management UIs within the Administration UI will be removed.
  • See OCI documentation for more details for how you will manage these settings with OCI IAM: Password Policy

Custom Notification Management

  • Within the OCI Cloud Console, you can manage custom notifications
  • An extensive list of email notifications (including Welcome, Password Recovery, etc.) can be sent to:
    • Users
    • Administrators
  • Customizations that can be made include:
    • Language
    • Encoding
    • Sender
    • Subject
    • Email body
  • See OCI documentation for more details: 

Custom IAM Interface Branding Management

  • The following branding capabilities are provided in OCI Cloud Console
    • Add a background image on the sign-in page
    • Customize the text that users see on the sign-in page
    • Choose the language that users see on the sign-in page 
    • Add a custom logo on the sign-in page
    • Add branding to notification templates
  • See OCI documentation for more details: 

User Self-Service Password Management

  • OCI Cloud Console provides users with the ability to change their password or reset a forgotten password.
  • See OCI documentation for further information:

Audit Logging and Reporting

  • Oracle Identity and Access Management (IAM) is provides a robust reporting and audit logging suite.
    • These will help you maintain security and compliance by providing detailed information about who is accessing your Student Financial Aid applications and when, and triage login issues.  
      • Successful and Failed Logins
      • Notification delivery statuses
      • Sign-on and Sign out activity
      • Access stats to IAM
      • Diagnostic Data
  • Audit logging can be used to identify potential security breaches, ensure your SSO standards meet the compliance requirements of your school and can provide visibility into trends and user activity.
    • Generate reports of users' activities
    • Capture historical user data
    • Analyze Application Usage
  • Reports and Audit Logs can be run within the IAM console and viewed in an interactive browser, downloaded as a CSV and run utilizing service REST APIs.
    • Not all reports are available via the interactive browser, there are reports only available via REST APIs (See Documentation) 
  • Refer to the following Oracle Identity and Access Management documentation:

OCI Identity and Access Management provides secure and centralized access to all of your SFA environments. 

Here's the demo of these capabilities (Please note that the setup steps shown in demo have been updated since recording):

Steps to Enable

Use the Opt In UI to enable this feature. For instructions, refer to the Optional Uptake of New Features section of this document.

Offering: Student Financial AidNo Longer Optional From: Update 25C

Once delivered in the 25A release, all new customers (that do not have any current environments provisioned), will have all their environments provisioned with OCI IAM integration and will not need to migrate or opt into this feature.

For existing customers, the following modes will be supported to ease the uptake of OCI IAM

Prior to opting in, the existing functionality will remain unchanged

  • URLs and endpoints
  • Permission, role, and user management
  • Endpoints used for accessing SFA and SFA API's
    • /vm-ui/saml (if configured)
    • /vm-ui/login
    • /portal/saml (if configured)
    • /portal/login
    • /admin
    • /audit
    • /mpg
    • /vug
  • User login
    • Users accessing the Administration UI or Self-Service (Portal) via the /login endpoint are authenticated via the SFA application, then authorized based on roles assigned from within the SFA application
    • Users accessing the Administration UI or Self-Service (Portal) via the /saml endpoint is redirected and authenticated against a customer's external identity provider (using SAML), then authorized based on the role attribute included in the SAML assertion returned from the external identity provider
    • API access is done via CURL commands (or via third-party tools) using dedicated accounts and basic authentication

Hybrid Mode

When opting into the feature, you will first activate a Hybrid mode that will allow you to leverage new OCI IAM integration for users utilizing the new endpoints, while continuing to manage user access via legacy functionality.

Prerequisites for Hybrid Mode

Additional configuration is required to grant access to SFA environments. These tasks are a one-time required setup to provision your first SFA environment.

Note the following:

  • The identity domain you select is used for all future SFA environments and can't be changed.
  • To filter the permissions that SFA has in the identity domain you select, the domain must be in a compartment or sub-compartment under the root compartment of your tenancy.

If you want to make changes to the identity domain you created for integration with SFA, see Managing Identity Domains for more information.

  1. Create a compartment.
    • We suggest using SFA-Resources as the name of the compartment.
  2. Create an identity domain.
  3. We suggest using SFA-Domain as the name and selecting Free as the domain type. SFA will upgrade the domain type to Oracle Apps.
    • Note the following: 
      • Make sure the selected region is US East (Ashburn) or US West (Phoenix).
      • Must be created in the Compartment created in the previous step (SFA-Resources).
      • Under Remote region disaster recovery, you must Enable remote region disaster recovery.
  4. Create a group in the Identity Domain you selected
    • This group will be granted permissions to manage the provisioning of SFA environments in a later step.
    • Suggested name: SFA-OCI-App-Mgmt
  5. Create an identity policy to grant SFA access to integrate with your selected identity domain. For information on identity policies, see How Policies Work.
    • The following policies are required.
      • Allow service sfpprodiam to manage domains in compartment SFA-Resources
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read subscriptions in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read app-listing-environments in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read metrics in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read domains in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read announcements in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to manage organizations-family in tenancy
      • Allow group SFA-Domain/SFA-OCI-App-Mgmt to manage OSFPCS-environment-family in tenancy

NOTE: If you used a different compartment name, use that instead of SFA-Resources. If you selected a different group name earlier in the process, use that name here instead of SFA-OCI-App-Mgmt

  1. In the identity domain you created:
    • Allow clients to access the signing certificate for the identity domain in IAM without logging in to an identity domain. For instructions, see Viewing SAML Certificate Metadata.
    • Verify that a primary email address is required to create user accounts in an identity domain in IAM. For instructions, see Requiring User's Email Address for Account Creation.
    • Create the user account that becomes the default global administrator for your SFA environments. For instructions, see Creating a User.
      You'll be able to change this later.
    • Enable the user account to also manage SFA environment provisioning. To do so, add the user to the group created earlier. Suggested name: SFA-OCI-App-Mgmt. Note that if you used a different group name earlier in the process, use that name here instead of SFA-OCI-App-Mgmt.  For instructions, see Add users to a group

Enable Hybrid Mode

Once the prerequisite tasks have been completed, Hybrid mode can be enabled per environment by submitting a SR. In the SR include the following

  • Requested environment along with 3 convenient dates and times, so that to an enablement time can be coordinated with you.
  • Identity Domain OCID and URL
  • Tenancy OCID
  • Email address for default global admin

By 25B, any environments not in Hybrid mode will be automatically enabled during a scheduled maintenance window with proper notifications prior.

Hybrid Mode Functionality

The following functionality can be used within Hybrid mode

Functionality Hybrid Mode
SFA Endpoints Both existing legacy and new endpoints can be leveraged
Login Process Both existing legacy and new login process leveraging new endpoints can be leveraged
User Authorization Management - Role Creation and Permission Assignment Continues to work as it does prior to opting in
User Authorization Management - Assigning Group(s) to Role(s)

For users accessing SFA via the legacy endpoints, Groups has no impact. Continue to create/manage roles as you currently do and then assign to users via SFA or SAML assertion.

For users accessing SFA via the new endpoints, a User MUST be in a Group in OCI IAM, that Group MUST have Role assigned in the SFA Application and the Role MUST have at least one Permission assigned in the SFA Application

Existing Roles that were created prior to opting into the feature, can be modified to assign a Group to it. This Role can then be used for users accessing SFA via the Legacy endpoints and new endpoints.

New Roles can be created and applied to users logging in via the legacy endpoints and/or new endpoints

User Authorization Management - Group creation

Default Groups will be created and displayed within the new group management UIs in SFA applications, however no roles will be associated to those groups.

You can create new Groups in either the SFA applications or OCI Cloud Console, and can delete groups from OCI Cloud Console

User Authorization Management - Group Membership and Management You can assign users who are using the new endpoints to Groups within OCI Cloud Console.
User Account Management

You can to create users using the new endpoints within OCI Cloud Console.

You can either manually re-create your existing users, or use Just-in-time provisioning. Please note that if you create an existing user using the new endpoint, you will see 2 user accounts for the same user within the user list and SFA will leverage the new endpoint for log in.

For users using the legacy endpoints with a User Type of "External (SAML)" or "Internal"  the User Management capabilities with the Administration UI and Self-Service UI can still be used.

Guest User Account and Notifications Management

You will continue to manage guest user accounts using "Guest and Student Authentication Mode" settings on the Self-Service (Portal) regardless of endpoints.

Bulk Management of User Accounts and Groups Can be managed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints
Enhanced Security Capability Management - External Identity Providers Can be setup and managed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints
Enhanced Security Capability Management - Just-in-time provisioning Can be setup and managed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints
Enhanced Security Capability Management - Password Policies

For users leveraging new endpoints, you will need to set up your password policies on OCI Cloud Console.

For users leveraging legacy endpoints, you can still manage your password policy via the password policy capabilities within the SFA Application 

Enhanced Security Capability Management - Session settings Can be setup and managed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints
Custom IAM Interface Branding Management For users leveraging new endpoints, you will need to set up your desired branding

Custom Notification Management

Can be setup and managed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints

For existing users using legacy endpoints, you can use the existing "Email Communication Preference" settings on the Self-Service (Portal).

User Self-Service Password Management

Can be setup within OCI Cloud Console, but will only be applicable for users leveraging new endpoints

Authentication and Authorization Audit Reports

Can be accessed within OCI Cloud Console, but will only be applicable for users leveraging new endpoints

OAS Audit reports will still be available for all users regardless of the endpoints being used.

SFA API Access

Both existing legacy and new endpoints can be leveraged

Testing Hybrid Mode

During Hybrid mode, you need to complete end to end user experience testing, adjust internal documentation as needed, etc.

  • Any third-party integration services accessing SFA or the SFA APIs need to be setup to use the new endpoints.
    • Examples include Oracle Integration Cloud

Migrated Mode

Once you have fully completed your testing and are ready to migrate, you can disable the legacy and hybrid functionality resulting in the new SFA and OCI IAM integrated capabilities being available.

Prerequisites for Migrated Mode

Prior to enabling Migrated mode, complete end to end user experience testing, adjust internal documentation as needed, etc.

  • Any third-party integration services accessing SFA APIs need to be setup to use the new endpoints.
    • Please refer to the "Increased API Security Access" section, for further information on how to set this up.
    • If you are using Oracle's Campus Solutions, ensure that you have fully tested API integrations prior to opting into Migrated mode.
      • In order to obtain the POC which enhances CS to account for the new API endpoints, you should be current on CS/SFP integration related fixes through PI34.
      • Refer to Doc ID 3080631.1 for more details

Enable Migrated Mode

Once the prerequisite tasks have been completed, Migrated mode can be enabled per environment by submitting a SR. In the SR include the following

  • Requested environment along with 3 convenient dates and times, so that to an enablement time can be coordinated with you.
    • Note that as there is possible BIP reporting service downtime, this should be done during off hours.

Note that we encourage testing Migrated mode in your non production environment prior to migrating in production.

By 25C, any environments not in Migrated mode will be automatically enabled during a scheduled maintenance window with proper notifications prior. User accounts that are not administered in IAM, including accounts with ‘local’ or ‘external’ authentication, will no longer work.

Migrated Mode Functionality

In addition to the functionality outlined in Hybrid mode, you will need to set up Guest User Accounts

  • Within the new "Guest Authentication Mode" section (available to users with the "Manage Guest Access" permission), you will need to either
    • Select "Enable External IDP Authentication" to allow for your external identity provider to be configured to support these user accounts for authentication
    • Or leave this selection unchecked and manage Guest User Accounts via OCI IAM.

The following legacy functionality will no longer be applicable:

  • Legacy SFA Admin UI and Portal HTTP/S will redirect to the new /ui-auth endpoints
  • Legacy API endpoints will no longer be accessible
    • Note there are no changes in this release to the following API endpoints:
      • /vm-ui/rest/....
      • /portal/info/....
  • Roles cannot be assigned to users via the SFA Application or via a SAML assertion attribute from a configured external identity provider (/saml endpoints)
    • Within "User Management" in the Administration UI, the roles associated to a user will become read only
    • Within "Manage Users" in the Self-Service (Portal) the associated roles will no longer be available to select or view
  • The User Management capabilities within the SFA Application are now read only
    • Within "User Management" in the Administration UI, user attributes will become read only
    • Within "Manage Users" in the Self-Service (Portal), user attributes will become read only
  • The Password Policy capabilities within the SFA Application are now read only
    • The "Password Policy Configuration" section (previously available for users with " Update Password Policy" permission) within the Settings UI in Self-Service (Portal) will be removed.
    • The "Password Policy" page within the Security Management UIs within the Administration UI will be removed.
  • Guest accounts are no longer managed via the SFA Application
    • "Guest and Student Authentication Mode" section in Self-Service (Portal)  will be replaced with a new "Guest Authentication Mode"
  • Email notifications are no longer managed via the SFA application
    • Emails sent upon account activation will not be sent via SFA application
    • The "Email Communication Preference" section (previously available for users with "Manage Self Service UI Settings" permission) within the Settings UI in Self-Service (Portal) will be removed
  • Email to reset passwords will no longer be sent via SFA application

Tips And Considerations

OCI IAM by default will send email notifications to new OCI IAM users and OCI IAM federated users in a variety of scenarios. 

  • Please modify templates, deactivate notifications, etc. as needed.
  • When a new OCI IAM user account is created, by default, the user will receive an email notification to activate their account.
    • The link in the email will take the user to the OCI Cloud Console and, when complete, redirect the user to the OCI Cloud Console My Apps page. 
    • You can add link(s) to this page to let customers directly click to proceed to the Admin UI or Portal by creating an "Enterprise Application" within your Identity Domain
    • See OCI documentation for Adding an Enterprise Application for more information
    • Note: Make sure to select "Display in My Apps"
    • Group and User assignment on the created Enterprise Application can control who sees a given link
  • In the Admin UI and Portal when working work Roles and Groups Mappings:
    • All groups in the OCI Identity Domain integrated with your SFA environments are displayed
      • This means default groups created by OCI, SFA and all groups you have created are listed
      • To avoid confusion, please adopt a naming convention for all groups you create that meets your organization's requirements. 
      • A sample naming convention is:
        • <environment>-<workload>-<purpose>
        • Example: oracletest-portal-generaladmin
    • Membership of the default groups created by SFA (Admin and SYS_ADMIN) in the OCI Identity Domain integrated with your SFA Environments gives a user administrator rights to all corresponding Admin UI or Portal instances in all of your SFA environments 
      • During initial setup, it is recommended to create new groups for administrator rights per SFA environment and use these default groups as break glass access for restricted global admin access
  • At this time, SFA is only supporting integration of SAML external identity providers in the OCI Cloud Console
  • The OCI Identity Domain you select to use with your first environment when opting into Hybrid mode will be used for all of your SFA environments
  • For customers provisioned after 25A, the OCI Identity Domain of the user logged into the OCI Cloud Console to instantiate the creation of your first SFA environment will be used for all of your SFA environments
  • To maintain OCI IAM's enhanced API security, for the Integrated App you created for API Access, you should:
    • Routinely regenerate the Client secret as this allows for READ and ADMIN access to the APIs for your SFA environments
    • Restrict who has access to the Client ID and Client secret

Key Resources