Manage Users and Groups in OCI IAM

For users to access the Administration interface and Student/Parent Self-Service portal, they must exist in your OCI identity domain.

Manage Users

If you're going to use OCI IAM as your primary identity provider, we recommend reviewing the following documentation.

Manage Federated Users

If you're going to use an external identity provider (IDP), the user accounts must still exist in OCI IAM with the federated attribute set to true, so that they authenticate at the external IDP and don't need a local OCI Console password. When using an external IDP, you can assign the Oracle Cloud Service application directly to the identity provider policy. For information, see Adding Apps to the Policy.

To use an external IDP, we recommend setting up a SAML external IDP for authentication and authorization, and using the System for Cross-Domain Identity Management (SCIM) protocol for user life cycle management (creating, updating and deactivating accounts). Review this documentation as well:

If your IDP can send the studentID attribute as a string array data type, another option is just-in-time (JIT) provisioning from the SAML IDP instead of SCIM.

If you'll be using just-in-time provisioning and the SAML assertion from your IDP carries only one value in the studentID attribute, take one of these actions (the attribute is defined in OCI IAM as a string array, and a single plain value isn't accepted by default):

  • Open a service request with Oracle Support to enable support of this scenario:
    • Product: Identity Cloud Service (IDCS)

    • Category: Applications

    • Subcategory: SAML Federation

    Request that the feature saml.jit.user.attribute.provisioning be enabled on your identity domain, so that Student Financial Aid's custom schema attribute studentID (string array) is populated correctly when only one value is sent in the SAML assertion.

  • Modify the assertion sent to OCI IAM so that the studentID value is enclosed in brackets, for example [12345]. Make this change in the IDP's attribute mapping, before the assertion is signed; rewriting a signed assertion in transit invalidates its signature.

    For example:

      <saml:Attribute Name="studentID">
        <saml:AttributeValue xsi:type="xs:string">["123456789"]</saml:AttributeValue>
      </saml:Attribute>

When configuring just-in-time provisioning in the OCI Console, the assertion attribute from your IDP must be mapped to urn:ietf:params:scim:schemas:idcs:extension:custom:User:studentID. This value isn't pre-populated in the mapping list; enter it manually and then select it.
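Before opening a service request or changing the IDP mapping, it helps to look at an assertion the IDP actually sends (for example, one captured with a browser SAML tracer) and confirm which of the cases above applies. The following is an added example, not code from the Oracle documentation: it extracts the studentID attribute from an assertion, reports whether OCI IAM will see a plain single value, an already bracketed array, or several values, and shows the bracket encoding the workaround requires. The sample assertions are constructed for illustration.

```python
"""Inspect the studentID attribute in a captured SAML assertion.

Added example (not Oracle's code). Decides whether the assertion matches
the string-array studentID custom attribute used by JIT provisioning.
"""
import json
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Target of the JIT attribute mapping in the OCI Console (from the page).
STUDENT_ID_SCIM_ATTR = "urn:ietf:params:scim:schemas:idcs:extension:custom:User:studentID"


def student_id_values(assertion_xml: str) -> list:
    """Return the raw <saml:AttributeValue> texts of the studentID attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != "studentID":
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((value.text or "").strip())
    return values


def classify(values: list) -> tuple:
    """Classify how OCI IAM will receive studentID.

    Returns (status, ids):
      "missing" - attribute absent from the assertion
      "multi"   - several AttributeValue elements (a true array); fine as-is
      "array"   - one value already encoded as a JSON array, e.g. ["123456789"]
      "single"  - one plain value; needs the service request or the bracket
                  workaround described on the page
    """
    if not values:
        return "missing", []
    if len(values) > 1:
        return "multi", values
    raw = values[0]
    if raw.startswith("[") and raw.endswith("]"):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return "single", [raw]
        if isinstance(parsed, list):
            return "array", [str(x) for x in parsed]
    return "single", [raw]


def bracket_value(student_id: str) -> str:
    """Encode one studentID the way the workaround requires: ["123456789"].

    Apply this in the IDP's attribute mapping, before the assertion is signed.
    """
    return json.dumps([student_id])


# Constructed sample assertions (signature and other elements omitted).
_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="studentID">
      <saml:AttributeValue xsi:type="xs:string">{value}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_SINGLE = _TEMPLATE.format(value="123456789")
SAMPLE_BRACKETED = _TEMPLATE.format(value=bracket_value("123456789"))


if __name__ == "__main__":
    for label, xml in (("single", SAMPLE_SINGLE), ("bracketed", SAMPLE_BRACKETED)):
        status, ids = classify(student_id_values(xml))
        print(f"{label:10s} -> {status}: {ids}  (maps to {STUDENT_ID_SCIM_ATTR})")
```

If the script reports "single" for your IDP's assertion, either have Oracle Support enable the feature described above or change the IDP mapping so the value is emitted as bracket_value() shows.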

We recommend reviewing the following documentation for just-in-time provisioning:

Do note that:

  • If you don't use SCIM or just-in-time provisioning to automate user account creation, you're responsible for creating the accounts in OCI IAM yourself. If you use a combination of external identity providers and OCI IAM users, the OCI IAM users must exist before those users first sign in.

  • You can bulk create the OCI IAM users via OCI tools.

    You can also bulk create the OCI IAM federated users and set the federated attribute value to true. You can then set up SCIM or just-in-time provisioning so that the accounts are updated going forward.
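One way to pre-create federated users in bulk is to generate a SCIM BulkRequest from a CSV export and POST it to the identity domain's /admin/v1/Bulk endpoint. The following is an added example, not Oracle tooling or code from the documentation. It assumes the Oracle user extension URN urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User with its isFederatedUser attribute, the custom extension URN urn:ietf:params:scim:schemas:idcs:extension:custom:User (taken from the mapping URN above), and the standard SCIM Bulk message format; check these against your domain's /admin/v1/Schemas before running it. The CSV rows are constructed sample data.

```python
"""Build a SCIM BulkRequest that pre-creates federated OCI IAM users.

Added example (not Oracle's code). Each user gets isFederatedUser=true,
so no local console password is created, and studentID as a string array.
"""
import csv
import io
import json
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed Oracle extension carrying the federated flag; verify via /admin/v1/Schemas.
ORACLE_USER_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
# Custom extension from the JIT mapping URN quoted on the page.
CUSTOM_EXT = "urn:ietf:params:scim:schemas:idcs:extension:custom:User"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

# Constructed sample export: studentID may hold several values separated by ';'.
SAMPLE_CSV = """userName,givenName,familyName,email,studentID
jdoe@example.edu,Jane,Doe,jdoe@example.edu,123456789
asmith@example.edu,Alex,Smith,asmith@example.edu,234567890;234567891
"""


def scim_user(row: dict) -> dict:
    """Turn one CSV row into a SCIM User resource for a federated account."""
    for required in ("userName", "email", "studentID"):
        if not row.get(required, "").strip():
            raise ValueError(f"missing {required} for row {row!r}")
    student_ids = [s.strip() for s in row["studentID"].split(";") if s.strip()]
    return {
        "schemas": [CORE_USER, ORACLE_USER_EXT, CUSTOM_EXT],
        "userName": row["userName"].strip(),
        "name": {"givenName": row["givenName"], "familyName": row["familyName"]},
        "emails": [{"value": row["email"].strip(), "type": "work", "primary": True}],
        "active": True,
        # Federated users authenticate at the external IDP; no local password.
        ORACLE_USER_EXT: {"isFederatedUser": True},
        # studentID is a string array even when only one value is present.
        CUSTOM_EXT: {"studentID": student_ids},
    }


def bulk_request(csv_text: str, fail_on_errors: int = 1) -> dict:
    """Wrap all rows in a single SCIM BulkRequest (RFC 7644 section 3.7)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    operations = [
        {"method": "POST", "path": "/Users", "bulkId": f"user{i}", "data": scim_user(row)}
        for i, row in enumerate(reader, start=1)
    ]
    body = {"schemas": [BULK_REQUEST], "Operations": operations}
    if fail_on_errors:
        body["failOnErrors"] = fail_on_errors  # stop after this many failed operations
    return body


def send_bulk(domain_url: str, access_token: str, body: dict) -> dict:
    """POST the request to <domain_url>/admin/v1/Bulk with an admin bearer token.

    Not exercised here; domain_url is the identity domain URL
    (https://idcs-....identity.oraclecloud.com) and the token must carry
    the Identity Domain Administrator (or User Administrator) role.
    """
    req = urllib.request.Request(
        f"{domain_url.rstrip('/')}/admin/v1/Bulk",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/scim+json",
        },
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(bulk_request(SAMPLE_CSV), indent=2))
```

Each operation's bulkId lets you match the per-user results in the BulkResponse back to a CSV row, which matters when failOnErrors stops the batch part-way through. Once the accounts exist with isFederatedUser set, SCIM or just-in-time provisioning can keep them updated.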

Manage Groups

Groups must exist in the OCI identity domain before a user can be assigned to them, whether the assignment is made natively in OCI IAM or via just-in-time provisioning; JIT group mapping adds users to existing groups but doesn't create groups. Review the following documentation for more information: