1. How do I set up OCI Identity and Access Management for Student Financial Aid?
  2. Manage Authentication for Administrators and Non-Administrators

Manage Authentication for Administrators and Non-Administrators

After having provisioned your production and nonproduction environments, you can access your identity domain through cloud.oracle.com and log in using the same credentials you used during the provisioning of the Student Financial Aid (SFA) environments.

Note that:

  • The OCI identity domain selected during the provisioning of your production SFA environment will be used for all your SFA environments.
  • You'll need to know the OCI Cloud Account name and the OCI compartment and identity domain (if you're not using the values we suggested) that were selected during the provisioning process.

For each production and non-production environment, two Oracle Cloud Service applications are created: one for the administration UI and the APIs, and one for the Student/Parent Self-Service Portal. These applications serve as the integration point between your OCI identity domain and your SFA environments and enable SSO.

Production and Non-Production Environment URLs

Production Environment URLs Non-Production Environment URLs
Financial Aid Application (Admin): https://sfp.ocs.oraclecloud.com/<customer_shortname>/vm-ui/ui-auth Financial Aid Application (Admin): https://sfp.ocs.oc-test.com/<customer_shortname-test>/vm-ui/ui-auth
Student Portal: https://sfp.ocs.oraclecloud.com/<customer_shortname>/portal/ui-auth Student Portal: https://sfp.ocs.oc-test.com/<customer_shortname-test>/portal/ui-auth

Authentication for Administrators

If these groups haven't already been created, SFA creates two default SFA global administrator groups in your OCI identity domain. The user that initiated the provisioning of the SFA environments is also added to these groups.

  • Admin. This group gives default administrator permissions to all your Student/Parent Self-Service Portal environments.
  • SYS_ADMIN. This group gives default administrator permissions to all your administration UI environments.

To manage these groups, from the OCI console's navigation menu, go to Identity & Security > Domains, then select your identity domain, and then groups.

Users that are members of these groups can use the production and non-production environment URLs to authenticate themselves and access the administration UI and the APIs, and one for the Student/Parent Self-Service Portal.

Authentication for Non-Administrators

To successfully log in and access SFA, these conditions must be true:

  • The user is a member of an identity domain group.
  • The group must have a role in SFA. You assign this role in SFA itself.
  • The role must have at least one permission assigned in SFA.

When you view role and group mappings in the administration UI and Student/Parent Self-Service Portal, you'll see all the groups in the identity domain that's integrated with your SFA environments. These groups can be those created by OCI, SFA, or the ones you created yourself. To avoid confusion, we recommend adopting a naming convention for all the groups you create that meets your organization's requirements. Here's an example of a naming convention: <environment>-<workload>-<purpose> (oracletest-portal-generaladmin).