Set Up Your OCI Cloud Account for Student Financial Aid

Student Financial Aid (SFA) integrates with an OCI identity domain so that you can manage the users and groups that are then granted access to specific resources.

After provisioning your SFA environments, you need to explore and understand the integration between SFA and OCI Identity and Access Management. Additional configuration is required to grant access to SFA environments.

These tasks are a one-time setup that is required before you provision your first SFA environment.

Note:
  • The identity domain you select is used for all future SFA environments and can't be changed.
  • To limit the permissions that SFA has in the identity domain you select, the domain must be in a compartment or subcompartment under the root compartment of your tenancy.

If you want to modify the identity domain you created, see Managing Identity Domains for more information.

  1. Create a compartment.
    We suggest using SFA-Resources as the name of the compartment.
  2. Create an identity domain. Create this domain in the compartment you just made.

    We suggest using SFA-Domain as the name and selecting Free as the domain type. SFA will upgrade the domain type to Oracle Apps.

    Also confirm that these options are selected:
    • The selected region is US East (Ashburn) or US West (Phoenix).
    • Under Remote region disaster recovery, Enable remote region disaster recovery is selected.
  3. Create a group in the identity domain you selected.

    This group will be granted permissions to manage the provisioning of SFA environments. We suggest using the name SFA-OCI-App-Mgmt.

  4. Create an identity policy to grant SFA access to integrate with your selected identity domain. For information on identity policies, see How Policies Work.

    These policies are required:

    • Allow service sfpprodiam to manage domains in compartment SFA-Resources

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read subscriptions in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read app-listing-environments in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read metrics in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read domains in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to read announcements in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to manage organizations-family in tenancy

    • Allow group SFA-Domain/SFA-OCI-App-Mgmt to manage OSFPCS-environment-family in tenancy

    If you used a different compartment name, substitute it for SFA-Resources in the first statement. Likewise, if you used a different group name, substitute it for SFA-OCI-App-Mgmt in the remaining statements.

  5. In the identity domain you created:
    1. Allow clients to access the signing certificate for the identity domain in IAM without logging in to an identity domain. For instructions, see Viewing SAML Certificate Metadata.
    2. Verify that a primary email address is required to create user accounts in an identity domain in IAM. For instructions, see Requiring User's Email Address for Account Creation.
    3. Create the user account that becomes the default global administrator for your SFA environments. For instructions, see Creating a User.
      You can modify this later.
    4. Enable the user account to also manage SFA environment provisioning. To do this, add the user to the group you created earlier (step 3).

      If you used a different group name than the suggested SFA-OCI-App-Mgmt, add the user to the group you actually created. See Adding Users to a Group for more information.
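The policy statements in step 4 are the part of this procedure most worth checking before you apply them, because the names must be substituted consistently and the service grant should stay scoped to the one compartment. The following script is an added example and is not Oracle's or the SFA product's own code: it builds the eight statements from the procedure with your own compartment, domain and group names substituted in, parses each one against the basic OCI policy shape (Allow <subject> to <verb> <resource-type> in <scope>), and flags any statement that grants more than the procedure calls for. The names "my-sfa-compartment" and "my-sfa-admins" in the usage block are constructed sample values; the rendering of the list as a JSON array for the OCI CLI `--statements` option is an assumption about that CLI option, not something the page states.

```python
"""Generate and sanity-check the SFA IAM policy statements from the setup steps.

Added example, not Oracle's code. The default names are the ones the
procedure suggests (SFA-Resources, SFA-Domain, SFA-OCI-App-Mgmt).
"""
import json
import re

# Statements exactly as listed in step 4; the placeholders are replaced with
# the names you actually used for the compartment, identity domain and group.
_TEMPLATE = (
    "Allow service sfpprodiam to manage domains in compartment {compartment}",
    "Allow group {domain}/{group} to read subscriptions in tenancy",
    "Allow group {domain}/{group} to read app-listing-environments in tenancy",
    "Allow group {domain}/{group} to read metrics in tenancy",
    "Allow group {domain}/{group} to read domains in tenancy",
    "Allow group {domain}/{group} to read announcements in tenancy",
    "Allow group {domain}/{group} to manage organizations-family in tenancy",
    "Allow group {domain}/{group} to manage OSFPCS-environment-family in tenancy",
)

# Resource types the procedure grants "manage" on; everything else is "read".
_MANAGE_ALLOWED = {"domains", "organizations-family", "OSFPCS-environment-family"}

# Basic shape of an OCI policy statement as used in this procedure.
_STMT_RE = re.compile(
    r"^Allow (?P<subject_type>service|group) (?P<subject>\S+) "
    r"to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?P<scope>tenancy|compartment \S+)$"
)


def build_statements(compartment="SFA-Resources", domain="SFA-Domain", group="SFA-OCI-App-Mgmt"):
    """Return the eight policy statements with your names substituted in."""
    return [t.format(compartment=compartment, domain=domain, group=group) for t in _TEMPLATE]


def parse_statement(stmt):
    """Split one statement into its parts; ValueError if it is not the expected shape."""
    m = _STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(
            f"statement does not match 'Allow <subject> to <verb> <resource> in <scope>': {stmt!r}"
        )
    return m.groupdict()


def check_statements(statements, compartment="SFA-Resources"):
    """Return a list of problems found; an empty list means the set matches the procedure's intent."""
    problems = []
    for stmt in statements:
        try:
            p = parse_statement(stmt)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # The only compartment-scoped grant is the service's access to domains.
        if p["subject_type"] == "service" and p["scope"] != f"compartment {compartment}":
            problems.append(f"service grant must be scoped to compartment {compartment}: {stmt}")
        # "manage" is only needed for the three resource types in the procedure.
        if p["verb"] == "manage" and p["resource"] not in _MANAGE_ALLOWED:
            problems.append(f"'manage' broader than the procedure requires on {p['resource']}: {stmt}")
        # Group subjects must be qualified with the identity domain name (domain/group).
        if p["subject_type"] == "group" and "/" not in p["subject"]:
            problems.append(f"group subject is not qualified with the identity domain: {stmt}")
    return problems


def cli_statements_arg(statements):
    """Render the statements as a JSON array (assumed format of `oci iam policy create --statements`)."""
    return json.dumps(statements)


if __name__ == "__main__":
    # Constructed sample names, standing in for the ones you chose in steps 1 and 3.
    stmts = build_statements(compartment="my-sfa-compartment", group="my-sfa-admins")
    print("\n".join(stmts))
    print("problems:", check_statements(stmts, compartment="my-sfa-compartment") or "none")
    print(cli_statements_arg(stmts))
```

Run it once with the names you actually used; if `check_statements` reports anything, fix the statement before creating the policy rather than after, since a broader grant than the procedure lists widens what the group can do across the whole tenancy.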