As a best practice, define a <stripename> for all the entities you'll create specific to the stripe. Uniquely identifying configurations associated with a stripe is important, especially when multiple stripes are configured.

In the sections that follow, you'll use stripename in these entities:

In IDCS, create a group in the secondary stripe and add users from the secondary stripe to the group.

1. Add a group in the secondary stripe, and name it stripename_administrators. For example, name it as stripe2_administrators. Click Finish.
   These administrators will be granted permission to create Process Automation instances. This IDCS group will be mapped with an IAM group. See Map the IDCS and IAM Groups.
2. Add users from the secondary stripe to the group.

Create an IDCS confidential application that uses OAuth client credentials and is assigned the IDCS domain administrator role. You must create a confidential application per secondary stripe.

1. As an IDCS administrator, sign in to the secondary IDCS admin console.
2. Add a confidential application.
   1. Navigate to the Applications tab.
   2. Click Add.
   3. Choose Confidential Application.
   4. Name the application Client_Credentials_For_SAML_Federation.
   5. Click Next.
3. Configure client settings.
   1. Click Configure this application as a client now.
   2. Under Authorization, select Client Credentials.
   3. Under Grant the client access to Identity Cloud Service Admin APIs, click Add and select the app role Identity Domain Administrator.
   4. Click Next twice.
4. Click Finish. Once the application is created, note its client ID and client secret. You’ll need this information in upcoming steps for federation
5. Click Activate and confirm activating the application.

This group is needed because the Oracle Cloud Infrastructure SAML IDP federation requires group mapping for federating users from the federated IDP (IDCS), and OCI native group membership is required for defining and granting Oracle Cloud Infrastructure permissions (policies) for federated users.

1. In the Oracle Cloud Infrastructure Console, open the navigation menu and click Identity & Security. Under Identity, click Groups.
   This IAM group will be mapped with the IDCS group you created.
2. Create a group and name it oci_stripename_administrators. For example, name it oci_stripe2_administrators.

Now that you have the IDCS and IAM groups created and the client information needed, create the IDCS identity provider and map the groups.

1. Sign in to the Oracle Cloud Infrastructure console. Select the identity domain of the primordial stripe (identitycloudservice) and enter its user credentials.
   Keep in mind that group mapping for a secondary stripe uses the primordial stripe user sign in. This is important, since adding multiple stripes adds multiple options to this dropdown.
2. Open the navigation menu and click Identity & Security, then Federation.
3. Click Add Identity Provider.
4. In the resulting window, complete the fields as shown below.

   Field	Information to Enter
   Name	<stripename>_service
   Description	Federation with IDCS secondary stripe
   Type	Oracle Identity Cloud Service
   Oracle Identity Cloud Service Base URL	Enter the following URL using the format: https://idcs-xxxx.identity.oraclecloud.com Replace the <idcs-xxxx> domain part with your secondary IDCS stripe.
   Client ID/Client Secret	Enter the client ID and secret that you obtained while creating an OAuth client in the secondary stripe. See Create an OAuth Client in the Secondary Stripe.
   Force Authentication	Select this option.

5. Click Continue.
6. Map the IDCS secondary stripe and OCI groups you previously created.
   Map the IDCS secondary stripe group (created in Create an IDCS Group for Secondary Stripe Users) and the OCI group (created in Create an IAM Group for Secondary Stripe Users).
7. Click Add Provider.
   The secondary stripe federation is complete. Notice that the group mapping is displayed.
8. Verify the secondary stripe, and configure visibility for secondary stripe administrators and users.
   • The tenant administrator can see all federated IDCS stripes in the OCI console.
   • The secondary stripe administrator and all other secondary stripe users will not see any stripes under federation. To resolve that, see Provide Access to a Federated Stripe in the IAM Group for Secondary Stripe Users.

With the federation done, set up IAM policies that allow federated users from the secondary IDCS stripe to create Oracle Cloud Infrastructure Process Automation instances. As a common pattern, the policy is scoped to a compartment.

1. Create a compartment where Oracle Cloud Infrastructure Process Automation instances for the secondary IDCS stripe can be created. Name the compartment stripename_compartment.
   For example, create a compartment named stripe2_compartment.
2. Create a policy that will allow federated users to create Oracle Cloud Infrastructure Process Automation instances in the compartment. Name the policy stripename_adminpolicy (for example, stripe2_adminpolicy).

   Under Policy Builder, select Show manual editor.

   • Syntax: allow group stripename_administrators to verb resource-type in compartment stripename_compartment
   • Policy: allow group oci_stripe2_administrators to manage process-automation-instance in compartment stripe2_compartment

Perform additional steps to enable the secondary stripe administrator and all other secondary stripe users to see stripes under federation.

1. In Oracle Identity Cloud Service, create a group called stripe2_federation_administrators.
2. Add users to the group that you want to be able to see the federation and to create users and groups in the Oracle Cloud Infrastructure console in that stripe.
3. In the Oracle Cloud Infrastructure console, using the primary stripe user with the correct permission, create an IAM group called oci_stripe2_federation_administrators.
4. Map the stripe2_federation_administrators and oci_stripe2_federation_administrators groups.
5. Using the following statement examples, define a policy that grants access to federated stripes.

   Several of the examples show how to grant access to a specific federated stripe, by using a where clause that identifies the secondary stripe.

   You can get the federation's OCID from the federation view in the Oracle Cloud Infrastructure console.

   Allows secondary stripe administrators to...	Policy statement
   Create groups (use)	allow group oci_stripe2_federation_administrators to use groups in tenancy
   List the identity providers in the federation (inspect)	allow group oci_stripe2_federation_administrators to inspect identity-providers in tenancy Note that if the secondary stripe admins are required to create groups, this policy is required when a where clause is included.
   Access a specific federated stripe (use)	allow group oci_stripe2_federation_administrators to use identity-providers in tenancy where target.identity-provider.id=“ocid1.saml2idp.oc1..aaaaaaaaa…”

   When you sign in as a user in the above IDCS group, you can create users and groups in the Oracle Cloud Infrastructure console and assign permissions as you would in a primary stripe.

With federation and Oracle Cloud Infrastructure policies defined, federated users can sign into the Oracle Cloud Infrastructure Console and create Oracle Cloud Infrastructure Process Automation instances.

1. Sign in as a federated user from the secondary stripe.
   Users will need to select the secondary stripe in the Identity Provider field. For example, stripe2_administrators.
2. Authorized administrators can ceate Process Automation instances in the specified compartment (for example, stripe2_compartment).