What are the different Identity Domain types in OCI?

OCI offers four Identity Domain types: Free (included with tenancy, basic features, limited users), Oracle Apps (included with Oracle SaaS subscriptions), Premium (full IAM features including adaptive security, app gateway, and unlimited apps), and Oracle Apps Premium (Premium features for Oracle SaaS customers). The domain type determines available features like adaptive MFA, conditional access, and the number of supported applications and users.

How does Identity Domain federation work with external IdPs?

Identity Domains act as a service provider (SP) that federates with external identity providers (IdPs) via SAML 2.0 or OpenID Connect. When a user signs in, the Identity Domain redirects to the external IdP for authentication, receives a SAML assertion or OIDC token, and maps the user to an OCI identity. This enables employees to use their corporate credentials for OCI access without maintaining separate passwords. Just-in-time (JIT) provisioning can automatically create OCI users on first login.

OCI Identity Domain Config Builder

IAM & SecurityOCI

Build Identity Domain sign-on policies with MFA, password rules, and conditional access.

OCI Identity Domains Configuration

Build Identity Domain sign-on policies with MFA, password rules, and conditional access.

Required Fields

domainIddisplayNamesignOnPolicy

{
  "domainId": "ocid1.domain.oc1..aaaaaaaexample",
  "displayName": "corporate-signon-policy",
  "description": "Enforce MFA and conditional access for corporate identity domain",
  "signOnPolicy": {
    "name": "corporate-mfa-policy",
    "policyType": "SignOn",
    "rules": [
      {
        "name": "require-mfa-external",
        "priority": 1,
        "condition": {
          "clientIpNotInList": ["10.0.0.0/8", "172.16.0.0/12"],
          "networkPerimeterExcluded": true
        },
        "action": {
          "type": "Allow",
          "requireMfa": true,
          "mfaFactors": ["TOTP", "PUSH", "FIDO_AUTHENTICATOR"],
          "mfaEnrollment": "Required"
        }
      },
      {
        "name": "allow-internal-trusted",
        "priority": 2,
        "condition": {
          "clientIpInList": ["10.0.0.0/8"],
          "networkPerimeterIncluded": true
        },
        "action": {
          "type": "Allow",
          "requireMfa": false
        }
      }
    ]
  },
  "passwordPolicy": {
    "minLength": 14,
    "minUpperCase": 1,
    "minLowerCase": 1,
    "minNumeric": 1,
    "minSpecialChars": 1,
    "maxLength": 128,
    "passwordExpiresAfterDays": 90,
    "numPasswordsInHistory": 12,
    "lockoutDuration": 900,
    "maxFailedAttempts": 5
  },
  "sessionSettings": {
    "maxSessionDurationInHours": 8,
    "maxInactiveIntervalInMinutes": 30
  },
  "freeformTags": {
    "compliance": "soc2",
    "department": "identity"
  }
}

Generated Output

Output will appear here...

About This Tool

OCI Identity Domains provide identity management, authentication, and single sign-on (SSO) for OCI resources and applications. Identity Domains support SAML 2.0 and OpenID Connect federation, multi-factor authentication (MFA), adaptive security policies, password policies, and user lifecycle management. This builder helps you configure Identity Domain settings including domain type selection, MFA enforcement, sign-on policies, password policies, federated identity provider integration, and application SSO configuration.

When to Use This Tool

•Configuring MFA enrollment policies that require TOTP or FIDO2 authenticators for all users accessing production OCI compartments
•Setting up SAML 2.0 federation with an enterprise identity provider like Azure AD or Okta for single sign-on to OCI Console
•Building sign-on policies that apply conditional access rules based on network location, device posture, and risk score
•Defining password policies with complexity requirements, history enforcement, and automatic lockout thresholds for local OCI users

Frequently Asked Questions

What are the different Identity Domain types in OCI?: OCI offers four Identity Domain types: Free (included with tenancy, basic features, limited users), Oracle Apps (included with Oracle SaaS subscriptions), Premium (full IAM features including adaptive security, app gateway, and unlimited apps), and Oracle Apps Premium (Premium features for Oracle SaaS customers). The domain type determines available features like adaptive MFA, conditional access, and the number of supported applications and users.
How does Identity Domain federation work with external IdPs?: Identity Domains act as a service provider (SP) that federates with external identity providers (IdPs) via SAML 2.0 or OpenID Connect. When a user signs in, the Identity Domain redirects to the external IdP for authentication, receives a SAML assertion or OIDC token, and maps the user to an OCI identity. This enables employees to use their corporate credentials for OCI access without maintaining separate passwords. Just-in-time (JIT) provisioning can automatically create OCI users on first login.

Related Learning Guides

OCI IAM, Compartments & Policies22 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.

OCI Identity Domain Config Builder

IAM & SecurityOCI

Build Identity Domain sign-on policies with MFA, password rules, and conditional access.

OCI Identity Domains Configuration

Build Identity Domain sign-on policies with MFA, password rules, and conditional access.

Required Fields

domainIddisplayNamesignOnPolicy

Generated Output

Output will appear here...

About This Tool

When to Use This Tool

•Configuring MFA enrollment policies that require TOTP or FIDO2 authenticators for all users accessing production OCI compartments
•Setting up SAML 2.0 federation with an enterprise identity provider like Azure AD or Okta for single sign-on to OCI Console
•Building sign-on policies that apply conditional access rules based on network location, device posture, and risk score
•Defining password policies with complexity requirements, history enforcement, and automatic lockout thresholds for local OCI users

Frequently Asked Questions

What are the different Identity Domain types in OCI?: OCI offers four Identity Domain types: Free (included with tenancy, basic features, limited users), Oracle Apps (included with Oracle SaaS subscriptions), Premium (full IAM features including adaptive security, app gateway, and unlimited apps), and Oracle Apps Premium (Premium features for Oracle SaaS customers). The domain type determines available features like adaptive MFA, conditional access, and the number of supported applications and users.
How does Identity Domain federation work with external IdPs?: Identity Domains act as a service provider (SP) that federates with external identity providers (IdPs) via SAML 2.0 or OpenID Connect. When a user signs in, the Identity Domain redirects to the external IdP for authentication, receives a SAML assertion or OIDC token, and maps the user to an OCI identity. This enables employees to use their corporate credentials for OCI access without maintaining separate passwords. Just-in-time (JIT) provisioning can automatically create OCI users on first login.

Related Learning Guides

OCI IAM, Compartments & Policies22 min read