Build Identity Domain sign-on policies with MFA, password rules, and conditional access.
Last verified: May 2026
The builder configures OCI Identity Domain settings: domain type (Free, Oracle Apps, Premium, Oracle Apps Premium), authentication factors (TOTP, SMS, email, push, FIDO2), MFA enforcement policies (always required, conditional on risk score, conditional on network or device), password policy (length, complexity, history, lockout thresholds), federated identity provider configuration (SAML 2.0 metadata XML, OIDC discovery URL, claim mapping for JIT provisioning), and self-service settings. Output is generated as OCI CLI commands (the oci iam domain and oci identity-domains command groups) and as Terraform resources, starting from oci_identity_domain for the domain itself.
OCI Identity Domains provide identity management, authentication, and single sign-on (SSO) for OCI resources and applications. Identity Domains support SAML 2.0 and OpenID Connect federation, multi-factor authentication (MFA), adaptive security policies, password policies, and user lifecycle management. This builder helps you configure Identity Domain settings including domain type selection, MFA enforcement, sign-on policies, password policies, federated identity provider integration, and application SSO configuration.
Your team is rolling out OCI to a 500-employee organization. Without federation, every employee would need a separate OCI password. The builder helps configure: a Premium Identity Domain with SAML 2.0 federation to Azure AD (now Microsoft Entra ID), JIT provisioning with group claim mapping, MFA required for all users with TOTP and FIDO2 as the allowed factors, and a conditional sign-on rule that allows admin operations only from corporate IP ranges. Day-one experience: employees sign in to Entra ID as usual, then reach OCI without a second credential. There is no separate password to manage, and sign-in auditing is centralized in the IdP. Deactivating the Entra ID user stops new OCI sign-ins immediately, but JIT alone does not delete the OCI user or revoke what that user created: existing sessions run to expiry, and any API keys or auth tokens the user generated in OCI keep working until they are removed. Pair federation with SCIM-based deprovisioning or a scheduled cleanup of dormant federated users.
Identity Domain federation with your enterprise IdP (Azure AD, now Microsoft Entra ID; Okta) eliminates separate OCI passwords for users, which is better security and better UX. SAML 2.0 is the most widely supported; OIDC is more modern. Both work well; pick whichever matches your IdP's capabilities, and in either case require signed assertions or ID tokens and track the IdP signing certificate's expiry, because an unrotated certificate breaks every federated login at once.
MFA enforcement should be mandatory for all production access, applied through the domain's sign-on policy rather than left to voluntary enrollment. The Free domain tier supports basic MFA (TOTP); Premium adds FIDO2 (security keys), adaptive policies, and risk-based step-up. Oracle revises the per-tier feature list over time, so confirm factor availability in the current domain-type comparison before committing a design to a tier. Keep at least one local break-glass administrator outside federation, protected by a FIDO2 or TOTP factor and a strict password policy, so an IdP outage or a botched metadata rotation does not lock the tenancy's own admins out. For regulated industries, the Premium cost is small next to a single avoided breach.
JIT (Just-In-Time) provisioning is the cleanest pattern for federation. Users authenticate via your IdP, and an OCI user is auto-created on first login from the SAML assertion or OIDC token: the NameID or a chosen attribute becomes the user name, and the group attribute is mapped onto identity domain groups (explicit mapping, in which only listed IdP groups are honored, is the safer mode). The user's OCID is assigned by OCI at creation time; it is never carried in the assertion. JIT removes manual account creation on the OCI side, but it is login-driven: it cannot disable or delete a user who never signs in again, so deprovisioning still needs SCIM or a scheduled reconciliation against the IdP.
OCI offers four Identity Domain types: Free (included with the tenancy, basic features, limited users), Oracle Apps (included with Oracle SaaS subscriptions), Premium (full IAM features including adaptive security, App Gateway, and unlimited apps), and Oracle Apps Premium (Premium features for Oracle SaaS customers). The Default domain created with every tenancy is of type Free and can be upgraded in place. The domain type determines available features such as adaptive MFA and conditional access, and the number of supported applications and users.
Identity Domains act as a service provider (SP) that federates with external identity providers (IdPs) via SAML 2.0 or OpenID Connect. When a user signs in, the Identity Domain redirects to the external IdP for authentication, receives a SAML assertion or OIDC token, validates its signature against the IdP's published signing certificate, and maps the user to an OCI identity. The domain publishes its own SP metadata (entity ID, assertion consumer service URL, signing certificate) for registration at the IdP. This enables employees to use their corporate credentials for OCI access without maintaining separate passwords. Just-in-time (JIT) provisioning can automatically create OCI users on first login.
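The configuration described in the scenario, the JIT and federation paragraphs above, assembled as Terraform for the OCI provider. This is an added example, not builder output or Oracle's own code: it creates a Premium domain, a strict password policy for the local break-glass accounts, a domain group for admins, and a SAML 2.0 identity provider with JIT provisioning and explicit group mapping. The compartment OCID, admin identity, metadata file path, and group names are placeholders, and the JIT attribute names on oci_identity_domains_identity_provider are written from memory of the provider schema and should be confirmed with terraform validate against the provider version you pin. The MFA requirement and the corporate-IP condition for admins live in the domain's sign-on policy, which is not shown here.

```hcl
terraform {
  required_providers {
    oci = { source = "oracle/oci" }
  }
}

# Placeholders: supply real values for your tenancy.
variable "compartment_ocid" { type = string }
variable "home_region" {
  type    = string
  default = "us-ashburn-1"
}

# 1. Premium domain: adaptive security and conditional sign-on policies are
#    Premium-only, so license_type must be "premium" ("free" for the no-cost tier).
resource "oci_identity_domain" "corp" {
  compartment_id     = var.compartment_ocid
  display_name       = "corp-prod"
  description        = "Production workforce domain, federated to the corporate IdP"
  home_region        = var.home_region
  license_type       = "premium"
  is_hidden_on_login = false
  admin_email        = "cloud-admin@example.com"
  admin_user_name    = "cloud-admin@example.com"
  admin_first_name   = "Cloud"
  admin_last_name    = "Admin"
}

# Domain-scoped resources are addressed through the domain's IDCS endpoint,
# which the domain resource exports as "url".
locals {
  idcs_endpoint = oci_identity_domain.corp.url
}

# 2. Password policy for the break-glass local accounts that remain after
#    federation. Federated users never authenticate with an OCI password.
resource "oci_identity_domains_password_policy" "break_glass" {
  idcs_endpoint = local.idcs_endpoint
  schemas       = ["urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"]
  name          = "break-glass-strict"
  priority      = 1

  min_length               = 16
  max_length               = 128
  min_upper_case           = 1
  min_lower_case           = 1
  min_numerals             = 1
  min_special_chars        = 1
  num_passwords_in_history = 24
  max_incorrect_attempts   = 5
  lockout_duration         = 30 # minutes
}

# 3. Domain group that JIT will populate from the IdP's group claim.
resource "oci_identity_domains_group" "oci_admins" {
  idcs_endpoint = local.idcs_endpoint
  schemas       = ["urn:ietf:params:scim:schemas:core:2.0:Group"]
  display_name  = "oci-admins"
}

# 4. SAML 2.0 IdP with JIT provisioning. The metadata XML (entityID, SSO URL,
#    signing certificate) is exported from the IdP; the path is a placeholder.
resource "oci_identity_domains_identity_provider" "corp_idp" {
  idcs_endpoint = local.idcs_endpoint
  schemas       = ["urn:ietf:params:scim:schemas:oracle:idcs:IdentityProvider"]
  partner_name  = "corp-entra-id"
  type          = "SAML"
  enabled       = true
  metadata      = file("${path.module}/corp-idp-metadata.xml")

  # The assertion's NameID (an email address) is matched to the domain user name.
  name_id_format               = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  user_mapping_method          = "NameIDToUserAttribute"
  user_mapping_store_attribute = "userName"
  signature_hash_algorithm     = "SHA-256"

  # JIT: create on first login, refresh attributes on every login, and map the
  # IdP "groups" claim explicitly so an unmapped IdP group grants nothing.
  # "Overwrite" makes domain group membership mirror the IdP on each login,
  # so removal from the IdP group is reflected at the next sign-in.
  jit_user_prov_enabled                           = true
  jit_user_prov_create_user_enabled               = true
  jit_user_prov_attribute_update_enabled          = true
  jit_user_prov_group_assertion_attribute_enabled = true
  jit_user_prov_group_saml_attribute_name         = "groups"
  jit_user_prov_group_mapping_mode                = "explicit"
  jit_user_prov_group_assignment_method           = "Overwrite"
  jit_user_prov_ignore_error_on_absent_groups     = true

  jit_user_prov_group_mappings {
    idp_group       = "OCI-Admins" # group name exactly as the IdP sends it (placeholder)
    idcs_group_name = oci_identity_domains_group.oci_admins.display_name
    value           = oci_identity_domains_group.oci_admins.id
  }
}
```

After apply, fetch the domain's SP metadata from the endpoint path fed/v1/metadata under the domain URL and register it at the IdP; the first federated login then creates the user and assigns oci-admins only if the IdP sent the mapped group value. Nothing here removes a user whose IdP account was disabled, which is the reason to add SCIM provisioning or a reconciliation job alongside this configuration.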
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.