Identity Domain in OCI
tags :
OCI construct #
An identity domain can be created to manage and organize users.
An identity domain represents a user population in OCI and associated configurations and security settings. ref
Oracle Cloud Infrastructure (OCI) identity domains are the tool for:
- managing users and groups within an organization,
- creating and managing users and defining and enforcing access control policies in a secure way, and
- authenticating users in a simple and consistent way. ref
Groups and Dynamic Groups in OCI belong to an identity domain.

What is an OCI Identity Domain? #
OCI identity domains are a feature of Oracle Cloud Infrastructure (OCI) that lets you create and manage users and groups within an organization. They offer a secure way to manage user access to resources and applications and to enforce access control policies, and they provide a reliable and consistent way to authenticate users.
OCI identity domains are part of the OCI Identity and Access Management (IAM) service.
- The domain is the secure store for users and groups, it authenticates those users (password, MFA, federation), and IAM policies written against its groups define and enforce access control.
- In addition,
OCI identity domains are integrated with other OCI services, such as Compute and Database in OCI.
OCI identity domains are designed to be simple, secure, and reliable. They are easy to set up and use, and they offer robust security features, including:
- multi-factor authentication (MFA),
- encryption, and
- access control policies.
In addition, OCI identity domains are highly reliable and scalable, so you can be confident that your users and groups will be managed securely and efficiently.

Types of Domain #
IAM has five different identity domain types to suit different organizational needs. Start here to understand which suits your requirements best, and which type to choose when you create an identity domain.
Here’s a summary of the identity domain types. Decide which looks closest to what you need and check the features and limits that you get with that identity domain type to decide which best suits your purposes.

Free #
When you create an OCI tenancy, you are automatically provisioned with a Free identity domain. This domain type lets you use IAM to manage access to OCI Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) resources. Use it to start using and understanding IAM. It includes everything you need to get started, but if you find you need extra features or higher limits, you can change to a different identity domain type.
- A limit of 2 non-Oracle apps. A non-Oracle app is one not developed by Oracle; it can be hosted on OCI or anywhere else.
- A limit of 2000 users.
- A limit of 3 external identity providers.
Use case #
- Your organization uses Oracle Cloud and your employees need secure access to subscribed OCI services.
- Your users might currently be managed in Active Directory or a third-party Identity Provider.
- As you consider how IAM can help manage access to third-party applications, you can sign up for a 30-day Oracle Cloud promotion and try extra features.
Oracle Apps #
Many Oracle services and applications automatically provision an Oracle Apps identity domain which allows you to use the IAM service to manage access to the subscribed services. It should include everything you need. But if you require additional features or higher limits, you can change to a different identity domain type.
Use Case #
- Your organization has a vested interest in Oracle SaaS, PaaS, or GBU (Global Business Unit) applications, and you would like your users to seamlessly authenticate across Oracle cloud applications without having to present credentials each time.
- You want to use modern authentication and authorization features for your users, such as passwordless authentication, FIDO2 hardware tokens, and/or adaptive security. You might also have one or two non-Oracle applications for which you'd like users to seamlessly sign in without having to reauthenticate.
Note
Many Oracle services and applications automatically provision an Oracle Apps identity domain, which lets you use IAM to manage access to the subscribed services. For example,
if you order a Fusion App, you also get an Oracle Apps identity domain. You cannot get Oracle Apps identity domains directly, or change an existing Free, Premium, or External User identity domain to Oracle Apps.
Oracle Apps Premium #
Oracle Apps Premium identity domains add support for hybrid IAM scenarios, including the proxies, gateways, and bridges that extend the IAM service to on-premises or OCI-hosted Oracle applications such as Oracle E-Business Suite, PeopleSoft, and Oracle Database.
- This identity domain type is intended primarily for use with (OCI-hosted) Oracle applications, but it also allows a limited number of non-Oracle applications.
Use Case #
Your organization is already using Oracle SaaS, PaaS, or GBU applications. You would like your users to seamlessly authenticate to on-premises or cloud-hosted Oracle applications such as E-Business Suite, JD Edwards, PeopleSoft, Oracle Database, and/or Oracle Linux. You want to use modern authentication and authorization features for your users, such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want bidirectional synchronization with AD or other on-premises systems, and you might have a few non-Oracle applications for which you'd like users to seamlessly sign in without having to reauthenticate.
Premium #
Premium identity domains provide the full IAM feature set for employee and workforce use cases giving you enterprise-ready access management across hybrid IT environments.
- It gives you support for all apps and services, and for unlimited third-party applications.
- If you are standardizing on Oracle as your enterprise identity and access manager provider, this is the identity domain type you want.
Use Case #
You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage workforce authentication and access to all of your Oracle and non-Oracle applications, whether they are SaaS apps, on-premises enterprise apps, or apps hosted in the cloud (this could be used for user access management in invoicing-apis).
You want to use modern authentication and authorization features for your users, such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want automated provisioning and deprovisioning of accounts across these systems.
Observation
- Non-Oracle means custom-built applications, like invoicing-apis, that can be hosted on OCI or elsewhere.
- Confirmed with ChatGPT 4
External User #
External identity domains provide a robust IAM feature set for non-employee use cases, consumer-facing IAM, and custom app development. They provide the features these scenarios need, such as user self-service, social login, and consent management.
External identity domains are licensed only for non-employee user accounts. If your business needs mean that employee user accounts are stored within an External identity domain, that is permitted only if the same accounts also exist in another identity domain of type Free, Oracle Apps, Oracle Apps Premium, or Premium.
Use Case #
You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage authentication and access to custom or consumer-facing applications.
- The solution should support social login,
- user self-service password and
- profile management, and
- terms of use consent. And you might need the solution to scale to support millions of users.
Is it possible to access resources from one identity domain in another? #
Inter-Domain Resource Sharing #
Security and isolation: OCI identity domains are designed to be isolated from each other. Each domain keeps its own users, groups, identity providers, and MFA and password settings, so the configuration of one domain cannot affect another domain in the same tenancy.
Resource Ownership #
OCI resources (compute instances, databases, buckets, and so on) are not owned by an identity domain; they live in compartments of the tenancy. An identity domain owns only its user population and the groups those users belong to. Access to resources is always granted by IAM policies, and a policy statement can reference a group from any identity domain in the tenancy, but a group outside the Default domain must be written with its domain name, as `'domain-name'/'group-name'`; a bare group name is resolved in the Default domain, so a forgotten domain qualifier grants a different group than intended, or nothing at all.
So users in one identity domain can be given access to resources that users of another domain also use, but only through explicit policy statements. Keep such grants scoped to a compartment rather than the whole tenancy, and treat the domain boundary as the security boundary it is meant to be: if two user populations need different security settings (for example customers and employees), keep them in separate domains and grant across the boundary sparingly.
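As an added example (not from this page and not Oracle's code), the following Python check resolves the group principal of each IAM policy statement to an identity domain and flags the cross-domain pitfalls described above: an unqualified group name silently binding to the Default domain, and a name that exists only in another domain. The `'domain'/'group'` reference syntax is OCI's; the domain inventory, the group names, the compartment names and the "Partners" domain are constructed for the example. Against a real tenancy, DOMAINS would be replaced by the groups listed from each identity domain.

```python
import re

# Constructed inventory for the example: identity domain name -> group names in it.
# "Default" is the domain every tenancy starts with; "Workforce" and "Customers"
# are hypothetical domains (say, of type Premium and External User).
DOMAINS = {
    "Default": {"Administrators", "NetworkAdmins"},
    "Workforce": {"NetworkAdmins", "DBAdmins"},
    "Customers": {"InvoiceUsers"},
}

# Principal part of an OCI IAM policy statement that grants to a group:
#   Allow group <ref> to <verb> <resource-type> in <scope> ...
# where <ref> is  Name  |  'Name'  |  'Domain'/'Name'  (quotes are required when
# a domain is named). Other principals (any-user, service, dynamic-group) do not
# match and are reported as having no group principal.
GROUP_REF = re.compile(
    r"^\s*allow\s+group\s+(?P<ref>'[^']+'/'[^']+'|'[^']+'|[^\s']+)\s+to\s+",
    re.IGNORECASE,
)


def parse_group_ref(statement):
    """Return (domain, group, qualified) for a group grant, or None otherwise.

    An unqualified group name is resolved in the Default domain, which is what
    OCI does when the statement names no domain.
    """
    m = GROUP_REF.match(statement)
    if not m:
        return None
    ref = m.group("ref")
    if "/" in ref:
        domain, group = ref.split("/", 1)
        return domain.strip("'"), group.strip("'"), True
    return "Default", ref.strip("'"), False


def check_statement(statement, domains=DOMAINS):
    """Classify one statement against the domain inventory.

    Returns (status, domain, group, other_domains) where status is one of:
      no-group        statement does not grant to a group
      unknown-domain  the named identity domain does not exist
      missing         the group does not exist in the domain the grant binds to
      ambiguous       unqualified name that also exists in a non-Default domain
      ok              the grant binds to an existing group
    other_domains lists every domain (other than the bound one) that also has a
    group of that name, so a reviewer can see where a stray grant would land.
    """
    ref = parse_group_ref(statement)
    if ref is None:
        return ("no-group", None, None, [])
    domain, group, qualified = ref
    others = sorted(d for d, gs in domains.items() if group in gs and d != domain)
    if domain not in domains:
        return ("unknown-domain", domain, group, others)
    if group not in domains[domain]:
        return ("missing", domain, group, others)
    if not qualified and others:
        return ("ambiguous", domain, group, others)
    return ("ok", domain, group, others)


def review_policy(statements, domains=DOMAINS):
    """Run check_statement over a whole policy; returns one result per statement."""
    return [check_statement(s, domains) for s in statements]


# Constructed sample policy: correct grants, silently wrong grants, and a non-group grant.
SAMPLE_POLICY = [
    "Allow group 'Workforce'/'DBAdmins' to manage databases in compartment prod",
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "Allow group DBAdmins to manage databases in compartment prod",
    "Allow group 'Customers'/'InvoiceUsers' to read objects in compartment invoicing",
    "Allow group 'Partners'/'Auditors' to read audit-events in tenancy",
    "Allow any-user to read objects in compartment public",
]

if __name__ == "__main__":
    for stmt, (status, domain, group, others) in zip(SAMPLE_POLICY, review_policy(SAMPLE_POLICY)):
        print(f"{status:<14} {domain}/{group} {others or ''}  <- {stmt}")
```

The second and third sample statements are the ones to watch: `NetworkAdmins` exists in both Default and Workforce, so the unqualified grant binds to the Default group whether or not that was intended, and `DBAdmins` exists only in Workforce, so the unqualified grant binds to a group that does not exist in Default and grants nothing.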
Question ChatGPT 4 #
“Given this context, what type of domain should I use to manage users, who are customers not employees, in an application that our company has developed and hosted on OCI?” #
Based on the given context, the most suitable domain type to manage users who are customers (not employees) in an application hosted on OCI would be the External User domain. The External User domain is designed for non-employee use cases, consumer-facing IAM, and custom app development. It provides relevant features such as user self-service, social login, and consent management, which are essential for managing authentication and access to custom or consumer-facing applications.
OCR of Images #
2023-10-03_11-21-31_screenshot.png #

Console screenshot: Identity Domains > Default domain. The domain's left-hand navigation lists: Overview, Users, Groups, Dynamic groups, Integrated applications, Oracle Cloud Services, Jobs, Reports, Security, Settings, Notifications, Branding.
2023-10-03_11-00-36_screenshot.png #

Console screenshot: the domain's "Get the most out of your domain" panel, with these cards:
- Audit log report: review identity domain activity, including successful and failed logins, and creation, modification, and deletion of user accounts (Generate report).
- Learn more about OCI IAM identity domains, including general information about identity domains, how to use identity domains, license types, and more (Learn more).
- Onboard users: manually create an individual user (Create user); import a batch of users from a comma-separated values (CSV) file (Import users); sync users from your Active Directory, creating users that are based on and stay in sync with user accounts in your enterprise Microsoft Active Directory (Sync users).
- Configure multi-factor authentication (MFA), shown as ENABLED: configure MFA settings and compliance policies for the tenancy to define which authentication factors to allow (Configure MFA).
- Enable single sign-on (SSO): let users sign in to one instance by using their corporate security credentials and then access another instance in the same identity domain without signing in again (Manage identity providers for SSO).
- FAQs: What are identity domains? Who has access to an identity domain? What type of identity domain should I choose?
- Explore different types of reports: learn about available reports and how to view data reported from identity domains (Launch).
2023-10-23_16-43-22_screenshot.png #

Diagram: the components of an identity domain within OCI Identity & Access Management: Users, Groups, Dynamic Groups, Policy, Compartment, Network Sources, Branding, Notifications, Provisioning, AD Bridge, Single Sign On, OAuth, Federation, MFA, Audit & Reporting, Linux PAM, RADIUS Proxy, App Gateway, Adaptive Access.
2023-11-20_14-57-16_screenshot.png #

Table: identity domain types and their limits.

| Domain type | Scope | Limits |
| --- | --- | --- |
| Free | Authentication and access management for Oracle Cloud (IaaS and PaaS services), with limits on usage and functionality. Limited feature support. | Limit of 2000 users. Limit of 2 non-Oracle apps. Limit of 3 external identity providers. |
| Oracle Apps Premium | Authentication and access management for all of your Oracle apps. Unlimited support for Oracle apps, including hybrid IAM. | Limit of 6 non-Oracle apps. Unlimited external identity providers. |
| Premium | Enterprise identity and access management for employee workforce scenarios. Includes all features. Broad support for hybrid IAM use cases. | Unlimited support for Oracle and non-Oracle apps. Unlimited external identity providers. |
| External User | Identity storage, access management, and API security for consumer and non-employee use cases. Provides social logon, self-service, and consent management. | Limited enterprise and hybrid IAM features. Excludes App Catalog provisioning connectors. |