Understand how identities are managed in OCI (Oracle Cloud Infrastructure)
The OCI Console has its own directory of identities. You can create users and groups within it, and even activate a basic MFA feature.
However, by default, the identities in OCI’s directory are federated with an external Identity Provider (IdP), named Oracle Identity Cloud Service (IDCS). In other words, a Single Sign-On (SSO) is configured thanks to IDCS.
IDCS is included with your cloud tenancy, but you could also add other IdPs if you want:
When you log in to the cloud, you're therefore offered two options:
If you're not familiar with the concept of Identity Providers (IdP):
In SAML jargon, an IdP is a system to which you delegate the verification of identities. The IdP has its own directory of identities, containing usernames, passwords, and OTP secrets (if One Time Password MFA is activated). In our case, IDCS verifies identities on behalf of OCI's IAM. It does so by checking the credentials provided by the users who try to log in against its own directory of identities; if they match, it sends a message (a SAML assertion) to OCI's IAM stating that this user is indeed who they claim to be.
Of course, this requires the users to be registered (a.k.a. "provisioned") in both directories (IDCS and OCI IAM), so that each side knows which user the other directory is talking about. However, passwords and OTP secrets don't have to be the same in both directories, as they are only ever verified by the IdP.
Why is OCI’s IAM federated with IDCS by default? Why doesn’t Oracle Cloud just include OCI’s IAM?
For two reasons:
- Some services in the Oracle Cloud require identities coming from IDCS, e.g. Oracle Integration Cloud, Oracle Analytics Cloud, Visual Builder Cloud Service.
- Even if you only use services that don't require IDCS (i.e. almost all the services available in the OCI console), IDCS’ features go well beyond those of OCI’s IAM.
Some IDCS features come at no additional cost. To see which IDCS features require the consumption of additional credits, check out the table in this documentation. The “Foundation” package is the free-of-charge package.
Do you recommend always using IDCS (instead of just relying on OCI’s IAM)?
If you'll use services requiring IDCS, yes. Otherwise, it depends:
My opinion is that you should always use MFA.
- OCI’s IAM includes One Time Password MFA at no additional cost;
- Unfortunately, in IDCS, MFA is only available with the “Standard” package (i.e. you are billed per user per month).
My advice:
For the IDCS admin user:
- As your tenancy always comes with an IDCS instance, and therefore with one IDCS user (the IDCS admin), you should activate MFA for that user. This means activating the “Standard” package of IDCS. If you only have one user registered in IDCS (i.e. the IDCS admin), you’ll only be billed for that single user, so the cost will be negligible.
For OCI users:
- If you only have a few users: don’t use IDCS, just rely on OCI’s IAM. Make sure your users activate MFA. Unfortunately, OCI’s IAM doesn’t offer a mechanism to enforce this, so you’ll have to contact your users and remind them to activate MFA.
- If you have many users: you need advanced security features and enforcement mechanisms. Hence, you need IDCS. If you federate IDCS in turn with another IdP that provides MFA, then I expect IDCS’ “Foundation” package to be enough. Otherwise, you’ll need IDCS “Standard” (so as to benefit from MFA).
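Since OCI’s IAM cannot enforce MFA for local users, the practical fallback is to audit regularly. The following is an added example (not from the article) that lists active local OCI users without MFA and skips federated IDCS users, whose MFA is verified by the IdP rather than by OCI; it assumes the OCI Python SDK’s IdentityClient.list_users and the User fields name, is_mfa_activated and lifecycle_state, and ships with a constructed sample directory so the check runs offline.

```python
from dataclasses import dataclass

IDCS_PREFIX = "oracleidentitycloudservice/"  # OCI prefixes federated IDCS users


@dataclass
class UserRecord:  # minimal stand-in for oci.identity.models.User
    name: str
    is_mfa_activated: bool
    lifecycle_state: str = "ACTIVE"


def is_federated(username: str) -> bool:
    """Federated users authenticate (and do MFA) at IDCS, not in OCI."""
    return username.startswith(IDCS_PREFIX)


def users_missing_mfa(users):
    """Active, non-federated local users with no MFA device registered."""
    return sorted(u.name for u in users
                  if u.lifecycle_state == "ACTIVE"
                  and not is_federated(u.name)
                  and not u.is_mfa_activated)


def fetch_users(client, tenancy_ocid):
    """Live version: page through IdentityClient.list_users for the tenancy."""
    import oci  # only needed for the live run, not for the offline check
    return oci.pagination.list_call_get_all_results(
        client.list_users, compartment_id=tenancy_ocid).data


# Constructed sample directory for an offline run
SAMPLE_USERS = [
    UserRecord("alice", True),
    UserRecord("bob", False),
    UserRecord("oracleidentitycloudservice/carol", False),  # MFA handled in IDCS
    UserRecord("dave", False, lifecycle_state="INACTIVE"),
]

if __name__ == "__main__":
    for name in users_missing_mfa(SAMPLE_USERS):
        print(f"remind {name} to activate MFA")
```

For the live run, replace SAMPLE_USERS with fetch_users(oci.identity.IdentityClient(config), tenancy_ocid).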
Ok, so I’ll go for IDCS. But as I have to deal with two directories of identities (IDCS’s directory, and OCI’s directory), do I have to provision identities in both of them?
Don’t worry about identity provisioning from IDCS to OCI's directory; this is done automatically. As soon as you create a user in IDCS, it is automatically provisioned within OCI's directory too.
Groups mapping
Identities from IDCS are provisioned automatically, but groups are not. So you have to create groups manually in OCI, and then define the mapping between IDCS’ groups and OCI’s groups.
If, for instance, a user is a member of the IDCS group named “okeAdmins”, then the corresponding user in the OCI directory will automatically be configured as belonging to the OCI group named “okeAdmins” (note: group names do not have to be identical).
So to sum up
You can create users:
- Either inside OCI’s directory only
- Or inside IDCS’ directory. As the provisioning of users from IDCS’ directory to OCI’s directory is automatic, your IDCS users will appear in the OCI directory too. They will have almost the same username, prefixed with “oracleidentitycloudservice/”. As OCI is federated with IDCS, users will be able to log into OCI’s console by authenticating on IDCS’ login page.
You can create groups:
- In OCI’s directory only
- You can also create groups in IDCS. If you want IDCS groups membership to be propagated to an OCI group, you have to configure group-mapping. The target OCI group has to be created first.
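The group-mapping steps above (create the target OCI group first, then map the IDCS group to it) as an added example that is not part of the article: a small idempotent reconciler that computes which OCI groups and which IdP group mappings are missing, then creates them. It assumes the OCI Python SDK (oci.identity.IdentityClient with list_groups, create_group, list_idp_group_mappings and create_idp_group_mapping, plus the CreateGroupDetails and CreateIdpGroupMappingDetails models); the planning step is plain Python and runs offline.

```python
def plan_mappings(desired, oci_groups, existing_mappings):
    """desired: {idcs_group_name: oci_group_name} (the mapping you want)
    oci_groups: {oci_group_name: group_ocid} (groups already in OCI)
    existing_mappings: set of (idcs_group_name, group_ocid) already configured
    Returns (groups_to_create, mappings_to_create); re-running yields nothing new."""
    groups_to_create, mappings_to_create = [], []
    for idcs_group, oci_group in desired.items():
        ocid = oci_groups.get(oci_group)
        if ocid is None:
            if oci_group not in groups_to_create:
                groups_to_create.append(oci_group)  # target OCI group must exist first
            mappings_to_create.append((idcs_group, oci_group))
        elif (idcs_group, ocid) not in existing_mappings:
            mappings_to_create.append((idcs_group, oci_group))
    return groups_to_create, mappings_to_create


def load_state(client, tenancy_ocid, idp_ocid):
    """Read current OCI groups and IdP group mappings through the SDK client."""
    groups = {g.name: g.id
              for g in client.list_groups(compartment_id=tenancy_ocid).data}
    mappings = {(m.idp_group_name, m.group_id)
                for m in client.list_idp_group_mappings(
                    identity_provider_id=idp_ocid).data}
    return groups, mappings


def apply_plan(client, tenancy_ocid, idp_ocid, desired):
    """Create the missing OCI groups, then the missing IDCS -> OCI mappings."""
    import oci  # only needed for the live run, not for planning
    groups, mappings = load_state(client, tenancy_ocid, idp_ocid)
    to_create, to_map = plan_mappings(desired, groups, mappings)
    for name in to_create:
        details = oci.identity.models.CreateGroupDetails(
            compartment_id=tenancy_ocid, name=name, description="mapped from IDCS")
        groups[name] = client.create_group(details).data.id
    for idcs_group, oci_group in to_map:
        details = oci.identity.models.CreateIdpGroupMappingDetails(
            idp_group_name=idcs_group, group_id=groups[oci_group])
        client.create_idp_group_mapping(
            create_idp_group_mapping_details=details, identity_provider_id=idp_ocid)
    return to_create, to_map


if __name__ == "__main__":
    # Constructed offline state: okeAdmins is already mapped, readers is not.
    print(plan_mappings({"okeAdmins": "okeAdmins", "readers": "OCI_Readers"},
                        {"okeAdmins": "ocid1.group.example"},
                        {("okeAdmins", "ocid1.group.example")}))
```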
Okay, now you know how identities are managed in OCI and IDCS!
Bonus: IDCS and Active Directory
It is very common to use IDCS with Active Directory.
Assuming that you currently use ADFS for authentication, IDCS can easily be configured to use ADFS as its IdP.
AD’s identities can also be automatically provisioned into IDCS, thanks to the AD Bridge (this requires IDCS Standard). This keeps both identity directories in sync.
EMEA Cloud Security Architect at Oracle
Well-written article, adding some light on managing two directories. Having two being an advantage to choose over one.