Add a Sign-On Policy

Define criteria that Oracle Identity Cloud Service uses to determine whether to allow or deny access to users who are using apps to attempt to sign in to Oracle Identity Cloud Service.

Criteria that you can define for sign-on policies include:

  • The identity providers that will be used to authenticate the user

  • The groups of which the user is a member

  • Whether the user is an Oracle Identity Cloud Service administrator

  • The IP address that the user is using to sign in to Oracle Identity Cloud Service

  • Whether the user will be forced to sign in to Oracle Identity Cloud Service again (for authentication purposes), or will be authenticated the next time they sign in to Oracle Identity Cloud Service

  • Whether the user will be prompted for an additional factor to sign in to Oracle Identity Cloud Service

The sign-on policy wizard contains three panes:
  • Details: Provide the name and description for the policy.

  • Sign-On Rules: Assign or remove rules for this policy.

  • Apps: Assign or remove apps for this policy.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Sign-On Policies.

    Note:

    In the Sign-On Policies page, Oracle Identity Cloud Service provides you with a default sign-on policy. See Understand Sign-On Policies for more information about this policy.
  2. Click Add.
  3. Add a Policy Name and Description, and then click Next:

    After providing information in the Details pane and clicking Next, Oracle Identity Cloud Service adds the sign-on policy and saves it in a deactivated state. You must activate the policy to use it.

    You may want to assign or remove rules or apps for this policy. To do this, the wizard has the Sign-On Rules and Apps panes.

  4. In the Sign-On Rules pane of the wizard, click Add to add a sign-on rule to this policy.
  5. Use the following table to populate the Add Rule window, and then click Save:
    Rule Name: Enter the name of the sign-on rule.
    If the user is authenticated by: Enter or select all identity providers that will be used to authenticate the user accounts evaluated by this rule.
    And is a member of these groups: Enter or select the groups that the user must be a member of to meet the criteria of this rule.
    And is an administrator: If the user must be assigned to administrator roles in Oracle Identity Cloud Service to meet the criteria of this rule, then select this check box. See Add or Remove a User Account from an Administrator Role. Otherwise, leave the check box deselected.
    And is not one of these users: Enter or select the user accounts that will be excluded from the rule.
    And the user's client IP address is: There are two options associated with this field: Anywhere and In one or more of these network perimeters.
    • If you select Anywhere, then users can log in to Oracle Identity Cloud Service using any IP address.

    • If you select In one or more of these network perimeters, then a text area appears. In this text area, you can enter or select network perimeters that you defined in Oracle Identity Cloud Service. See Add a Network Perimeter. Users can log in to Oracle Identity Cloud Service using only IP addresses that are contained in the defined network perimeters.

      For applications on OCI-C: If your application is on OCI-C and Oracle Identity Cloud Service is the Identity Provider, ensure that you add the following OCI Service Gateway IP range to the network perimeter used by the sign-on policy: OCI Service Gateway IP CIDR 240.0.0.0/4.

    Access is: There are two items in this menu: Allowed and Denied. Select whether a user is allowed or prevented from accessing the apps that are assigned to them if the user account meets the criteria of this rule.
    Prompt for reauthentication: Select this check box to force the user to log in to Oracle Identity Cloud Service again.

    If you leave this check box deselected, the user is authenticated the next time they log in to Oracle Identity Cloud Service.

    If you have activated Adaptive Security, then additional fields appear in the Add Rule window. You can use these fields to specify conditions that Oracle Identity Cloud Service will evaluate to determine whether a user who meets these conditions will be allowed to sign in to Oracle Identity Cloud Service or will be prevented from accessing Oracle Identity Cloud Service.

    For example, you can specify that if a user's risk range is High and the risk score associated with the user from a risk provider is greater than a particular value, then the user is a security risk, and shouldn’t be allowed to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console, the Identity Cloud Service console, or any apps assigned to the user.

    Or, you can determine that if a user's risk range is Low, based on the risk score associated with a risk provider, then the user is not a risk, and therefore, should be able to sign in to Oracle Identity Cloud Service.

    See Activate Adaptive Security for more information about activating Adaptive Security, and Understand Risk Providers to learn more about risk ranges, risk providers, and risk scores associated with users.

    And if the user's risk level is: Select whether the user's risk range must be greater than, equal to, or less than a Low, Medium, or High risk range to meet the criteria of this rule.
    And the risk provider name: Select the risk provider and the risk score that will be used to determine whether a user who meets the criteria of this rule will be allowed to sign in to Oracle Identity Cloud Service or will be prevented from accessing Oracle Identity Cloud Service.

    Click the Plus button to add another risk provider to the Add Rule window, or the X button to remove the risk provider from this window.

    Important:

    Be careful when setting Adaptive Security conditions. For example, suppose you specify that a user who meets the criteria of this rule because their risk score meets or exceeds the risk score that you set is prevented from accessing Oracle Identity Cloud Service. Unless the user changes their password or Oracle Identity Cloud Service runs the Time-based risk-score re-evaluation event to lower the user's risk score, the user can't sign in to Oracle Identity Cloud Service.

    If you have selected at least one factor for Multi-Factor Authentication, then additional fields appear in the Add Rule window. See Configure Multi-Factor Authentication Settings.

    Prompt for an additional factor: Select this check box to prompt the user for an additional factor to log in to Oracle Identity Cloud Service.

    If you select this check box, then you must specify whether the user is required to enroll in Multi-Factor Authentication and how often this additional factor is to be used to log in to Oracle Identity Cloud Service.

    Select Any Factor to prompt the user to enroll and verify any factor enabled in the MFA tenant-level settings.

    Select Specific Factor to prompt the user to enroll and verify a subset of the factors enabled in the MFA tenant-level settings. After you select Specific Factor, you can select the factors that this rule enforces.

    Frequency:
    • Select Once per Session (Default), so that for each session that the user opens to access Oracle Identity Cloud Service from an authoritative device, they must provide both their user name and password and a second factor.

    • Select Every time, so that each time users log in to Oracle Identity Cloud Service from a trusted device, they must provide both their user name and password and a second factor.

    • Select Once every, and then specify how often users must provide a second factor to log in to Oracle Identity Cloud Service. For example, if you want users to use this additional factor twice a month, then enter 15 in the text field and select Days from the drop-down menu to the right of the field.

    Enrollment: This menu contains two options: Required and Optional.

    • Select Required to force the user to enroll in Multi-Factor Authentication.

    • Select Optional to give users the option of skipping enrollment in Multi-Factor Authentication. Users see the inline enrollment setup process after they enter their user name and password, but can click Skip. Users can then enable MFA later from the 2-Step Verification tab of the My Profile console. Users are not prompted to set up a factor the next time that they sign in to Oracle Identity Cloud Service.

      Note:

      If you set Enrollment to Required and later change it to Optional, the change affects only new users. Users already enrolled in Multi-Factor Authentication will not be able to click Skip when logging in.

    Note:

    If you have inadvertently added incorrect sign-on rules to this policy, you can remove them. To do so, select the check box for each rule that you want to remove, click Remove, and then click OK in the confirmation window.
  6. In the Sign-On Rules pane, click Add to add another sign-on rule to this policy. Otherwise, click Next.

    Note:

    If you have added multiple sign-on rules to this policy, then you can change the order in which Oracle Identity Cloud Service evaluates them. See Change the Priority of a Sign-On Rule for the Policy.
  7. In the Apps pane of the wizard, click Assign to assign apps to this policy.
  8. In the Assign Apps window, select the check box for each app that you want to assign to the policy. Then, click OK.

    Note:

    You can assign only one sign-on policy to an app. If the app isn’t assigned to any sign-on policy explicitly, then the default sign-on policy applies to the app.

    You can remove apps from the policy by selecting the check box for each app that you want to remove, clicking Remove, and then clicking OK from the confirmation window.

  9. Click Finish.
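The following is an added illustration, not Oracle's code or a documented description of its evaluation engine, of how the criteria in the Add Rule window combine into a decision and why rule priority matters. It assumes that all set criteria are ANDed, that the first matching rule decides, that an unmatched sign-in falls through to allow, and it uses constructed perimeter CIDRs, user names and risk scores.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the Add Rule criteria, not Oracle's implementation; an empty/None criterion imposes no constraint.
@dataclass
class SignOnRule:
    name: str
    identity_providers: set = field(default_factory=set)    # If the user is authenticated by
    groups: set = field(default_factory=set)                # And is a member of these groups
    must_be_admin: bool = False                             # And is an administrator
    excluded_users: set = field(default_factory=set)        # And is not one of these users
    network_perimeters: list = field(default_factory=list)  # CIDRs; [] means Anywhere
    min_risk_score: "int | None" = None                     # Adaptive Security risk-score threshold
    access_allowed: bool = True                             # Access is: Allowed / Denied
    prompt_for_factor: bool = False                         # Prompt for an additional factor
# One sign-in attempt (constructed input shape).
SignIn = namedtuple("SignIn", "user idp groups is_admin client_ip risk_score", defaults=(0,))

def rule_matches(rule: SignOnRule, attempt: SignIn) -> bool:
    """All set criteria are ANDed (assumption: group criterion means membership in any listed group)."""
    if attempt.user in rule.excluded_users:
        return False
    if rule.identity_providers and attempt.idp not in rule.identity_providers:
        return False
    if rule.groups and not (rule.groups & attempt.groups):
        return False
    if rule.must_be_admin and not attempt.is_admin:
        return False
    if rule.network_perimeters:
        ip = ip_address(attempt.client_ip)
        if not any(ip in ip_network(cidr) for cidr in rule.network_perimeters):
            return False
    if rule.min_risk_score is not None and attempt.risk_score < rule.min_risk_score:
        return False
    return True

def evaluate(rules: list, attempt: SignIn) -> dict:
    """Walk rules in priority order; assumption: the first match decides and no match means allow."""
    for rule in rules:
        if rule_matches(rule, attempt):
            return {"rule": rule.name, "allowed": rule.access_allowed, "mfa": rule.prompt_for_factor}
    return {"rule": None, "allowed": True, "mfa": False}

# Constructed policy: deny risky users first; admins inside the corporate perimeter (plus the OCI Service Gateway range from the note above) must use a second factor; other admins are denied.
POLICY = [
    SignOnRule("Block risky users", min_risk_score=80, access_allowed=False),
    SignOnRule("Admins on-net", must_be_admin=True, prompt_for_factor=True,
               network_perimeters=["203.0.113.0/24", "240.0.0.0/4"]),
    SignOnRule("Admins off-net", must_be_admin=True, access_allowed=False)]
```

Reordering the list (for example, placing "Admins on-net" before "Block risky users") changes the outcome for a high-risk administrator, which is the effect the priority setting described above controls.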