Frequently Asked Questions for Oracle Identity Cloud Service Federated Users
When you sign up for Oracle Cloud Infrastructure, your account is automatically federated with Oracle Identity Cloud Service as your identity provider. This topic answers some frequently asked questions about the federation.
The following resources are created in Identity Cloud Service:
- The SAML application (COMPUTEBAREMETAL) that creates the federation with Oracle Cloud Infrastructure.
- A supporting application for the federation. Do not delete these applications.
- OCI_Administrators: this group is mapped to the Administrators group in Oracle Cloud Infrastructure. Members of this group have full administrator privileges in Oracle Cloud Infrastructure.
- A default administrator user (for example, email@example.com) who is a member of the OCI_Administrators group.
The following resources are created in Oracle Cloud Infrastructure:
- Identity Provider: OracleIdentityCloudService
- Group Mappings: the federation is created with one group mapping. The OCI_Administrators group (from Oracle Identity Cloud Service) is mapped to the Administrators group (in Oracle Cloud Infrastructure).
- The default administrator user created in Oracle Identity Cloud Service is provisioned in Oracle Cloud Infrastructure. This user can have Oracle Cloud Infrastructure credentials, but not a Console password.
- A default administrator local user with the same user name (firstname.lastname@example.org) is also created in Oracle Cloud Infrastructure's IAM service. Customers who choose not to use the Oracle Identity Cloud Service federation can use this user to administer Oracle Cloud Infrastructure.
The default administrator created in Oracle Identity Cloud Service and the local default administrator created in Oracle Cloud Infrastructure exist independently in their respective identity systems. Ensure that you manage their passwords separately.
Oracle Identity Cloud Service is the identity provider for multiple Oracle services. Federating Oracle Cloud Infrastructure with Oracle Identity Cloud Service allows you to have a seamless connection between services, without having to create a separate username and password for each one.
Click the Profile menu to display your username. Users signed in through an identity provider see their username prefaced with the identity provider name, for example:
Yes. If you don't want to manage the user in Oracle Identity Cloud Service, you can add a user directly to the Oracle Cloud Infrastructure IAM service. See Adding Users. Using this procedure, you can create users who can sign in directly to the Oracle Cloud Infrastructure Console. Users created with this procedure do not have access to any other Oracle services.
In short, managing groups requires actions in both Oracle Identity Cloud Service and Oracle Cloud Infrastructure. Groups you create in Oracle Identity Cloud Service have no privileges in Oracle Cloud Infrastructure until you map them to a group in Oracle Cloud Infrastructure. You then define the policies that grant that Oracle Cloud Infrastructure group access to resources in the IAM service in Oracle Cloud Infrastructure. For more information, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.
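Because an Identity Cloud Service group only carries privileges once it is mapped, and the one mapping created by default lands in the Administrators group, it is worth being able to audit the mappings outside the Console. The helper below is an added example written for this page (not Oracle's code): it reads the JSON documents that the OCI CLI returns for `oci iam idp-group-mapping list` and `oci iam group list` (field names are assumed from the CLI's output format; the sample documents, group names and OCIDs embedded here are constructed placeholders) and reports which Identity Cloud Service groups are mapped to which OCI groups, which mappings grant Administrators rights, and which Identity Cloud Service groups have no mapping and therefore no privileges in Oracle Cloud Infrastructure.

```python
"""Audit Oracle Identity Cloud Service -> OCI IAM group mappings.

Hypothetical helper, not Oracle's code. It consumes the JSON emitted by
these OCI CLI commands (placeholders in angle brackets):
  oci iam identity-provider list --compartment-id <tenancy-ocid> --protocol SAML2
  oci iam idp-group-mapping list --identity-provider-id <idp-ocid>
  oci iam group list --compartment-id <tenancy-ocid>
Field names below are assumed from the CLI's output format.
"""
import json

# --- Constructed sample data (not real tenancy output; OCIDs are placeholders) ---
# Shaped like `oci iam idp-group-mapping list --identity-provider-id <idp-ocid>`.
SAMPLE_MAPPINGS_JSON = """
{
  "data": [
    {"id": "ocid1.idpgroupmapping.oc1..placeholder1",
     "identity-provider-id": "ocid1.saml2idp.oc1..placeholder",
     "idp-group-name": "OCI_Administrators",
     "group-id": "ocid1.group.oc1..placeholder-admins",
     "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.idpgroupmapping.oc1..placeholder2",
     "identity-provider-id": "ocid1.saml2idp.oc1..placeholder",
     "idp-group-name": "OCI_Auditors",
     "group-id": "ocid1.group.oc1..placeholder-auditors",
     "lifecycle-state": "ACTIVE"}
  ]
}
"""

# Shaped like `oci iam group list --compartment-id <tenancy-ocid>`.
SAMPLE_GROUPS_JSON = """
{
  "data": [
    {"id": "ocid1.group.oc1..placeholder-admins", "name": "Administrators"},
    {"id": "ocid1.group.oc1..placeholder-auditors", "name": "Auditors"},
    {"id": "ocid1.group.oc1..placeholder-devs", "name": "Developers"}
  ]
}
"""

# Group names as they exist on the Identity Cloud Service side (constructed).
SAMPLE_IDCS_GROUPS = ["OCI_Administrators", "OCI_Auditors", "OCI_Developers"]


def load_cli_output(text):
    """Return the 'data' list from an OCI CLI JSON document."""
    return json.loads(text)["data"]


def mapping_table(mappings, groups):
    """Map each IDCS group name to the OCI IAM group name it is mapped to.

    A mapping that is not ACTIVE, or that points at a group OCID not present
    in the group list, is recorded with a None target so it surfaces in the
    audit instead of being silently dropped.
    """
    names_by_ocid = {g["id"]: g["name"] for g in groups}
    table = {}
    for m in mappings:
        if m.get("lifecycle-state", "ACTIVE") != "ACTIVE":
            table[m["idp-group-name"]] = None
            continue
        table[m["idp-group-name"]] = names_by_ocid.get(m["group-id"])
    return table


def privileged_mappings(table, privileged_groups=("Administrators",)):
    """IDCS groups whose mapping lands in a tenancy-administration group.

    Membership of such a group in Identity Cloud Service equals full OCI
    administrator rights, so these are the mappings to review first.
    """
    return sorted(idp for idp, oci in table.items() if oci in privileged_groups)


def unmapped_idp_groups(idcs_group_names, table):
    """IDCS groups with no mapping: they carry no privileges in OCI yet."""
    return sorted(set(idcs_group_names) - set(table))


def audit():
    """Run the audit over the embedded sample data and return the findings."""
    table = mapping_table(load_cli_output(SAMPLE_MAPPINGS_JSON),
                          load_cli_output(SAMPLE_GROUPS_JSON))
    return {
        "mappings": table,
        "privileged": privileged_mappings(table),
        "unmapped": unmapped_idp_groups(SAMPLE_IDCS_GROUPS, table),
    }


if __name__ == "__main__":
    # To map an unmapped IDCS group (placeholders in angle brackets):
    #   oci iam idp-group-mapping create --identity-provider-id <idp-ocid> \
    #       --group-id <oci-group-ocid> --idp-group-name OCI_Developers
    # The OCI group still needs an IAM policy before its members get any access.
    print(json.dumps(audit(), indent=2))
```

Run against real output by replacing the two sample documents with the files the CLI writes (for example with `--output json > mappings.json`); the `unmapped` list is the set of Identity Cloud Service groups that still need a mapping and a policy, and the `privileged` list is the set whose Identity Cloud Service membership should be controlled as tightly as the OCI Administrators group itself.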
To edit mappings of your user groups in Oracle Identity Cloud Service to user groups in Oracle Cloud Infrastructure, you'll need to supply the client ID and client secret. The client ID and client secret are stored in Oracle Identity Cloud Service. To get this information:
- Sign in to the Oracle Identity Cloud Service console.
- In the Identity Cloud Service console, click Applications. The list of trusted applications is displayed.
- Click COMPUTEBAREMETAL.
- Click Configuration.
- Expand General Information. The client ID is displayed. Click Show Secret to display the client secret.