Managing Identity Domains

An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and SAML/OAuth based Identity Provider administration. It represents a user population in Oracle Cloud Infrastructure and its associated configurations and security settings (such as MFA).

Overview

Identity domains are like other OCI resources. As an administrator, you can create, move, tag, and delete an identity domain. Oracle Cloud Infrastructure access policies can be written to allow users in a given domain to access resources in other domains. You can also assign user accounts to predefined administrator roles to delegate administrative responsibilities within a domain. For more information about administrator roles and the privileges associated with each role, see Understanding Administrator Roles.

You manage identity domains (for example, creating or deleting a domain) using the user interface or the IAM API. You manage resources (for example, users and groups) within an identity domain using the user interface or with the SCIM-based IAM Identity Domains API.

Each tenancy in the root compartment includes a Default identity domain created in the root compartment that contains the initial tenant administrator user and group and a default Policy that allows administrators to manage any resource in the tenancy. The Default identity domain lives with the lifecycle of the tenancy and can’t be deleted.

You can create additional identity domains within a tenancy. Multiple identity domains are useful when you need separate environments for a single cloud service or application (for example, one environment for development and one for production). For added security, you can configure each identity domain to have its own Password and Sign-On policies. You can also configure an identity domain for consumer-facing applications and allow consumer users to perform self-registration and social login.

You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.

Users in identity domains can request access to groups and applications. Users can also perform self-service tasks such as updating profile information, changing passwords, and configuring settings for 2-Step Verification.

Information for Existing IAM and IDCS Administrators

If you're an existing IAM or IDCS administrator and you don't see identity domains in your regions, read the following information to learn what to expect when the update happens.
If you're an existing IAM or IDCS administrator and your region has been updated recently, read the following information to learn about what to expect post update.

Required Policy or Role

To manage identity domain settings, you must have one of the following access grants:
  • Be a member of the Administrators group
  • Be granted the Identity Domain Administrator role
  • Be a member of a group granted manage domains

To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.
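The access grant described above ("a group granted manage domains") and the cross-domain policies mentioned in the Overview are expressed as IAM policy statements. The following statements are an added example, not taken from this page; the domain names (Default, Corp-Prod, Corp-Dev), group names (Administrators, DomainOperators, Auditors) and compartment names (Prod, Dev) are assumed placeholders. A group in a non-Default domain is referenced as 'domain-name'/'group-name'; note that granting manage domains in tenancy confers control over every domain, so scope the grant to a compartment wherever possible:

```text
Allow group 'Default'/'Administrators' to manage domains in tenancy
Allow group 'Corp-Prod'/'DomainOperators' to manage domains in compartment Prod
Allow group 'Corp-Dev'/'Auditors' to read domains in compartment Dev
```

The second statement lets operators in the Corp-Prod domain create, move, deactivate and delete domains that live in the Prod compartment without being Default-domain administrators; the third grants read-only visibility for review without any change rights.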

The Default Identity Domain

Each tenancy includes a Default identity domain in the root compartment.

A Default identity domain:

  • Can’t be deactivated or deleted. (Lives with the lifecycle of the tenancy.)
  • Can’t be hidden from the sign-in page.

The Default identity domain contains the initial tenant Administrator user and Administrators group and a default policy that allows administrators to manage any resource in the tenancy. The Administrators policy and the Administrators group may not be deleted, and there must be at least one user in the Administrators group. You can also assign user accounts to predefined administrator roles to delegate administrative responsibilities in the Default domain.

Granting a user or a group the Identity domain administrator role in the Default domain is equivalent to granting them full administrator permissions for the tenancy. This behavior applies to the Default domain only. Granting users or groups the Identity domain administrator role for domains other than the Default domain grants them full administrator permissions to only that domain.

You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.

Creating Identity Domains

To create an identity domain, administrators only need to know which identity domain type they want to create, in which compartment to create it, and the new identity domain administrator’s sign-in credentials, if needed. The domain types you are allowed to create are based on your subscription. The user interface guides you through the identity domain creation process.

The default groups created in a new identity domain are All Tenant Users, and Administrators. During identity domain creation, if you choose to create an administrative user for the identity domain, that administrator is placed in the Administrators group. The Administrators group may not be deleted and there must be at least one user in the group. Unlike the Default identity domain, administrators can hide any identity domain they create from the sign-in page.

You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.

Note

Granting a user or a group the Identity domain administrator role in the Default domain is equivalent to granting them full administrator permissions for the tenancy. This behavior applies to the Default domain only. Granting users or groups the Identity domain administrator role for domains other than the Default domain grants them full administrator permissions to only that domain.

Using Multiple Identity Domains

Create and manage multiple identity domains (for example, one domain for development and one for production) each with different identity and security requirements to protect your applications and Oracle Cloud services.

There are several benefits to using multiple identity domains. By having separate identity domains, the users who work in one identity domain don't impact the work of users in another identity domain. Using multiple identity domains can help you maintain the isolation of administrative control over each identity domain. This is necessary if, for example, your security standards prevent development user IDs from existing in the production environment, or require that different administrators have control over different environments.

Each tenancy contains a Default identity domain, the identity domain which comes with your tenancy. Administrators can create as many additional identity domains as their license allows. Administrators can:

  • Create additional identity domains and be the identity domain administrator for them or assign another user to be the administrator.
  • Create additional identity domains and, as part of the identity domain creation process, assign users to be identity domain administrators of the identity domains.
  • Delegate the creation of additional identity domains to other administrators.

An identity domain administrator is assigned to an identity domain during the creation of the identity domain. Although the identity domain administrator identity may have the same user name as a user in the Default identity domain, they are different users who might have different privileges in each identity domain, and will have separate passwords.

The identity domain administrator can use the entire feature set of the identity domain. In an identity domain, the identity domain administrator can:

  • Manage users, groups, applications, system configuration, and security settings.
  • Perform delegated administration by assigning users to different administrative roles.
  • Enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors.
  • Create self-registration profiles to manage different sets of users, approval policies, and applications.

Limits on Identity Domains

Each identity domain type is associated with a different set of features and object limits.

See IAM Identity Domain Types for object limits, rate limits, and meters for each identity domain type.

See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

Changing Identity Domain Types

Upgrade your current identity domain type by changing the domain type.

See Understand Identity Domain Types to learn about the different domain types and the features associated with each one.

Identity Domains and Region Expansion

This topic covers information about identity domains and region expansion.

Default Identity Domain

You can’t change the regions to which the Default domain replicates. The Default domain always replicates to all regions to which the tenant is subscribed. When an administrator subscribes to another region, only the Default domain replicates to that region.

The Default domain's home region is the tenancy's home region. This cannot be changed.

Additional Identity Domains

Additional identity domains can have their own home region, but only within the set of regions the tenancy is subscribed to. Additional identity domains can also be replicated to regions within the set of regions the tenancy is subscribed to.

To take advantage of the Disaster Recovery (DR) feature which establishes a DR region outside of the primary region, you might need to update your firewall policies to enable communication with the additional (DR) regions. Refer to OCI documentation for details.

Moving Identity Domains

You can’t move the Default identity domain from the root compartment of the tenancy.

You can move any other identity domain to a different compartment within the same tenancy. When you move a domain, all its resources are moved with it. For more information about moving resources, see Moving Resources to a Different Compartment.

Deactivating Identity Domains

Domains must be deactivated before they are deleted.

The Default identity domain and the identity domain to which you’re signed in can’t be deactivated.

Before deactivating an identity domain, all Cloud, Oracle, Custom, and Enterprise applications must be deactivated. All applications created by App Services in Oracle Cloud Services (for example, AnalyticsINST-OAC1) must also be deactivated, but "entitlement" apps in Oracle Cloud Services (for example, ADWC) do not need to be deactivated.

Immediately after the administrator starts deactivating an identity domain, the identity domain moves to a deactivating state, and from that point users can no longer authenticate.

Deleting Identity Domains

After the applications have been deactivated, an administrator can deactivate the identity domain and delete it. Deleting an identity domain invalidates any IAM Policy that references it, and all resources in the identity domain are deleted. Deleted domains don’t display in the identity domain Console.

Recovering Domains

Administrators can't recover a deleted identity domain. See Getting Help and Contacting Support to contact Oracle support to recover a deleted identity domain.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

Disaster Recovery and Domains

To take advantage of the Disaster Recovery (DR) feature which establishes a DR region outside of the primary region, you might need to update your firewall policies to enable communication with the additional (DR) regions. Refer to OCI documentation for details.

Using the Console

Viewing Identity Domains for a Tenancy

View the identity domains in a specific compartment in a tenancy.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.

    You will see a table with a list of the identity domains for the tenancy. If you only have one identity domain, it will be the Default identity domain. For more information about the Default domain, see The Default Identity Domain.

  2. (Optional) Change the Compartment to see domains in other compartments.
  3. (Optional) In the table, you can:
    • See the details of the identity domain, by clicking the name.
    • Access the Users page of the identity domain, by clicking the Users link.
    • Access the Groups page of the identity domain, by clicking the Groups link.
    • Copy the domain OCID.
    • View existing tags for the domains and create tags.


Viewing Identity Domain Details

View and copy information from the details tab.

Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.

The Domain information tab of the identity domain is displayed. From this tab, you can view or copy:
  • OCID
  • Description
  • Domain URL

Copying an Identity Domain OCID

OCIDs can be lengthy strings. Copy the OCID so that you can paste it in the search field when searching for resources related to an OCID in a tenancy. Also, OCIDs can be used to specify a group or a compartment in a policy. If you rename an identity domain, the OCID doesn't change.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click a link for an identity domain.
  3. Next to the OCID field, click Copy.

    The OCID is copied to the clipboard.

Creating an Identity Domain

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click Create domain.
  3. On the Create domain page, enter the following:
    • Display name: Give the identity domain a name. Use only letters, numerals, hyphens, periods, or underscores. The name can contain up to 100 characters.
      Note

      Choose your Display name carefully. Changing the identity domain Display name has consequences; for example, bookmarked URLs need to be updated to use the new Display name.
    • Description: Enter a description.
    • Domain type: Choose from one of the available Domain types. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.
    • Domain administrator: If you want to use your administrative user account for this identity domain, then uncheck Create an administrative user for this account. Otherwise, enter the details of the user you want to administer this identity domain. See <topic title> for more information about administrator roles.
    • Optionally, choose a different compartment.
    • To add tagging, click Show Advanced Options and enter the tagging details.
  4. Click Create Domain.

    Ensure that the identity domain status is Creating.

Changing an Identity Domain Type

You can upgrade your identity domain by changing the domain type.

You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.

For more information about what validations to expect when changing domain types, see Changing your Identity Domain Type.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click Edit domain.
  3. Under Domain type, click Change domain type.
  4. Click the domain type to which you want to upgrade.
  5. Click Change domain type.
  6. Click Save.

Viewing or Editing Tags

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click the Tags tab to see the tags defined for the identity domain.
  3. Click Add Tags to add more tags to the identity domain.

Editing Identity Domain Details

You can edit certain details for an identity domain. For example, you can choose whether to show the identity domain on login or upgrade your domain type.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click Edit domain. Change any of the following settings:
    • Display name. Use only letters, numerals, hyphens, periods, or underscores. The name can contain up to 100 characters.
      Note

      Choose your Display name carefully. Changing the identity domain Display name has consequences; for example, bookmarked URLs need to be updated to use the new Display name.
    • Description
    • Domain type. To upgrade, see IAM Identity Domain Types.
    • Show identity domain on login
  3. Click Save.

Moving Resources to a Different Compartment

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click Move resource.
  3. Choose a new compartment and then click Move Resource.

Resetting All Passwords for a Domain

Resetting all passwords for an identity domain resets the passwords for all users and administrators in the identity domain, including the identity domain administrators. After the passwords are reset, users and administrators will receive an email notification, requesting them to reset their passwords.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click Reset all passwords.
  3. Confirm resetting all passwords for the identity domain.

Managing Regions for Identity Domains

You can replicate an identity domain to multiple regions if the tenancy is subscribed to multiple regions.

Ensure that the tenancy is subscribed to the regions to which you want to replicate the identity domain. For more information about the home regions and the basics of managing your region subscriptions, see Managing Regions. For more information about the replication behavior of the Default domain versus additional domains you create, see Identity Domains and Region Expansion.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click More Actions, and then Manage regions.
    The Manage regions window displays with a list of regions to which your tenancy is subscribed.
  3. For the region to which you want to replicate, click Enable replication.
  4. Confirm the replication.

Deactivating an Identity Domain

Identity domains must first be deactivated before they can be deleted.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click More Actions, and then Deactivate.
  3. Confirm the deactivation.

    The identity domain will be in an Inactive status.

Deleting an Identity Domain

First, deactivate the apps in the identity domain, deactivate the identity domain, and then you can delete it.

Deleting an identity domain invalidates any IAM Policy that references it.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in.
  2. Click Delete.