Securing IAM

Manage IAM security features.

This section contains information about various security aspects of IAM:

  • Managing Terms of Use: Lets you set the terms and conditions to access the Console or a target application, based on the user's consent.
  • Managing Password Policies: Create and manage group-based password policies for an identity domain.
  • Managing Adaptive Security and Risk Providers: Learn about adaptive security and risk providers, how to activate adaptive security, how to configure the Default risk provider, and how to add a third-party risk provider.
  • Managing Delegated Authentication: Find out how users can use their Microsoft Active Directory (AD) passwords to sign in to their identity domain to access resources and applications protected by IAM.
  • Configuring Account Recovery: Learn how to use an automated process designed to help users regain access to their accounts if they have trouble signing in, if they're locked out, or they forget their passwords.
  • Managing Multifactor Authentication: Multifactor authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user's identity. Find out how to enable it in an identity domain.
  • Managing Passwordless Authentication: Passwordless authentication allows users to sign in using their username and another authentication factor, such as a passcode sent to them in email. Learn how to set it up.
  • Managing Trusted Partner Certificates: A trusted partner is any application or organization, remote to IAM that communicates with IAM. Learn how to use trusted partner certificates, which are X.509 digital certificates, to manage the trust relationship.
  • Managing Network Perimeters: Find out how to define network perimeters (exact IP addresses, address ranges, or masked ranges) and use them in sign-on policies as allowlists or blocklists to manage access to identity domains.

Managing Network Perimeters

Network perimeters in an identity domain in IAM restrict the IP addresses that users can use to sign in.

You can perform the following tasks related to network perimeters: list them, create one, view its details, update it, and delete it.

Introduction

After creating a network perimeter, you can prevent users from signing in to IAM if they use one of the IP addresses in the network perimeter. This is known as blocking. A blocklist contains IP addresses or address ranges that you consider suspicious, for example, addresses allocated to a country or network from which your organization never expects legitimate sign-ins, or addresses that threat intelligence has associated with attacks.

An IP address identifies a host, or more precisely a network interface, on the internet or on a private network. The address that IAM evaluates is the source address of the sign-in request as it arrives at IAM. If users sit behind NAT, a corporate proxy, or a VPN concentrator, that is the shared public egress address, not the address of the individual device, so a network perimeter identifies a network, not a person. Unlike a password, the source address of an established connection is hard to forge, which makes it a useful, if coarse, signal for sign-on policy.

A blocklist can contain a single IP address or a range of addresses. IAM uses this information to refuse sign-in attempts that come from the listed addresses.

You can also configure IAM so that users can sign in only from IP addresses contained in the network perimeter. This is known as allowlisting: sign-in attempts from these addresses are accepted and all others are refused. Allowlisting is the reverse of blocklisting, where the perimeter identifies suspicious addresses and sign-in attempts from them are denied.

In other words, you can restrict sign-in to a specific IP address or address range, or you can watch for suspicious addresses or ranges and prevent sign-in from them. Either way, the perimeter only defines the set of addresses; the sign-on policy rule that references it decides whether a match allows or denies the sign-in.

With a network perimeter, you can define, in a standard format, an exact IP address, a range of IP addresses, or a set of masked IP addresses. Both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocols are supported.

  • Exact IP address. You can enter a single IP address or multiple IP addresses. If you enter multiple exact IP addresses, then put a comma between each one.

  • IP range: two IP addresses separated by a hyphen. For example, the range 10.10.10.1-10.10.10.10 matches any sign-in attempt from an address from 10.10.10.1 through 10.10.10.10, inclusive.

  • Masked IP address range (CIDR notation). An IPv4 address is four 8-bit numbers (octets); the number after the slash is the prefix length, the count of leading bits that must match. For example, 10.11.12.18/24 means that the first 24 bits (the first three octets, 10.11.12) form the network prefix, so the range matches every address that begins with 10.11.12, that is, 10.11.12.0 through 10.11.12.255. The host bits of the address you enter (the 18) do not matter; 10.11.12.18/24 and 10.11.12.0/24 describe the same range.

    Caution

    Don't use an IP address range of 0.0.0.0/0 (or ::/0 for IPv6), as it encompasses every address. In an allowlist it would remove the restriction entirely, and in a blocklist it would lock every user out.
Note

The examples above use IPv4 addresses, but the same three formats apply to IPv6 addresses written in standard colon-hexadecimal notation (for example, the exact address 2001:db8:0:8000::4d8 from the documentation prefix, or the masked range 2001:db8::/32). IPv6 prefix lengths run from 0 to 128 rather than 0 to 32.
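As an added example (my own code, not Oracle's implementation of network perimeters), the following Python models the three entry formats above with the standard ipaddress module and shows how a sign-on policy rule would turn a perimeter match into an allow or deny decision. The class and function names, the "allow" and "block" mode strings, and the sample addresses are this example's own assumptions; the addresses come from private and documentation ranges.

```python
import ipaddress
from typing import Iterable, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The catch-all prefixes warned about in the Caution above; a perimeter that
# contains one of them matches every sign-in attempt of that IP version.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_entry(raw: str) -> List[IPNet]:
    """Expand one perimeter entry into CIDR networks.

    Accepted forms, mirroring the Console:
      exact:   "203.0.113.7" or "203.0.113.7, 2001:db8::1" (comma-separated)
      range:   "10.10.10.1-10.10.10.10" (inclusive, hyphen-separated)
      masked:  "10.11.12.18/24" (host bits ignored, so this is 10.11.12.0/24)
    """
    nets: List[IPNet] = []
    for part in (p.strip() for p in raw.split(",") if p.strip()):
        if "/" in part:
            nets.append(ipaddress.ip_network(part, strict=False))
        elif "-" in part:
            lo_s, hi_s = (s.strip() for s in part.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version:
                raise ValueError(f"mixed IPv4/IPv6 range: {part!r}")
            if lo > hi:
                raise ValueError(f"range start is after range end: {part!r}")
            # A range need not be prefix-aligned; summarize it into the
            # minimal list of CIDR blocks that cover exactly those addresses.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(part))  # a single /32 or /128
    for net in nets:
        if net in CATCH_ALL:
            raise ValueError(f"refusing catch-all prefix {net}")
    return nets


class NetworkPerimeter:
    """A named set of addresses, as defined in the Console (assumed model)."""

    def __init__(self, name: str, entries: Iterable[str]) -> None:
        self.name = name
        self.networks: List[IPNet] = []
        for raw in entries:
            self.networks.extend(parse_entry(raw))

    def contains(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # Membership across IP versions is always False, so v4 and v6
        # entries can live side by side in one perimeter.
        return any(addr in net for net in self.networks)


def evaluate_sign_on(client_ip: str, perimeters: Iterable[NetworkPerimeter], mode: str) -> str:
    """Decision a sign-on policy rule would make for one sign-in attempt.

    mode="allow": the perimeters form an allowlist; only addresses inside
                  one of them may sign in.
    mode="block": the perimeters form a blocklist; addresses inside one of
                  them are refused.
    """
    matched = any(p.contains(client_ip) for p in perimeters)
    if mode == "allow":
        return "ALLOW" if matched else "DENY"
    if mode == "block":
        return "DENY" if matched else "ALLOW"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    corp = NetworkPerimeter(
        "corp-egress",
        ["10.11.12.18/24", "10.10.10.1-10.10.10.10", "203.0.113.7, 2001:db8::/32"],
    )
    for ip in ("10.11.12.200", "10.10.10.11", "2001:db8:0:8000::4d8"):
        print(ip, "allowlist ->", evaluate_sign_on(ip, [corp], "allow"),
              "blocklist ->", evaluate_sign_on(ip, [corp], "block"))
```

Note that the range 10.10.10.1-10.10.10.10 expands to five CIDR blocks because it is not prefix-aligned; the Console accepts the hyphen form so that you do not have to do that arithmetic yourself. The catch-all check is the code form of the Caution above: a perimeter that matches everything is almost always a configuration mistake.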

After defining network perimeters, you can assign them to a sign-on policy and configure the policy rule so that a sign-in attempt from an IP address in the perimeter is either allowed or denied.

See Add a Sign-On Policy for more information about assigning network perimeters to a sign-on policy.

Listing Network Perimeters

Retrieve a list of network perimeters.

  1. Open the navigation menu and select Identity & Security. Under Identity, select Domains.
  2. Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want.
  3. Select Security and then Network perimeters.

    A list of existing network perimeters is displayed.

Creating a Network Perimeter

Create a network perimeter in an identity domain in IAM and configure it to restrict the IP addresses that users can use to sign in.

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select Security and then Network perimeters.

    A list of existing network perimeters is displayed.

  3. On the Network perimeters list page, select Create network perimeter.
  4. Enter the name of the network perimeter and the exact IP address or IP addresses, IP range, or masked IP address range for the network perimeter. To learn about IP address formats, see Managing Network Perimeters.
  5. Select Create.
Now, create a sign-on policy rule that includes the network perimeter. To learn about using this network perimeter in sign-on policy rules, see Creating a Sign-On Policy.

Getting a Network Perimeter's Details

View the name and the IP addresses for a network perimeter in an identity domain in IAM.

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select Security and then Network perimeters.

    A list of existing network perimeters is displayed.

  3. Find the network perimeter for which you want to see more information.
  4. From the Actions menu (three dots) of the network perimeter, select Edit network perimeter.
    A window opens and displays the name and IP addresses associated with the network perimeter. You can update these values as needed.

Updating a Network Perimeter

Update the name and the IP addresses for a network perimeter in an identity domain in IAM.

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select Security and then Network perimeters.

    A list of existing network perimeters is displayed.

  3. From the Actions menu (three dots) of the network perimeter that you want to update, select Edit network perimeter.
  4. Update the name and IP addresses, as necessary.
  5. Select Save changes.

Deleting a Network Perimeter

Delete one or more network perimeters in an identity domain in IAM.

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select Security and then Network perimeters.

    A list of existing network perimeters is displayed.

  3. From the Actions menu (three dots) of the network perimeter that you want to delete, select Delete network perimeter.
  4. Confirm the deletion when prompted.

Managing Continuous Workforce Verification (Beta)

Important

See Oracle Legal Notices.

Introduction (Beta)

Identity Verification (IDV) is a process that validates a person's real-world identity by comparing their physical facial attributes to government-issued identification documents, such as passports and driver's licenses. This provides a high level of assurance that the user is who they claim to be.

Continuous Workforce Verification (CWV) builds on IDV by periodically re-validating a user's identity using facial biometrics after initial enrollment. This ensures that the person accessing applications or resources is the individual who is supposed to access the application or resource (and not someone who happened to gain possession of the credentials), strengthening your organization's security posture against imposters and unauthorized access.

This service integrates with third-party identity verification (or identity proofing) providers to perform the initial document and identity check. Once a user's identity is verified, their facial biometric data is enrolled with Oracle's native service for ongoing verification checks. Currently, Oracle supports Daon.

Concepts (Beta)

Identity Verification (IDV): The one-time process of proving a user's identity by matching a live selfie against a government-issued ID document. This is performed via a third-party provider.

Facial Biometrics: The process of capturing a user's unique facial characteristics to create a secure biometric template. This template is used for initial enrollment and subsequent verification checks. Facial biometrics in IAM is an OCI-native capability.

Continuous Workforce Verification (CWV): An ongoing security posture where a user's identity is periodically checked using facial biometrics to ensure the authorized user is still the one operating the account.

Identity Verification Provider: A third-party service (for example, Daon) that is integrated into OCI IAM to handle the initial identity proofing by verifying government-issued documents.

Liveness Detection: Technology used during facial biometric scans to ensure that the user is physically present in front of the camera and is not presenting a photo, a video replay, or a mask to spoof the system. The check uses randomized prompts such as tilting the head or blinking, so a recording made in advance cannot satisfy it.

Inline Enrollment: An enrollment process that is mandated by an administrator and occurs directly within the sign-in flow. Users are typically required to complete it before they can access applications.

Continuous Workforce Verification Process

The process involves two key personas:

  • Administrators: Configure Identity Verification providers and set up Continuous Workforce Verification policies that define when and how often users must verify their identity.
  • Users: Enroll in the service by verifying their identity with a government-issued ID and their face. Subsequently, they complete periodic facial biometric checks as defined by the administrator.

Administrators Workflow (Beta)

  1. An administrator at Example Inc. first establishes a commercial relationship with a supported identity verification provider, such as Daon.
  2. In the OCI Console, the administrator navigates to the Identity Domain, configures Daon as an identity verification provider using credentials such as client ID and secret, and activates it.
  3. The administrator then creates a Continuous Workforce Verification policy and adds a rule that specifies which user groups are affected.
  4. Within the rule, the administrator enables facial biometrics and sets the frequency for periodic checks (for example, every 7 to 14 days) and re-enrollment (for example, every 6 to 12 months).

Oracle recommends combining Identity Verification and Facial Biometrics for the highest identity assurance. However, each capability is optional and can be used separately: administrators can configure Continuous Workforce Verification with Identity Verification and Facial Biometrics, or with Facial Biometrics alone, according to their organization's needs. When both are enabled for inline enrollment, the user is taken through the IDV process first and then through biometric enrollment.

Administrators can also specify whether enrollment is mandatory inline or a step that users can skip, and can define settings such as the verification frequency.

End-User Workflow (Beta)

  1. Initial Enrollment: An employee, John, is prompted to enroll inline after authentication (if Continuous Workforce Verification policy is configured for inline enrollment), or from My Profile. This is a one-time process.
    1. Identity Verification: A QR code appears on John's computer screen. He scans it with his smartphone to initiate the identity verification process with Daon. He takes a live selfie and then scans his government-issued ID. Daon validates the document's authenticity and confirms that the selfie matches the photo in the document.
    2. Biometric Enrollment: John is redirected back to his computer's web browser. He is prompted to position his face in a frame and complete randomized liveness prompts, such as tilting his head. The system captures his facial data, creates a biometric template, and stores it securely to complete his enrollment.
  2. Ongoing Verification: Two weeks later, when John accesses an application, he signs in with his standard credentials. Immediately afterward, CWV initiates a facial biometric challenge. He positions his face, completes a liveness prompt, and the system validates his identity against the stored template, granting him access.

Use Case: Example of how Example Inc Leverages IDV and CWV (Beta)

This use case shows how Example Inc. uses the identity verification vendor Daon for continuous workforce verification (CWV). An administrator configures IAM to integrate with the identity verification provider and creates continuous workforce verification policies for periodic verification of users. An employee of Example Inc. verifies their identity with a government-issued ID, enrolls in facial biometrics, and is re-verified through periodic identity checks.

Admin Configuration (Beta)

  1. An administrator at Example Inc. navigates to the Identity Domain and configures an identity verification provider, Daon.
  2. The administrator enters the credentials provided by the vendor (client ID, client secret, discovery URL), maps the supported claims to identity domain attributes, and then selects Create. The identity verification provider is created in a deactivated state, and the administrator then activates it.
  3. The administrator creates a continuous workforce verification policy and adds a rule. In the rule, the administrator sets the prerequisites in the Conditions field, with passkey as the first authentication factor and Oracle Mobile Authenticator (OMA) as the second factor, and selects the user groups that the rule evaluates.
  4. The Example Inc. administrator then enables facial biometrics, schedules facial biometric checks at randomized intervals between 7 and 14 days, and re-enrollment frequency between 6 to 12 months.
  5. Administrator enables identity verification, and selects the provider created in step 2.
  6. Once defined, the policy is enforced across the identity domain for the users who satisfy the conditions specified in the rule.

User Enrollment (Beta)

  1. An employee, John, receives an email informing him of the new requirement. He signs in with his primary and second factor and is prompted to Enroll with Biometrics. If not prompted to enroll in biometrics during sign-in, the user signs in to My Login Profile and selects Enroll with biometrics.
  2. The user reviews and accepts the terms and conditions.
  3. Identity Verification

    1. A QR code appears on his computer screen. John scans it with his smartphone, which initiates identity verification with Daon. Depending on Daon configuration, John might be asked to download the Daon app or an app provided by Example Inc. to complete identity verification.
    2. John takes a live selfie. Daon checks the selfie for liveness.
    3. He then scans his government-issued ID using his phone. Daon validates the document’s authenticity and confirms that the selfie matches the photo in the document.
    4. A success message indicates that his identity has been verified.
  4. Facial Biometrics Enrollment

    1. John is redirected back to his computer's web browser.
    2. The browser requests access to his webcam. He is prompted to position his face in a frame and complete randomized liveness prompts, such as tilting his head up, to the right, and to the left. Because the prompts are not known in advance, a prerecorded video or a static photo cannot satisfy them, which protects against spoofing and replay attacks.
    3. The system captures his facial data, creates a biometric template, and stores it securely. His enrollment is now complete.

Continuous Workforce Verification (Beta)

  1. Once enrolled, periodic facial biometric verification is enforced at sign-in whenever the configured interval has elapsed. For example, two weeks later, when accessing an enterprise application, John completes the standard passkey sign-in followed by Oracle Mobile Authenticator (OMA) as the second factor.
  2. Immediately afterward, CWV initiates a facial biometric verification challenge. John positions his face within the frame, completes a randomized liveliness prompt, and the system validates his identity against the securely stored biometric template.
  3. John is granted access to the application. The verification event is logged for auditing purposes.

Getting Started (Beta)

Important

See Oracle Legal Notices.

Before You Begin (Beta)

Before you configure this feature, ensure you have the following:

  1. Third-party Identity Verification Provider Subscription: You must have an active commercial relationship and license with a supported third-party Identity Verification provider. IAM supports identity verification with providers using OpenID Connect (OIDC) integration. You will need to obtain a license from a supported vendor (for example, Daon) before you can begin the identity verification provider configuration.
  2. From your IDV provider, you will need the following credentials for configuration:
    1. Client ID
    2. Client Secret
    3. Discovery URL
  3. Feature availability: Identity Verification and Continuous Workforce Verification features are available in OCI IAM Oracle Apps Premium and Premium domain types only. If you have a domain with Free domain type, you must upgrade to one of these domain types.
  4. Admin Access: You need permissions to manage identity verification providers and domain policies.
  5. User Pre-requisites: Ensure your users are aware of the requirements for enrollment:
    1. A mobile device with a camera and the ability to install the IDV provider's application.
    2. A government-issued ID with NFC capabilities (for example, a modern passport).
    3. A computer with a webcam for facial biometric enrollment and verification.
    4. A passkey configured as an authentication factor, as it is a prerequisite for CWV.

Required IAM Policies (Beta)

To manage Identity Domain security settings and continuous workforce verification policies, you must have one of the following grants:

  1. Be a member of the Administrators group
  2. Be granted the Identity Domain Administrator role or the Security Administrator role
  3. Be a member of a group granted manage identity-domains permissions

Using Identity Verification Providers (Beta)

Important

See Oracle Legal Notices.

Creating an Identity Verification Provider (Beta)

  1. In the Console, open the navigation menu and select Identity & Security. Under Identity, select Domains.
  2. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  3. On the domain's details page, select Security, and then select Identity verification providers.
  4. Select Create verification provider.
  5. In the Details section:
    1. Select a Verification provider from the drop down list (for example, Daon).
    2. Enter a unique Name and a Description for this provider configuration.
  6. In the Configure section, enter the credentials you obtained from your third-party provider:
    1. Client ID
    2. Client secret
    3. Discovery URL
    4. Token endpoint
    5. User endpoint
  7. In the Supported claims retrieved section, map the claims returned by the provider to attributes in your identity domain. This ensures that the data from the ID document is correctly associated with the user's profile.
    1. Select a Verified claim (for example, First name).
    2. Select the corresponding Identity domain user attribute to map it to.
    3. Select Add another claim to map additional attributes.
  8. Select Create.
    Note

    The identity verification provider is created in a deactivated state. You must activate the identity verification provider before you can use it in a continuous workforce verification policy.
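As an added example (my own code, not Oracle's or Daon's), the following Python shows the two checks a practitioner would want around the credentials and claim mapping entered in the procedure above: validating that the discovery URL and the document it returns belong to the same issuer and use TLS (the issuer check is required by OpenID Connect Discovery section 4.3), and applying the claim-to-attribute mapping only to claims the provider has actually verified. It assumes the provider follows OpenID Connect Discovery, that the "User endpoint" in the Console corresponds to the OIDC userinfo endpoint, and that verified claims arrive in the verified_claims structure from OpenID Connect for Identity Assurance. The discovery document, the userinfo response, the host names, and the attribute names are constructed for this example.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document; idv.example.com is a placeholder host.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idv.example.com",
    "authorization_endpoint": "https://idv.example.com/oauth2/authorize",
    "token_endpoint": "https://idv.example.com/oauth2/token",
    "userinfo_endpoint": "https://idv.example.com/oauth2/userinfo",
    "jwks_uri": "https://idv.example.com/oauth2/jwks",
    "claims_supported": ["sub", "given_name", "family_name", "birthdate"],
})

# Constructed userinfo response in the Identity Assurance shape: the claims
# under verified_claims were checked against the ID document, while "email"
# outside it is merely self-asserted by the user.
SAMPLE_USERINFO = {
    "sub": "d1f2a0c9",
    "email": "john.doe@example.com",
    "verified_claims": {
        "verification": {"trust_framework": "nist_800_63A", "time": "2024-05-01T10:00:00Z"},
        "claims": {"given_name": "John", "family_name": "Doe", "birthdate": "1990-01-01"},
    },
}

# Mapping entered in the "Supported claims retrieved" step (assumed names).
CLAIM_MAP = {"given_name": "First name", "family_name": "Last name", "birthdate": "Birth date"}


def _require_https(url: str, what: str) -> str:
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{what} must be an absolute https URL, got {url!r}")
    return url


def load_provider_endpoints(discovery_url: str, document_text: str) -> Dict[str, str]:
    """Extract the token and user endpoints from a discovery document.

    Refuses a document whose issuer does not match the URL it was fetched
    from (so a document served from the wrong host cannot redirect the
    token exchange elsewhere) and any endpoint that is not https.
    """
    _require_https(discovery_url, "discovery URL")
    doc = json.loads(document_text)
    issuer = doc.get("issuer", "")
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        raise ValueError(f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")
    return {
        "issuer": issuer,
        "token_endpoint": _require_https(doc["token_endpoint"], "token endpoint"),
        "user_endpoint": _require_https(doc["userinfo_endpoint"], "user endpoint"),
    }


def map_verified_claims(userinfo: dict, claim_map: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the claim mapping to verified claims only.

    Returns (attribute -> value, verified claims the administrator did not
    map). Self-asserted top-level claims never reach a user attribute.
    """
    verified = userinfo.get("verified_claims", {})
    if "verification" not in verified or "claims" not in verified:
        raise ValueError("provider response carries no verified_claims")
    claims = verified["claims"]
    mapped = {attr: claims[c] for c, attr in claim_map.items() if c in claims}
    unmapped = sorted(c for c in claims if c not in claim_map)
    return mapped, unmapped


if __name__ == "__main__":
    endpoints = load_provider_endpoints("https://idv.example.com" + WELL_KNOWN, SAMPLE_DISCOVERY)
    print("token endpoint:", endpoints["token_endpoint"])
    attributes, leftover = map_verified_claims(SAMPLE_USERINFO, CLAIM_MAP)
    print("mapped attributes:", attributes, "unmapped verified claims:", leftover)
```

The unmapped list is worth surfacing during configuration: a verified claim the provider returns but nobody mapped is assurance you paid for and then discarded, and conversely a mapping for a claim the provider never verifies would silently leave that attribute empty.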

Getting an Identity Verification Provider’s Details (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Security, and then select Identity verification providers.
  3. Select one of the identity verification providers to view the details.

Updating an Identity Verification Provider (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Security, and then Identity verification providers.
  3. Select one of the identity verification providers to view the details.
  4. (Optional) Make any necessary updates to the Details page.
  5. Select Save.

Deleting an Identity Verification Provider (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Domain, Security, and then Identity verification providers.
  3. Select one of the identity verification providers to delete.
  4. Confirm the deletion.

Activate an Identity Verification Provider (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Domain, Security, and then Identity verification providers.
  3. From the Actions menu (three dots) of the identity verification provider you want to activate, select Activate verification provider.
  4. Confirm the activation.

Deactivating an Identity Verification Provider (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. From the Actions menu (three dots), of the identity verification provider you want to deactivate, select Deactivate verification provider.
  3. Confirm the deactivation.

Using Continuous Workforce Verification (Beta)

Important

See Oracle Legal Notices.

Listing Continuous Workforce Verification Policies (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Domain, Domain Policies, find the Continuous Workforce Verification policy section to view a list of verification policies.

Adding a Continuous Workforce Verification Policy (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Go to Domain, Domain Policies, find the Continuous Workforce Verification policy section and select the default policy name to add a rule, or select Create policy.
  3. (Optional) Enter a Name and Description for the policy.
  4. Create a rule for the Continuous Workforce Verification Policy.
    1. Add a Name and Description for the rule.
    2. In the Groups section, select groups that you want to add to this rule.
    3. In the Facial biometrics section, switch on Enable facial biometrics.
      1. Set the Verification frequency (for example, Every 7 to 14 days). This determines how often the periodic facial scan occurs.
      2. Select a pre-defined re-enrollment frequency. This determines how often users are prompted to re-enroll.
      3. Switch on Mandate inline enrollment to force users to enroll during their next sign-in. If disabled, users must enroll manually via their My Profile page.
      4. Enable Identity verification provider. Select the identity verification provider you created and activated in this identity domain.
  5. Select Add rule.
  6. (Optional) In the Policy Rules section, select Add rule again to add another workforce verification rule to this policy.
    Note

    If you added multiple rules to this policy, then you can change the order in which they will be evaluated. Select Edit priority and then use the arrows to change the order of the rules.
  7. The Continuous Workforce Verification policy is saved in a deactivated state. When you finish creating the policy, you must activate the policy to use it.
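As an added example (my own model, not Oracle's implementation), the following Python shows how the rule settings from the Administrators Workflow and the procedure above, a randomized verification frequency, a re-enrollment frequency, and the inline-enrollment switch, could be evaluated at sign-in once the rule's prerequisite factors have been passed. It assumes both windows are expressed in days, that the next check date is re-drawn after every successful verification so a user or an imposter cannot predict when the next challenge will come, and that the decision names and the six-to-twelve-month re-enrollment range are this example's own choices.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CwvRule:
    """One Continuous Workforce Verification rule (assumed field names)."""
    verify_window_days: Tuple[int, int] = (7, 14)        # "Every 7 to 14 days"
    reenroll_window_days: Tuple[int, int] = (180, 365)   # roughly 6 to 12 months
    mandate_inline_enrollment: bool = True


@dataclass
class UserCwvState:
    """What the service would remember per user (assumed model)."""
    enrolled_at: Optional[datetime] = None
    verify_due: Optional[datetime] = None
    reenroll_due: Optional[datetime] = None


# Draw dates from the OS CSPRNG by default so the schedule is unpredictable;
# tests can pass a seeded random.Random instead.
_DEFAULT_RNG = random.SystemRandom()


def _draw(now: datetime, window: Tuple[int, int], rng: random.Random) -> datetime:
    lo, hi = window
    return now + timedelta(days=rng.randint(lo, hi))


def record_enrollment(state: UserCwvState, now: datetime, rule: CwvRule,
                      rng: random.Random = _DEFAULT_RNG) -> UserCwvState:
    """Call after IDV (if enabled) and biometric enrollment both succeed."""
    state.enrolled_at = now
    state.verify_due = _draw(now, rule.verify_window_days, rng)
    state.reenroll_due = _draw(now, rule.reenroll_window_days, rng)
    return state


def record_verification(state: UserCwvState, now: datetime, rule: CwvRule,
                        rng: random.Random = _DEFAULT_RNG) -> UserCwvState:
    """Call after a periodic facial biometric check succeeds."""
    if state.enrolled_at is None:
        raise ValueError("cannot record a verification for an unenrolled user")
    # Re-draw the window from now, not from the old due date, so a user who
    # signs in late does not immediately face the next challenge.
    state.verify_due = _draw(now, rule.verify_window_days, rng)
    return state


def decide(state: UserCwvState, now: datetime, rule: CwvRule) -> str:
    """Decision for a sign-in after the rule's prerequisite factors passed.

    Re-enrollment is checked before periodic verification: once the
    template is too old to trust, a match against it proves nothing.
    """
    if state.enrolled_at is None or (state.reenroll_due is not None and now >= state.reenroll_due):
        return "ENROLL_INLINE" if rule.mandate_inline_enrollment else "ENROLL_FROM_PROFILE"
    if state.verify_due is not None and now >= state.verify_due:
        return "BIOMETRIC_CHALLENGE"
    return "PASS"


if __name__ == "__main__":
    rule = CwvRule()
    john = UserCwvState()
    day0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("first sign-in:", decide(john, day0, rule))
    record_enrollment(john, day0, rule)
    print("next day:", decide(john, day0 + timedelta(days=1), rule))
    print("two weeks later:", decide(john, day0 + timedelta(days=14), rule))
```

Because the re-enrollment check comes first, a user whose template has aged out is never offered a biometric challenge against the stale template. With Mandate inline enrollment off, the same user is allowed through and left to enroll from My Profile, which is the trade-off the switch in step 4 controls.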

Getting a Continuous Workforce Verification Policy’s Details (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select one of the continuous workforce verification policies to view the details.

Activate a Continuous Workforce Verification Policy (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select the continuous workforce verification policy you wish to activate.
  3. In the Details page, from the Actions menu (three dots), select Activate policy.
  4. To confirm the activation, select Activate policy.

Deactivate a Continuous Workforce Verification Policy (Beta)

  1. On the Domains list page, select the domain in which you want to make changes. If you need help finding the list page for the domain, see Listing Identity Domains.
  2. Select the continuous workforce verification policy you wish to deactivate.
  3. In the details page, from the Actions menu (three dots), select Deactivate policy.
  4. To confirm the deactivation, select Deactivate policy.