Managing Sign-On Policies

This topic describes how to create and implement sign-on policies for an identity domain.

About Sign-On Policies

A sign-on policy allows identity domain administrators, security administrators, and application administrators to define criteria that determine whether to allow a user to sign in to an identity domain.

An identity domain includes a default sign-on policy that contains a default sign-on rule. By default, this rule allows all users to sign in to the identity domain with a username and password. However, you can build upon this policy by adding other sign-on rules to it. By adding these rules, you can prevent some of your users from signing in to the identity domain. Or, you can allow them to sign in, but prompt them for an additional factor to access resources that are protected by the identity domain, such as the Oracle Cloud Infrastructure Console.

For example, you can create two sign-on rules for the default sign-on policy. The first rule prevents any users from signing in to the identity domain if they’re using an IP address that falls within the range of a network perimeter that you defined. The second rule requires users who belong to a particular group (for example, the UA_Developers group) to be prompted for a second factor as part of the 2-Step Verification process. All other users will be able to sign in without being prompted for a second factor.

Because you can define multiple sign-on rules for a sign-on policy, the identity domain must know the order in which the rules are to be evaluated. To do this, you set the priority of the rules. For the example above, you can have the network perimeter sign-on rule evaluated first, and the UA_Developers group rule evaluated next.

If a user meets the criteria of the network perimeter sign-on rule (that is, the IP address used to attempt to sign in to the identity domain falls within the IP range that you defined in the network perimeter), the user is prevented from accessing identity domain-protected resources. If the user does not meet the criteria of this rule, then the rule with the next highest priority is evaluated. For this example, this is the UA_Developers group rule.

If the user is a member of the UA_Developers group, they will be prompted for an additional factor to sign in to the identity domain. If the user is not a member of the UA_Developers group, the rule with the next highest priority is evaluated. For this example, this is the default sign-on rule. Because this rule, by default, allows all users to sign in to the identity domain, the user will be able to sign in without being prompted for a second factor.

Important

For the default sign-on rule, never set access for all of your users to Deny access. If users don't meet the criteria of any other rules you define that allow them to sign in to the identity domain, they would be prevented from accessing identity domain-protected resources. Also, configure the identity domain to evaluate this sign-on rule last because, by default, it allows all users to sign in to the identity domain.

In addition to the default sign-on policy, you can create sign-on policies and associate them with specific apps. When a user uses one of these apps to attempt to sign in to the identity domain, the identity domain checks to see if the app has any sign-on policies associated with it. If so, then the identity domain evaluates the criteria of the sign-on rules assigned to the policy. If there are no sign-on policies for the app, then the default sign-on policy is evaluated.
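As an added illustration (not Oracle's code), the following Python models the priority-ordered rule evaluation and the app-specific versus default policy selection described above, including the check that the last-evaluated rule is an unconditional allow. The group names, CIDR ranges and the "hr-app" application are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the evaluation order described above; an added illustration, not Oracle's code.
@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool                           # Allow access (True) or Deny access (False)
    groups: frozenset = frozenset()       # Group membership: user must belong to one
    perimeters: tuple = ()                # Restrict to the following network perimeters
    admin_only: bool = False              # Administrator check box
    exclude_users: frozenset = frozenset()
    mfa: bool = False                     # Prompt for an additional factor

    def matches(self, user, ip):
        """True when the sign-in attempt meets every criterion set on the rule."""
        if user["name"] in self.exclude_users:
            return False
        if self.admin_only and not user.get("admin", False):
            return False
        if self.groups and not (self.groups & user["groups"]):
            return False
        if self.perimeters:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(p) for p in self.perimeters):
                return False
        return True

def evaluate(rules, user, ip):
    """Rules are checked in priority order; the first matching rule decides."""
    for rule in rules:
        if rule.matches(user, ip):
            if not rule.allow:
                return "deny"
            return "allow+mfa" if rule.mfa else "allow"
    return "deny"  # only reached when no catch-all default rule is present

def select_policy(policies, app):
    """An app is evaluated against the one policy listing it, else the default."""
    for policy in policies:
        if app in policy["apps"]:
            return policy
    return next(p for p in policies if p["default"])

def default_rule_is_safe(rules):
    """The Important note: the last-evaluated rule must be an unconditional allow."""
    last = rules[-1]
    return last.allow and not (last.groups or last.perimeters or last.admin_only)

# Constructed sample: the two-rule example from the text, plus an app policy for a hypothetical "hr-app".
DEFAULT_POLICY = {"default": True, "apps": set(), "rules": (
    Rule("Block perimeter", allow=False, perimeters=("203.0.113.0/24",)),
    Rule("UA_Developers second factor", allow=True, groups=frozenset({"UA_Developers"}), mfa=True),
    Rule("Default Sign-On Rule", allow=True))}
HR_POLICY = {"default": False, "apps": {"hr-app"}, "rules": (
    Rule("HR staff second factor", allow=True, groups=frozenset({"HR"}), mfa=True),
    Rule("Default Sign-On Rule", allow=True))}
POLICIES = (HR_POLICY, DEFAULT_POLICY)
```

Reordering the tuple of rules is the equivalent of changing rule priority in the Console, so the same sign-in attempt can be re-evaluated under different orderings.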

Using the Console

Adding a Sign-On Policy
This procedure adds a sign-on policy in a deactivated state. After completing this task, you must activate the policy to begin enforcing it in the identity domain.

Criteria that you can define for sign-on policies include:

  • The identity providers that will be used to authenticate the user

  • The groups of which the user is a member

  • Whether the user is an identity domain administrator

  • Whether to exclude a user

  • The IP address that the user is using to sign in to the identity domain

  • Whether the user will be forced to sign in to the identity domain again (reauthentication), or will be authenticated the next time they sign in to the identity domain

  • Whether the user will be prompted for an additional factor to sign in to the identity domain

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Sign-on policies.
  3. Click Create sign-on policy.
  4. Add a Name and Description, and then click Add policy:

    After you click Add policy, the sign-on policy is saved in a deactivated state. You must activate the policy to use it.

  5. In the Add sign-on rules screen, click Add sign-on rule to add a sign-on rule to this policy.
  6. Use the following table to configure the rule, and then click Add sign-on rule:
    Rule name: Enter the name of the sign-on rule.
    Authenticating identity provider: Enter or select all identity providers that will be used to authenticate the user accounts evaluated by this rule.
    Group membership: Enter or select the groups that the user must be a member of to meet the criteria of this rule. You must enter at least three characters to initiate a search of groups.
    Administrator: If the user must be assigned to administrator roles in the identity domain to meet the criteria of this rule, then select this check box.
    Exclude users: Enter or select the users to exclude from the rule. You must enter at least three characters to initiate a search of users.
    Filter by client IP address: There are two options associated with this field: Anywhere and Restrict to the following network perimeters.
    • If you select Anywhere, then users can log in to the identity domain using any IP address.

    • If you select Restrict to the following network perimeters, then the Network perimeters text box appears. In this text box, enter or select network perimeters that you defined. For more information, see Adding a Network Perimeter. Users can log in to the identity domain using only IP addresses that are contained in the defined network perimeters.

    Allow access or Deny access: Select whether a user will be allowed to access the Console if the user account meets the criteria of this rule. When you select Allow access, the following additional options are presented.
    Prompt for reauthentication: Select this check box to force the user to log in to the identity domain again. If not selected, the user will be authenticated the next time they log in to the identity domain.
    Prompt for an additional factor: Select this check box to prompt the user for an additional factor to log in to the identity domain. If you select this check box, then you must specify whether the user is required to enroll in Multi-Factor Authentication and how often this additional factor is to be used to log in.

    Select Any factor to prompt the user to enroll and verify any factor enabled in the MFA tenant-level settings.

    Select Specified factors only to prompt the user to enroll and verify a subset of the factors enabled in the MFA tenant-level settings. After you select Specified factors only, you can select the factors that must be enforced by this rule.

    Frequency
    • Select Once per session or trusted device, so that for each session that the user has opened from an authoritative device, they must use both their user names and passwords, and a second factor.

    • Select Every time, so that each time users log in from a trusted device, they must use their user names and passwords, and a second factor.

    • Select Custom interval, and then specify how often users must provide a second factor to log in. For example, if you want users to use this additional factor every two weeks, then click Number, enter 14 in the text field, and then click the Interval drop-down menu to select Days. If you configured Multi-Factor Authentication (MFA), then this number must be less than or equal to the number of days a device can be trusted according to MFA settings. For more information, see Managing Multi-Factor Authentication.

    Enrollment

    This menu contains two options: Required and Optional.

    • Select Required to force the user to enroll in Multi-Factor Authentication.

    • Select Optional to give users the option of skipping enrollment in Multi-Factor Authentication. Users see the inline enrollment setup process after they enter their user name and password, but can click Skip. Users can then enable MFA later from the 2-Step Verification setting in the Security settings of My Profile. Users are not prompted to set up a factor the next time that they sign in.

      Note

      If you set Enrollment to Required, and later change it to Optional, the change only affects new users. Users already enrolled in Multi-Factor Authentication will not see the inline enrollment process and will not be able to click Skip when logging in.
  7. In the Add sign-on rules screen, click Add sign-on rule to add another sign-on rule to this policy. Otherwise, click Next.
    Note

    If you have added multiple sign-on rules to this policy, then you can change the order in which they will be evaluated. See To Change the Priority of a Sign-On Rule for the Policy.
  8. In the Add apps screen, click Add app to add apps to this policy.
  9. In the Add app window, select the check box for each app that you want to add to the policy. Then, click Add app.
    Note

    You can add an app to only one sign-on policy. If the app isn’t assigned to any sign-on policy explicitly, then the default sign-on policy applies to the app.

  10. Click Close.

Activating a Sign-On Policy

You must activate a sign-on policy after you create it.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Sign-on policies.
  3. In the Sign-on policies page, select the check box for each sign-on policy that you want to activate.
  4. From the Actions menu, select Activate sign-on policy.
  5. To confirm the activation, click Activate sign-on policy.

Updating a Sign-On Policy

You can modify the following:

  • Edit the name or description of the policy

  • Add, remove, edit, or change the priority of sign-on rules for the policy

  • Add or remove apps from the policy

To modify a sign-on policy:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Sign-on policies.
  3. In the Sign-on policies page, click the sign-on policy that you want to modify.

To Change the Priority of a Sign-On Rule for the Policy

You can change the priority of a sign-on rule for a sign-on policy to change the order in which the identity domain evaluates it.

  1. Click Edit priority.
  2. Click the up or down arrow next to the rule to move it to the position in the listed order that you want the rule applied.

    For example, if your sign-on rule is currently listed fourth, and you want the identity domain to evaluate it first, click the up arrow next to the rule until it is at the top of the list. Your sign-on rule will appear first in the list, and the rule that was previously first will now have a priority of 2.

  3. Click Save changes.

To Add a Rule to the Policy

  1. On the sign-on policy details page, click Add sign-on rule.
  2. Use the following table to configure the rule:
    Rule name: Enter the name of the sign-on rule.
    Authenticating identity provider: Enter or select all identity providers that will be used to authenticate the user accounts evaluated by this rule.
    Group membership: Enter or select the groups that the user must be a member of to meet the criteria of this rule. You must enter at least three characters to initiate a search of groups.
    Administrator: If the user must be assigned to administrator roles in the identity domain to meet the criteria of this rule, then select this check box.
    Exclude users: Enter or select the users to exclude from the rule. You must enter at least three characters to initiate a search of users.
    Filter by client IP address: There are two options associated with this field: Anywhere and Restrict to the following network perimeters.
    • If you select Anywhere, then users can log in to the identity domain using any IP address.

    • If you select Restrict to the following network perimeters, then the Network perimeters text box appears. In this text box, enter or select network perimeters that you defined. For more information, see Adding a Network Perimeter. Users can log in to the identity domain using only IP addresses that are contained in the defined network perimeters.

    Allow access or Deny access: Select whether a user will be allowed to access the Console if the user account meets the criteria of this rule. When you select Allow access, the following additional options are presented.
    Prompt for reauthentication: Select this check box to force the user to log in to the identity domain again. If not selected, the user will be authenticated the next time they log in to the identity domain.
    Prompt for an additional factor: Select this check box to prompt the user for an additional factor to log in to the identity domain. If you select this check box, then you must specify whether the user is required to enroll in Multi-Factor Authentication and how often this additional factor is to be used to log in.

    Select Any factor to prompt the user to enroll and verify any factor enabled in the MFA tenant-level settings.

    Select Specified factors only to prompt the user to enroll and verify a subset of the factors enabled in the MFA tenant-level settings. After you select Specified factors only, you can select the factors that must be enforced by this rule.

    Frequency
    • Select Once per session or trusted device, so that for each session that the user has opened from an authoritative device, they must use both their user names and passwords, and a second factor.

    • Select Every time, so that each time users log in from a trusted device, they must use their user names and passwords, and a second factor.

    • Select Custom interval, and then specify how often users must provide a second factor to log in. For example, if you want users to use this additional factor every two weeks, then click Number, enter 14 in the text field, and then click the Interval drop-down menu to select Days. If you configured Multi-Factor Authentication (MFA), then this number must be less than or equal to the number of days a device can be trusted according to MFA settings. For more information, see Managing Multi-Factor Authentication.

    Enrollment

    This menu contains two options: Required and Optional.

    • Select Required to force the user to enroll in Multi-Factor Authentication.

    • Select Optional to give users the option of skipping enrollment in Multi-Factor Authentication. Users see the inline enrollment setup process after they enter their user name and password, but can click Skip. Users can then enable MFA later from the 2-Step Verification setting in the Security settings of My Profile. Users are not prompted to set up a factor the next time that they sign in.

      Note

      If you set Enrollment to Required, and later change it to Optional, the change only affects new users. Users already enrolled in Multi-Factor Authentication will not see the inline enrollment process and will not be able to click Skip when logging in.
  3. Click Add sign-on rule.
    Note

    If you have added multiple sign-on rules to this policy, then you can change the order in which they will be evaluated. See To Change the Priority of a Sign-On Rule for the Policy.

To Edit a Sign-On Rule

  1. On the sign-on policy details page, find the rule you want to edit.
  2. Click the Actions menu (three dots) for the sign-on rule and click Edit sign-on rule.
  3. Make your edits. For a full description of all the fields, see To Add a Rule to the Policy.
  4. When finished, click Save changes.

To Delete a Sign-On Rule

  1. On the sign-on policy details page, find the rule you want to delete.
  2. Select the check box for each sign-on rule that you want to delete from the policy.
  3. Click Remove sign-on rule.
  4. In the confirmation window, click Remove sign-on rule.

To Add Apps to the Policy

  1. On the sign-on policy details page, click Apps. The list of applications already added to the policy is displayed.
  2. Click Add app.
  3. In the Add app window, select the check box for each app that you want to add to the policy. Then, click Add app.

To Remove Apps from the Policy

  1. On the sign-on policy details page, click Apps. The list of applications already added to the policy is displayed.
  2. Select the check box for each app that you want to remove from the policy.
  3. Click Remove app.
  4. To confirm the removal, click Remove app.

Deactivating a Sign-On Policy

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Sign-on policies.
  3. In the Sign-on policies page, select the check box for each sign-on policy that you want to deactivate.
  4. From the Actions menu, select Deactivate sign-on policy.
  5. To confirm the deactivation, click Deactivate sign-on policy.

Deleting a Sign-On Policy

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Sign-on policies.
  3. In the Sign-on policies page, select the check box for each sign-on policy that you want to delete.
  4. From the Actions menu, select Delete sign-on policy.
  5. To confirm, click Delete sign-on policy.