IAM Identity Domain Types

Learn about identity domain types and the features and limits associated with each.

An IAM identity domain is deployed with one of five identity domain types. Each identity domain type is associated with a different set of features and object limits. Use this information to decide which domain type is appropriate for what you want to do.

This section summarizes:

  • The different identity domain types
  • SKUs associated with each
  • Object limits
  • Rate limits
  • Meters for each identity domain type

Understand Identity Domain Types

IAM has five different domain types to suit different organizational needs. Start here to understand which suits your requirements best, and which type to choose when you create a domain.

Here's a summary of the domain types. Decide which looks closest to what you need and check the features and limits that you get with that domain type to decide which best suits your purposes.

Free

When you create an OCI tenancy, you are automatically provisioned with a Free tier identity domain. This domain type allows you to use IAM to manage access to OCI Infrastructure as a Service and PaaS resources, and it is the place to start using and understanding IAM. It includes everything you need for that. If you find you need extra features or higher limits, you can change to a different identity domain type.

Use case: Your organization uses Oracle Cloud and your employees need secure access to subscribed OCI services. Your users might currently be managed in Active Directory or a third-party Identity Provider. As you consider how IAM can help manage access to third-party applications, you can sign up for a 30-day Oracle Cloud promotion and try extra features.

Oracle Apps

Many Oracle Applications automatically provision an Oracle Apps identity domain which allows you to use IAM to manage access to the subscribed application. It includes everything you need. But if you find you need extra features or higher limits, you can change to a different identity domain type.

Use Case: Your organization has a vested interest in Oracle SaaS, PaaS, or GBU applications, and you would like your users to seamlessly authenticate across all Oracle cloud applications without having to present credentials each time. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also have one or two non-Oracle applications that you'd like users to seamlessly move across without having to reauthenticate.

Oracle Apps Premium

Oracle Apps Premium domains add support for hybrid IAM including the proxies, gateways, and bridges which extend the service to on-prem or OCI-hosted Oracle applications such as Oracle E-Business Suite, PeopleSoft, and Oracle Database. This domain type is limited to use with Oracle applications.

Use Case: Your organization is already using Oracle SaaS, PaaS, or GBU applications. You would like your users to seamlessly authenticate to on-premises or cloud-hosted Oracle applications such as E-Business Suite, JD Edwards, PeopleSoft, Oracle Database, and Oracle Linux. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want bidirectional synchronization with AD or other on-prem systems and you might have several non-Oracle applications that you’d like users to seamlessly move across without having to reauthenticate.

Premium

Premium identity domains provide the full IAM feature set for workforce use-cases giving you enterprise-ready access management across hybrid IT environments. It gives you support for all apps and services, and for third-party applications. If you are standardizing on Oracle as your enterprise identity and access manager provider, this is the domain type you want.

Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage workforce authentication and access to all of your Oracle and non-Oracle applications whether they’re SaaS apps, on-premises enterprise apps, or apps that are hosted in the cloud. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want automated provisioning and deprovisioning of accounts across these systems.

External User

External identity domains provide a robust IAM feature set for non-employee use-cases, consumer-facing IAM, and custom app development. The functionality provides relevant features for these scenarios such as user self-service, social login, and consent management.

Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage authentication and access to custom or consumer-facing applications. The solution should support social login, user self-service password and profile management, and terms of use consent. And you might need the solution to scale for millions of users.

Feature Availability for Identity Domain Types

Understand the features available for the different identity domain types.

This table shows the features available to each domain type.

Feature | Free | Oracle Apps | Oracle Apps Premium | Premium | External User

Core IAM features
User and group management | Yes | Yes | Yes | Yes | Yes
End-user self-registration | - | Yes | Yes | Yes | Yes
Self-service profile management | Yes | Yes | Yes | Yes | Yes
Account recovery (self-service password reset by way of email, SMS, security questions) | Yes | Yes | Yes | Yes | Yes
Default password policy | Yes | Yes | Yes | Yes | Yes
Group-based password policy | Yes | Yes | Yes | Yes | Yes

Support for External Apps (1)
Outbound SSO to third-party apps | Yes (limit of 2 external apps) | Yes (limit of 2 external apps) | Yes (limit of 6 external apps) | Yes (unlimited) | Yes
Provisioning to third-party apps using App Catalog | Yes (limit of 2 external apps) | Yes (limit of 2 external apps) | Yes (limit of 6 external apps) | Yes (unlimited) | -
OAuth/token management for third-party apps | Yes (limit of 2 external apps) | Yes (limit of 2 external apps) | Yes (limit of 6 external apps) | Yes (unlimited) | Yes
Generic SCIM app template | Yes (limit of 2 external apps) | Yes (limit of 2 external apps) | Yes (limit of 6 external apps) | Yes (unlimited) | Yes (unlimited)

Cloud Infrastructure Entitlement Management (CIEM)
All current Infrastructure as a Service IAM features | Yes | Yes | Yes | Yes | -
Manage access to OCI resources | Yes | Yes | Yes | Yes | -
Dynamic groups (for OCI) | Yes | Yes | Yes | Yes | -
Credential types specific to OCI | Yes | Yes | Yes | Yes | -

Security Options
External IdPs and social login (Federation / Inbound SSO) | Yes (3 external IdPs) | Yes (3 external IdPs) | Yes (unlimited external IdPs) | Yes (unlimited external IdPs) | Yes (unlimited external IdPs)
Flexible IdP routing policies | Yes | Yes | Yes | Yes | Yes
Terms of use | Yes | Yes | Yes | Yes | Yes
Just-in-time provisioning | Yes | Yes | Yes | Yes | Yes
PIV / CAC card support | Yes | Yes | Yes | Yes | Yes
Schema extension | Yes | Yes | Yes | Yes | Yes
Delegated administration | Yes | Yes | Yes | Yes | Yes
Uni-directional Active Directory sync (inbound sync from AD to the IAM identity domain) | Yes | Yes | Yes | Yes | -
Authentication options: Oracle Mobile Authenticator (MFA) and adaptive security (MFA: TOTP and push, phone call, security questions, FIDO2, DUO, email) | Yes (SMS is not part of the Free domain type) | Yes | Yes | Yes | Yes
Passwordless authentication | Yes | Yes | Yes | Yes | Yes
Sign-in policies (conditions: authenticated by, groups, administrators, exclusions, network sources, built-in risk engine) | Yes | Yes | Yes | Yes | Yes
Application SDKs | Yes | Yes | Yes | Yes | Yes

Oracle SaaS Integration
SSO for Oracle Cloud services | Yes | Yes | Yes | Yes | Yes
User provisioning for Oracle Cloud services (with account form, custom attributes, filters, and so on) | Yes | Yes | Yes | Yes | -
OAuth/token management for Oracle App and SaaS extensions (2) | Yes | Yes | Yes | Yes | -

Reports
Auditing and reporting | Yes | Yes | Yes | Yes | Yes

Branding
Customized look and feel | Yes | Yes | Yes | Yes | Yes
Hosted sign-in | - | - | Yes | Yes | Yes

Advanced and hybrid identity and access management features

Advanced IAM
Bi-directional sync with LDAP by way of provisioning bridge | - | - | Yes | Yes | -
Bi-directional sync with AD bridge | - | - | Yes | Yes | -
Delegated authentication by way of AD bridge | - | - | Yes | Yes | -
SSO for any application | Yes | Yes | Yes | Yes | Yes

Hybrid IAM
Application Gateway (for any enterprise app) | - | - | Yes (Oracle enterprise apps only) | Yes (any enterprise app) | Yes (any enterprise app)
EBS Asserter | - | - | Yes | Yes | -
RADIUS proxy (all: Oracle DB, VPNs, network devices, and so forth) | - | - | Yes (Oracle DB only) | Yes (all: Oracle DB, VPNs, network devices, and so on) | -
Linux PAM | - | - | Yes | Yes | -

(1) External or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using Visual Builder Cloud Service).

(2) SaaS Extensions are custom-developed applications that are only used as extensions to subscribed Oracle SaaS applications such as HCM, ERP, SCM, and so on. The sole purpose of these applications is to augment Oracle SaaS apps.

IAM Object Limits

Understand the number of different types of object allowed in each identity domain type.

You can create different identity domain types subject to the limit allowed by your subscription type. To find out the identity domain limits for each subscription type, see IAM With Identity Domains Limits.

This table shows the limits of the number of each type of object for each identity domain type.

Resource | Free | Oracle Apps | Oracle Apps Premium | Premium | External User
Users | 2,000 | 500,000 | 500,000 | 500,000 | Unlimited
Groups | 50 | 8,000 | 50,000 | 50,000 | 50,000
Users in a group | 2,000 | 5,000 | 50,000 | 50,000 | 50,000
Groups a user can belong to | 250 | 500 | 1,000 | 1,000 | 1,000
Default password and group-based password policies | 8 | 8 | 8 | 8 | 8
Non-Oracle apps (1) | 2 | 2 | 6 | 2,000 | 2,000
Oracle Cloud apps | 1,000 | 1,000 | 1,000 | 1,000 | -
EBS Asserter | - | - | 10 | 10 | -
Enterprise apps | - | - | 100 (only Oracle enterprise apps) | 100 | 100
RADIUS proxy | - | - | 10 (only Oracle DB) | 10 | -
Active Directory (AD) domains | 1 | 5 | 10 | 10 | -
Provisioning bridges | 2 | 5 | 5 | 5 | -
Application Gateway | - | - | 10 | 10 | 10
External Identity Providers and Social Login (IdPs) (Federation / inbound SSO) | 3 | 3 | 20 | 20 | 20
IdP policies | 3 | 3 | 50 | 50 | 50
Terms of use | 100 | 100 | 100 | 100 | 100
Sign-in policies | 3 | 3 | 100 | 100 | 100
Self-registration profiles | - | - | 20 | 20 | 20
IAM policies | 100 | 100 | 100 | 100 | -
Statements in an IAM policy | 50 | 50 | 50 | 50 | -
Dynamic groups | 50 | 50 | 50 | 50 | -
Network source groups in a tenancy | 10 | 10 | 10 | 10 | -
API keys per user | 2 | 2 | 2 | 2 | -
Auth tokens per user | 1 | 1 | 1 | 1 | -
OAuth2 client credentials per user | 8 | 8 | 8 | 8 | -
SMTP credentials | 1 | 1 | 1 | 1 | -
Customer secret keys per user | 1 | 1 | 1 | 1 | -
DB credentials per user | 1 | 1 | 1 | 1 | -

(1) Non-Oracle or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using Visual Builder Cloud Service).

API Rate Limits

Understand the rate limiting for APIs for the different identity domain types.

Oracle APIs are subject to rate limiting to protect the API service for all of Oracle's customers. If you reach the API limit for your identity domain type, IAM rejects the request with HTTP status 429 (Too Many Requests). The limits are per category of call, per second and per minute:

Limit | Free | Oracle Apps | Oracle Apps Premium | Premium | External User
AuthN / sec | 10 | 50 | 80 | 95 | 90
AuthN / min | 150 | 1000 | 2100 | 4500 | 3100
Token Mgmt / sec | 10 | 40 | 50 | 65 | 60
Token Mgmt / min | 150 | 1000 | 1700 | 3400 | 2300
Others / sec (excluding bulk, import and export) | 20 | 50 | 55 | 90 | 80
Others / min (excluding bulk, import and export) | 150 | 1500 | 1750 | 5000 | 4000
Bulk / sec | 1 | 1 | 1 | 2 | 2
Bulk / min | 1 | 2 | 3 | 6 | 6
Import and export / day | 1 | 2 | 3 | 5 | 5
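A client that issues IAM API calls has to stay inside the per-second and per-minute budgets above and cope with the 429 it gets when it does not. The following is an added example, not Oracle's code or SDK: a sliding-window throttle loaded with the table's numbers, and a retry wrapper that backs off on 429. It assumes the caller wraps the real HTTP request in a function returning (status_code, retry_after_seconds_or_None); whether the service sends a Retry-After header is an assumption, so None falls back to exponential backoff. The clock and sleep functions are injectable so the logic can be exercised offline.

```python
"""Client-side throttle plus HTTP 429 retry for the IAM API rate limits.

Added example, not Oracle's code. Limits copied from the table as
(calls per second, calls per minute); the (status, retry_after) contract of
the send() callable and the Retry-After fallback are assumptions.
"""
from collections import deque
import time

# domain type -> call category -> (per second, per minute), from the table
RATE_LIMITS = {
    "Free":                {"authn": (10, 150),  "token": (10, 150),  "other": (20, 150),  "bulk": (1, 1)},
    "Oracle Apps":         {"authn": (50, 1000), "token": (40, 1000), "other": (50, 1500), "bulk": (1, 2)},
    "Oracle Apps Premium": {"authn": (80, 2100), "token": (50, 1700), "other": (55, 1750), "bulk": (1, 3)},
    "Premium":             {"authn": (95, 4500), "token": (65, 3400), "other": (90, 5000), "bulk": (2, 6)},
    "External User":       {"authn": (90, 3100), "token": (60, 2300), "other": (80, 4000), "bulk": (2, 6)},
}


class FakeClock:
    """Deterministic clock for offline demonstration; sleep() only advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class SlidingWindowThrottle:
    """Refuses a call that would exceed either the 1-second or the 60-second budget."""

    def __init__(self, per_sec, per_min, clock=time.monotonic):
        self.per_sec, self.per_min, self.clock = per_sec, per_min, clock
        self.sent = deque()  # timestamps of calls made in the last 60 s

    def try_acquire(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:  # forget calls older than a minute
            self.sent.popleft()
        in_last_sec = sum(1 for t in self.sent if now - t < 1)
        if in_last_sec >= self.per_sec or len(self.sent) >= self.per_min:
            return False
        self.sent.append(now)
        return True


def throttle_for(domain_type, category, clock=time.monotonic):
    """Build a throttle for one domain type and call category from RATE_LIMITS."""
    per_sec, per_min = RATE_LIMITS[domain_type][category]
    return SlidingWindowThrottle(per_sec, per_min, clock)


def call_with_backoff(send, throttle, sleep=time.sleep, max_attempts=5):
    """Issue send() under the local throttle; on HTTP 429 wait Retry-After
    (or an exponential backoff when absent) and retry.
    Returns (final_status, attempts_used)."""
    delay = 0.5
    for attempt in range(1, max_attempts + 1):
        while not throttle.try_acquire():  # local budget spent: wait, send nothing
            sleep(0.05)
        status, retry_after = send()
        if status != 429:
            return status, attempt
        sleep(retry_after if retry_after is not None else delay)
        delay = min(delay * 2, 8.0)
    return 429, max_attempts


if __name__ == "__main__":
    clk = FakeClock()
    # Constructed responses: throttled twice (once with a Retry-After hint), then success.
    answers = iter([(429, 2.0), (429, None), (200, None)])
    th = throttle_for("Free", "authn", clock=clk.now)
    print(call_with_backoff(lambda: next(answers), th, sleep=clk.sleep), "after", clk.t, "s")
```

The local throttle keeps a well-behaved client from ever provoking a 429 in steady state; the backoff handles the bursts it cannot predict (other clients sharing the same identity domain count against the same limit).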

Other Restrictions

These restrictions apply to Bulk, Import, and Export for all tiers:
  • Payload size: 1 MB
  • Bulk API: limit of 50 operations per call
  • Only one of these can be run at a time:
    • Import: for Users, Groups, and App Role Memberships
    • Full sync from apps
    • Bulk APIs
    • Export: for Users, Groups, and App Role Memberships
  • CSV Import: limit of 100 K rows per CSV; maximum file size 10 MB
  • CSV Export: limit of 100 K rows
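Anything that feeds a large user population into a domain has to be cut to the 50-operation / 1 MB shape before it is sent, and a CSV import is best checked against the row and size limits before the single daily slot is spent on it. The following is an added example, not Oracle's code: a splitter that honours both bulk limits at once (and refuses an operation that can never fit), plus a CSV pre-check. It assumes the request body is a compact JSON object of the form {"Operations": [...]}, that the stated megabytes are binary megabytes, and that the CSV row limit excludes the header line; those are assumptions about the service, not facts from the page.

```python
"""Split bulk operations to the per-call limits and pre-check a CSV import.

Added example, not Oracle's code. Assumptions: compact JSON body
{"Operations": [...]}, binary megabytes, header line not counted as a row.
"""
import csv
import io
import json

MAX_OPS_PER_CALL = 50
MAX_PAYLOAD_BYTES = 1 * 1024 * 1024
MAX_CSV_ROWS = 100_000
MAX_CSV_BYTES = 10 * 1024 * 1024


def encoded_len(obj):
    """Byte length of obj serialized compactly (no whitespace after separators)."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


ENVELOPE_BYTES = encoded_len({"Operations": []})  # cost of the wrapper object itself


def payload_size(ops):
    """Exact serialized size of one bulk call carrying these operations."""
    return encoded_len({"Operations": ops})


def chunk_bulk_operations(ops):
    """Greedy, order-preserving split into batches of at most MAX_OPS_PER_CALL
    operations and MAX_PAYLOAD_BYTES bytes. The size is tracked incrementally
    (each op costs its own length plus one comma), which matches payload_size()
    of the batch exactly. Raises ValueError when a single op can never fit."""
    batches, current, size = [], [], ENVELOPE_BYTES
    for op in ops:
        op_len = encoded_len(op)
        if ENVELOPE_BYTES + op_len > MAX_PAYLOAD_BYTES:
            raise ValueError("a single operation exceeds the 1 MB payload limit")
        added = op_len + (1 if current else 0)
        if len(current) == MAX_OPS_PER_CALL or size + added > MAX_PAYLOAD_BYTES:
            batches.append(current)
            current, size, added = [], ENVELOPE_BYTES, op_len
        current.append(op)
        size += added
    if current:
        batches.append(current)
    return batches


def csv_import_violations(data):
    """Return the limits a CSV import (bytes) would break; an empty list means OK."""
    problems = []
    if len(data) > MAX_CSV_BYTES:
        problems.append(f"file is {len(data)} bytes, limit {MAX_CSV_BYTES}")
    rows = max(0, sum(1 for _ in csv.reader(io.StringIO(data.decode("utf-8")))) - 1)
    if rows > MAX_CSV_ROWS:
        problems.append(f"{rows} data rows, limit {MAX_CSV_ROWS}")
    return problems


if __name__ == "__main__":
    # Constructed sample: 120 user creations -> three calls of 50, 50 and 20 operations.
    sample = [{"method": "POST", "path": "/Users", "bulkId": f"u{i}",
               "data": {"userName": f"user{i}@example.com"}} for i in range(120)]
    print([len(b) for b in chunk_bulk_operations(sample)])
    print(csv_import_violations(b"userName,displayName\nu1,User One\n"))
```

Because only one bulk, import or export job may run at a time and the bulk rate is one or two calls per second, the batches should be sent sequentially under the bulk throttle rather than in parallel.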

Meters for Identity Domain Types

Understand the meters used for different identity domain types.

Free and Oracle Apps identity domain types do not use meters.

Oracle Apps Premium, Premium, and External User identity domain types use these meters:

  • Users per Month: The number of active and inactive users in the system, reported per hour and aggregated at the end of the billing cycle.

  • SMS: The number of SMS messages sent from the system, reported every hour and aggregated at the end of the billing cycle.

  • Tokens: The number of tokens issued by the system, reported every hour.

  • Replicated Users per Month: If you configure replication to more regions, this meter counts the active and inactive users in each replicated region, reported per hour and aggregated at the end of the billing cycle.

After you have provisioned your service, Oracle Cloud Infrastructure has tools to help you analyze and understand the costs associated with your account. See Checking Your Expenses and Usage.

Changing your Identity Domain Type

When you change the identity domain type, IAM validates the change you are making.
  1. You cannot change the default domain to External User identity domain type.
  2. Your subscription type controls the number of identity domains of each type. If the change would exceed the number of identity domains of that type for your subscription type, you cannot change to the new identity domain type. See IAM With Identity Domains Limits.
  3. If the number of objects of any type in your identity domain is higher than is allowed in the target identity domain type, you cannot change to the new identity domain type. See IAM Object Limits.
  4. The features available in your current identity domain type are checked. See Feature Availability for Identity Domain Types. A warning message appears reminding you to exercise caution when changing from one identity domain type to another. You can proceed after the warning message, but some of your existing features might no longer work.
  5. You can only change an identity domain to the Oracle Apps identity domain type if you have at least one Oracle App registered in that identity domain.
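Before requesting a type change it is worth running the same checks yourself against the IAM Object Limits table, so that a domain sized for Premium is not pushed towards Free and rejected at the last step, and so that features the target type lacks are noticed up front. The following pre-flight check is an added example, not Oracle's code: IAM performs these validations itself when the change is requested. It encodes a representative subset of the object limits table (math.inf for Unlimited, None for "-") and of the feature table, and walks the five validation steps above. The keyword arguments it takes for the default-domain flag, the subscription's remaining domain slots, the registered Oracle Apps and the features in use are hypothetical inputs the caller supplies, not console or API fields.

```python
"""Pre-flight validation for changing an identity domain type.

Added example, not Oracle's code. Limits are a subset of the IAM Object
Limits table on this page; math.inf means Unlimited, None means the
resource is not available in that domain type. The keyword arguments
are hypothetical caller-supplied context, not service fields.
"""
import math

DOMAIN_TYPES = ("Free", "Oracle Apps", "Oracle Apps Premium", "Premium", "External User")

# resource -> per-type limit, in DOMAIN_TYPES order (from the object limits table)
_LIMIT_ROWS = {
    "Users":                         (2000, 500000, 500000, 500000, math.inf),
    "Groups":                        (50, 8000, 50000, 50000, 50000),
    "Non-Oracle apps":               (2, 2, 6, 2000, 2000),
    "Oracle Cloud apps":             (1000, 1000, 1000, 1000, None),
    "EBS Asserter":                  (None, None, 10, 10, None),
    "RADIUS proxy":                  (None, None, 10, 10, None),
    "Active Directory (AD) domains": (1, 5, 10, 10, None),
    "External Identity Providers":   (3, 3, 20, 20, 20),
    "Sign in policies":              (3, 3, 100, 100, 100),
    "IAM policies":                  (100, 100, 100, 100, None),
    "Dynamic groups":                (50, 50, 50, 50, None),
}
OBJECT_LIMITS = {t: {r: row[i] for r, row in _LIMIT_ROWS.items()}
                 for i, t in enumerate(DOMAIN_TYPES)}

# Features that are not available in every type (subset of the feature table).
# Step 4 only warns about these; it does not block the change.
FEATURE_AVAILABLE_IN = {
    "Hosted sign-in":                     {"Oracle Apps Premium", "Premium", "External User"},
    "Bi-directional sync with AD bridge": {"Oracle Apps Premium", "Premium"},
    "EBS Asserter":                       {"Oracle Apps Premium", "Premium"},
    "Linux PAM":                          {"Oracle Apps Premium", "Premium"},
    "End-user self-registration":         {"Oracle Apps", "Oracle Apps Premium", "Premium", "External User"},
}


def validate_domain_type_change(current_counts, target, *, is_default_domain=False,
                                target_slots_remaining=1, oracle_apps_registered=0,
                                features_in_use=()):
    """Return (errors, warnings). Any error blocks the change; warnings mirror
    the caution message about features that might stop working afterwards."""
    if target not in DOMAIN_TYPES:
        raise ValueError(f"unknown domain type: {target}")
    errors, warnings = [], []
    # 1. The default domain cannot become an External User domain.
    if is_default_domain and target == "External User":
        errors.append("Default domain cannot be changed to the External User type")
    # 2. The subscription caps the number of domains of the target type.
    if target_slots_remaining < 1:
        errors.append(f"Subscription allows no further {target} identity domains")
    # 3. Every current object count must fit the target type's limits.
    limits = OBJECT_LIMITS[target]
    for resource, count in current_counts.items():
        if resource not in limits:
            continue  # not covered by this subset of the table
        limit = limits[resource]
        if limit is None and count > 0:
            errors.append(f"{resource}: not available in {target} (currently {count})")
        elif limit is not None and count > limit:
            errors.append(f"{resource}: {count} exceeds the {target} limit of {limit}")
    # 4. Features in use that the target type lacks only produce a warning.
    for feature in features_in_use:
        available = FEATURE_AVAILABLE_IN.get(feature)
        if available is not None and target not in available:
            warnings.append(f"{feature} is not available in {target} and might stop working")
    # 5. Oracle Apps requires at least one registered Oracle App.
    if target == "Oracle Apps" and oracle_apps_registered < 1:
        errors.append("At least one Oracle App must be registered to change to the Oracle Apps type")
    return errors, warnings


if __name__ == "__main__":
    # Constructed scenario: a Premium-sized domain being moved to Free.
    errs, warns = validate_domain_type_change(
        {"Users": 10000, "Groups": 40, "Non-Oracle apps": 5}, "Free",
        features_in_use=["Hosted sign-in"])
    print("\n".join(errs + warns))
```

The distinction between errors and warnings follows the steps above: exceeding an object limit or violating the default-domain rule is refused outright, while a feature that will stop working only triggers the caution message and leaves the decision to the administrator.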