About Oracle Identity Cloud Service Concepts

Learn about the basic concepts behind the technologies used in Oracle Identity Cloud Service.

Oracle Cloud Services

Learn about Software as a Service (SaaS), Data as a Service (DaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) services used in Oracle Cloud.

Oracle Cloud offers a host of cloud services.

Application services are classified into two categories:

  • Software as a Service (SaaS): Provides a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

  • Data as a Service (DaaS): Provides data on demand to a user regardless of geographic or organizational separation of the provider and consumer.

Platform services are also classified into two categories:

  • Platform as a Service (PaaS): Provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and deploying an application.

  • Infrastructure as a Service (IaaS): Provides access to computing resources (that is, virtualized hardware and computing infrastructure) in Oracle Cloud across a public connection.

For a comprehensive list of the available Oracle Cloud SaaS, DaaS, PaaS, and IaaS services, go to https://www.oracle.com/cloud and from the Oracle Cloud menu, select that category of services that interests you. From the page that opens, you can find links to detailed information about each service.

Oracle Cloud securely integrates its different cloud services, customer applications, and cloud services from other vendors. For example; this integration let’s you,
  • Embed Oracle Sales Cloud within your own application running on Oracle Java Cloud Service - SaaS Extension.

  • Extend Oracle Fusion Customer Relationship Management Cloud Service with a custom application.

  • Tie together an Oracle Cloud service with functionality from other sites, such as Salesforce.

  • Use an Oracle Cloud service as the infrastructure for building your own applications.

Identity Domain

Learn about the basic concepts behind an Identity Domain in Oracle Identity Cloud Service.

An identity domain is a construct for managing users and roles, integration standards, external identities, secure application integration through Oracle Single Sign-On (SSO) configuration and OAuth administration. OAuth is an authorization protocol (a set of rules) that allows a third-party website or application to access a user's data without the user sharing login credentials. An identity domain controls the authentication and authorization of the users signing in to a cloud service in Oracle Cloud, and what cloud service features they can access.

An Oracle Cloud service account is a unique customer account that can have multiple cloud services of different service types. For example, you could have three different cloud services, such as Oracle Java Cloud Service, Oracle Database Cloud Service, and Oracle Cloud Infrastructure Compute Classic as part of a single Oracle Cloud service account.

Every Oracle Cloud service belongs to an identity domain. Multiple services can be associated with a single identity domain to share user definitions and authentication. Users in an identity domain can be granted different levels of access to each service associated with the domain to ensure a segregation of duties.

Note:

The term tenant is a synonym for identity domain. Oracle Cloud is a multitenant system, much like the tenants of a building. So, an identity domain represents one tenant of a multitenant system.

SAML, OAuth, and OpenID Connect

Learn about the basic concepts behind the SAML, OAuth, and OpenID Connect technologies used in Oracle Identity Cloud Service.

Security Assertion Markup Language (SAML) supports both authentication and authorization and is an open framework for sharing security information on the internet through XML documents. SAML includes three parts:

  • SAML Assertion: How you define authentication and authorization information.

  • SAML Protocol: How you ask (SAML Request) and get (SAML Response) the assertions you need.

  • SAML Bindings and Profiles: How SAML assertions ride on (Bindings) and in (Profiles) industry-standard transport and messaging frameworks.

The OAuth 2.0 token service provided by the Oracle Cloud identity infrastructure provides secure access to the Representational State Transfer (REST) endpoints of cloud services by other cloud services and user applications.

OAuth 2.0 provides the following benefits:

  • It increases security by eliminating the use of passwords in service-to-service REST interactions.

  • It reduces the lifecycle costs by centralizing trust management between clients and servers. OAuth reduces the number of configuration steps to secure service-to-service communication.

Oracle Identity Cloud Service leverages the power of OpenID Connect and OAuth to deliver a highly-scalable, multi-tenant token service for securing programmatic access to custom applications by other custom applications, and for federated SSO and authorization integration with these applications:

  • Use OAuth 2.0 to define authorization in Oracle Identity Cloud Service for your custom applications. OAuth 2.0 has an authorization framework, commonly used for third-party authorization requests with consent. Custom applications can implement both two-legged and three-legged OAuth flows.

  • Use OpenID Connect to externalize authentication to Oracle Identity Cloud Service for your custom applications. OpenID Connect has an authentication protocol that provides Federated SSO, leveraging the OAuth 2.0 authorization framework as a way to federate identities in the cloud. Custom applications participate in an Open ID Connect flow.

Using the OAuth 2.0 and OpenID Connect standards provides the following benefits:

  • Federated SSO between the custom application and Oracle Identity Cloud Service. Resource owners (users accessing the custom application) need a single login to access Oracle Identity Cloud Service plus all applications integrated. Oracle Identity Cloud Service handles the authentication and credentials itself, insulating custom applications. This capability is provided by OpenID Connect with OAuth 2.0.

  • Authorization to perform operations on third-party servers with consent. Resource owners can decide at runtime whether the custom applications should have authorization to access data or perform tasks for them. This capability is provided by OAuth 2.0.

SCIM

Learn about the basic concepts behind the SCIM technology used in Oracle Identity Cloud Service.

With Oracle Identity Cloud Service REST APIs, you can use a System for Cross-Domain Identity Management (SCIM) to securely manage your Oracle Identity Cloud Service resources, including identities and configuration data. These APIs provide an alternative to using the web-based user interface when you want to use Oracle Identity Cloud Service for your own UI or for clients.

You can manage users, groups, and applications, perform identity functions and administrative tasks, and manage your identity domain settings.

Oracle Identity Cloud Service provides SCIM templates to help you integrate your applications for provisoning and synchronization. See Use the SCIM Interface to Integrate Oracle Identity Cloud Service with Custom Applications.

Other Oracle Identity Cloud Service Key Concepts

Learn about the basic concepts behind the technologies used in Oracle Identity Cloud Service.

  • 2-Step Verification: An authentication method that requires users to use more than one way of verifying their identity, providing a second layer of security to their accounts.

  • Access request: Allowing users to request group and application access from the Catalog, and view their access requests as well as the groups and applications to which they have access.

  • Access token: A token that contains all the rights that a user has to access an application.

  • Account recovery: This automated process is designed to help Oracle Identity Cloud Service users regain access to their accounts if they have trouble signing in, they’re locked out, or they forget their passwords.

  • Adaptive Security: This feature provides strong authentication capabilities for users, based on their behavior within Oracle Identity Cloud Service, and across multiple heterogeneous on-premises applications and cloud services. Adaptive Security is used to analyze a user's risk profile within Oracle Identity Cloud Service, based on their historical behavior, such as too many unsuccessful login attempts and too many unsuccessful MFA attempts, and real-time device context, such as impossible travel between locations, and logins from unknown devices, unfamiliar locations, and suspicious IP addresses. With this enriched context and risk information, Adaptive Security risk profiles each user, and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low) that can be used with Oracle Identity Cloud Service policies to enforce a remediation action, such as allowing or denying the user from accessing Oracle Identity Cloud Service and its protected applications and resources, requiring the user to provide a second factor to authenticate into Oracle Identity Cloud Service, and so on.

  • Administrator role: A role that provides user accounts with administrative capabilities in Oracle Identity Cloud Service.

  • Application: See Custom application and Oracle application.

  • App Catalog application: An application that contains a preconfigured application template.

  • Application role: An entitlement in an Oracle application.

  • Application template: How a custom application is represented in Oracle Identity Cloud Service.

  • Bridge: A link between a Microsoft Active Directory enterprise directory structure and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this directory structure so that any new, updated, or deleted user or group records are transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between Microsoft Active Directory and Oracle Identity Cloud Service.

  • Bulk loading: Loading a large amount of user, group, or application data into Oracle Identity Cloud Service automatically.

  • Bypass code: A second verification method for Oracle Identity Cloud Service users when they forget their phones, don’t have service, or can’t access their computers. Users can generate bypass codes after they enroll in 2-Step Verification, and then store the codes in a safe place.

  • Confidential application: A custom application that's accessed by multiple users, hosted in a secure and protected place (server), and uses OAuth 2.0.

  • Cross-Origin Resource Sharing (CORS): Client applications that run on one identity domain can obtain data from another identity domain.

  • Custom application: An application (such as a mobile application, a web page, a client application, or a server application) that you can integrate with Oracle Identity Cloud Service. By default, for security purposes, custom applications are trusted or confidential.

  • Default settings: Oracle Identity Cloud Service settings that are applied to a customer's entire identity domain. These settings include the time zone, password recovery email, signing certificate settings, contact information, and language for the identity domain.

  • Delegated administration: Providing user accounts with administrative capabilities in Oracle Identity Cloud Service.

  • Delegated authentication: Enabling users to use their Microsoft Active Directory passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.

  • Digital certificate: An electronic passport that allows a person, computer, or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may be referred to as a public key certificate.

  • Federated SSO: Provides a higher level of security and control for an identity provider because a security token is used to authenticate the user against both the identity provider and Oracle Identity Cloud Service.

  • Group: The link between user accounts and applications in Oracle Identity Cloud Service. Groups are designed to ease the administration of privileges that you grant to user accounts.

  • Identity provider: This type of provider, also known as an Identity Assertion provider, provides identifiers for users who want to interact with Oracle Identity Cloud Service using a website that's external to Oracle Identity Cloud Service.

  • Identity provider policy: Criteria that Oracle Identity Cloud Service uses to display specific identity providers for users to sign in to Oracle Identity Cloud Service when they are accessing particular apps.

  • Job: A batch execution of importing or exporting users, groups, or application roles in Oracle Identity Cloud Service.

  • Mobile application: A custom application that's hosted directly on the resource owner's browser, machine, or mobile device.

  • Multi-Factor Authentication (MFA): A method of authentication that requires the use of more than one factor to verify a user’s identity.

  • Network perimeter: A defined list of IP addresses that Oracle Identity Cloud Service can evaluate to determine whether users who use these IP addresses can sign in to Oracle Identity Cloud Service.

  • Oracle Mobile Authenticator (OMA) app: A mobile device app that users can use as a second verification method.

  • Oracle application: A complete and modular enterprise application, engineered from the ground up to be cloud-ready and to coexist seamlessly in mixed environments.

  • Password policy: A set of password-related criteria that you set in Oracle Identity Cloud Service for all users in an identity domain.

  • Password recovery email address: A user's email address to which Oracle Identity Cloud Service password recovery notifications are sent. By default, a user's primary email address is also the user's password recovery email address. However, a user has the option of specifying a password recovery email address that is different than the primary email address.

  • Primary email address: A user's email address to which all Oracle Identity Cloud Service notifications are sent.

  • Profile: A collection of useful data about you in Oracle Identity Cloud Service. Your profile includes contact information, account information, and also settings that determine the time zone and language that displays for your account in the Identity Cloud Service console.

  • Provisioning: Managing the lifecycle of user accounts in Software as a Service (SaaS) applications, such as creating and deleting accounts using Oracle Identity Cloud Service.

  • Provisioning Bridge: A link between on-premises apps and Oracle Identity Cloud Service. The Provisioning Bridge can synchronize with these apps so that any new, updated, or deleted user or group records are transferred into Oracle Identity Cloud Service. As a result, the state of each record is synchronized between the apps and Oracle Identity Cloud Service.

  • Refresh token: A secure mechanism to obtain a new access token when the current access token expires.

  • Resource server application: A third-party custom application that provides services that a web application can consume on behalf of the user.

  • SAML application: A custom application that's accessed by multiple users, hosted in a secure and protected place (server), and uses SAML 2.0.

  • Security Questions: Questions presented to users as part of 2-Step Verification. See 2-Step Verification.

  • Self-registration profile: A profile created by an administrator to manage different sets of users, approval policies, and applications in Oracle Identity Cloud Service.

  • Service provider: A website such as Oracle Identity Cloud Service that hosts applications.

  • Sign-on policy: Criteria that Oracle Identity Cloud Service uses to allow or deny access to apps that are assigned to users.

  • Social Login: Accessing Oracle Identity Cloud Service using credentials from trusted public identity providers such as LinkedIn, Facebook, Twitter, Google, and Microsoft. Users can also log in to these providers to create an account in Oracle Identity Cloud Service if they don't have one.

  • Synchronization: Controlling how operations such as creating and deleting accounts in SaaS applications are reflected in Oracle Identity Cloud Service.

  • Tag: A key-value pair that is used to organize and identify an application.

  • Trusted partner: Any application or organization, remote to Oracle Identity Cloud Service, that communicates with Oracle Identity Cloud Service.

  • User account: How a user is represented in Oracle Identity Cloud Service. A user account enables the user to access the Oracle Cloud service to which they belong. In Oracle Identity Cloud Service, there is a one-to-one relationship between a user and a user account.

  • User life cycle: The process flow of how a user account is created, managed, and deleted in Oracle Identity Cloud Service based on certain events or time factors.