About Oracle Identity Cloud Service

Oracle Identity Cloud Service provides identity management, single sign-on (SSO), and identity governance for applications on-premises, in the cloud, or for mobile devices. Employees and business partners can access applications at any time, from anywhere, and on any device in a secure manner.

Oracle Identity Cloud Service integrates directly with existing directories and identity management systems, and makes it easy for users to get access to applications. It provides the security platform for Oracle Cloud, which allows users to securely and easily access, develop, and deploy business applications such as Oracle Human Capital Management (HCM) and Oracle Sales Cloud, and platform services such as Oracle Java Cloud Service, Oracle Business Intelligence (BI) Cloud Service, and others.

Administrators and users can use Oracle Identity Cloud Service to help them effectively and securely create, manage, and use a cloud-based identity management environment without worrying about setting up any infrastructure or platform details.

Using Oracle Identity Cloud Service, you can:

Standard License Tier Features for Oracle Identity Cloud Service

Learn more about License Tiers.

Most features are already enabled for Standard Tier License tenants. See About Oracle Identity Cloud Service Pricing Models. If you don’t see any of these features in Oracle Identity Cloud Service and want to use them, you must file a Service Request with My Oracle Support.

Category Feature Description
Application Gateway

App Gateway

Use App Gateway to integrate applications hosted either on a compute instance, in a cloud infrastructure, or in an on-premises server with Oracle Identity Cloud Service for authentication purposes. See Understand App Gateway.


Authorization Policy for Enterprise Applications

Enterprise applications that are protected using App Gateway can now make use of authorization policies. Administrators can define allow or deny authorization policies using the authenticated IdP, group membership, network perimeter, and day and time of day as authorization conditions. See Configure an Authorization Policy.

Device Fingerprint

Device Fingerprint

User device attributes are processed and the fingerprint is stored in a browser cookie to uniquely identify a user's system.

See: About Device Fingerprints.

EBS Asserter

EBS Asserter

Use the Oracle Identity Cloud Service E-Business Suite Asserter component from Oracle Identity Cloud Service to integrate your Oracle E-Business Suite environment with other cloud and non-cloud services using Oracle Identity Cloud Service Single Sign-On (SSO).

See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service.

Identity Provisioning

Provisioning Bridge

The Provisioning Bridge provides synchronization of users and groups between your on-premises apps and Oracle Identity Cloud Service. Learn how you can create, manage, and remove Provisioning Bridges in Oracle Identity Cloud Service.

See Understand the Provisioning Bridge and Why Use the Provisioning Bridge?.

Identity Provisioning

Lifecycle Rules

Manage the complete user life cycle and automate the joiner, mover, and leaver processes. If there is any change in a user attribute, you can propagate that change to the downstream application (for example, if a user gets disabled, then all accounts owned by this user would be disabled automatically).


IDP Discovery Rules

Identity Provider (IDP) Discovery enables you to organize the login page based on the username; for example, if you want corporate SSO login for some users and you want them to be logged in using social Identity Providers. Depending on the application being accessed and who is accessing it, you can completely customize the way users can log in.



The LDAP2SCIM proxy will allow application clients to integrate with Oracle Identity Cloud Service using the LDAP protocol. This is a beta-only feature, currently available on an invitation basis.

Passwordless Login

Tired of resetting passwords? Passwordless authentication is available.

Instead of passwords, proof of identity can be verified based on possession of something that uniquely identifies the user (for example, a one-time password (OTP), a registered mobile device, or a hardware token).

Once enabled, users can access protected resources either by using a user name and password or passwordless authentication. Users use self-service to set up passwordless authentication.

See Manage Passwordless Authentication.


Just-In-Time (JIT) Provisioning

Using SAML, JIT provisioning automates user account creation for target service providers when the user first tries to perform SSO and the user does not exist.

In addition to automatic user creation, JIT implementation allows granting and revoking group memberships as part of provisioning. JIT implementation also updates provisioned users so the users’ attributes in the Service Provider store can be kept in sync with the Identity Store user store attributes.

See Understand SAML Just-In-Time Provisioning.

SAML JIT Provisioning uses Oracle Identity Cloud Service REST APIs. See Create an Identity Provider.

For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service.


AD Bridge High Availability

Set up High Availability and Load Sharing so that you don’t have a single point of failure for your AD Bridge architecture. See About Multiple AD Bridges for High Availability and Load Balancing.

AD Bridge

AD Bridge – Sync Only

Synchronize users and groups from selected organizational units (OUs) in Microsoft Active Directory (AD) into Oracle Identity Cloud Service. You can perform either an incremental sync or a full sync. Learn about syncing new OUs and read some example use cases. See Understand Full and Incremental Sync.

Security

Delegated Authentication

With delegated authentication, identity domain administrators and security administrators don’t have to synchronize user passwords between an on-premises Microsoft Active Directory (AD) enterprise directory structure and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.

See Understand Delegated Authentication.

Security

Duo as an authentication factor.

Use Duo Security factors to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service.

See Configure Duo Security Settings.


X.509 Certificate Authentication for Identity Providers

Use an X.509 authenticated identity provider with certificate-based authentication to comply with Personal Identity Verification (PIV) card requirements.

See Enable X.509 Certificate Authentication, Import a Trusted Partner Certificate, and Add an X.509 Authenticated Identity Provider.


Phone call as an authentication factor.

Use a phone call to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service.

See Configure Multi-Factor Authentication Settings and Configure One-Time Passcode Text Messages.


FIDO Security

Use FIDO Authentication as an MFA factor so that users can use platform authentication, such as Windows Hello or Mac Touch ID, or cross-platform authentication using devices such as YubiKeys.

See Configure FIDO Security.


Group-Based Password Policies

You can have multiple password policies in Oracle Identity Cloud Service and associate them with different groups and set the priorities. Group password policies allow you to define password policies and associated rules to enforce password settings on the group level. You can create multiple policies with more- or less-restrictive rules.

Security

Network Perimeters

For security purposes, identity domain administrators, security administrators, and application administrators can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses.

See Understand Network Perimeters.


Secure Oracle Database with RADIUS Proxy

Enterprises can now secure their Oracle Database instances with two-factor authentication using RADIUS Proxy.

Using RADIUS Proxy, Oracle Identity Cloud Service can:
  • Manage all database Administrators and all database Users.
  • Define access controls using Database Roles to be managed by using Identity Cloud Service Groups.
User Experience

Customize the sign in page by creating your own HTML code and translations.

Instead of using the default sign in page, administrators can create a Hosted Sign In page to change the look and feel of the sign-in experience. You create a Hosted Sign In page by adding a background image as well as designing custom HTML code and specifying translations (specifying translations is optional).

See Create Hosted Sign In Pages.