Understand Identity Provider Policies

An identity provider policy allows identity domain administrators, security administrators, and application administrators to define which identity providers are visible in the Sign In page either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service.

Oracle Identity Cloud Service also uses identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service through identity providers or with their local credentials.

There are three types of identity providers available with Oracle Identity Cloud Service:

  • SAML identity provider: This type of identity provider supports the SAML 2.0 (Security Assertion Markup Language 2.0) standard. You use a SAML identity provider when you want to establish trust with a SAML-compatible identity provider, such as Active Directory Federation Services, so that users in your organization can access resources protected by Oracle Identity Cloud Service.

    If you want your users to be redirected to a specific SAML identity provider automatically so that they can access an app, then ensure that the identity provider policy associated with the app has only the SAML identity provider assigned to it. If multiple identity providers are assigned to the identity provider policy, then users will be prompted to select one of the identity providers from the Sign In page.

  • Social identity provider: By linking an Oracle Identity Cloud Service user account to a user's social accounts, the user can access Oracle Identity Cloud Service using their social credentials, such as Facebook, Google, LinkedIn, Microsoft, and Twitter.

  • Local identity provider (Local IDP): Authentication into Oracle Identity Cloud Service happens locally by the user providing their credentials (user name and password) in the Sign In page.

The identity provider policy allows you to configure whether local authentication will be displayed in the Sign In page for the user.

Suppose you've created several social identity providers and SAML identity providers, and you want to configure which of these identity providers will appear in the Sign In page when the user attempts to authenticate into Oracle Identity Cloud Service using a particular app. Without identity provider policies, you couldn't configure this. So, if you had all of these SAML and social identity providers activated and set to appear in the Sign In page, they would all be displayed.

Oracle Identity Cloud Service provides you with a default identity provider policy that has a local identity provider (Local IDP) assigned to it. This way, at the bare minimum, users can authenticate into Oracle Identity Cloud Service with their user names and passwords. However, you can build upon this default policy by assigning other identity providers to it. Both the My Profile console and the Identity Cloud Service console use the identity providers that are assigned to the default identity provider policy.

In addition to the default identity provider policy, you can create identity provider policies and associate them with specific apps. Suppose you have multiple apps and you want to assign different identity providers to each app. For example, you may have two apps, and you want users to authenticate into Oracle Identity Cloud Service from Facebook or LinkedIn. So, you can have one identity provider policy specifically for the first app and the Facebook social identity provider, and another identity provider policy exclusively for the second app and the LinkedIn social identity provider.

Oracle Identity Cloud Service displays a maximum of four identity providers on the Sign In page. If you assign more than four identity providers to an identity provider policy, then a View all link appears on the page. Click the link and all identity providers associated with the policy appear.
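As an added illustration of the rules above (this is not Oracle's code or API; the app names, providers and policies are invented), the following Python model resolves an app to its identity provider policy, works out what the Sign In page does under that policy, and audits apps that are meant to redirect straight to their SAML identity provider:

```python
from dataclasses import dataclass

# Constructed model of the Sign In page rules described on this page. It is not
# the Oracle Identity Cloud Service API; all names and policies below are invented.
MAX_VISIBLE = 4  # more than this many providers adds a "View all" link


@dataclass(frozen=True)
class IdP:
    name: str
    kind: str  # "saml", "social" or "local"


@dataclass(frozen=True)
class Policy:
    name: str
    providers: tuple  # IdP objects assigned to this policy


LOCAL = IdP("Local IDP", "local")
DEFAULT_POLICY = Policy("Default Identity Provider Policy", (LOCAL,))


def policy_for(app, app_policies):
    """Apps without a dedicated policy use the default one (Local IDP only)."""
    return app_policies.get(app, DEFAULT_POLICY)


def sign_in_page(policy):
    """Describe what the user sees when this policy applies."""
    providers = list(policy.providers)
    if len(providers) == 1 and providers[0].kind == "saml":
        # A lone SAML provider means the user is redirected to it automatically.
        return {"mode": "redirect", "target": providers[0].name}
    return {
        "mode": "select",
        "local_login": any(p.kind == "local" for p in providers),
        "shown": [p.name for p in providers[:MAX_VISIBLE]],
        "view_all": len(providers) > MAX_VISIBLE,
    }


def audit(app_policies, federated_apps):
    """Flag apps that should accept only their SAML provider but still show a picker."""
    findings = []
    for app in federated_apps:
        page = sign_in_page(policy_for(app, app_policies))
        if page["mode"] != "redirect":
            findings.append(f"{app}: expected SAML redirect, users get a picker "
                            f"(local login shown: {page['local_login']})")
    return findings
```

Running `audit` over your policy inventory shows which apps still expose a provider picker (and local password login) when the intent was federation-only.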