Understand Sign-On Policies

A sign-on policy allows identity domain administrators, security administrators, and application administrators to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service.

Oracle Identity Cloud Service provides a default sign-on policy that contains a default sign-on rule. Oracle Identity Cloud Service evaluates the criteria of this rule for any user attempting to sign in. By default, the rule allows all users to sign in, so any successful authentication is sufficient, whether local authentication (supplying a user name and password) or authentication through an external identity provider. You can build on this policy by adding other sign-on rules to it. With these rules you can prevent some of your users from signing in to Oracle Identity Cloud Service, or allow them to sign in but prompt them for an additional factor before they can access resources that Oracle Identity Cloud Service protects, such as the My Profile console or the Identity Cloud Service console.

For example, you can create two sign-on rules for the default sign-on policy. The first rule prevents any users from signing in to Oracle Identity Cloud Service if they’re using an IP address that falls within the range of a network perimeter that you defined. The second rule allows users who belong to a particular group (for example, the UA_Developers group) to sign in to Oracle Identity Cloud Service; however, they will be prompted for a second factor as part of the 2-Step Verification process. All other users will be able to sign in without being prompted for a second factor.

Because a sign-on policy can contain multiple sign-on rules, Oracle Identity Cloud Service must know the order in which to evaluate them. You control this order by setting the priority of each rule. The first rule whose criteria the user meets decides the outcome; rules with a lower priority are not evaluated for that sign-in attempt. For the example above, you would have the network perimeter rule evaluated first and the UA_Developers group rule evaluated next.

If a user meets the criteria of the network perimeter rule (that is, the IP address used to attempt to sign in falls within the IP range that you defined in the network perimeter), the user is prevented from accessing Oracle Identity Cloud Service-protected resources. Users who sign in from IP addresses outside this range don't meet the criteria of this rule, so the rule with the next highest priority is evaluated. For this example, that is the UA_Developers group rule: any user who belongs to the UA_Developers group is prompted for an additional factor to sign in. Users who aren't members of the UA_Developers group don't meet the criteria of this rule either, so the rule with the next highest priority is evaluated. For this example, that is the default sign-on rule. Because this rule, by default, allows all users to sign in, the user is able to sign in without being prompted for a second factor.

Important:

Never configure the default sign-on rule to deny all of your users. Any user who doesn't meet the criteria of another rule that allows them to sign in falls through to this rule, so a deny-all default locks those users out of every Oracle Identity Cloud Service-protected resource. Also, configure Oracle Identity Cloud Service to evaluate this rule last: because it matches all users, a rule ordered after it can never be reached.

In addition to the default sign-on policy, you can create sign-on policies and associate them with specific apps. When a user attempts to sign in to Oracle Identity Cloud Service through one of these apps, Oracle Identity Cloud Service checks whether the app has a sign-on policy associated with it. If so, Oracle Identity Cloud Service evaluates the criteria of the sign-on rules assigned to that policy. If the app has no sign-on policy of its own, Oracle Identity Cloud Service evaluates the default sign-on policy instead.
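The following model, added here as an example, shows the priority-ordered, first-match evaluation described above, the fall-through to the default sign-on rule, the two misconfigurations the Important note warns against, and the choice between an app's own policy and the default policy. It is not Oracle Identity Cloud Service code and calls no Oracle Identity Cloud Service API; the rule names, the 10.20.30.0/24 network perimeter, the "Expenses" app and its policy, and the sample users are all constructed for the example (the UA_Developers group is the one used in the text).

```python
"""Model of priority-ordered sign-on rule evaluation.

Added example, not Oracle Identity Cloud Service code. The rule names, the
10.20.30.0/24 perimeter, the "Expenses" app and the sample users are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Outcomes a rule can produce.
ALLOW = "allow"
ALLOW_WITH_2SV = "allow, prompt for second factor"
DENY = "deny"


@dataclass
class SignOnAttempt:
    username: str
    groups: FrozenSet[str]
    source_ip: str
    app: Optional[str] = None  # None: signing in to a console directly


@dataclass
class SignOnRule:
    name: str
    priority: int  # assumption: a lower number is evaluated first
    matches: Callable[[SignOnAttempt], bool]
    action: str
    catch_all: bool = False  # True when the criteria match every user


@dataclass
class SignOnPolicy:
    name: str
    rules: List[SignOnRule]

    def ordered_rules(self) -> List[SignOnRule]:
        return sorted(self.rules, key=lambda r: r.priority)

    def evaluate(self, attempt: SignOnAttempt) -> Tuple[str, Optional[str]]:
        """The first rule whose criteria the attempt meets decides the outcome;
        rules with a lower priority are not consulted for this attempt."""
        for rule in self.ordered_rules():
            if rule.matches(attempt):
                return rule.action, rule.name
        # Assumption: if no rule matched, nothing granted access, so fail closed.
        return DENY, None

    def audit(self) -> List[str]:
        """Flag a catch-all rule that denies everyone or is not evaluated last."""
        warnings = []
        ordered = self.ordered_rules()
        for i, rule in enumerate(ordered):
            if not rule.catch_all:
                continue
            if rule.action == DENY:
                warnings.append(f"{rule.name}: denies every user matching no earlier rule")
            if i != len(ordered) - 1:
                shadowed = ", ".join(r.name for r in ordered[i + 1:])
                warnings.append(f"{rule.name}: not evaluated last; never reached: {shadowed}")
        return warnings


# Rule criteria.
def in_network_perimeter(*cidrs: str) -> Callable[[SignOnAttempt], bool]:
    nets = [ip_network(c) for c in cidrs]
    return lambda a: any(ip_address(a.source_ip) in n for n in nets)


def member_of(group: str) -> Callable[[SignOnAttempt], bool]:
    return lambda a: group in a.groups


def everyone(_: SignOnAttempt) -> bool:
    return True


# The default policy with the two rules from the example above, default rule last.
DEFAULT_POLICY = SignOnPolicy("Default Sign-On Policy", [
    SignOnRule("Deny blocked perimeter", 1, in_network_perimeter("10.20.30.0/24"), DENY),
    SignOnRule("UA_Developers 2-Step Verification", 2, member_of("UA_Developers"), ALLOW_WITH_2SV),
    SignOnRule("Default Sign-On Rule", 3, everyone, ALLOW, catch_all=True),
])

# A policy associated with one app (constructed): every user of it gets a second-factor prompt.
APP_POLICIES: Dict[str, SignOnPolicy] = {
    "Expenses": SignOnPolicy("Expenses Sign-On Policy", [
        SignOnRule("Expenses requires 2-Step Verification", 1, everyone, ALLOW_WITH_2SV, catch_all=True),
    ]),
}


def decide(attempt: SignOnAttempt) -> Tuple[str, Optional[str]]:
    """Use the app's own policy when it has one, otherwise the default policy."""
    policy = APP_POLICIES.get(attempt.app or "", DEFAULT_POLICY)
    return policy.evaluate(attempt)
```

Running `decide` on a UA_Developers member from 10.20.30.5 returns the deny from the perimeter rule; the same user from 203.0.113.7 is allowed with a second-factor prompt; a user in neither situation falls through to the default rule and is allowed. `audit` is the check to run before saving a policy: a catch-all rule that denies, or one that is not evaluated last, is exactly the lockout the Important note describes.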