D Changes to IDCS and OCI IAM Operations

Oracle recently merged the Identity Cloud Service (IDCS) operations into the native Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) service and no longer offers IDCS as a separate service. The following information describes the changes and what they mean for both IDCS and OCI IAM users.

As of January 17, 2022, new Oracle® Communications Security Shield Cloud Service (Security Shield) customers will manage their tenancies through OCI Identity Domain.

During February 2022, Oracle begins migrating existing IDCS instances to the new OCI Identity Domain model. Existing customers can manage their tenancies through IDCS until their migration completes.

During March 2022, tenancy management through IDCS ends. All customers manage their Security Shield tenancies through OCI Identity Domain from this date forward.

Note:

The updated service will not be deployed to all regions at once. Banners on the IDCS and OCI sign-on screens will indicate when identity domains are enabled in your region and where to find more information.

OCI Identity Domains: What Oracle IDCS Customers Need to Know

Oracle recently merged the capabilities of Oracle Identity Cloud Service (IDCS) into the native Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) service. As a native OCI service, customers will see improved performance and scale, immediate availability in more global regions, and a new cross-region disaster recovery feature.

What is OCI Identity Domain?

Oracle Cloud Infrastructure (OCI) Identity Domain is the access control plane for Oracle Cloud. An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and SAML and OAuth based Identity Provider administration.

For more information about Identity Domains, see IAM with Identity Domains and Managing Identity Domains.

What Changed for IDCS and Identity Domain?

Oracle recently made new features and capabilities available for the Oracle Cloud Infrastructure (OCI) Identity Domain service. As part of the upgraded service, Oracle migrated the features and functionality of the existing Oracle Identity Cloud Service (IDCS) into OCI Identity Domain.

OCI Identity Domain supports the following core functions:
  • OCI Identity Domain continues to serve as the critical access control plane for Oracle Cloud.
  • OCI Identity Domain supports a wide range of enterprise Identity Domain use cases for complex, hybrid IT environments.
  • OCI Identity Domain provides a developer-friendly Identity Domain engine for custom and consumer applications.

By unifying administration and user experiences across key Identity Domain functions, the new service helps simplify administration, reduce cost of ownership, and improve time-to-value. The service spans Cloud and on-premises, providing the flexibility to handle a wide variety of Identity Domain use cases across employee, partner, and consumer scenarios. As a native service of OCI, you can use the diverse feature set of OCI Identity Domain across any geography.

The updated OCI Identity Domain service introduces Identity Domains. Oracle will migrate your existing IDCS instances, called stripes, to Identity Domain instances. Existing Security Shield customers will see their access to the IDCS portal diverted to Identity Domain. No changes are required to applications, users, or groups in domains that formerly existed as IDCS instances or to local users in OCI tenancies. See Identity Domains.
  • Identity domains are the next generation of IDCS instances. Each existing IDCS instance is now an identity domain.
  • Each OCI identity domain represents a stand-alone identity and access management solution.
  • Identity domains each have their own settings, configurations, and security policies to ensure optimal security.

How Does The Upgrade to OCI Identity Domain Impact Existing Identity Cloud Service Instances?

None of the existing Oracle Identity Cloud Service (IDCS) features or functionality will change as part of the migration to Oracle Cloud Infrastructure (OCI) Identity Domain. Oracle will merge IDCS into OCI Identity Domain, where it will become an integral component.

As a native service of OCI, OCI Identity Domain takes advantage of infrastructure that offers consistently high performance, enterprise scalability, availability in all the Oracle global cloud regions, and an extensive set of regulatory compliance and security certifications.

The OCI Identity Domain service will serve all current IDCS use cases, including providing a standalone Identity as a Service (IDaaS) solution for managing access across numerous third-party applications. IDCS customers migrating to OCI Identity Domain do not need to consume any other OCI services to continue using the services previously provided by IDCS.

Oracle will prepare each IDCS instance to be managed through the OCI console as an identity domain. All existing configurations, security settings, user and group populations, and access assignments will continue to exist with no interruption. Users who authenticate through custom sign-on screens may not even know that a change occurred.

The system will re-route IDCS Administrators from the existing IDCS administrative console to the Identity Domain console where IDCS instances will be listed as OCI Identity Domains. Administrators can browse to their list of domains and will be able to manage domains in a way similar to the current IDCS console experience. See Managing Identity Domains.

The upgrade makes no changes to pricing, metering, or included features for Security Shield instances. You will continue to use your existing Security Shield entitlements and any others you are entitled to use.

What is New in OCI Identity Domain for IDCS Customers?

The migration to Oracle Cloud Infrastructure (OCI) Identity Domain and the introduction of identity domains adds Oracle Identity Cloud Service (IDCS) features natively to the OCI Identity Domain service.

  • Single-Point of Identity Domain Management—Identity administration is now available through the OCI Admin console under Identity & Security, Domains. Administrators will see the same set of features and functionality that they are used to in IDCS for managing users, groups, applications, security settings, and other configurations.
  • No Impact for Existing Users, Policies, Configuration, or Access—The OCI Identity Domain upgrade maintains all existing security policies, configurations, and user populations. Expect no impact to security settings or to the user experience. Oracle did not remove functionality or change any policy configurations.
  • Disaster Recovery—In most regions, OCI Identity Domain now provides a cross-region disaster recovery feature for recovering identity domain data in a scenario where an entire OCI region becomes unavailable. The disaster recovery feature is included and does not require any changes or updates to existing applications.

Post-Upgrade Guidance

Administrative Access

Identity Cloud Service (IDCS) Administrators become Identity Domain Administrators upon migration. Identity Domain Administrators get full access to their identity domains. Be sure that use of the OCI Administrators group is consistent with your security policies.

The Oracle® Communications Security Shield Cloud Service (Security Shield) Administrators group grants access to many aspects of the service. Oracle recommends reserving the Security Shield Administrators group for emergency scenarios, rather than for day-to-day administration of the tenancy. Best practices include:
  • discontinuing the use of the Administrators account after initial setup.
  • setting a complex password on the account.
  • storing the Administrators account credentials safely in a secure location such as a physical safe.

Where Can I Get More Information?

Use the following resources to find more information about Oracle Cloud Infrastructure (OCI) and Identity Domains.

OCI Identity Domains: What OCI Customers Need to Know

Oracle recently merged the capabilities of Oracle Identity Cloud Service (IDCS) into the native Oracle Cloud Infrastructure (OCI) service. The merger provides OCI customers with a rich, enterprise-class set of identity and access management features for use with OCI and Oracle Cloud applications.

What is OCI Identity Domain?

Oracle Cloud Infrastructure (OCI) Identity Domain is the access control plane for Oracle Cloud. An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and SAML and OAuth based Identity Provider administration.

For more information about Identity Domains, see IAM with Identity Domains and Managing Identity Domains.

What Changed for Security Shield?

Oracle recently made new features and capabilities available for the Oracle Cloud Infrastructure (OCI) Identity Domain service. As part of the upgraded service, Oracle merged all features and functionality of the existing Oracle Identity Cloud Service (IDCS) into OCI Identity Domain.

OCI Identity Domain supports the following core functions:
  • OCI Identity Domain continues to serve as the critical access control plane for Oracle® Communications Security Shield Cloud Service (Security Shield).
  • OCI Identity Domain supports a wide range of enterprise Identity Domain use cases for complex, hybrid IT environments.
  • OCI Identity Domain provides a developer-friendly Identity Domain engine for custom and consumer applications.

Identity Domain is also flexible enough to handle a wide variety of Identity Domain use cases across employee, partner, and consumer scenarios.

The updated OCI Identity Domain service introduces Identity Domains. Oracle will migrate your existing IDCS instances, called stripes, to Identity Domain instances. Existing Security Shield customers will see their access to the IDCS portal diverted to Identity Domain. No changes are required to applications, users, or groups in domains that formerly existed as IDCS instances or to local users in OCI tenancies. See Identity Domains.

Identity Domain characteristics include:
  • Each OCI Identity Domain represents a stand-alone identity and access management solution.
  • Each identity domain represents a different user population, but certain use cases may require users to exist in multiple domains.
  • Identity domains each use their own settings, configurations, and security policies to ensure optimal security.
  • OCI Identity Domain is an Identity as a Service (IDaaS) solution with the flexibility to cover virtually any Identity Domain use cases across employees, partners, and consumers.

How Do the Changes to OCI IAM Impact Existing OCI Tenancies?

OCI administrators are already familiar with the Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) service that enables authentication into OCI and management of access entitlements for OCI resources by way of OCI IAM policies. Many customers choose to use Oracle Identity Cloud Service (IDCS) to also enable more advanced IAM deployments, which creates an additional layer of IAM to manage and sometimes incurs additional cost.

The introduction of identity domains adds the following features natively to the OCI IAM service to help simplify administration and operational management.
  • Powerful IAM Functionality at No Additional Cost—Oracle brought all the enterprise IAM capabilities of IDCS into OCI IAM natively. IAM functionality such as advanced authentication techniques and user life cycle management are now natively available and included in your existing OCI tenancies for use with your subscribed* Oracle services.

    Note:

    *Upgrades are available to provide IAM support beyond subscribed Oracle services.
  • Single-Point Authentication—The OCI IAM upgrade simplifies the OCI sign-on screen.
  • Single-Point of IAM Management—Customers who previously used IDCS with OCI tenancies may notice simplified administration by way of a single pane for all users. Identity administration is now available through the OCI Admin console under Identity & Security, Domains.
  • No Impact for Existing Users, Policies, Configuration, or Access—The OCI IAM upgrade maintains all existing security policies, configurations, and user populations. Expect no impact to security settings or to the user experience. Oracle did not remove functionality or change any policy configurations.
  • Disaster Recovery—OCI IAM now provides a cross-region disaster recovery feature for recovering identity domain data in a scenario where an entire OCI region becomes unavailable. The disaster recovery feature is included and does not require any changes or updates to existing applications.

Post-Upgrade Guidance

Administrative Access

Identity Cloud Service (IDCS) Administrators become Identity Domain Administrators upon migration. Identity Domain Administrators get full access to their identity domains. Be sure that use of the OCI Administrators group is consistent with your security policies.

The Oracle® Communications Security Shield Cloud Service (Security Shield) Administrators group grants access to many aspects of the service. Oracle recommends reserving the Security Shield Administrators group for emergency scenarios, rather than for day-to-day administration of the tenancy. Best practices include:
  • discontinuing the use of the Administrators account after initial setup.
  • setting a complex password on the account.
  • storing the Administrators account credentials safely in a secure location such as a physical safe.

Where Can I Get More Information?

Use the following resources to find more information about Oracle Cloud Infrastructure (OCI) and Identity Domains.