Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Modify Security Policy For OCI Console Sign-On Policy to Disable Multi-Factor Authentication for Federated Users
Introduction
To enhance security, Oracle has seeded the “Security Policy For OCI Console” sign-on policy in all existing tenancies. In line with Oracle's best practice recommendations, you must activate it to require Multi-Factor Authentication (MFA) for users with administrative privileges on the Oracle Cloud Infrastructure (OCI) Console.
For new tenancies, the “Security Policy For OCI Console” sign-on policy is activated by default, and all users with administrative privileges must enroll in MFA to access the OCI Console.
The “Security Policy For OCI Console” sign-on policy has been seeded with two rules by default and specifically applies to the OCI Console.
Rule 1: MFA for administrators
Rule 2: MFA for all users
The “Security Policy For OCI Console” sign-on policy evaluates its rules in priority order, so the rules must be ordered deliberately. To exclude federated users from OCI MFA, we will add a new rule under the “Security Policy For OCI Console” sign-on policy and move it to the highest priority, so that it is evaluated before the two seeded rules.
For more details about this plan and for best practice recommendations from Oracle, see Oracle Cloud Infrastructure-Identity and Access Management (OCI-IAM) MFA.
Objectives
Learn about Oracle’s MFA enablement plan and how you can exclude federated users from OCI MFA when they access the OCI Console.
Prerequisites
OCI IAM administrator access to the Identity Domain that holds the sign-on policy.
Task 1: Add a new rule for federated users
- From the OCI Console main menu, navigate to Identity, Domains, select your domain, then Security, Sign On Policy, and select Security Policy for OCI Console.
Note: If your tenancy is federated with an external Identity Provider (IdP), this policy is in the Deactivated state and is not currently enforced.
- Select the Security Policy for OCI Console sign-on policy and then click Add sign-on rule.
- Enter a rule name for your corporate identity provider (for example, Rule for Federated Users) and, under Conditions, Authenticating identity provider, select your configured Identity Provider.
- Leave all other settings at their defaults and click Add sign-on rule.
Note: Only add identity providers that enforce MFA for their users. Because this rule allows federated users from your identity provider to access the OCI Console without an OCI IAM MFA challenge, your identity provider becomes solely responsible for MFA and for securing access to the OCI Console for those users.
Task 2: Edit the Priority of Sign-On Rules
- Select Rule for Federated Users and then click Edit priority.
- Move the rule to Priority 1 in the list and click Save changes. Rules are evaluated in priority order, so a federated-user rule left below Rule 1 and Rule 2 would never take effect: those rules match administrators and all users before it is reached.
Task 3: Activate the Security Policy for OCI Console
- Under the Apps section, confirm that the OCI Console application is assigned to this sign-on policy; the policy only applies to the applications listed there.
- Click Activate sign-on policy to activate the policy.
Note: The tasks and navigation in this tutorial apply to tenancies using OCI Identity Domains. If your tenancy still uses Oracle Identity Cloud Service, perform these tasks in Oracle Identity Cloud Service instead.
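The priority ordering in Task 2 is the whole point of the change, so the following Python model shows the evaluation the tutorial describes across the three tasks. This is an added example, not Oracle code and not the OCI IAM API: the rule names follow the tutorial, but the first-match evaluation, the identity-provider name corp-idp, the sign-in records and the audit() checks are constructed here to show why the federated-user rule has to sit at priority 1, what a deactivated policy means, and what a practitioner should verify before activating the policy.

```python
"""Added illustration for this tutorial, not Oracle code and not the OCI IAM
API: a model of a priority-ordered, first-match sign-on policy deciding
whether OCI IAM prompts for MFA.  Rule names mirror the tutorial; the
identity-provider name, sign-in records and checks are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TRUSTED_IDP = "corp-idp"  # assumed name of the federated identity provider


@dataclass(frozen=True)
class SignIn:
    user: str
    is_admin: bool
    identity_provider: Optional[str] = None  # None = local OCI IAM sign-in


@dataclass
class Rule:
    name: str
    priority: int  # 1 is evaluated first
    matches: Callable[[SignIn], bool]
    require_mfa: bool  # True = OCI IAM prompts for MFA when this rule matches


def seeded_policy() -> List[Rule]:
    """The two rules the tutorial says Oracle seeds by default."""
    return [
        Rule("MFA for administrators", 1, lambda s: s.is_admin, True),
        Rule("MFA for all users", 2, lambda s: True, True),
    ]


def federated_rule() -> Rule:
    """Task 1: allow users authenticated by the trusted IdP without OCI MFA."""
    return Rule("Rule for Federated Users", 0,
                lambda s: s.identity_provider == TRUSTED_IDP, False)


def add_rule(rules: List[Rule], rule: Rule) -> List[Rule]:
    """A newly added rule lands at the bottom of the list (lowest priority)."""
    rule.priority = len(rules) + 1
    return rules + [rule]


def set_priority(rules: List[Rule], name: str, new_priority: int) -> List[Rule]:
    """Task 2: move one rule and renumber the rest so priorities stay 1..n."""
    ordered = sorted(rules, key=lambda r: r.priority)
    moving = next(r for r in ordered if r.name == name)
    ordered.remove(moving)
    ordered.insert(new_priority - 1, moving)
    for i, r in enumerate(ordered, start=1):
        r.priority = i
    return ordered


def evaluate(policy_active: bool, rules: List[Rule], s: SignIn) -> Tuple[str, bool]:
    """Return (matched rule, whether OCI IAM prompts for MFA) for one sign-in.
    A deactivated policy enforces nothing; otherwise the first match wins."""
    if not policy_active:
        return ("policy deactivated", False)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(s):
            return (rule.name, rule.require_mfa)
    return ("no rule matched", False)


def audit(policy_active: bool, rules: List[Rule], console_app_assigned: bool) -> List[str]:
    """Task 3 pre-flight: findings a practitioner wants empty before activating."""
    findings = []
    fed = [r for r in rules if r.name == "Rule for Federated Users"]
    if not fed:
        findings.append("no federated-user rule: federated users get OCI MFA prompts")
    elif fed[0].priority != 1:
        findings.append("federated-user rule is not priority 1: seeded rules match first")
    if not console_app_assigned:
        findings.append("OCI Console app is not assigned to the policy")
    if not policy_active:
        findings.append("policy is deactivated: no OCI MFA for anyone")
    return findings


if __name__ == "__main__":
    rules = add_rule(seeded_policy(), federated_rule())      # Task 1
    fed_admin = SignIn("alice", is_admin=True, identity_provider=TRUSTED_IDP)
    print("before reordering:", evaluate(True, rules, fed_admin))
    rules = set_priority(rules, "Rule for Federated Users", 1)  # Task 2
    print("after reordering: ", evaluate(True, rules, fed_admin))
    print("local admin:      ", evaluate(True, rules, SignIn("bob", True)))
    print("audit findings:   ", audit(True, rules, True))      # Task 3
```

Running the constructed sequence shows that with the new rule left at the bottom, a federated administrator still hits Rule 1 and receives an OCI MFA prompt; moving it to priority 1 hands MFA entirely to the identity provider, which is why the note in Task 1 matters. The audit() checks are the three things to confirm before clicking Activate: the rule is at priority 1, the OCI Console app is assigned, and the policy is about to be active rather than left deactivated.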
Acknowledgments
Author - Chetan Soni (Cloud Solutions Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F87318-01
September 2023
Copyright © 2023, Oracle and/or its affiliates.