The image shows the logical architecture for setting up an OCI IAM Identity Domain environment. It contains two sections, anon-premises implementation and an OCI account.

The on-premises section contains either an identity provider or availability domain comprising three directories: a development users directory, a test users directory, and a production users directory. The OCI account contains admins and a default availability domain. Beneath that, there are three environments: a development environment, a text environment, and a production environment. Each of these environments contains users respective to their environment; i.e., dev users, test users, and production users. The also each contain a respective OCI IAM indentity domain and instances of Oracle SaaS (for example, ERP, HCM, EPM, and OTM), Oracle PaaS, and other third party applications.

Traffic travels between the on-premises directories and the OCI IAM indentity domains through IDP federation. It also travels between the on-premises directories and the users through OCI IAM identity domains. This traffic is then distributed to the various applications and services through each environment's OCI IAM indentity domain.