Learn About Migrating from an On-Premises Access Management System to Oracle Identity Cloud Service

Customers are starting to evolve from using an on-premises application environment to an environment that contains both on-premises and cloud applications, or are replacing some on-premises applications with cloud applications.

An on-premises environment:
  • Contains applications from multiple vendors, but the applications may rely on a unique, proprietary, and central authentication mechanism (the corporate authentication mechanism).
  • Has applications that are tightly coupled to this authentication mechanism.
  • Is utilized by users who are familiar with the authentication flow and sign-on screen that are provided by this authentication mechanism.

On the other hand, cloud applications:

  • Come from multiple vendors, each using their own central authentication mechanism or no central authentication mechanism at all.
  • Are loosely coupled with their authentication mechanism. For this reason, you can replace this authentication mechanism with an external mechanism.
  • Are utilized by users who are shielded from the cloud environment's authentication flow.
  • Require less effort to integrate with other applications, because they follow standards.

Before You Begin

Oracle Identity Cloud Service provides identity management, single sign-on (SSO), and identity governance for applications on-premises, in the cloud, or on mobile devices. Users can securely access applications at any time, from anywhere, and on any device. Oracle Identity Cloud Service integrates directly with existing directories and identity management systems, and makes it easy for users to access applications. It provides the security platform for Oracle Cloud, which allows users to securely and easily access, develop, and deploy business applications and platform services.

Reasons for migrating from an on-premises access management system to Oracle Identity Cloud Service:

  • Integrated infrastructure and platform services to enable simpler and more efficient business.
  • The ability to deliver faster time to market for new security initiatives.
  • A strict adherence to security standards to meet compliance requirements.
  • A consolidated platform for many Oracle and non-Oracle applications.

Oracle Identity Cloud Service is flexible enough that both your cloud and on-premises applications can work with it. However, time and effort are needed to enable cloud and on-premises applications to function so that users can access these applications through SSO. For this reason, Oracle provides you with a roadmap to migrate your on-premises access management system to Oracle Identity Cloud Service in stages.

This solution provides details about the roadmap, explains its stages, discusses how you can identify the stage that best fits your needs, and explains how to migrate from one stage to another.


The roadmap to migrate your environment from an on-premises access management system to Oracle Identity Cloud Service comprises four stages. These stages progress from completely isolated on-premises and cloud environments to a fully integrated environment. For each stage, the roadmap describes the benefits, the goals, the tasks required to reach it, and the requirements to proceed to the next stage.

The following diagram highlights the major architectural components of each stage:

In this architectural diagram, the on-premises access management system represents the legacy authentication mechanism, and Oracle Identity Cloud Service represents the cloud-based one. The corporate user trusted source is represented by an enterprise Lightweight Directory Access Protocol (LDAP). The on-premises applications are grouped by integration methods, such as OAuth, SAML, reverse proxy methods, and so on.

About the Roadmap

The stages of the roadmap are called hybrid cloud stages because they represent on-premises and cloud-based applications coexisting in a customer's environment.

  • In the first stage, your on-premises environment is completely segregated from the cloud environment.
  • The integration of the two environments begins in the second stage, when you integrate your on-premises authentication mechanism as an identity provider with Oracle Identity Cloud Service as a service provider. As a result, you can access your applications through single sign-on (SSO). SSO happens transparently to the user because the sign-in process hasn't changed.
  • In the third stage, you reconfigure or rebuild your on-premises applications to integrate them directly with Oracle Identity Cloud Service.
  • In the fourth stage, the dependency on the on-premises access management system is removed completely: all applications use the Oracle Identity Cloud Service SSO mechanism, and you can enhance security for your sign-in process. You can set up sign-in and identity provider policies, configure Multi-Factor Authentication (MFA), enable Adaptive Security, and customize the Oracle Identity Cloud Service Sign In page.

For stages 2, 3, and 4, Oracle Identity Cloud Service must be able to synchronize users with your corporate user store. You can propagate users created in your enterprise Lightweight Directory Access Protocol (LDAP) directory into Oracle Identity Cloud Service so that they can sign in to Oracle Identity Cloud Service through SSO. If you remove users from the LDAP directory, then they are also deleted from Oracle Identity Cloud Service, and they can't sign in to access resources that are protected by Oracle Identity Cloud Service.
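
The synchronization rule above can be checked by reconciling an export of LDAP user IDs against an export of cloud accounts. The following is an added example, not Oracle code and not part of the original page; it calls no Oracle API, and the `CloudUser` record, its `origin` field, and all sample data are assumptions constructed for illustration.

```python
"""Audit the sync invariant: LDAP is the trusted source for synced cloud users."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudUser:
    username: str
    origin: str   # hypothetical field: "ldap" if synced, "local" if cloud-only
    active: bool


def normalize(name: str) -> str:
    # Compare logins case-insensitively and ignore stray whitespace.
    return name.strip().lower()


def audit_sync(ldap_uids, cloud_users):
    """Report users not yet propagated and synced accounts with no LDAP entry."""
    ldap = {normalize(u) for u in ldap_uids}
    # Only accounts that were synced from LDAP are in scope for the invariant.
    synced = {normalize(c.username): c for c in cloud_users if c.origin == "ldap"}
    orphans = {n: c for n, c in synced.items() if n not in ldap}
    return {
        # Present in LDAP but absent from the cloud: these users cannot use SSO.
        "missing_in_cloud": sorted(ldap - set(synced)),
        # Removed from LDAP but still able to sign in: a deprovisioning gap.
        "orphaned_active": sorted(n for n, c in orphans.items() if c.active),
        # Removed from LDAP and disabled, but not yet deleted.
        "orphaned_inactive": sorted(n for n, c in orphans.items() if not c.active),
    }


# Constructed sample data (not from any real tenant).
LDAP_UIDS = ["alice", "Bob", "carol"]
CLOUD_USERS = [
    CloudUser("alice", "ldap", True),
    CloudUser("bob", "ldap", True),
    CloudUser("dave", "ldap", True),          # removed from LDAP, still active
    CloudUser("erin", "ldap", False),         # removed from LDAP, deactivated
    CloudUser("breakglass", "local", True),   # cloud-only account, out of scope
]

if __name__ == "__main__":
    for finding, names in audit_sync(LDAP_UIDS, CLOUD_USERS).items():
        print(f"{finding}: {names}")
```

Any name under `orphaned_active` is an account that the page's rule says should no longer be able to sign in, so it is the finding to investigate first.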