About Multiple Instances

Customers want to have separate environments for a single cloud service or application (for example, one environment for development and one for production).

Each environment may have different identity and security requirements, so customers need separate environments to meet them. You can create and manage multiple instances of Oracle Identity Cloud Service to protect your applications and Oracle Cloud services.

There are several benefits of using multiple instances of Oracle Identity Cloud Service. By having separate Oracle Identity Cloud Service environments, the users who work in one environment won't impact the work of users in another environment. Using multiple instances can help you maintain the isolation of administrative control over each environment. This is necessary if, for example, your security standards prevent development user IDs from existing in the production environment, or require that different administrators have control over different environments.
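The isolation described above is a policy, not something the service enforces: a user name can exist in both instances as two unrelated accounts. The following script, an added example that is not part of the Oracle documentation, audits two instances for the violations the paragraph names (development user IDs present in production, and administrators who exist on both sides). It assumes each instance's users were exported to CSV with "User Name" and "Groups" columns (an assumed layout; adjust the column names to your export), and the two exports below are constructed sample data.

```python
"""Cross-instance isolation check for Oracle Identity Cloud Service user exports.

Added example, not Oracle's own code. Assumes per-instance CSV exports with
"User Name" and "Groups" columns (assumed layout); groups are ";"-separated.
"""
import csv
import io

# Constructed sample exports (not real data).
DEV_EXPORT = """User Name,Email,Groups
angela.johnson,angela.johnson@example.com,Administrators;Developers
dev.tester1,tester1@example.com,Developers
svc.build,build@example.com,CI
shared.admin,shared@example.com,Administrators
"""

PROD_EXPORT = """User Name,Email,Groups
lyle.robert,lyle.robert@example.com,Administrators
dev.tester1,tester1@example.com,Users
ops.oncall,oncall@example.com,Operators
shared.admin,shared@example.com,Users
"""


def load_users(export_text):
    """Parse a CSV export into {user_name: set(groups)}; names are case-folded."""
    users = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["User Name"].strip().lower()
        groups = {g.strip() for g in row["Groups"].split(";") if g.strip()}
        users[name] = groups
    return users


def shared_user_names(dev, prod):
    """User names present in both instances (violates 'no dev IDs in prod')."""
    return sorted(set(dev) & set(prod))


def cross_instance_admins(dev, prod, admin_group="Administrators"):
    """Accounts that administer one instance and also exist in the other.

    A shared user name is still two separate accounts with separate passwords,
    but it defeats the 'different administrators per environment' standard.
    """
    found = set()
    for name, groups in dev.items():
        if admin_group in groups and name in prod:
            found.add(name)
    for name, groups in prod.items():
        if admin_group in groups and name in dev:
            found.add(name)
    return sorted(found)


def isolation_report(dev_export, prod_export):
    """Run both checks and return the findings as a dict of sorted name lists."""
    dev = load_users(dev_export)
    prod = load_users(prod_export)
    return {
        "shared_user_names": shared_user_names(dev, prod),
        "cross_instance_admins": cross_instance_admins(dev, prod),
    }


if __name__ == "__main__":
    for check, names in isolation_report(DEV_EXPORT, PROD_EXPORT).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run it against real exports from both instances after every onboarding wave; an empty report is the evidence that the separation the paragraph promises actually holds.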

When multiple instances are used, you have a primary instance (the instance that comes with your Oracle Cloud account) and one or more secondary (additional) instances. The cloud account administrator is the owner of the primary instance. This administrator can:

  • Create secondary instances and be the identity domain administrator for them.
  • Create secondary instances and, as part of the instance creation process, assign users to be identity domain administrators of the instances.
  • Delegate the creation of secondary instances to other administrators.

The identity domain administrator is assigned to the secondary instance during the creation of the instance. Although the identity domain administrator of a secondary instance may have the same user name as a user in the primary instance, they are different users who might have different privileges in each instance, and will have separate passwords. This administrator can switch between the primary and secondary instances to work in each instance. See Identify and Switch Instances for more information about how to switch instances.

The identity domain administrator of a secondary instance has superuser privileges of that instance and can use the Oracle Identity Cloud Service feature set of the instance. In the secondary instance, the identity domain administrator can:

  • Manage users, groups, applications, system configuration, and security settings.
  • Perform delegated administration by assigning users to different administrative roles.
  • Enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors.
  • Create self-registration profiles to manage different sets of users, approval policies, and applications.

Regarding secondary instances, there are no new administrator or user processes to learn. The process to perform any administrator or user task in a secondary instance is identical to the process for performing it in the primary instance.

Important: The identity domain administrator of a secondary instance can't create another secondary instance from within their instance; there's no parent-child relationship between secondary instances. All secondary instances must be created from the cloud account, either by the cloud account administrator or by another administrator to whom the cloud account administrator has granted permission to do so. In addition to the primary instance that comes with the cloud account, the cloud account administrator or a delegated administrator can create up to nine secondary instances.

The figure below shows an example of the relationship among various administrators of multiple instances.

Figure shows an example of the relationship among various administrators of multiple instances

In Example Corp, Mark Franklin is the cloud account administrator of the examplecorp cloud account, and is the owner of the primary Oracle Identity Cloud Service instance. He has superuser privileges for this cloud account. Mark wants to have separate Oracle Identity Cloud Service environments for development and production purposes. He creates a user account for Jerome Travers, Example Corp's IT manager, and assigns the Identity Instance Creation cloud account role to him. This role gives Jerome the permissions to create and manage Oracle Identity Cloud Service secondary instances. By assigning the Identity Instance Creation role to Jerome, Mark delegates the creation of secondary instances to Jerome.

Jerome creates two secondary instances and assigns Angela Johnson, Example Corp's development manager, to be the identity domain administrator of the development instance, and Lyle Robert, Example Corp's production manager, to be the identity domain administrator of the production instance. Because they're identity domain administrators, Angela and Lyle have superuser privileges for their respective secondary Oracle Identity Cloud Service instances. They can manage users, groups, applications, and configuration data in their instances. All work that happens in one instance is isolated from work performed in the other instance so there's a complete separation of work in the development and production instances.

The diagram below shows the scenario in which Jerome Travers creates a secondary instance and assigns himself to be the identity domain administrator for that instance. Jerome now has access to two instances:
  • The primary instance because Mark Franklin, the cloud account administrator, created an account for Jerome in that instance and assigned the Identity Instance Creation role to him.
  • The secondary instance because Jerome is the identity domain administrator of that instance.

This diagram illustrates Jerome Travers having access to both a primary and a secondary instance.

If Jerome signs in to Oracle Identity Cloud Service through the secondary instance, accesses the Oracle Cloud Infrastructure Classic Console, and clicks the Identity Domain menu in the upper-right corner, below the top menu bar, then two menu items appear: one for the primary instance and one for the secondary instance.

Jerome can use the Identity Domain menu to switch to the console associated with the primary Identity Cloud Service instance. He can perform actions associated with any roles assigned to him for either the primary or secondary instance. Because Mark assigned the Identity Instance Creation role to him for the primary instance, Jerome can create other secondary instances for the cloud account.

The following table lists the different steps that must be performed to set up secondary instances, the administrators involved for each instance, and what each administrator's tasks are for a particular step.

Table 1-1 Example of Administrative Responsibilities During a Typical Workflow of Setting Up Multiple Instances

Step 1: Set up the Oracle Cloud account.
  Cloud account administrator:
    • Receives the cloud account administrator and identity domain administrator roles for the primary instance.
    • Signs in to Oracle Identity Cloud Service to reset their password.
    • Accesses the Oracle Cloud Infrastructure Classic Console from the Identity Cloud Service console.
  Administrator assigned to the Identity Instance Creation role: no responsibilities.
  Secondary Instance 1 administrator (for example, Development): no responsibilities.
  Secondary Instance 2 administrator (for example, Production): no responsibilities.

Step 2: Create a user in the primary instance.
  Cloud account administrator:
    • Creates an account for the user who will create or manage secondary instances.
  Administrator assigned to the Identity Instance Creation role: no responsibilities.
  Secondary Instance 1 administrator: no responsibilities.
  Secondary Instance 2 administrator: no responsibilities.

Step 3: Delegate the ability to create or manage secondary instances.
  Cloud account administrator:
    • Assigns the Identity Instance Creation cloud account role to this user so that the user can create, modify, and remove secondary instances. See Before Creating a Secondary Instance to learn more about how to assign this cloud account role.
  Administrator assigned to the Identity Instance Creation role:
    • Receives a notification that contains information about how to sign in to the primary Oracle Identity Cloud Service instance of the Oracle Cloud account.
    • Uses the Access your Cloud Services link in the notification to sign in with their user name and the temporary password that's generated by Oracle Identity Cloud Service.
    • Resets their password.
    • Clicks the Dashboard link on the Guided Journey page of the Oracle Cloud Infrastructure Classic Console to create or manage a secondary instance.
  Secondary Instance 1 administrator: no responsibilities.
  Secondary Instance 2 administrator: no responsibilities.

Step 4: Create a secondary instance (for example, Development).
  Cloud account administrator: no responsibilities.
  Administrator assigned to the Identity Instance Creation role:
    • Creates a secondary Development instance.
    • Assigns the Secondary Instance 1 administrator to be the owner of this instance.
  Secondary Instance 1 administrator:
    • Becomes an identity domain administrator of the secondary instance.
    • Receives a notification email regarding this new administrator role as well as how to sign in to the secondary Oracle Identity Cloud Service instance of the Oracle Cloud account.
    • Clicks the link to the right of the Admin Console URL field to access the Identity Cloud Service console for this instance.
    • Resets their password.
  Secondary Instance 2 administrator: no responsibilities.

Step 5: Create a secondary instance (for example, Production).
  Cloud account administrator: no responsibilities.
  Administrator assigned to the Identity Instance Creation role:
    • Creates a secondary Production instance.
    • Assigns the Secondary Instance 2 administrator to be the owner of this instance.
  Secondary Instance 1 administrator: no responsibilities.
  Secondary Instance 2 administrator:
    • Becomes an identity domain administrator of the secondary instance.
    • Receives a notification email regarding this new administrator role as well as how to sign in to the secondary Oracle Identity Cloud Service instance of the Oracle Cloud account.
    • Clicks the link to the right of the Admin Console URL field to access the Identity Cloud Service console for this instance.
    • Resets their password.

Step 6: Administer the secondary instances.
  Cloud account administrator: no responsibilities.
  Administrator assigned to the Identity Instance Creation role: no responsibilities.
  Secondary Instance 1 administrator:
    • Uses the Identity Cloud Service console to create and manage more users, if needed, in this secondary instance, as well as to perform additional tasks as an identity domain administrator.
  Secondary Instance 2 administrator:
    • Uses the Identity Cloud Service console to create and manage more users, if needed, in this secondary instance, as well as to perform additional tasks as an identity domain administrator.

Oracle Identity Cloud Service instances can also be created in data regions that are different from the data region that customers designate when they sign up for Oracle Cloud (the home data region). Before creating secondary instances in another data region, customers must extend their subscription to that region. They can then use the Oracle Cloud Infrastructure Classic Console to create secondary instances for the region. See Extending Your Subscription to Another Data Region.

The figure below shows an example of the relationship among administrators of instances in multiple data regions.

This diagram illustrates an example of the relationship between administrators of multiple data regions

In Example Corp (examplecorp), Mark Franklin, the cloud account administrator, extends the company's subscription to the Latin America (LAD) data region. Mark then creates a user account for Bruce Collins, Example Corp's IT manager for LAD, and assigns the Identity Instance Creation role to him. This role gives Bruce permissions to create and manage Oracle Identity Cloud Service secondary instances.

Bruce creates the latinamericaprod secondary instance and assigns himself to be the identity domain administrator of that instance. He can use the Identity Cloud Service console to manage users, groups, applications, and configuration data in the instance.

To learn more about the Identity Cloud Service console, see Access Service Consoles.

Note:

The instructions in the rest of this section describe how to create and manage multiple instances through the Identity Cloud Service console. To learn how to perform these same tasks using the Instance Management feature, see Manage Oracle Identity Cloud Service Secondary Instances.

Before Creating a Secondary Instance

Before you create a secondary instance for Oracle Identity Cloud Service, ensure that:

  • You've either set up an Oracle Cloud account or had an account created for you. See Create Users and Assign Roles in Getting Started with Oracle Cloud.
  • You're either the cloud account administrator or you've been assigned to the Identity Instance Creation role so that you can create the secondary instance. See Learn About Cloud Account Roles in Getting Started with Oracle Cloud.
  • You're in the primary instance of the data region for which you want to create a secondary instance. See Identify and Switch Instances.
  • You're familiar with the pricing model for your instance. This pricing model represents the billing metric for the instance you're creating. See Understanding the User Per Month Pricing Model for more information about this pricing model.

Create a Secondary Instance

From the Oracle Cloud Infrastructure Classic Console, you can create a secondary instance for Oracle Identity Cloud Service.

To create this secondary instance, use the Identity Domain menu to select the primary instance of the data region for which you want to create the secondary instance. See Identify and Switch Instances for more information about using the Identity Domain menu.

Only cloud account administrators or administrators who have been assigned to the Identity Instance Creation cloud account role can create a secondary instance.

Each Oracle Identity Cloud Service instance has an instance name and a URL. The instance name is assigned to your instance for Oracle Identity Cloud Service when it's created. The name must be unique within the identity domain.

If you're a user who's assigned to be the administrator of the secondary instance, then use the URL in the notification email that's sent to you to access the instance. If you're a cloud account administrator, then you can access the URL from the Oracle Cloud Infrastructure Classic Console.

If you exceed the maximum number of instances that you can create, then you’ll get an error when you click Create Instance from the console.

  1. Log in to the Identity Cloud Service console.
  2. On the Oracle Cloud home page, click the Oracle Cloud page header.
  3. If you aren't already on the Oracle Cloud Infrastructure Classic page:
    1. Click the avatar icon, and then select Service User Console.
    2. On the Oracle Cloud My Home page, click the Oracle Cloud My Home page header to go to the Oracle Cloud Infrastructure Classic page.
  4. In the Oracle Cloud Infrastructure Classic Console, use the Identity Domain menu to select the primary instance of the data region for which you want to create a secondary instance, and then click Create Instance.
  5. In the Create Instance dialog box, click the All Services tab.
  6. In the Identity Cloud box, click Create. The Create New Oracle Identity Cloud Service Instance wizard opens. This wizard steps you through the process of creating an instance.
  7. Complete the Instance Details page. Specify the following:
    1. Name: Specify a unique name for your instance. This name identifies your service within your identity domain. The instance name must start with a letter, and can have up to 25 lowercase letters and numbers. You can't use spaces and special characters. The name that you provide will appear on Oracle Identity Cloud Service's Sign In page for that instance.
    2. From the Plan list, select Oracle Identity Cloud Service.
    3. License Type: Specify the User per Month pricing model for your instance.
    4. In the Initial Administrator Details section, specify the administrator credentials for the instance that you're creating. Enter the email address, user name, first name, and last name, as required, in the respective fields.

      To have the administrator access the Oracle Cloud Infrastructure Classic Console with their email address, select the Use email as user name check box, and then in the Email field, enter the email address for the administrator account.

      To have the administrator access this console with a separate user name, leave that check box cleared, and then, in the User Name field, enter the user name for the administrator.

      If you’re entering an existing administrator's login credentials, then ensure that the email address and user name are correct. Administrator details are populated automatically based on the logged-in user’s details only if such information is available.

      If you're assigning a user to be the administrator of this instance, and this user is already the administrator of either the primary instance or another secondary instance, then the user can switch between the instances to work in each instance. See Identify and Switch Instances for more information about how to switch instances.

  8. Click Create.
  9. In the Confirmation window, click Create.

The instance is created and the status of the instance is set to Initialized. Oracle Cloud sends a Your new Oracle Identity Cloud Service instance in Cloud Account <cloudaccountname> is ready email notification to the administrator of the instance when the instance is active and ready to use. <cloudaccountname> is a placeholder for the name of the Oracle Cloud account that was used to create the secondary instance. For example, if the name of the cloud account is examplecorp, then the subject of the notification will appear as Your new Oracle Identity Cloud Service instance in Cloud Account examplecorp is ready.

Notification containing information about the new Oracle Identity Cloud Service instance

The notification contains details about the user name and password for the administrator of the secondary instance as well as how this administrator can use this information to access both the Oracle Cloud Infrastructure Classic Console (Access your Cloud Services) and the Identity Cloud Service console (Admin Console URL).

Use the Oracle Cloud Infrastructure Classic Console to access the Overview tab of the Service: Oracle Identity Cloud Service page to verify that the instance you created appears. See Modify a Secondary Instance to learn how to access this tab.

You can click the instance name (for an active instance) or you can click the Open Service Console link to access the Identity Cloud Service console. For more information on managing the service instance, see Verify That Your Services Are Ready and Manage Your Oracle Cloud Service in Getting Started with Oracle Cloud.

Identify and Switch Instances

Important: If you're a subscriber to the Universal Credits pricing model, then this Oracle Identity Cloud Service feature is available.

After you create a secondary Oracle Identity Cloud Service instance, there are two instances: the primary instance and the secondary instance.

To ensure that you're accessing the secondary instance, and not the primary one, it's important that you learn how to distinguish when you're accessing the primary or secondary instance, and how to switch between them.

You can identify and switch instances from one of the following locations:

  • Sign In page: If you're signing in to the secondary instance, then the name of the secondary instance appears in parentheses after the name of the Oracle Cloud account. For example, if the name of the Oracle Cloud account is examplecorp and the name of the secondary instance is development, then examplecorp (development) appears on the Sign In page. If you're signing in to the primary instance of your home data region, then only the Oracle Cloud account name appears on the Sign In page (for this example, examplecorp). If you're signing in to the primary instance of another data region, then the name of the instance appears in parentheses after the name of the Oracle Cloud account. For example, if the name of the primary instance is identityLAD, then examplecorp (identityLAD) appears on the Sign In page.

  • Oracle Cloud Infrastructure Classic Console: If you have been assigned to the Identity Instance Creation cloud account role in the primary instance or you have been designated to be the identity domain administrator of the secondary instance, then you can access this console. To use the Oracle Cloud Infrastructure Classic Console to switch between instances, a user must sign in to the secondary instance.

    If you have access to this console and you click the Identity Domain menu in the upper-right corner, below the top menu bar, then menu items appear. These menu items represent the primary and secondary instances that you have for all of your data regions. See Extending Your Subscription to Another Data Region.

    The top-most menu item is the primary instance of your home data region (for example, examplecorp - North America). The primary instance of the home data region is represented by the name of the cloud account and the name of the data region. All other primary and secondary instances contain the name of the cloud account, the name of the data region, and the name of the instance.

    The Identity Domain menu lists the instances for each region.

    In this example, Example Corp (examplecorp) has signed up for Oracle Cloud and designated North America as its home data region. Then the subscription has been extended to the Latin America (LAD) data region. Because North America is the home data region, the primary instance appears as examplecorp - North America. examplecorp - North America - development and examplecorp - North America - production are secondary instances of this data region.

    For the LAD data region, examplecorp - LAD - identityLAD is the primary instance and examplecorp - LAD - latinamericaprod is the secondary instance.

    One menu item that appears in the Identity Domain menu is labeled (traditional). For this example, this item is examplecorp - North America (traditional). This is associated with a traditional cloud account which doesn't apply if you're using multiple instances.

    If you're a user who has been assigned to be the identity domain administrator of secondary instances, then you'll see the primary instance and those instances to which you've been assigned.

    If you have signed in using a secondary instance then an Info box appears, alerting you that you're in a secondary instance.

    Figure 1-1 Secondary Instance Info Notification


    This Info notification alerts you that you are in a secondary instance.

    Although the Info box doesn't identify the name of the secondary instance, it's useful to confirm that you have signed in using a secondary instance of Identity Cloud Service.

  • Navigation Drawer: In the Oracle Cloud Infrastructure Classic Console, expand the Navigation Drawer, and then expand Users. All of the data regions for which you have primary and secondary instances appear. See Extending Your Subscription to Another Data Region.

    By default, the first data region that appears is your home data region. All other data regions for which you have primary and secondary instances appear below the home data region.

    When you expand a data region, the first instance that appears is the primary instance. All secondary instances appear below the primary instance in the order that they were created.

    For the home data region, the primary instance appears as identity (Primary). For all other data regions, the primary instance appears as identity<data_region>. For example, if you have a primary instance for the LAD data region, then it would appear as identityLAD.

    This figure shows the navigation drawer menu for regions.

    For this example, Example Corp has subscribed to two data regions: one in North America and one in Latin America (LAD). Because the North America data region is the home data region, the primary instance appears as identity (Primary). development and production are secondary instances of the North America data region.

    For the LAD data region, identityLAD is the primary instance and latinamericaprod is the secondary instance.

    If you click the name of an instance, the User Management page appears for that instance. In the User Management page, click Identity Console in the upper-right corner and the Identity Cloud Service console opens.

  • Identity Cloud Service console: The names of both the primary or secondary instance and the Oracle Cloud account that was used to create this instance appear in this console. To access this information, click the user icon in the upper-right corner of the console, and then select About from the drop-down menu. The Cloud Account Name and Instance Name fields display the names of the Oracle Cloud account and the instance.

Important: By default, there's no single sign-on between Identity Cloud Service instances. If you switch between Identity Cloud Service instances, then you must sign in to each instance.
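Because there is no single sign-on between instances, the label on the Sign In page and the entry in the Identity Domain menu are the only cues that stop an administrator from entering production credentials into the development instance (or the reverse). The helper below is an added example, not code from the Oracle documentation: it encodes the label conventions described in this section (Identity Domain menu entries such as examplecorp - North America - development, Sign In page labels such as examplecorp (development)) and the instance-name rule from the Create a Secondary Instance wizard (starts with a letter, up to 25 lowercase letters and digits). Treating identity<region> as the primary instance of a non-home region follows the page's identityLAD example and is an assumed convention; the menu entries in the demo are constructed to match the Example Corp scenario.

```python
"""Helpers for telling Oracle Identity Cloud Service instances apart.

Added example, not Oracle's own code. Encodes the label conventions the
documentation describes; the identity<region> rule for a non-home region's
primary instance is an assumption drawn from the identityLAD example.
"""
import re

# Wizard rule: starts with a letter, at most 25 lowercase letters and digits.
INSTANCE_NAME_RE = re.compile(r"[a-z][a-z0-9]{0,24}")


def valid_instance_name(name):
    """True if name satisfies the Create Instance wizard's naming rule."""
    return INSTANCE_NAME_RE.fullmatch(name) is not None


def parse_identity_domain_label(label):
    """Split an Identity Domain menu entry into account, region, instance, kind.

    kind is one of "primary-home", "primary", "secondary", "traditional".
    """
    label = label.strip()
    traditional = label.endswith("(traditional)")
    if traditional:
        label = label[: -len("(traditional)")].strip()
    parts = [p.strip() for p in label.split(" - ")]
    if len(parts) == 2:
        account, region = parts
        kind = "traditional" if traditional else "primary-home"
        return {"account": account, "region": region, "instance": None, "kind": kind}
    if len(parts) == 3:
        account, region, instance = parts
        # Assumption: a non-home region's primary instance is named identity<region>.
        region_primary = "identity" + region.replace(" ", "")
        kind = "primary" if instance.lower() == region_primary.lower() else "secondary"
        return {"account": account, "region": region, "instance": instance, "kind": kind}
    raise ValueError(f"unrecognized Identity Domain label: {label!r}")


def expected_sign_in_label(parsed):
    """The text the Sign In page should show for this instance.

    Home-region primary: the account name alone. Any other instance: the
    account name followed by the instance name in parentheses. Compare this
    with the page before entering credentials; with no SSO between
    instances, the prompt is the only confirmation of where you are.
    """
    if parsed["kind"] == "primary-home":
        return parsed["account"]
    if parsed["kind"] == "traditional":
        # Traditional cloud accounts are outside the multiple-instance model.
        return parsed["account"]
    return f'{parsed["account"]} ({parsed["instance"]})'


def instances_from_menu(labels):
    """Parse every menu entry and drop the (traditional) account entry."""
    parsed = [parse_identity_domain_label(item) for item in labels]
    return [p for p in parsed if p["kind"] != "traditional"]


if __name__ == "__main__":
    # Constructed menu matching the Example Corp scenario in the documentation.
    menu = [
        "examplecorp - North America",
        "examplecorp - North America - development",
        "examplecorp - North America - production",
        "examplecorp - LAD - identityLAD",
        "examplecorp - LAD - latinamericaprod",
        "examplecorp - North America (traditional)",
    ]
    for entry in instances_from_menu(menu):
        print(f'{entry["kind"]:13} {entry["region"]:14} '
              f"Sign In page shows: {expected_sign_in_label(entry)}")
```

A practical use is a pre-flight check in an operations runbook: the administrator pastes the Identity Domain entry they selected, and the script tells them what the Sign In page must read before they type a password.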

Modify a Secondary Instance

If you need to change information about a secondary instance, then you can modify it.

Prerequisite: You can modify a secondary instance only if you created the instance or are the administrator of that instance.

You may want to modify a secondary instance (for example, change the tier of its pricing model).

For the secondary instance, you may have selected the Foundation tier of the User per Month pricing model. However, you may want one of the Standard tiers so that you can integrate Oracle Identity Cloud Service with other Oracle Cloud services, such as Oracle Platform-as-a-Service and Software-as-a-Service, and with custom applications hosted on those services that use its identity management features and SSO.

You can change your license from Enterprise to any of the choices that say Monthly. No other license changes are permitted.


  1. Log in to the Identity Cloud Service console.
  2. On the Oracle Cloud home page, click the Oracle Cloud page header.
  3. If you aren't already on the Oracle Cloud Infrastructure Classic page:
    1. Click the avatar icon, and then select Service User Console.
    2. On the Oracle Cloud My Home page, click the Oracle Cloud My Home page header to go to the Oracle Cloud Infrastructure Classic page.
  4. On the Oracle Cloud Infrastructure Classic page, in the Active Services section, locate the Identity Cloud tile.
  5. Click the Action menu in the tile, and then select View Details. The Overview tab of the Service: Oracle Identity Cloud Service page appears. In this tab, the Service Instances pane lists all available instances.
  6. To filter the list, select from the following type of instances:
    • Active: Lists all active and available instances.
    • Inactive: Lists all instances that don't have an Active status. For example, you might see instances with the following statuses: Initialized, Initialization-in-progress, Canceled, Terminated, or Termination-in-progress.
    • All: Lists all instances.
  7. Locate the secondary instance that you want to modify.
  8. Click the Action menu to the right of the Open Service Console link, and then select Modify from the Action list. You can modify the pricing model for the secondary instance.
  9. In the License Type menu, select the pricing model that you want to change for your instance, and then click Modify.
  10. In the Confirmation window, click Modify.
Oracle Cloud sends a Your service instance has been updated email notification to the administrator. In the notification, details appear about the modification to the secondary instance (for this example, the change to the pricing model).

Remove a Secondary Instance

If you no longer need a secondary instance, then remove it.

Prerequisite: You can remove a secondary instance only if you created the instance or are the administrator of that instance.

  1. Log in to the Identity Cloud Service console.
  2. On the Oracle Cloud home page, click the Oracle Cloud page header.
  3. If you aren't already on the Oracle Cloud Infrastructure Classic page:
    1. Click the avatar icon, and then select Service User Console.
    2. On the Oracle Cloud My Home page, click the Oracle Cloud My Home page header to go to the Oracle Cloud Infrastructure Classic page.
  4. In the Oracle Cloud Infrastructure Classic Console, locate the Identity Cloud tile.
  5. Click the Action menu in the tile, and then select View Details.
  6. In the Service Instances pane of the Overview tab of the Service: Oracle Identity Cloud Service page, filter the list of instances. See Modify a Secondary Instance.
  7. Locate the secondary instance that you want to remove.
  8. Click the Action menu to the right of the Open Service Console link, and then select Delete from the Action list.
  9. In the Delete Service Instance window, click Delete.
Oracle Cloud begins to remove the instance and changes its status to Termination in progress. After the instance is removed completely, Oracle Cloud updates the status of the service instance to Purged. Oracle Cloud sends a Your service instance has been terminated email notification to the administrator. In the notification, details appear about the instance, including the name of the instance that was removed and the Oracle Cloud account that was associated with it.