1. Administering Oracle Identity Cloud Service
  2. Configure Security Settings
  3. Manage Oracle Identity Cloud Service Identity Provider Policies
  4. Understand Identity Provider Policies

Understand Identity Provider Policies

An identity provider policy allows identity domain administrators, security administrators, and application administrators to define which identity providers are visible in the Sign In page either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service.

Oracle Identity Cloud Service also uses identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service through identity providers or with a local authentication factor.

The following type of identity providers available with Oracle Identity Cloud Service:

  • SAML identity provider: This type of identity provider supports the SAML 2.0 (Security Assertion Markup Language 2.0) standard. You use a SAML identity provider when you want to establish trust between an SAML-compatible identity provider such as Active Directory Federation Services so that users in your organization can access resources protected by Oracle Identity Cloud Service.

    If you want your users to be redirected to a specific SAML identity provider automatically so that they can access an app, then ensure that the identity provider policy associated with the app has only the SAML identity provider assigned to it. If multiple identity providers are assigned to the identity provider policy, then users will be prompted to select one of the identity providers from the Sign In page.

  • Social identity provider: By linking an Oracle Identity Cloud Service user account to a user's social accounts, the user can access Oracle Identity Cloud Service using their social credentials, such as Facebook, Google, Linkedin, Microsoft, and Twitter.

  • Passwordless authentication provider: Allows users to bypass the standard web-form-based authentication. Passwordless authentication allows access to the protected resource without the need for entering the user name and password every time. However, the first time Sign In uses the standard login form.

  • Local identity provider (Local IDP): Authentication into Oracle Identity Cloud Service happens locally by the user providing their credentials (user name and password) in the Sign In page.

In addition to the identity providers, Oracle Identity Cloud Service comes equipped with the following out-of-the-box local authentication factors. To make these local authentication factors available so that you can assign them to identity provider policies, you must first enable them. See Configure Authentication Factors.
  • Email: Oracle Identity Cloud Service sends a one-time passcode to the user’s primary email address for use as a verification method to authenticate into Oracle Identity Cloud Service. The user’s primary email address is defined in the user’s Oracle Identity Cloud Service account.
  • Mobile App Notification: Oracle Identity Cloud Service sends a push notification that contains an approval request to allow or deny a login attempt. Push notifications are an easy and quick way to authenticate. After the user enters their user name and password, a login request is sent to the app on their phone. The user taps Allow to authenticate.
  • Mobile App Passcode: An authenticator app such as the Oracle Mobile Authenticator (OMA) app generates a one-time passcode. This passcode can be generated even when the user's device is offline. After the user enters their user name and password, a prompt appears for the passcode. The user obtains a generated passcode from the app, and then enters the code to access Oracle Identity Cloud Service.
  • Text Message: After the user enters their user name and password, Oracle Identity Cloud Service sends a passcode as a text message to the user's device. The user enters the code to access Oracle Identity Cloud Service.
  • User Name-Password: The user authenticates into Oracle Identity Cloud Service by user providing their credentials (user name and password) in the Sign In page.

The identity provider policy allows you to configure whether local authentication is displayed in the Sign In page for the user.

Suppose you've created several social identity providers and SAML identity providers, and you want to configure which of these identity providers will appear in the Sign In page when the user attempts to authenticate into Oracle Identity Cloud Service using a particular app. Without identity provider policies, you couldn't configure this. So, if you had all these SAML and social identity providers activated and set to appear in the Sign In page, they would all be displayed.

Oracle Identity Cloud Service provides you with a default identity provider policy that contains a default identity provider rule. This rule has the User Name-Password local authentication factor assigned to it. This way, at the bare minimum, users can authenticate into Oracle Identity Cloud Service with their user names and passwords. However, you can build upon this default policy by adding other identity provider rules to it. By adding these rules, you can prevent some of your identity providers from being available to users to authenticate into Oracle Identity Cloud Service. Or you can allow other identity providers to be available only to those users who access Oracle Identity Cloud Service from an IP address contained in one of your network perimeters. Both the My Profile console and the Identity Cloud Service console use the identity provider rules that are assigned to the default identity provider policy.

Suppose your company has restrictions as to who can sign in to Oracle Identity Cloud Service locally (by supplying their user names and passwords) and who must use an external identity provider. Company employees must authenticate into Oracle Identity Cloud Service by using Active Directory Federation Services (AD FS), contractors and partners must use their own SAML identity providers, and all other users (such as consumers) can use either their user names and passwords or a social identity provider.

To accomplish this goal, you can create two identity provider rules for the default identity provider policy. The first rule is applicable only to company employees. These users must sign in Oracle Identity Cloud Service with AD FS which is the employee identity provider. The second rule is applicable only to those users that have user names that end with @partner1.com. They can sign in with the partner 1 SAML identity provider. The third rule is applicable only to those users that have user names that end with @partner2.com. They can sign in with the partner 2 SAML identity provider. The final rule is a catch-all rule for all users (consumers). These users can use either their Oracle Identity Cloud Service passwords or a social identity provider.

Because you can define multiple identity provider rules for an identity provider policy, Oracle Identity Cloud Service must know the order in which the rules are to be evaluated. To do this, you can set the priority of the rules. For the example above, you can have the company employee rule evaluated first. If a user meets the criteria of this rule (that is, the user is an employee), then the user must authenticate into Oracle Identity Cloud Service with AD FS. Users who aren't employees don't meet the criteria of this identity provider rule, and so, the rule with the next highest priority is evaluated. For this example, this is the partner 1 rule where the user's user name must end with @partner1.com. These users must access Oracle Identity Cloud Service by using the partner 1 SAML identity provider. For users who aren't employees or who don't have user names that end with partner1@com, Oracle Identity Cloud Service evaluates the rule with the next highest priority number: the partner 2 rule where the user's user name must end with @partner2.com. These users must use the partner 2 SAML identity provider to authenticate into Oracle Identity Cloud Service. All other users meet the criteria of the catch-all rule so they can use either their Oracle Identity Cloud Service passwords or a social identity provider to sign-in to Oracle Identity Cloud Service.

In addition to the default identity provider policy, you can create identity provider policies and associate them with specific apps. Suppose you have multiple apps and you want to assign different identity providers to each app. For example, you may have two apps, and you want users to authenticate into Oracle Identity Cloud Service from Facebook or Linkedin. So, you can have one identity provider policy specifically for one app and the Facebook social identity provider, and another identity provider policy exclusively for the second app and the Linkedin social identity provider.

Oracle Identity Cloud Service displays a maximum of four identity providers on the Sign In page. If you assign more than four identity providers to an identity provider policy, then a View all link appears on the page. Click the link and all identity providers associated with the policy appear.