Managing Identity Domains
An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and SAML/OAuth based Identity Provider administration. It represents a user population in Oracle Cloud Infrastructure and its associated configurations and security settings (such as MFA).
Identity domains are like other OCI resources. As an administrator, you can create, move, tag, and delete an identity domain. Oracle Cloud Infrastructure access policies can be written to allow users in a given domain to access resources in other domains. You can also assign user accounts to predefined administrator roles to delegate administrative responsibilities within a domain. For more information about administrator roles and the privileges associated with each role, see Understanding Administrator Roles.
You manage identity domains (for example, creating or deleting a domain) using the user interface or the IAM API. You manage resources (for example, users and groups) within an identity domain using the user interface or with the SCIM-based IAM Identity Domains API.
Each tenancy includes a Default identity domain created in the root compartment that contains the initial tenant administrator user and group and a default Policy that allows administrators to manage any resource in the tenancy. The Default identity domain lives with the lifecycle of the tenancy and can’t be deleted.
You can create additional identity domains within a tenancy. Multiple identity domains are useful when you need separate environments for a single cloud service or application (for example, one environment for development and one for production). For added security, you can configure each identity domain to have its own credentials (for example, Password and Sign-On policies). You can also configure an identity domain for consumer-facing applications and allow consumer users to perform self-registration and social login.
You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.
Users in identity domains can request access to groups and applications. Users can also perform self-service tasks such as updating profile information, changing passwords, and configuring settings for 2-Step Verification.
Information for Existing IAM and IDCS Administrators
Managing identity domains includes the following topics:
- Creating an Identity Domain
- Listing Identity Domains
- Listing License Types
- Getting an Identity Domain's Details
- Editing an Identity Domain's Details
- Moving an Identity Domain Between Compartments
- Activating an Identity Domain
- Deactivating an Identity Domain
- Changing an Identity Domain's Type
- Copying an Identity Domain's OCID
- Replicating an Identity Domain to Multiple Regions
- Resetting All Passwords for an Identity Domain
- Deleting an Identity Domain
Required Policy or Role
- Be a member of the Administrators group
- Be granted the Identity Domain Administrator role
- Be a member of a group granted
To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.