Managing Identity Domains

An identity domain is a container for managing users and roles, federating and provisioning users, integrating applications securely through Oracle Single Sign-On (SSO) configuration, and administering SAML/OAuth-based identity providers. It represents a user population in Oracle Cloud Infrastructure together with its associated configuration and security settings (such as MFA).

Identity domains are like other OCI resources. As an administrator, you can create, move, tag, and delete an identity domain. Oracle Cloud Infrastructure access policies can be written to allow users in a given domain to access resources in other domains. You can also assign user accounts to predefined administrator roles to delegate administrative responsibilities within a domain. For more information about administrator roles and the privileges associated with each role, see Understanding Administrator Roles.

You manage identity domains themselves (for example, creating or deleting a domain) using the Console or the IAM API. You manage the resources inside an identity domain (for example, users and groups) using the Console or the SCIM-based IAM Identity Domains API, which is addressed at the domain's own endpoint URL rather than the regional IAM endpoint.

Each tenancy includes a Default identity domain, created in the root compartment, that contains the initial tenant administrator user and group and a default policy that allows the Administrators group to manage any resource in the tenancy. The Default identity domain shares the lifecycle of the tenancy and can't be deleted.

You can create additional identity domains within a tenancy. Multiple identity domains are useful when you need separate environments for a single cloud service or application (for example, one environment for development and one for production). For added security, each identity domain can have its own credential settings (for example, password and sign-on policies), so a weaker policy chosen for one population does not apply to another. You can also configure an identity domain for consumer-facing applications and allow consumer users to perform self-registration and social login.

You can upgrade a domain to a different domain type. Each identity domain type is associated with a different set of features and object limits. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.

Users in identity domains can request access to groups and applications. Users can also perform self-service tasks such as updating profile information, changing passwords, and configuring settings for 2-Step Verification.

Information for Existing IAM and IDCS Administrators

If you're an existing IAM or IDCS administrator and you don't yet see identity domains in your regions, read the following information to learn what to expect when the update happens.
If you're an existing IAM or IDCS administrator and your region has been updated recently, read the following information to learn what to expect after the update.

Required Policy or Role

To manage identity domain settings, you must have one of the following access grants:
  • Membership in the Administrators group of the Default domain
  • The Identity Domain Administrator role for the domain
  • Membership in a group that an IAM policy grants manage domains (or a narrower verb such as use or inspect, if that is all the task requires)

To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.
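The following policy statements are an added example and are not part of this page or of Oracle's published policy set; the group names IdentityDomainAdmins, ProdDomain, ProdAppOperators and the compartment name Prod are assumed for illustration. They show the manage domains grant described above for managing identity domains, and the domain-qualified group syntax used when a group in one identity domain needs access to resources in another, as mentioned earlier on this page:

```text
# Least-privilege alternative to Administrators membership: lets a group
# in the Default domain create, update and delete identity domains only.
Allow group IdentityDomainAdmins to manage domains in tenancy

# Read-only variant for auditors or automation that lists domains
# without being able to change them.
Allow group DomainAuditors to inspect domains in tenancy

# Groups that live in a non-default identity domain are referenced as
# '<domain-name>'/'<group-name>'. This grants a group in ProdDomain
# read access to instances in the Prod compartment.
Allow group 'ProdDomain'/'ProdAppOperators' to read instance-family in compartment Prod
```

Keep manage domains out of broad, everyday administrator groups: whoever can manage a domain can change its sign-on and MFA policies, so it is effectively a tenancy-wide credential-policy privilege and should be held by as few principals as possible.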