Adding a Sign-On Policy

Add a sign-on policy.

This procedure adds a sign-on policy in a deactivated state. After completing this task, you must activate the policy to begin enforcing it in the identity domain.

Criteria that you can define for sign-on policies include:

  • The identity providers to be used to authenticate the user

  • The groups of which the user is a member

  • Whether the user is an identity domain administrator

  • Whether to exclude a user

  • The IP address that the user is using to sign in to the identity domain

  • Whether the user is forced to sign in to the identity domain again (for authentication purposes), or is authenticated the next time they sign in to the identity domain

  • Whether the user is prompted for an additional factor to sign in to the identity domain

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Sign-on policies.
  3. Click Create sign-on policy.
  4. Add a Name and Description, and then click Add policy.

    After you click Add policy, the sign-on policy is saved in a deactivated state. You must activate the policy to use it.

  5. In the Add sign-on rules screen, click Add sign-on rule to add a sign-on rule to this policy.
  6. Use the following table to configure the rule, and then click Add sign-on rule:
    Rule name
      Enter the name of the sign-on rule.

    Authenticating identity provider
      Enter or select all identity providers that are used to authenticate the user accounts evaluated by this rule.

    Group membership
      Enter or select the groups that the user must be a member of to meet the criteria of this rule. You must enter at least three characters to initiate a search of groups.

    Administrator
      If the user must be assigned to administrator roles in the identity domain to meet the criteria of this rule, then select this check box.

    Keep me signed in
      Select this option to apply the rule only if a valid Keep me signed in session exists for the user.

      You must enable Keep me signed in to use this condition. See Managing Session Settings to enable Keep me signed in.

      The sign-on policy overrides the Keep me signed in session. This means that even though a user is signed in using Keep me signed in, after the session expires, if the policy requires reauthentication or multifactor authentication (MFA), then the user is challenged to reauthenticate or to provide MFA.

    Exclude users
      Enter or select the users to exclude from the rule. You must enter at least three characters to initiate a search of users.

      Important: Ensure that you exclude one Identity Domain Administrator from each policy. This ensures that at least one administrator always has access to the identity domain should issues arise.

    Filter by client IP address
      There are two options associated with this field: Anywhere and Restrict to the following network perimeters.

      • If you select Anywhere, then users can sign in to the identity domain using any IP address.

      • If you select Restrict to the following network perimeters, then the Network perimeters text box appears. In this text box, enter or select network perimeters that you defined. For more information, see Creating a Network Perimeter. Users can sign in to the identity domain using only IP addresses that are contained in the defined network perimeters.

    Allow access or Deny access
      Select whether a user is allowed to access the Console if the user account meets the criteria of this rule. When you select Allow access, the following additional options are presented.

    Prompt for reauthentication
      Select this check box to force the user to re-enter credentials to access the assigned application even when an IAM Domains session already exists.

      When selected, this option prevents single sign-on for the applications assigned to the sign-on policy. For example, an already authenticated user must sign in again to access a new application.

      If not selected, and the user has previously authenticated, they can access the application using their existing single sign-on session without needing to enter credentials.

    Prompt for an additional factor
      Select this check box to prompt the user for an additional factor to sign in to the identity domain.

      If you select this check box, then you must specify whether the user is required to enroll in Multi-Factor Authentication and how often this additional factor is to be used to sign in.

      Select Any factor to prompt the user to enroll in and verify any factor enabled in the MFA tenant-level settings.

      Select Specified factors only to prompt the user to enroll in and verify a subset of the factors enabled in the MFA tenant-level settings. After you select Specified factors only, you can select the factors that this rule enforces.

    Frequency
      • Select Once per session or trusted device so that, for each session that the user opens from an authoritative device, they must provide their user name and password and a second factor.

      • Select Every time so that, each time users sign in from a trusted device, they must provide their user name and password and a second factor.

      • Select Custom interval, and then specify how often users must provide a second factor to sign in. For example, if you want users to use this additional factor every two weeks, then click Number, enter 14 in the text field, and then click the Interval menu to select Days. If you configured multifactor authentication (MFA), then this number must be less than or equal to the number of days a device can be trusted according to the MFA settings. For more information, see Managing Multi-Factor Authentication.

    Enrollment
      This menu contains two options: Required and Optional.

      Important: Set Enrollment to Optional until you have finished testing the sign-on policy.

      • Select Required to force the user to enroll in Multi-Factor Authentication.

      • Select Optional to give users the option of skipping enrollment in Multi-Factor Authentication. Users see the inline enrollment setup process after they enter their user name and password, but can click Skip. Users can then enable MFA later from the 2-step verification setting in the Security settings of My Profile. Users aren't prompted to set up a factor the next time that they sign in.

      Note: If you set Enrollment to Required, and later change it to Optional, the change affects only new users. Users already enrolled in Multi-Factor Authentication do not see the inline enrollment process and cannot click Skip when signing in.

  7. Optionally, in the Add sign-on rules screen, click Add sign-on rule to add another sign-on rule to this policy. Otherwise, click Next.
    Note: If you added multiple sign-on rules to this policy, then you can change the order in which they are evaluated. See To Change the Priority of a Sign-On Rule for the Policy.
  8. In the Add apps screen, click Add app to add apps to this policy.
  9. In the Add app window, select the check box for each app that you want to add to the policy. Then, click Add app.
    Note: You can add an app to only one sign-on policy. If the app isn't assigned to any sign-on policy explicitly, then the default sign-on policy applies to the app.

  10. When you are ready, click Close.
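As an added illustration of how the criteria and actions in the rule table combine, the following Python model (written for this page, not Oracle's code) evaluates constructed sign-ins against a constructed three-rule policy and lints the two pitfalls the table calls out: a rule that excludes no administrator, and a Custom interval longer than the MFA trusted-device limit. It assumes that a rule's criteria are ANDed, that rules are evaluated in priority order with the first match deciding, and that a sign-in matching no rule falls through to the default policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the sign-on rule fields in the table above; not Oracle's implementation.
@dataclass
class Rule:
    name: str
    allow: bool = True                               # Allow access / Deny access
    idps: set = field(default_factory=set)           # Authenticating identity provider; empty = any
    groups: set = field(default_factory=set)         # Group membership; empty = no group condition
    admin_only: bool = False                         # Administrator check box
    excluded: set = field(default_factory=set)       # Exclude users
    perimeters: list = field(default_factory=list)   # Network perimeter CIDRs; empty = Anywhere
    reauth: bool = False                             # Prompt for reauthentication
    mfa: bool = False                                # Prompt for an additional factor
    frequency: str = "once"                          # Frequency: once | every | custom
    custom_days: int = 0                             # Custom interval, in days

def matches(r, user, idp, groups, is_admin, ip):
    """True when the sign-in meets every criterion of r (criteria are ANDed; an assumption)."""
    return (user not in r.excluded
            and (not r.idps or idp in r.idps)
            and (not r.groups or bool(r.groups & groups))
            and (not r.admin_only or is_admin)
            and (not r.perimeters or any(ip_address(ip) in ip_network(p) for p in r.perimeters)))

def evaluate(rules, **signin):
    """First matching rule in priority order decides (assumed); None = falls to the default policy."""
    for r in rules:
        if matches(r, **signin):
            return {"rule": r.name, "allow": r.allow, "reauth": r.allow and r.reauth, "mfa": r.allow and r.mfa}
    return None

def lint(rules, admins, trusted_device_days):
    """Flag the pitfalls the table warns about: no excluded admin; Custom interval above the trusted-device limit."""
    problems = []
    for r in rules:
        if not (r.excluded & admins):
            problems.append(f"{r.name}: no identity domain administrator excluded")
        if r.mfa and r.frequency == "custom" and r.custom_days > trusted_device_days:
            problems.append(f"{r.name}: custom interval {r.custom_days}d exceeds trusted-device limit {trusted_device_days}d")
    return problems

# Constructed sample policy: admins get MFA every 14 days, the office perimeter is allowed as-is,
# everything else is denied; 'alice' is the break-glass administrator excluded from every rule.
ADMINS = {"alice"}
POLICY = [
    Rule("admins-need-mfa", admin_only=True, mfa=True, frequency="custom", custom_days=14, excluded=ADMINS),
    Rule("office-network", perimeters=["203.0.113.0/24"], excluded=ADMINS),
    Rule("deny-everywhere-else", allow=False, excluded=ADMINS),
]
```

Running `lint(POLICY, ADMINS, 7)` reports the 14-day interval as exceeding a 7-day trusted-device setting, while a 30-day setting passes cleanly.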