IAM Identity Domain Types
Learn about identity domain types and the features and limits associated with each.
An IAM identity domain is deployed with one of five identity domain types. Each identity domain type is associated with a different set of features and object limits. Use this information to decide which domain type is appropriate for what you want to do.
This section summarizes:
- The different identity domain types
- SKUs associated with each
- Object limits
- Data types and limits
- Rate limits
- Meters for each identity domain type
- How to change to a different identity domain type
Understand Identity Domain Types
IAM has five different identity domain types to suit different organizational needs. Start here to understand which suits your requirements best, and which type to choose when you create an identity domain.
Here's a summary of the identity domain types. Decide which looks closest to what you need and check the features and limits that you get with that identity domain type to decide which best suits your purposes.
Free
When you create an OCI tenancy, you are automatically provisioned with a Free Tier identity domain. This domain type lets you use IAM to manage access to OCI Infrastructure as a Service and PaaS resources, and is a good place to start learning how IAM works. It includes everything you need for that purpose, but if you find you need extra features or higher limits, you can change to a different identity domain type.
Use case: Your organization uses Oracle Cloud and your employees need secure access to subscribed OCI services. Your users might currently be managed in Active Directory or a third-party Identity Provider. As you consider how IAM can help manage access to third-party applications, you can sign up for a 30-day Oracle Cloud promotion and try extra features.
Oracle Apps
Many Oracle services and applications automatically provision an Oracle Apps identity domain, which lets you use the IAM service to manage access to the subscribed services. It should include everything you need, but if you require additional features or higher limits, you can change to a different identity domain type.
Use Case: Your organization has a vested interest in Oracle SaaS, PaaS, or GBU applications, and you would like your users to seamlessly authenticate across Oracle cloud applications without having to present credentials each time. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and/or adaptive security. You might also have one or two non-Oracle applications for which you’d like users to seamlessly sign on without having to reauthenticate.
Oracle Apps Premium
Oracle Apps Premium identity domains add support for hybrid IAM scenarios including the proxies, gateways, and bridges which extend the IAM service to on-prem or OCI-hosted Oracle applications such as Oracle E-Business Suite, PeopleSoft, and Oracle Database. This identity domain type is intended primarily for use with Oracle applications but also allows for use with a limited number of non-Oracle applications.
Use Case: Your organization is already using Oracle SaaS, PaaS, or GBU applications. You would like your users to seamlessly authenticate to on-premises or cloud-hosted Oracle applications such as E-Business Suite, JD Edwards, PeopleSoft, Oracle Database, and/or Oracle Linux. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want bidirectional synchronization with AD or other on-prem systems and you might have a few non-Oracle applications for which you’d like users to seamlessly sign on without having to reauthenticate.
Premium
Premium identity domains provide the full IAM feature set for employee and workforce use cases, giving you enterprise-ready access management across hybrid IT environments. They support all apps and services, including an unlimited number of third-party applications. If you are standardizing on Oracle as your enterprise identity and access management provider, this is the identity domain type you want.
Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage workforce authentication and access to all of your Oracle and non-Oracle applications whether they’re SaaS apps, on-premises enterprise apps, or apps that are hosted in the cloud. You want to use modern authentication and authorization features for your users such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want automated provisioning and deprovisioning of accounts across these systems.
External User
External identity domains provide a robust IAM feature set for non-employee use-cases, consumer-facing IAM, and custom app development. The functionality provides relevant features for these scenarios such as user self-service, social login, and consent management.
External identity domains are licensed only for non-employee user accounts. If your business needs require employee user accounts to be stored in an External identity domain, they are permitted there only if the same accounts also exist in another identity domain of type Free, Oracle Apps, Oracle Apps Premium, or Premium.
Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage authentication and access to custom or consumer-facing applications. The solution should support social login, user self-service password and profile management, and terms of use consent. And you might need the solution to scale to support millions of users.
Feature Availability for Identity Domain Types
Understand the features available for the different identity domain types.
This table shows the features available to each domain type.
Feature | Free | Oracle Apps | Oracle Apps Premium | Premium | External User |
---|---|---|---|---|---|
Core IAM features | | | | | |
User and group management | ✓ | ✓ | ✓ | ✓ | ✓ |
End-user self-registration | - | ✓ | ✓ | ✓ | ✓ |
Self-service profile management | ✓ | ✓ | ✓ | ✓ | ✓ |
Account recovery (self-service password reset by way of email, SMS, security questions) | ✓ (SMS is not part of the Free domain type) | ✓ | ✓ | ✓ | ✓ |
Default password policy | ✓ | ✓ | ✓ | ✓ | ✓ |
Group-based password policy | ✓ | ✓ | ✓ | ✓ | ✓ |
Support for External Apps¹ | | | | | |
Outbound SSO to third-party apps | ✓ (limit of 2 external apps) | ✓ (limit of 2 external apps) | ✓ (limit of 6 external apps) | ✓ (unlimited) | ✓ (unlimited) |
Provisioning to third-party apps using App Catalog | ✓ (limit of 2 external apps) | ✓ (limit of 2 external apps) | ✓ (limit of 6 external apps) | ✓ (unlimited) | - |
OAuth/token management for third-party apps | ✓ (limit of 2 external apps) | ✓ (limit of 2 external apps) | ✓ (limit of 6 external apps) | ✓ (unlimited) | ✓ (unlimited) |
Generic SCIM app template | ✓ (limit of 2 external apps) | ✓ (limit of 2 external apps) | ✓ (limit of 6 external apps) | ✓ (unlimited) | ✓ (unlimited) |
Manage Access to Oracle Cloud Infrastructure | | | | | |
All current Infrastructure as a Service IAM features | ✓ | ✓ | ✓ | ✓ | - |
Manage access to OCI resources | ✓ | ✓ | ✓ | ✓ | - |
Dynamic groups (for OCI) | ✓ | ✓ | ✓ | ✓ | - |
Credential types specific to OCI | ✓ | ✓ | ✓ | ✓ | - |
Security Options | | | | | |
External IdPs and social login (Federation / Inbound SSO) | ✓ (3 external IdPs) | ✓ (3 external IdPs) | ✓ (20 external IdPs) | ✓ (20 external IdPs) | ✓ (20 external IdPs) |
Flexible IdP routing policies | ✓ | ✓ | ✓ | ✓ | ✓ |
Terms of use | ✓ | ✓ | ✓ | ✓ | ✓ |
Just-in-time provisioning | ✓ | ✓ | ✓ | ✓ | ✓ |
PIV / CAC card support | ✓ | ✓ | ✓ | ✓ | ✓ |
Schema extension | ✓ | ✓ | ✓ | ✓ | ✓ |
Delegated administration | ✓ | ✓ | ✓ | ✓ | ✓ |
Uni-directional Active Directory sync (inbound sync from AD to the IAM identity domain) | ✓ | ✓ | ✓ | ✓ | - |
Authentication options: Oracle Mobile Authenticator (MFA) and adaptive security (MFA - TOTP and push, phone call, security questions, FIDO2, DUO, email) | ✓ (SMS is not part of the Free domain type) | ✓ | ✓ | ✓ | ✓ |
Passwordless authentication | ✓ | ✓ | ✓ | ✓ | ✓ |
Sign-in policies (conditions - authenticated by, groups, administrators, exclusions, network perimeter, built-in risk engine) | ✓ | ✓ | ✓ | ✓ | ✓ |
Application SDKs | ✓ | ✓ | ✓ | ✓ | ✓ |
Oracle SaaS Integration | | | | | |
SSO for Oracle Cloud services | ✓ | ✓ | ✓ | ✓ | ✓ |
User provisioning for Oracle Cloud services (with account form, custom attributes, filters, and so on) | ✓ | ✓ | ✓ | ✓ | - |
OAuth/token management for Oracle App and SaaS extensions² | ✓ | ✓ | ✓ | ✓ | - |
Reports | | | | | |
Auditing and reporting | ✓ | ✓ | ✓ | ✓ | ✓ |
Branding | | | | | |
Customized look and feel | ✓ | ✓ | ✓ | ✓ | ✓ |
Hosted sign-in | - | - | ✓ | ✓ | ✓ |
Advanced and hybrid identity and access management features | | | | | |
Advanced IAM | | | | | |
Bi-directional sync with LDAP by way of provisioning bridge | - | - | ✓ | ✓ | - |
Bi-directional sync with AD bridge | - | - | ✓ | ✓ | - |
Delegated authentication by way of AD bridge | - | - | ✓ | ✓ | - |
SSO for any application | ✓ | ✓ | ✓ | ✓ | ✓ |
Hybrid IAM | | | | | |
Application Gateway (for any enterprise app) | - | - | ✓ (Oracle enterprise apps only) | ✓ (any enterprise app) | ✓ (any enterprise app) |
EBS Asserter³ | - | - | ✓ | ✓ | ✓ |
RADIUS proxy (Oracle DB, VPNs, network devices, and so forth) | - | - | ✓ (Oracle DB only) | ✓ (all: Oracle DB, VPNs, network devices, and so on) | - |
Linux PAM | - | - | ✓ | ✓ | - |
¹ External or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using Visual Builder Cloud Service).
² SaaS Extensions are custom-developed applications that are only used as extensions to subscribed Oracle SaaS applications such as HCM, ERP, SCM, and so on. The sole purpose of these applications is to augment Oracle SaaS apps.
³ The right to use Oracle E-Business Suite Asserter also includes the right to use WebLogic Server Enterprise Edition solely for the purposes of running the asserter application in accordance with all terms and conditions as described in the Oracle Fusion Middleware Licensing Information User Manual.
IAM Identity Domain Object Limits
Understand the number of different types of object allowed in each identity domain type.
You can create different identity domain types subject to the limit allowed by your subscription type. To find out the identity domain limits for each subscription type, see IAM With Identity Domains Limits.
Resource | Free | Oracle Apps | Oracle Apps Premium | Premium | External User |
---|---|---|---|---|---|
Users | 2,000 | 1,000,000 | 1,000,000 | 1,000,000 | 100,000,000 |
Groups | 250 | 10,000 | 100,000 | 100,000 | 100,000 |
Users in a group | 2,000 | 10,000 | 100,000 | 100,000 | 100,000 |
Groups per user | 250 | 500 | 5,000 | 5,000 | 5,000 |
Default password and group-based password policies | 10 | 10 | 10 | 10 | 10 |
Non-Oracle apps¹ | 2 | 2 | 10 | 5,000 | 5,000 |
Oracle Cloud apps | 2,000 | 2,000 | 2,000 | 2,000 | - |
Enterprise apps | - | - | 500 (Oracle enterprise apps only) | 500 | 500 |
RADIUS proxy | - | - | 50 | 50 | - |
Active Directory (AD) domains | 2 | 10 | 20 | 20 | - |
Active domain bridges per AD domain | 4 | 10 | 10 | 10 | - |
Provisioning bridges | 4 | 10 | 10 | 10 | - |
Application Gateway | - | - | 20 | 20 | 20 |
External Identity Providers and Social Login (IdPs)(Federation / inbound SSO) | 5 | 5 | 30 | 30 | 30 |
IdP policies | 5 | 5 | 100 | 100 | 100 |
Terms of use | 500 | 500 | 500 | 500 | 500 |
Sign in policies | 5 | 5 | 200 | 200 | 200 |
Self-registration profiles | - | 50 | 50 | 50 | 50 |
Dynamic groups | 50 | 50 | 50 | 50 | - |
API key per user | 3 | 3 | 3 | 3 | - |
Auth token per user | 2 | 2 | 2 | 2 | - |
OAuth2 client credentials per user | 10 | 10 | 10 | 10 | - |
SMTP credentials | 2 | 2 | 2 | 2 | - |
Customer secret key per user | 2 | 2 | 2 | 2 | - |
DB credentials per user | 2 | 2 | 2 | 2 | - |
¹ Non-Oracle or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using Visual Builder Cloud Service).
Data Types for Custom Attributes
See the supported data types for custom attributes and their limits. These apply to all identity domain types.
Data Type | Limit |
---|---|
4K char String Indexed (searchable) | 84 |
40 char String Indexed (searchable) | 5 |
4K char String Unindexed | 36 |
40 char String Unindexed | 15 |
Integer | 20 |
API Rate Limits
Understand API rate limiting for the different identity domain types.
Oracle APIs are subject to rate limiting to protect the API service usage for all of Oracle's customers. If you reach the API limit for the identity domain type, then IAM returns a 429 error code.
API category | Free | Oracle Apps | Oracle Apps Premium | Premium | External User |
---|---|---|---|---|---|
AuthN / sec | 10 | 50 | 80 | 95 | 90 |
AuthN / min | 150 | 1000 | 2100 | 4500 | 3100 |
Token Mgmt / sec | 10 | 40 | 50 | 65 | 60 |
Token Mgmt / min | 150 | 1000 | 1700 | 3400 | 2300 |
Others / sec (excluding bulk, import and export) | 20 | 50 | 55 | 90 | 80 |
Others / min (excluding bulk, import and export) | 150 | 1500 | 1750 | 5000 | 4000 |
Bulk / sec | 1 | 1 | 1 | 2 | 2 |
Bulk / min | 1 | 2 | 3 | 6 | 6 |
Import and export / day | 1 | 2 | 3 | 5 | 5 |
Other Restrictions
- Payload size: 1 MB
- Bulk API: 50 operations limit per call
- Only one of these can be run at a time:
  - Import: for users, groups, and app role memberships
  - Full sync from apps
  - Bulk APIs
  - Export: for users, groups, and app role memberships
- CSV import: 100 K rows limit per CSV, maximum file size 10 MB
- CSV export: 100 K rows limit
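The per-second and per-minute budgets in the table above are enforced together, so a client has to respect both windows to avoid 429 responses. The following is an added example (not code from the page or from Oracle) of a client-side throttle built from those table values plus a retry loop for the 429 case; `send` is an assumed caller-supplied function that performs one request and returns its HTTP status, and the clock and sleep functions are injectable so the limiter can be exercised without real waiting.

```python
import time
from collections import deque

# Per-second and per-minute budgets from the API Rate Limits table on this page,
# keyed by domain type, then by request category: (per_sec, per_min).
RATE_LIMITS = {
    "Free":                {"authn": (10, 150),  "token": (10, 150),  "other": (20, 150)},
    "Oracle Apps":         {"authn": (50, 1000), "token": (40, 1000), "other": (50, 1500)},
    "Oracle Apps Premium": {"authn": (80, 2100), "token": (50, 1700), "other": (55, 1750)},
    "Premium":             {"authn": (95, 4500), "token": (65, 3400), "other": (90, 5000)},
    "External User":       {"authn": (90, 3100), "token": (60, 2300), "other": (80, 4000)},
}

class DualWindowLimiter:
    """Client-side throttle keeping one request stream under both the per-second
    and the per-minute budget, so the service should not have to answer with 429."""

    def __init__(self, domain_type, category, clock=time.monotonic, sleep=time.sleep):
        self.per_sec, self.per_min = RATE_LIMITS[domain_type][category]
        self.clock, self.sleep = clock, sleep   # injectable for testing
        self.sent = deque()                      # send times within the last 60 s

    def wait_time(self):
        """Seconds until the next request fits both windows (0.0 if it fits now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:   # drop entries older than a minute
            self.sent.popleft()
        waits = [0.0]
        last_sec = [t for t in self.sent if now - t < 1]
        if len(last_sec) >= self.per_sec:      # oldest of the newest per_sec ages out at +1 s
            waits.append(last_sec[-self.per_sec] + 1 - now)
        if len(self.sent) >= self.per_min:     # same idea for the 60 s window
            waits.append(self.sent[-self.per_min] + 60 - now)
        return max(waits)

    def acquire(self):
        """Block until a slot is free, then record the send."""
        delay = self.wait_time()
        if delay > 0:
            self.sleep(delay)
        self.sent.append(self.clock())

def call_with_backoff(limiter, send, max_attempts=5):
    """send() performs one request and returns its HTTP status. A 429 means the
    service-side limit was hit anyway (the budget is shared), so back off and retry."""
    for attempt in range(max_attempts):
        limiter.acquire()
        status = send()
        if status != 429:
            return status
        limiter.sleep(min(2 ** attempt, 30))   # exponential backoff, capped at 30 s
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```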
Meters for Identity Domain Types
Understand the meters used for different identity domain types.
Free and Oracle Apps identity domain types do not use meters.
Oracle Apps Premium, Premium, and External User identity domain types use these meters:
- Users per Month: The number of active and inactive users in the system, reported per hour. These meters are aggregated at the end of the billing cycle.
- SMS: The number of SMS messages sent from the system, reported every hour. These meters are aggregated at the end of the billing cycle.
- Tokens: The number of tokens issued by the system, reported every hour.
- Replicated Users per Month: If you configure replication to more regions, this meter applies to the number of active and inactive users in each replicated region, reported per hour. These meters are aggregated at the end of the billing cycle.
After you have provisioned your service, Oracle Cloud Infrastructure has tools to help you analyze and understand the costs associated with your account. See Checking Your Expenses and Usage.
Changing your Identity Domain Type
- You cannot change the default domain to External User identity domain type.
- Your subscription type controls the number of identity domains of each type. If the change would exceed the number of identity domains of that type for your subscription type, you cannot change to the new identity domain type. See IAM With Identity Domains Limits.
- If the number of objects of any type in your identity domain is higher than is allowed in the target identity domain type, you cannot change to the new identity domain type. See IAM Identity Domain Object Limits.
- The features available in your current identity domain type are checked. See Feature Availability for Identity Domain Types. A warning message appears reminding you to exercise caution when changing from one identity domain type to another. You can proceed after the warning message, but some of your existing features might no longer work.
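The default-domain rule and the object-limit rule above can be checked before you attempt a change. The following is an added example (not code from the page or from Oracle) that evaluates a domain's current object counts against a subset of the rows of the IAM Identity Domain Object Limits table and reports which target types are reachable; the subscription-count check and the feature-availability warning are not modelled, and for per-user resources it assumes you pass the highest count seen for any single user.

```python
# Rows of the IAM Identity Domain Object Limits table used by this check, in the
# column order of DOMAIN_TYPES. None stands for "-" on the page: the resource
# does not exist in that domain type, so any objects of it block the change.
DOMAIN_TYPES = ["Free", "Oracle Apps", "Oracle Apps Premium", "Premium", "External User"]
OBJECT_LIMITS = {
    "Users":             (2_000, 1_000_000, 1_000_000, 1_000_000, 100_000_000),
    "Groups":            (250, 10_000, 100_000, 100_000, 100_000),
    "Non Oracle apps":   (2, 2, 10, 5_000, 5_000),
    "Oracle Cloud apps": (2_000, 2_000, 2_000, 2_000, None),
    "Dynamic groups":    (50, 50, 50, 50, None),
    "Sign in policies":  (5, 5, 200, 200, 200),
    "API key per user":  (3, 3, 3, 3, None),   # pass the highest per-user count
}

def limit_for(resource, domain_type):
    """Object limit for one resource in one domain type (None = not available)."""
    return OBJECT_LIMITS[resource][DOMAIN_TYPES.index(domain_type)]

def change_blockers(target_type, counts, is_default_domain=False):
    """Return the reasons a change to target_type would be refused; an empty list
    means no default-domain or object-limit blocker. counts maps resource name
    to the current number of objects of that kind in the identity domain."""
    reasons = []
    if is_default_domain and target_type == "External User":
        reasons.append("the default domain cannot become External User")
    for resource, n in counts.items():
        limit = limit_for(resource, target_type)
        if limit is None and n > 0:
            reasons.append(f"{resource}: not available in {target_type}")
        elif limit is not None and n > limit:
            reasons.append(f"{resource}: {n} exceeds the {target_type} limit of {limit}")
    return reasons

def viable_targets(current_type, counts, is_default_domain=False):
    """Domain types this identity domain could be changed to without a blocker."""
    return [t for t in DOMAIN_TYPES
            if t != current_type and not change_blockers(t, counts, is_default_domain)]
```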