IAM Identity Domain Types

Learn about identity domain types and the features and limits associated with each.

An IAM identity domain  is deployed with one of five identity domain types. Each identity domain type  is associated with a different set of features and object limits. Use this information to decide which domain type is appropriate for what you want to do.

This section summarizes:

This section has information about identity domains and the various features and limits associated with each identity domain type. For information about IAM tenancy level limits, see IAM With Identity Domains Limits.

Understand Identity Domain Types

IAM has five different identity domain types to address different organizational needs. Start here to understand which suits your requirements best, and which type to choose when you create an identity domain.

Here's a summary of the identity domain types. Decide which provides the best fit for your requirements and check the features and limits below to that you get with that identity domain type to select the identity domain type that's right for you.

Free

When you create an OCI tenancy, you are automatically provisioned with a Free identity domain. This domain type allows you to use the IAM service to manage access to OCI Infrastructure and Platform resources. Use this domain type to learn about the IAM service, and to manage access to OCI IaaS and PaaS resources. This domain type should include everything you need to manage OCI. But if you require higher limits or additional features, you can change to a different identity domain type.

Example Use case: Your organization uses Oracle Cloud and your cloud administrators need secure access to manage subscribed OCI services.

Oracle Apps

Some Oracle PaaS services and SaaS applications offer their customers an Oracle Apps identity domain which allows you to use the IAM service to manage access to the subscribed service. In most cases, the identity domain is either provided by the service at provisioning time or a pre existing domain will automatically become an Oracle Apps domain when a registered service is attached to it. This domain type should include everything you need to manage access to your subscribed Oracle service. But if you require higher limits or additional features, you can change to a different identity domain type.

Example Use Case: Your organization subscribes to an Oracle PaaS or SaaS service that provides an Oracle Apps identity domain with their service. You can use this domain type to manage access to Oracle PaaS and SaaS services. You might also have one or two third-party applications for which you'd like users to seamlessly sign-in without having to reauthenticate.

Oracle Apps Premium

Oracle Apps Premium identity domains add support for hybrid IAM scenarios which extend the IAM service to manage access for on-premises or OCI hosted Oracle applications such as Oracle E-Business Suite, PeopleSoft, and Oracle Database. While this identity domain type is intended primarily for use with Oracle applications, it also allows you to manage access for a limited number of third-party or custom applications.

Example Use Case: Your organization would like to enable authentication and single sign-on for your workforce users to access Oracle SaaS applications as well as on-premises or cloud-hosted Oracle applications such as E-Business Suite, JD Edwards, PeopleSoft, Siebel, and/or Oracle Database. You might also want bidirectional synchronization with Microsoft Active Directory or other on-premises systems and you might have a few third-party or custom applications for which you'd like users to seamlessly sign-in without having to reauthenticate.

Premium

Premium identity domains provide the full IAM feature set and highest limits for employee and workforce use cases giving you enterprise-ready access management across hybrid IT environments. It includes all supported integration types and unlimited third-party applications. This is the ideal domain type if you are standardizing on OCI IAM as your enterprise identity and access management provider.

Example Use Case: You want an Identity-as-a-Service (IDaaS) solution to manage workforce authentication and access to all of your Oracle and third-party applications whether they're SaaS apps, on-premises enterprise apps, or apps that are hosted in the cloud. You want to use modern authentication and authorization features such as passwordless authentication, FIDO2 hardware tokens, and adaptive security. You might also want automated provisioning and deprovisioning of accounts across these systems.

External User

External identity domains provide a robust IAM feature set for non employee use cases, consumer-facing apps, and custom app development. This domain type provides relevant features for these scenarios such as user self-service, social sign in, and consent management.

Note

External identity domains are only licensed for non employee user accounts. If your business needs require that you have employee user accounts stored within an External identity domain (for example, if an app only supports one identity provider), that is allowed only if those user accounts also exist in another identity domain of type Free, Oracle Apps, Oracle Apps Premium, or Premium.

Example Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage authentication and access to custom or consumer-facing applications. The solution should support social sign in, user self-service password and profile management, and terms of use consent. And you might need the solution to scale to support millions of users.

Feature Availability for Identity Domain Types

Understand the features available for the different identity domain types.

This table shows the features available to each domain type.

Feature Free Oracle Apps Oracle Apps Premium Premium External User
Core IAM features
User and group management Checkmark Checkmark Checkmark Checkmark Checkmark
End-user self-registration - Checkmark Checkmark Checkmark Checkmark
Self-service profile management Checkmark Checkmark Checkmark Checkmark Checkmark
Account recovery (self-service password reset by way of email, SMS, security questions) Checkmark

SMS is not part of the Free domain type

Checkmark Checkmark Checkmark Checkmark
Default password policy Checkmark Checkmark Checkmark Checkmark Checkmark
Group-based password policy Checkmark Checkmark Checkmark Checkmark Checkmark
Support for External Apps1
Outbound SSO to third-party apps Checkmark

Limit of 2 external apps

Checkmark

Limit of 2 external apps

Checkmark

Limit of 10 external apps

Checkmark

Unlimited

Checkmark

Unlimited

Provisioning to third-party apps using App Catalog Checkmark

Limit of 2 external apps

Checkmark

Limit of 2 external apps

Checkmark

Limit of 10 external apps

Checkmark

Unlimited

-
OAuth/token mgmt for third-party apps Checkmark

Limit of 2 external apps

Checkmark

Limit of 2 external apps

Checkmark

Limit of 10 external apps

Checkmark

Unlimited

Checkmark

Unlimited

Generic SCIM app template Checkmark

Limit of 2 external apps

Checkmark

Limit of 2 external apps

Checkmark

Limit of 10 external apps

Checkmark

Unlimited

Checkmark

Unlimited

Manage Access to Oracle Cloud Infrastructure
All current Infrastructure as a Service IAM features Checkmark Checkmark Checkmark Checkmark -
Manage access to OCI resources Checkmark Checkmark Checkmark Checkmark -
Dynamic groups (for OCI) Checkmark Checkmark Checkmark Checkmark -
Credential types specific to OCI Checkmark Checkmark Checkmark Checkmark -
Security Options
External IdPs and social login (Federation / Inbound SSO) Checkmark

5 external IdPs

Checkmark

5 external IdPs

Checkmark

30 external IdPs

Checkmark

30 external IdPs

Checkmark

30 external IdPs

Flexible IdP routing policies Checkmark Checkmark Checkmark Checkmark Checkmark
Terms of use Checkmark Checkmark Checkmark Checkmark Checkmark
Just in time provisioning Checkmark Checkmark Checkmark Checkmark Checkmark
PIV / CAC card support Checkmark Checkmark Checkmark Checkmark Checkmark
Schema extension Checkmark Checkmark Checkmark Checkmark Checkmark
Delegated administration Checkmark Checkmark Checkmark Checkmark Checkmark
Uni-directional Active Directory sync which supports inbound sync from AD to the IAM identity domain Checkmark Checkmark Checkmark Checkmark -
Authentication Options: Oracle Mobile Authenticator (MFA) and adaptive security (MFA - TOTP and push, phone call, security questions, FIDO2, DUO, email). Checkmark

SMS is not part of the Free domain type

Checkmark Checkmark Checkmark Checkmark
Passwordless authentication Checkmark Checkmark Checkmark Checkmark Checkmark
Sign in policies (conditions - authenticated by, groups, administrators, exclusions, network perimeter, built-in risk engine) Checkmark Checkmark Checkmark Checkmark Checkmark
Application SDKs Checkmark Checkmark Checkmark Checkmark Checkmark
Oracle SaaS Integration
SSO for Oracle Cloud services Checkmark Checkmark Checkmark Checkmark Checkmark
User provisioning for Oracle Cloud services (with account form, custom attributes, filters, and so on) Checkmark Checkmark Checkmark Checkmark -
OAuth/Token management for Oracle App and SaaS extensions2 Checkmark Checkmark Checkmark Checkmark -
Reports
Auditing and reporting Checkmark Checkmark Checkmark Checkmark Checkmark
Branding
Customized look and feel Checkmark Checkmark Checkmark Checkmark Checkmark
Hosted sign-in - - Checkmark Checkmark Checkmark
Advanced and hybrid identity and access management features
Advanced IAM
Bi-directional sync with LDAP by way of provisioning bridge - - Checkmark Checkmark -
Bi-directional sync with AD bridge - - Checkmark Checkmark -
Delegated authentication by way of AD bridge - - Checkmark Checkmark -
SSO for any application Checkmark Checkmark Checkmark Checkmark Checkmark
Hybrid IAM
Application Gateway (for any enterprise app) - - Checkmark

Oracle enterprise apps only

Checkmark

Any enterprise app

Checkmark

Any enterprise app

EBS Asserter3 - - Checkmark Checkmark Checkmark
RADIUS proxy (all - Oracle DB, VPNs, network devices, and so forth) - - Checkmark

Oracle DB only

Checkmark

All - Oracle DB, VPNs, Network Devices, and so on

-
Linux PAM - - Checkmark Checkmark -

1 External or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using APEX). Note that custom applications built using Visual Builder Cloud Service do not count against the limit on external apps.

2 SaaS Extensions are custom-developed applications that are only used as extensions to subscribed Oracle SaaS applications such as HCM, ERP, SCM, and so on. The sole purpose of these applications is to augment Oracle SaaS apps. These do not count against the limit on external apps.

3 The right to use Oracle E-Business Suite Asserter also includes the right to use WebLogic Server Enterprise Edition solely for the purposes of running the asserter application in accordance with all terms and conditions as described in the Oracle Fusion Middleware Licensing Information User Manual.

IAM Identity Domain Object Limits

Understand the number of different types of object allowed in each identity domain type.

You can create different identity domain types subject to the limit allowed by your subscription type. To find out the identity domain limits for each subscription type, see IAM With Identity Domains Limits.

This table shows the limits of the number of each type of object for each identity domain type.
Resource Free Oracle Apps Oracle Apps Premium Premium External User
Users 2,000 1,000,000 1,000,000 1,000,000 100,000,000
Groups 250 10,000 100,000 100,000 100,000
Users in a group 2,000 10,000 100,000 100,000 100,000
Groups per user 250 500 5,000 5,000 5,000
Default password and group-based password policies 10 10 10 10 10
Non Oracle apps 1 2 2 2 10 2 5,000 5,000
Oracle Cloud apps 2,000 2,000 2,000 2,000 -
Enterprise apps - - 500

(Only Oracle enterprise apps)

500 500
RADIUS proxy - - 50 50 -
Active Directory (AD) domains 2 10 20 20 -
Active domain bridges per AD domain 4 10 10 10 -
Provisioning bridges 4 10 10 10 -
Application Gateway - - 20 20 20
External Identity Providers and Social Login (IdPs)(Federation / inbound SSO) 5 5 30 30 30
IdP policies 5 50 100 100 100
Terms of use 500 500 500 500 500
Sign in policies 5 50 200 200 200
Self-registration profiles - 50 50 50 50
Dynamic groups 50 50 50 50 -
API key per user 3 3 3 3 -
Auth token per user 2 2 2 2 -
OAuth2 client credentials per user 10 10 10 10 -
SMTP credentials 2 2 2 2 -
Customer secret key per user 2 2 2 2 -
DB credentials per user 2 2 2 2 -
OAuth Client Certificate 20 200 200 20,000 20,000
OAuth Partner Certificates 20 20 100 100 100
Trusted Partner Certificates 20 20 100 100 100

1 Non Oracle or third-party apps are defined as either commercial applications offered by a provider other than Oracle or as custom-developed applications (including, for example, applications built on OCI using APEX). Note that custom applications built using Visual Builder Cloud Service do not count against the limit on external apps.

2 The limits for the number of non Oracle or third-party apps for the domain types Oracle Apps and Oracle Apps Premium are temporarily not enforced. They will be enforced in future.

Data Types for Custom Attributes

See the supported data types for custom attributes and their limits. These apply to all identity domain types.

Data Type Limit
4K char String Indexed (searchable) 84
40 char String Indexed (searchable) 5
4K char String Unindexed 36
40 char String Unindexed 15
Integer 20

API Rate Limits

Understand the rate limiting for APIs for different identity domain types.

Oracle APIs are subject to rate limiting to protect the API service usage for all Oracle's customers. If you reach the API limit for the identity domain type, then IAM returns a 429 error code.

Rate Limits for all Identity Domain Types

API Group Per Free Oracle Apps Oracle Apps Premium Premium External User
AuthN second 10 50 80 95 90
AuthN minute 150 1000 2100 4500 3100
Token Mgmt second 10 40 50 65 60
Token Mgmt minute 150 1000 1700 3400 2300
Others second 20 50 55 90 80
Others minute 150 1500 1750 5000 4000
Bulk second 5 5 5 5 5
Bulk minute 200 200 200 200 200
Import and export day 4 8 10 10 10

APIs in API Groups

API limits apply to the total of all APIs within a group.

Authentication
  • /sso/v1/user/login
  • /sso/v1/user/secure/login
  • /sso/v1/user/logout
  • /sso/v1/sdk/authenticate
  • /sso/v1/sdk/session
  • /sso/v1/sdk/idp
  • /sso/v1/sdk/secure/session
  • /mfa/v1/requests
  • /mfa/v1/users/{userguid}/factors
  • /oauth2/v1/authorize
  • /oauth2/v1/userlogout
  • /oauth2/v1/consent
  • /fed/v1/user/request/login
  • /fed/v1/sp/sso
  • /fed/v1/idp/sso
  • /fed/v1/idp/usernametoken
  • /fed/v1/metadata
  • /fed/v1/mex
  • /fed/v1/sp/slo
  • /fed/v1/sp/initiatesso
  • /fed/v1/sp/ssomtls
  • /fed/v1/idp/slo
  • /fed/v1/idp/initiatesso
  • /fed/v1/idp/wsfed
  • /fed/v1/idp/wsfedsignoutreturn
  • /fed/v1/user/response/login
  • /fed/v1/user/request/logout
  • /fed/v1/user/response/logout
  • /fed/v1/user/testspstart
  • /fed/v1/user/testspresult
  • /admin/v1/SigningCert/jwk
  • /admin/v1/HTTPAuthenticator
  • /admin/v1/PasswordAuthenticator
  • /admin/v1/Asserter
  • /admin/v1/MyAuthenticationFactorInitiator
  • /admin/v1/MyAuthenticationFactorEnroller
  • /admin/v1/MyAuthenticationFactorValidator
  • /admin/v1/MyAuthenticationFactorsRemover
  • /admin/v1/TermsOfUseConsent
  • /admin/v1/MyTermsOfUseConsent
  • /admin/v1/TrustedUserAgents
  • /admin/v1/AuthenticationFactorInitiator
  • /admin/v1/AuthenticationFactorEnroller
  • /admin/v1/AuthenticationFactorValidator
  • /admin/v1/MePasswordResetter
  • /admin/v1/UserPasswordChanger
  • /admin/v1/UserLockedStateChanger
  • /admin/v1/AuthenticationFactorsRemover
  • /admin/v1/BypassCodes
  • /admin/v1/MyBypassCodes
  • /admin/v1/MyTrustedUserAgents
  • /admin/v1/Devices
  • /admin/v1/MyDevices
  • /admin/v1/TermsOfUses
  • /admin/v1/TermsOfUseStatements
  • /admin/v1/AuthenticationFactorSettings
  • /admin/v1/SsoSettings
  • /admin/v1/AdaptiveAccessSettings
  • /admin/v1/RiskProviderProfiles
  • /admin/v1/Threats
  • /admin/v1/UserDevices
  • /session/v1/SessionsLogoutValidator
  • /ui/v1/signin
Tokens
  • /oauth2/v1/token
  • /oauth2/v1/introspect
  • /oauth2/v1/revoke
  • /oauth2/v1/device
Import/Export
  • /job/v1/JobSchedules?jobType=UserImport
  • /job/v1/JobSchedules?jobType=UserExport
  • /job/v1/JobSchedules?jobType=GroupImport
  • /job/v1/JobSchedules?jobType=GroupExport
  • /job/v1/JobSchedules?jobType=AppRoleImport
  • /job/v1/JobSchedules?jobType=AppRoleExport
Bulk
  • /admin/v1/Bulk
  • /admin/v1/BulkUserPasswordChanger
  • /admin/v1/BulkUserPasswordResetter
  • /admin/v1/BulkSourceEvents
Other

Any API not in one of the other API Groups is included in the Other API Group

Other Restrictions

These restrictions are for Bulk, Import, and Export for all tiers:

  • Payload size: 1 MB
  • Bulk API: 50 operations limit per call
  • Only one of these can be run at a time:
    • Import: For Users, Groups & App Role Memberships
    • Full sync from apps
    • Bulk APIs
    • Export: For Users, Groups & App Role Memberships
  • CSV Import: 100 K rows limit per CSV & Max file size: 10 MB
  • CSV Export: 100 K rows limit

Meters for Identity Domain Types

Understand the meters used for different identity domain types.

Free and Oracle Apps identity domain types do not use meters.

Oracle Apps Premium, Premium, and External User identity domain types use these meters:

  • Users per Month: The number of active and inactive users in the system, reported per hour. These meters are aggregated at the end of the billing cycle.

  • SMS: The number of SMS messages sent from the system, reported every hour. These meters are aggregated at the end of the billing cycle.

  • Tokens: The number of tokens issued by the system, reported every hour.

  • Replicated Users per Month: If you configure replication to more regions, this meter applies to the number of active and inactive users in each replicated region, reported per hour. These meters are aggregated at the end of the billing cycle.

After you have provisioned your service, Oracle Cloud Infrastructure has tools to help you analyze and understand the costs associated with your account. See Checking Your Expenses and Usage.

Changing your Identity Domain Type

When you change the identity domain type, IAM validates the change you are making.
  1. You cannot change the default domain to External User identity domain type.
  2. Your subscription type controls the number of identity domains of each type. If the change would exceed the number of identity domains of that type for your subscription type, you cannot change to the new identity domain type. See IAM With Identity Domains Limits.
  3. If the number of objects of any type in your identity domain is higher than is allowed in the target identity domain type, you cannot change to the new identity domain type. See IAM Identity Domain Object Limits.
  4. The features available in your current identity domain type are checked. See Feature Availability for Identity Domain Types. A warning message appears reminding you to exercise caution when changing from one identity domain type to another. You can proceed after the warning message, but some of your existing features might no longer work.
  5. You cannot change a Free, Premium, or External User identity domain to an Oracle Apps identity domain.