Simplifying OCI Login with the Right Identity Domain

April 22, 2024 | 3 minute read
Ramesh Balajepalli
Master Cloud Architect

Introduction

Many organizations connect their Identity Providers (IDPs) with multiple Identity Domains inside Oracle Cloud Infrastructure (OCI) to authenticate users to various applications. Using a separate Identity Domain for each application offers flexibility and allows administrators to manage and delegate permissions easily.

While this separation is beneficial, users of a tenancy with multiple Identity Domains sometimes struggle to remember or identify the correct domain when logging in to OCI. This leads to frustration and wasted time in the login process.

In this blog post, we'll explore methods OCI administrators can implement to streamline the login process, ensuring seamless access to OCI resources for their end users.

Solutions for Streamlined Login

Option 1 – IDP-Initiated Single Sign-On (SSO)

This method leverages your organization's existing IDP to initiate the login flow. Users access OCI through a familiar portal within the IDP, eliminating the need to choose an Identity Domain on the OCI login page. This option provides a seamless experience to users but might not be supported by all IDPs.

Example - In Entra ID, under My Account, click on My Apps and click on your organization's Oracle SSO application. It opens a new tab and takes you to OCI Console.

Entra ID Apps Dashboard

Option 2 – Bookmarking with Query String

This approach allows users to save a customized login URL as a bookmark. The URL includes query strings specifying the tenant’s name and domain name associated with the user login. This approach is simple and user-friendly for individual users but requires URL manipulation and may not be ideal for large-scale deployment.

Example URL: https://cloud.oracle.com/?tenant=<tenant_name>&domain=<domain_name>
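The following helper, added here as an example and not part of the original post, builds the bookmark URL described above with proper percent-encoding and, more usefully, checks a saved bookmark before it is distributed: it confirms the link really points at cloud.oracle.com over HTTPS (a bookmark that lands on a lookalike host would hand credentials to the wrong site) and carries exactly one tenant and one domain value. The tenant and domain names used in the usage section are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# OCI Console host, taken from the example URL in the post.
CONSOLE_HOST = "cloud.oracle.com"


def build_login_url(tenant: str, domain: str) -> str:
    """Return the bookmarkable OCI Console login URL for a tenant/domain pair.

    Query values are percent-encoded so domain names containing spaces or
    reserved characters do not break the URL.
    """
    tenant, domain = tenant.strip(), domain.strip()
    if not tenant or not domain:
        raise ValueError("tenant and domain must both be non-empty")
    return f"https://{CONSOLE_HOST}/?" + urlencode({"tenant": tenant, "domain": domain})


def parse_login_url(url: str) -> dict:
    """Validate a saved bookmark and return its tenant and domain.

    Raises ValueError when the link does not use HTTPS, does not point at the
    real console host (urlsplit().hostname ignores any user@ prefix and
    lowercases, so "cloud.oracle.com@other.example" or
    "cloud.oracle.com.other.example" are both rejected), or does not carry
    exactly one tenant and one domain parameter.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("bookmark must use https")
    if parts.hostname != CONSOLE_HOST:
        raise ValueError(f"unexpected host {parts.hostname!r}")
    query = parse_qs(parts.query)
    tenants = query.get("tenant", [])
    domains = query.get("domain", [])
    if len(tenants) != 1 or len(domains) != 1:
        raise ValueError("bookmark must carry exactly one tenant and one domain")
    return {"tenant": tenants[0], "domain": domains[0]}


if __name__ == "__main__":
    # Constructed sample values; substitute your own tenant and domain names.
    link = build_login_url("acme-corp", "Finance Domain")
    print(link)
    print(parse_login_url(link))
</test>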

OCI Login Screen

Add-On options - IDP Rules Based on User Claims

In both options discussed above, users are redirected to the Identity Domain login screen, where they must either enter their credentials or click the SSO button to be redirected to their preferred IDP. This step can be automated with OCI IAM IDP Policies.

OCI IAM IDP Policies allow you to define rules within the Identity Domain that automatically select the appropriate IDP based on user attributes (claims) retrieved during authentication. For example, a rule could direct users whose email address belongs to a specific domain to a designated IDP, or send every user signing in to a specific Identity Domain to one IDP for authentication.
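To make the rule evaluation concrete, here is a small simulation added to this post; it is not OCI's policy engine and does not use any OCI API. It models the two rule types named above (match on the user's email domain, or match every user of a given Identity Domain), evaluates rules in order with first match winning, and falls back to local login when nothing matches. The email check compares the full domain rather than a suffix, so an address such as user@example.com.other.example is not routed to the IDP meant for example.com. Rule names, IDP names and user values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Claims:
    """Attributes known about the user at login time (constructed model)."""
    username: str          # sign-in name, typically the email address
    identity_domain: str   # the Identity Domain the user is signing in to


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Claims], bool]
    idp: str               # IDP to redirect to when the rule matches


def email_domain_is(domain: str) -> Callable[[Claims], bool]:
    """Match users whose email domain equals `domain` exactly (case-insensitive).

    Exact comparison, not endswith(): a suffix check would also accept
    "alice@example.com.other.example" for the "example.com" rule.
    """
    wanted = domain.lower()

    def _match(c: Claims) -> bool:
        _, at, found = c.username.rpartition("@")
        return bool(at) and found.lower() == wanted

    return _match


def identity_domain_is(name: str) -> Callable[[Claims], bool]:
    """Match every user signing in to the named Identity Domain."""
    return lambda c: c.identity_domain.lower() == name.lower()


def select_idp(rules: List[Rule], claims: Claims, default: str = "local") -> str:
    """Return the IDP for the first matching rule, or `default` (local login)."""
    for rule in rules:
        if rule.matches(claims):
            return rule.idp
    return default


# Constructed example rule set: order matters, first match wins.
EXAMPLE_RULES = [
    Rule("corporate users", email_domain_is("example.com"), "entra-corporate"),
    Rule("partner domain", identity_domain_is("partners"), "okta-partners"),
]


if __name__ == "__main__":
    for user in (
        Claims("alice@example.com", "finance"),
        Claims("bob@partnerco.example", "Partners"),
        Claims("mallory@example.com.other.example", "finance"),
    ):
        print(user.username, "->", select_idp(EXAMPLE_RULES, user))
```

Ordering is the design choice worth noting: because the first matching rule wins, a broad "everyone in this Identity Domain" rule placed before a narrower email-domain rule would silently shadow it, so place specific rules first.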

The options above (IDP-initiated and URL-redirected login), combined with IDP rules, offer a centralized and automated way to route users to the right IDP.

For detailed instructions on setting up IDP rules, refer to this blog post: Using OCI Identity provider policy to automatically set an identity provider based on username attribute.

In addition, customers can optionally hide an Identity Domain from the login dropdown by disabling the domain selector option under Edit Domain (Identity -> Domains -> your_domain_name -> Edit domain). This hides the Identity Domain from the dropdown list on the tenancy login screen. Note that the Default Identity Domain cannot be hidden this way.

OCI Identity Domain

Conclusion

These methods provide organizations with options to streamline the OCI login process. Choosing the most suitable approach depends on your specific needs and user base. By implementing one or a combination of these approaches, you can ensure your users access OCI resources efficiently.

Ramesh Balajepalli is a Cloud Architect at OCI. He works with customers to design secured, scalable, and well-architected solutions on Oracle Cloud Infrastructure. He is passionate about solving complex business problems with the ever-growing capabilities of technology.
