DEV Community

Fadi Allafi

Managing Identity in OCI: User Provisioning and Application Authentication with Oracle IAM

In this post, I will discuss Oracle Identity and Access Management (IAM) in Oracle Cloud Infrastructure. The focus will be on the different approaches for provisioning users within IAM and how IAM can be used to authenticate applications deployed both on-premises and in the cloud.

First, let us review the available options for provisioning users in IAM and synchronizing users between IAM and an identity provider (IdP).

User provisioning in IAM:

IAM supports multiple methods for user provisioning, including:

  • Manual Creation:
    Use the OCI Console to create users one at a time.

  • Bulk Import:
    Import a properly formatted CSV file containing user details (First
    Name, Last Name, Email, Username) directly through the OCI Console.

  • Just-In-Time Provisioning:
    A user account is created automatically at the moment the user logs
    in, based on the information sent by the federated identity provider
    (IdP). It works during authentication, not before.
    JIT-provisioned users cannot receive attribute updates or be
    automatically de-provisioned, because JIT only runs during login.
    For lifecycle updates, SCIM is needed.

  • Self-Registration:
    Self-registration in OCI allows external users to create their
    own accounts and access applications without needing help from an
    administrator.
    It uses profiles to control the registration process, such
    as defining the form fields, restricting allowed email domains, setting
    consent terms, and automatically assigning users to the appropriate
    groups.

  • System for Cross-Domain Identity Management (SCIM):
    SCIM is a standard protocol used to automate user and group provisioning
    across identity systems. SCIM allows external IdPs to automatically
    provision users into OCI IAM.

  • Active Directory Bridge:
    Active Directory Bridge is an Oracle software component used to
    synchronize and provision users from Microsoft Active Directory (AD) into
    OCI IAM.
    It acts as a connector between your on-premises AD and OCI IAM.

  • OCI Provisioning Bridge:
    Provisioning Bridge provides a secure connection between your on-premises
    applications (including directories such as Oracle Internet Directory,
    OpenLDAP, or Oracle E-Business Suite) and OCI IAM, enabling bidirectional
    synchronization of users and groups.
    After users are synchronized from the on-premises business application to
    IAM, you can also use the Provisioning Bridge to provision users back into
    the application.

(Figure: user provisioning methods)

The choice of user provisioning method in OCI IAM depends on the source of identities, the level of automation required, and the type of users (internal or external). While manual and bulk methods are suitable for small or initial setups, enterprise environments typically rely on automated solutions such as SCIM, Active Directory Bridge, or Provisioning Bridge to ensure consistent and scalable identity management.
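To make the JIT versus SCIM distinction above concrete, here is an added example (not code from the post or from Oracle) of the SCIM 2.0 requests an IdP-side connector would send to keep an OCI IAM identity domain in sync: creating new users, patching changed attributes, and deactivating users who left the source directory, which is exactly the lifecycle step JIT cannot perform. It assumes the identity domain's `/admin/v1/Users` SCIM endpoint and uses constructed sample records; no network call is made.

```python
# Added example, not the post's own code. Assumes the /admin/v1/Users SCIM
# endpoint of an OCI IAM identity domain and the constructed records below.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USERS_PATH = "/admin/v1/Users"

def to_scim_user(rec):
    """Map a source directory record to a SCIM 2.0 core User resource."""
    return {
        "schemas": [SCIM_USER],
        "userName": rec["username"],
        "name": {"givenName": rec["first"], "familyName": rec["last"]},
        "emails": [{"value": rec["email"], "type": "work", "primary": True}],
        "active": rec.get("active", True),
    }

def patch(uid, ops):
    return {"method": "PATCH", "path": f"{USERS_PATH}/{uid}",
            "body": {"schemas": [SCIM_PATCH], "Operations": ops}}

def reconcile(source, target):
    """Requests that make IAM (`target`: userName -> (id, user)) match the IdP
    (`source`): create new users, patch changed attributes, deactivate departed."""
    requests, seen = [], set()
    for rec in source:
        desired = to_scim_user(rec)
        seen.add(desired["userName"])
        if desired["userName"] not in target:
            requests.append({"method": "POST", "path": USERS_PATH, "body": desired})
            continue
        uid, current = target[desired["userName"]]
        ops = [{"op": "replace", "path": a, "value": desired[a]}
               for a in ("name", "emails", "active") if current.get(a) != desired[a]]
        if ops:
            requests.append(patch(uid, ops))
    # Departed users are deactivated, not deleted, so IAM keeps their history;
    # JIT provisioning never reaches this step because it only runs at login.
    for username, (uid, current) in target.items():
        if username not in seen and current.get("active", True):
            requests.append(patch(uid, [{"op": "replace", "path": "active", "value": False}]))
    return requests

# Constructed sample: the IdP has alice, bob (renamed) and dave; IAM still has carol.
SOURCE = [{"username": "alice", "first": "Alice", "last": "Smith", "email": "alice@example.com"},
          {"username": "bob", "first": "Bob", "last": "Jones", "email": "bob@example.com"},
          {"username": "dave", "first": "Dave", "last": "Lee", "email": "dave@example.com"}]
TARGET = {"alice": ("u1", to_scim_user(SOURCE[0])),
          "bob": ("u2", to_scim_user({**SOURCE[1], "last": "Jonas"})),
          "carol": ("u3", to_scim_user({"username": "carol", "first": "Carol",
                                        "last": "King", "email": "carol@example.com"}))}
```

Calling `reconcile(SOURCE, TARGET)` yields one PATCH for bob's name, one POST for dave, and one PATCH that sets carol's `active` to false; running it again against a target built from `SOURCE` yields nothing, which is the idempotence a scheduled sync job relies on.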

The diagram below summarizes common scenarios and the corresponding recommended methods.

Application Authentication Using IAM:

After reviewing the available methods for provisioning users in IAM, an important question arises: how can IAM be used to authenticate access to enterprise applications, not just to the Oracle OCI console? This raises the need to understand the mechanisms and services provided to enable application authentication using IAM.

You can use IAM to authenticate access to applications on premises and in the cloud using different methods (for example SAML, OpenID Connect, or OAuth 2.0).

For applications that do not natively support modern authentication protocols like SAML or OpenID Connect, Oracle offers App Gateway.

App Gateway:

App Gateway is a software appliance used to integrate web applications
(on premises or cloud-hosted) with OCI IAM for authentication.
It acts as a reverse proxy that protects the applications by enforcing
login through OCI IAM.
Its role is to:

  • Intercept user requests to the application.
  • Redirect the user to OCI IAM for authentication.
  • Validate the identity token.
  • Forward the authenticated request to the backend application.

You can also use App Gateway to expose intranet web applications to
internet access.

For example, if you have a web application that is hosted and accessed over an intranet and you want to expose access to this application over the internet, use App Gateway to proxy any internet request and to require users to authenticate with IAM before accessing the intranet web application.
In this case, you deploy App Gateway in the network DMZ while the application remains in the intranet zone.

For organizations running Oracle E-Business Suite (EBS) on premises that need Single Sign-On (SSO) and modern security features such as Multi-Factor Authentication (MFA), without deploying on-premises SSO components like OAM or OID, Oracle provides the EBS Asserter as a simplified solution.

EBS Asserter:

The OCI IAM E-Business Suite Asserter is a lightweight Java application.
It helps businesses simplify the deployment topology for Oracle
E-Business Suite single sign-on (SSO) by replacing Oracle Access Manager
and Oracle Internet Directory.

You can use the E-Business Suite Asserter when you want to:

  • Have your Oracle E-Business Suite working in SSO with other applications.
  • Enhance security of access to your Oracle E-Business Suite by enabling OCI
    IAM security features such as multi-factor authentication, sign-on
    policies, account recovery, and adaptive security.

The OCI IAM E-Business Suite Asserter is deployed to a separate Oracle
WebLogic Server instance. The E-Business Suite Asserter interacts with
OCI IAM through OCI IAM REST API and redirects the user's web browser to
OCI IAM and to Oracle E-Business Suite.

In addition to using the EBS Asserter, you can also leverage the
Provisioning Bridge to synchronize user accounts from E-Business Suite to
OCI IAM, ensuring that user identities remain consistent between the EBS
instance and OCI IAM.

Moreover, Oracle provides a set of prebuilt application templates through the Application Catalog, designed to simplify and accelerate the integration of external applications.
The Application Catalog is a collection of partially configured templates for widely used SaaS applications—such as AWS and Google Workspace—allowing organizations to quickly onboard and integrate these applications into OCI IAM with minimal configuration effort.

This helps streamline identity management and enables secure, centralized authentication across multiple platforms.

Summary
In this article, I demonstrated several approaches for integrating Oracle Cloud Infrastructure (OCI) IAM with on-premises Identity Providers (IdPs), along with methods to maintain synchronization between directories and provision users into OCI IAM effectively. These options help organizations extend their existing identity infrastructure to the cloud while enabling secure authentication, federation, and lifecycle automation.

I hope you found this overview helpful.