People who need access

Authentication method:

Login sessions

To access the user interface of an Oracle Integration instance or the Oracle Cloud Infrastructure Console, people must sign in. To sign in, a user must be a member of an identity domain. The identity domain authenticates the user.

To learn more, see Managing Identity Domains in the Oracle Cloud Infrastructure documentation.

Authorization method:

Service roles within the Oracle Integration application

Service roles govern access to actions within an Oracle Integration instance, including actions that you perform using the Oracle Integration built-in APIs and customer-built APIs.

See Oracle Integration Roles and Privileges in Provisioning and Administering Oracle Integration 3.

Choose an identity and access management tool

Oracle Cloud Infrastructure Identity and Access Management, or Oracle Cloud Infrastructure IAM, is an identity and access management tool in which you create Oracle Integration users, groups, and policies.

Alternatively, you can use SAML 2.0 federation to federate Oracle Cloud Infrastructure IAM with an identity system that your organization already uses. When you federate an identity system with Oracle Cloud Infrastructure IAM, you delegate the responsibility of managing access for Oracle Integration to the other identity system.

If your organization already uses an identity system, federating offers many benefits. You don't need to create new accounts for Oracle Integration users, and users don't need to remember yet another user name and password.

If your organization doesn't use Oracle Cloud Infrastructure IAM as its identity system, federate Oracle Cloud Infrastructure IAM with your organization's identity system

Use SAML 2.0 federation to federate Oracle Cloud Infrastructure IAM with your organization's existing identity and access management system

See Federating with Identity Providers in the Oracle Cloud Infrastructure documentation.

Configure access

• If your tenancy uses identity domains, see Workflow for Access in an Identity Domain in Provisioning and Administering Oracle Integration 3.

• If your tenancy doesn't use identity domains, see Workflow for Access Without an Identity Domain in Provisioning and Administering Oracle Integration 3.

Add an additional layer of security by enabling multifactor authentication (MFA)

When to enable MFA

Oracle recommends enabling MFA only for users that access the Oracle Integration user interface.

When not to enable MFA

Do not enable MFA for user accounts that access REST APIs, including the Oracle Integration built-in APIs and the customer-built APIs.

An MFA configuration restricts the authentication methods for invoking the APIs. For example, an MFA-enabled user typically cannot authenticate using basic auth. Additionally, when authenticating using an OAuth 2.0 token, the user account must use specific grants, such as the User Assertion grant or the Authorization Code grant, and not the Resource Owner Password Credentials grant.

How to enable MFA

• Write a policy that enables multifactor authentication (MFA) and assign it to the appropriate user groups. Do not modify the default sign-on policy. Instead, create a new sign-on policy. If you modify the default sign-on policy, you won't be able to invoke customer-built APIs using your REST clients.

  If you use Oracle Cloud Infrastructure IAM as your identity system, see Managing Multifactor Authentication in the Oracle Cloud Infrastructure documentation.