IDCS vs OCI IAM
Oracle Identity Cloud Service (IDCS) is the identity provider for Oracle SaaS applications (Fusion Cloud, Oracle Cloud Applications). It manages Fusion Cloud users, groups, and application roles.
OCI IAM manages access to OCI infrastructure resources (compute, storage, networking) and PaaS services (OIC, VBCS, ATP).
In modern Oracle Cloud tenancies (post-2022), Oracle is merging these into a unified OCI IAM with Identity Domains — IDCS is becoming a domain within OCI IAM.
Key IDCS concepts for PaaS developers
Users: individual identities — both human users and application service accounts
Groups: collections of users mapped to application roles
Application roles: Fusion Cloud roles that grant access to modules (e.g. FIN_ACCOUNTS_PAYABLE_MANAGER_JOB)
OAuth clients: registered applications that use OAuth 2.0 to authenticate OIC integrations and VBCS service connections
Creating an OAuth client for OIC integrations
- IDCS Admin Console → Applications → Add Application → Confidential Application
- Configure client credentials: generate Client ID and Client Secret
- Assign token scopes that match the APIs your OIC integration will call
- In OIC: create a Security Credentials entry with the Client ID/Secret
Service accounts for integrations
For OIC integrations calling Fusion APIs, create a dedicated service account in IDCS:
- Give it a strong, non-expiring password (or use OAuth)
- Assign only the Fusion roles needed (principle of least privilege)
- Document it — integration service accounts are often overlooked during offboarding
SAML and SSO configuration
VBCS apps can use IDCS as a SAML 2.0 identity provider, enabling SSO with corporate identity systems (Active Directory, Okta). Configure:
- In IDCS: add a SAML application for your identity provider (e.g. AD FS)
- Configure attribute mappings (email, first/last name, groups)
- VBCS picks up the authenticated user from the SAML assertion
Troubleshooting authentication issues
Most OIC 401 errors come from: expired credentials, wrong OAuth scope, or token URL mismatch between IDCS and OCI IAM domains. Always test OAuth flows with Postman before building the full OIC integration.