All posts · General

Oracle IDCS and OCI IAM: Identity Management for Oracle Cloud

Identity Cloud Service and OCI IAM control authentication and authorisation across all Oracle Cloud services. Here's what Oracle Cloud developers need to know.

Anurag Jangra · January 14, 2026 · 6 min read · ... views

IDCS vs OCI IAM

Oracle Identity Cloud Service (IDCS) is the identity provider for Oracle SaaS applications (Fusion Cloud, Oracle Cloud Applications). It manages Fusion Cloud users, groups, and application roles.

OCI IAM manages access to OCI infrastructure resources (compute, storage, networking) and PaaS services (OIC, VBCS, ATP).

In modern Oracle Cloud tenancies (post-2022), Oracle is merging these into a unified OCI IAM with Identity Domains — IDCS is becoming a domain within OCI IAM.

Key IDCS concepts for PaaS developers

Users: individual identities — both human users and application service accounts

Groups: collections of users mapped to application roles

Application roles: Fusion Cloud roles that grant access to modules (e.g. FIN_ACCOUNTS_PAYABLE_MANAGER_JOB)

OAuth clients: registered applications that use OAuth 2.0 to authenticate OIC integrations and VBCS service connections

Creating an OAuth client for OIC integrations

  1. IDCS Admin Console → Applications → Add Application → Confidential Application
  2. Configure client credentials: generate Client ID and Client Secret
  3. Assign token scopes that match the APIs your OIC integration will call
  4. In OIC: create a Security Credentials entry with the Client ID/Secret

Service accounts for integrations

For OIC integrations calling Fusion APIs, create a dedicated service account in IDCS:

  • Give it a strong, non-expiring password (or use OAuth)
  • Assign only the Fusion roles needed (principle of least privilege)
  • Document it — integration service accounts are often overlooked during offboarding

SAML and SSO configuration

VBCS apps can use IDCS as a SAML 2.0 identity provider, enabling SSO with corporate identity systems (Active Directory, Okta). Configure:

  1. In IDCS: add a SAML application for your identity provider (e.g. AD FS)
  2. Configure attribute mappings (email, first/last name, groups)
  3. VBCS picks up the authenticated user from the SAML assertion

Troubleshooting authentication issues

Most OIC 401 errors come from: expired credentials, wrong OAuth scope, or token URL mismatch between IDCS and OCI IAM domains. Always test OAuth flows with Postman before building the full OIC integration.

Think Beyond the Implementation

Questions worth sitting with after reading this

01

Why is this architecture appropriate for this specific context — and where would it be the wrong choice?

02

What assumptions did we make that aren't stated explicitly? What happens if those assumptions are wrong?

03

What would break first if the requirements changed — volume doubled, a third system was added, or the deadline halved?

04

What alternatives did we reject, and why? Was the decision made on evidence — or habit?

AJ
Anurag Jangra
Oracle Cloud PaaS Consultant · OIC & VBCS Specialist

4.5+ years delivering enterprise Oracle Cloud integrations and VBCS applications across manufacturing, IT services, and financial sectors. OCI Certified — writes about real-world OIC, VBCS, SQL, and BI Publisher patterns from production experience.

Chat on WhatsApp