Saturday, 31 January 2026

OIC instance in OCI

OCI vs OIC – Know the Difference in Oracle Cloud

When you're exploring Oracle Cloud, two terms that sound similar, but do very different jobs, are:

🔹 OCI – Oracle Cloud Infrastructure
🔹 OIC – Oracle Integration Cloud

Here’s a quick breakdown to clear the confusion 👇

🔷 What is OCI? (Oracle Cloud Infrastructure)

OCI is Oracle’s core cloud platform, a suite of Infrastructure-as-a-Service (IaaS) offerings. It provides the foundation to build and run any application with services like:

🖥️ Compute (VMs, bare metal)
💾 Storage (block, object)
🌐 Networking (VCN, Load Balancer)
🔐 Identity & Access (IAM, Vault)

🧠 Think of OCI as the “ground floor” where cloud apps and services are built and hosted.

🔷 What is OIC? (Oracle Integration Cloud)

OIC is a Platform-as-a-Service (PaaS) built on top of OCI. It’s designed to help you:

🔗 Connect Oracle and third-party apps (like ERP, HCM, Salesforce, etc.)
🔁 Automate business workflows
⚙️ Expose and consume REST/SOAP APIs
👨‍💻 Build integrations with low-code tools

🧠 Think of OIC as the “connector layer” that moves data between systems.

📌 Key Differences:

👉 Type
  • OCI – IaaS (Infrastructure)
  • OIC – PaaS (Integration Platform)

👉 Purpose
  • OCI – Host applications, storage, security
  • OIC – Connect apps and automate processes

👉 Used By
  • OCI – Cloud/Infra Engineers, DevOps
  • OIC – Integration Developers, Architects

👉 Example Use
  • OCI – Launch a virtual machine
  • OIC – Integrate Oracle ERP with Salesforce

👉 Relationship
  • OCI – Base platform
  • OIC – Runs on top of OCI

🚀 In short: OCI is the engine room of Oracle Cloud. OIC is one of the many tools that run on OCI, designed to simplify integration.

Back End

Front End

SAML in OCI

First, set the roles clearly (very important)

  • Nizam → Apple employee

  • Azure AD (or on-prem AD + ADFS/Okta) → Identity Provider (IdP)

  • OCI Identity Domain → Service Provider (SP)

  • OCI Console → What Nizam wants to access

👉 OCI does NOT authenticate users directly in this setup.
👉 OCI trusts Apple’s Identity system via SAML.


Why SAML is needed (big picture)

Enterprises never want separate passwords for each cloud.

So:

  • User identity = Enterprise control (AD / Azure AD / Okta)

  • Cloud access = Federated using SAML

  • Result = Single Sign-On (SSO)

That’s why the note on your diagram is correct:

99% of customers map cloud authentication to on-prem AD / Okta


Now the STEP-BY-STEP FLOW (mapped to your numbers)


🔹 STEP 1: Nizam tries to access OCI Console

📌 (Your arrow #1)

👉 At this point:

  • OCI sees: This domain uses SAML

  • OCI knows: I am NOT responsible for password validation


🔹 STEP 2: OCI redirects Nizam to Apple Identity Provider

📌 (Your arrow #2)

OCI sends a SAML Authentication Request to Azure AD.

This request says:

“Hey Azure AD, Someone named nizam@apple.com wants to log in. Please authenticate him and tell me who he is.”

🔁 Browser is redirected to:

  • Azure AD login page (or ADFS / Okta)

👉 OCI console is now waiting


🔹 STEP 3: Azure AD validates Nizam (real authentication)

📌 (Inside Apple on-prem / Azure AD box)

Now real security checks happen:

  • Password verification

  • MFA (OTP / Authenticator / SMS)

  • Conditional access

  • Device trust

  • Location rules

If ❌ fails → OCI never sees Nizam
If ✅ success → Azure AD proceeds


🔹 STEP 4: Azure AD sends SAML Response back to OCI

📌 (Your arrow #3)

Azure AD creates a SAML Assertion (signed XML).

It contains:

  • ✔ User identity: nizam@apple.com

  • ✔ Group membership (e.g. OCI-Admins)

  • ✔ Tenant / domain info

  • ✔ Timestamp & signature

This message says:

“OCI, I confirm Nizam is authenticated. Here are his attributes and groups. You can trust this.”

👉 Browser auto-posts this back to OCI.


🔹 STEP 5: OCI validates trust (critical step)

OCI does NOT blindly accept the response.

OCI checks:

  • Signature is valid?

  • Certificate matches Azure AD?

  • Assertion not expired?

  • User exists in OCI Identity Domain?

  • Group mapping exists?

If ❌ → Access denied
If ✅ → Login allowed


🔹 STEP 6: OCI maps Nizam to OCI Groups & Policies

Example mapping:

Azure AD Group → OCI Group
--------------------------------
OCI-Admins → OCI_Admins
OCI-ReadOnly → OCI_ReadOnly

OCI Policies:

Allow group OCI_Admins to manage all-resources in tenancy

👉 This defines what Nizam can do, not Azure AD.


🔹 STEP 7: Nizam gets OCI Console access 🎉

  • OCI session is created

  • Token/cookie issued

  • OCI Console loads

Now Nizam can:

  • View compartments

  • Manage compute, DB, network

  • According to OCI IAM policies


Important clarification (common confusion)

❌ Nizam does NOT log in to OCI directly
❌ OCI does NOT store his password

✔ OCI outsources authentication
✔ OCI keeps authorization


One-line summary (interview perfect answer)

OCI acts as a Service Provider, Azure AD acts as an Identity Provider, and SAML is used to federate authentication so that enterprise users can securely access OCI using their corporate credentials without managing passwords in OCI.
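The Step 5 trust checks and the Step 6 group mapping from the flow above, as an added example that is not part of the original post. It runs the non-cryptographic checks over a constructed assertion; issuer, audience, certificate and user names are placeholders, and the XML signature itself is assumed to have been verified by a SAML library before these checks run.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion: issuer, audience, certificate and user are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-AZUREAD-SIGNING-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>nizam@apple.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-01-31T09:59:00Z" NotOnOrAfter="2026-01-31T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://idcs-EXAMPLE.identity.oraclecloud.com/fed</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>OCI-Admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

# Step 6 mapping from the post: IdP group -> OCI group.
GROUP_MAP = {"OCI-Admins": "OCI_Admins", "OCI-ReadOnly": "OCI_ReadOnly"}

def _ts(s):
    """Parse the UTC timestamps SAML uses, e.g. 2026-01-31T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate(xml_text, expected_issuer, expected_audience, pinned_cert, now_iso, known_users):
    """Step 5 checks; returns (allowed, reason, oci_groups). One failed check = access denied."""
    a = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", []
    # Certificate pinning only; the XML-DSig signature must be verified by a SAML library.
    cert = a.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or cert.strip() != pinned_cert:
        return False, "certificate does not match registered IdP certificate", []
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", []
    if expected_audience not in [e.text for e in cond.findall(".//saml:Audience", NS)]:
        return False, "audience mismatch", []
    user = a.findtext(".//saml:NameID", namespaces=NS)
    if user not in known_users:
        return False, "user not found in OCI identity domain", []
    idp_groups = [v.text for v in a.findall(".//saml:AttributeValue", NS)]
    oci_groups = [GROUP_MAP[g] for g in idp_groups if g in GROUP_MAP]
    if not oci_groups:
        return False, "no group mapping", []
    return True, "ok", oci_groups
```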

Create Bucket and IAM policy in OCI

The Oracle Cloud Infrastructure policy specifies who has access to which resources in OCI. Policies simply allow a group to manage certain types of resources in a specific compartment in certain ways.

Policy basic Syntax:

Allow group <group_name> | <group_ocid> to <verb> <resource-type> in compartment <compartment_name>

Allow group <group_name> | <group_ocid> to <verb> <resource-type> in tenancy

Verbs:

inspect: Resource listing without access to confidential information or user-specified metadata.
read: It includes inspect as well as the ability to get user-specified metadata as well as the resource itself.
use: Includes reading and working with existing resources. Includes updating the resource, except for resource types where “update” has the same effect as “create”. In general, this verb doesn’t include the ability to create or delete.
manage: Includes all permissions associated with the resource.

Resource types:

all-resources: All Oracle Cloud Infrastructure resource-types
compute-management-family: Compute
database-family: Autonomous Database, Bare Metal and Virtual Machine DB Systems
virtual-network-family: Networking


Admin:-

Sankar is in the STORAGE-ADMIN group

Storage Policy:- 

Edit Policy Statements:

allow group STORAGE-ADMIN to manage buckets in compartment test-dev-cmp
allow group STORAGE-ADMIN to manage instance-family in compartment test-dev-cmp where request.permission != 'INSTANCE_DELETE'
allow group STORAGE-ADMIN to use virtual-network-family in compartment test-dev-cmp
allow group STORAGE-ADMIN to use subnets in compartment test-dev-cmp

Sankar:-

Admin:-

allow group STORAGE-ADMIN to manage users in compartment test-dev-cmp


Note:- Will Sankar be able to see the users or not?

In order to have users, groups and domains, they must be added at the root (tenancy) level.

So the policy that grants access to them should also be at the root level.

The users are in the Default Domain at the root, while Sankar's policy is scoped to a compartment. That's why Sankar is not able to see users.


Admin:-

Creating Group -  IAM-Group

Creating Policy - IAM-Policy

Adding Sankar into group 

Sankar - still facing issue because of IAM policy 

Admin:- Manage Vs Read

Sankar:- Now Sankar is able to see the users after the policy was added

Policy :-

Domain-Default Domain - User - Policy in OCI

Scenario :-

In the Domain we are going to create users and a group

Users are created 


Now we need to create IAM policy for Amit and Sankar


Amit is the Linux admin


Now Create group - VM-ADMIN

Create Policy

allow group VM-ADMIN to manage instance-family in tenancy

VM-ADMIN-POLICY at ROOT level 

Amit logged in to OCI console

Amit is not able to see anything 

We created a group and wrote a policy, but we didn't add Amit to the group.

The policy doesn't work until and unless the user is added to the group.


Admin user :- Task

Adding Amit user into VM-ADMIN group

Now Amit's Task -

Note:- Amit won't be able to create any VM because he doesn't have any Networking access yet.


Administrator is going to Create Instance 

Now Amit is able to see the virtual machine VM-1

But Amit is not able to see Users and Groups, because Amit is not an IAM admin

We wrote instance-family.

VIMP:- below statement

instance-family is very important in order to give Virtual Machine Admin access

So Amit can see VMs created in any compartment, because the admin wrote the policy at the root (tenancy) level.

===========2nd Scenario=====================================

 Sankar :- 

We will write a policy only for the TEST compartment, and he will only be able to see buckets.


When you are creating Policy , there are only two steps 

Step 1) Create Group

Step 2) Create the policy 

Policy :-

By default Policy = Tenant Admin Policy 


ALLOW GROUP Administrators to manage all-resources IN TENANCY 

all-resources means you have access to every resource type in OCI.

allow group VM-ADMIN to manage users in tenancy

allow group VM-ADMIN to manage groups in tenancy 


Note: Amit is not able to see the policy because admin didn't give 

Note: Amit is able to see the users because of below statements


allow group VM-ADMIN to manage users in tenancy

allow group VM-ADMIN to manage groups in tenancy 

Creating another Policy for Sankar user:-

allow group STORAGE-ADMIN to manage buckets in compartment test-dev-cmp


Let's create Bucket 

Now Sankar will check .. 

issue

Sankar doesn't have access, so a policy needs to be added.

Go to the policy

Before

Now Sankar screen:-

Sankar can start and stop the instance

Admin :- changing the policy statement for Sankar

changed from Manage to Read 

Now, after changing the policy, Sankar is not able to stop the instance.

allow group STORAGE-ADMIN to inspect instance-family in compartment test-dev-cmp


Sankar screen

Note:- Sankar won't be able to see the shape of the machine, as we updated the policy to inspect.

Sankar is only able to see the IP address but not the name of the VM instance.

Admin-

use - it will be only getting information 


Sankar -

Admin:-

Storage level - STORAGE_ADMIN

Sankar:- is not able to delete the VM 
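The verb hierarchy from the policy syntax section (inspect < read < use < manage) and the manage → read → inspect scenario for Sankar above, as an added example that is not from the original post: a small evaluator that parses the policy statements used on this page, applies the where clause and the verb ranking, and answers whether a request is allowed. The permission-to-verb table is a constructed subset for instances and buckets, and sub-compartment inheritance is not modelled.

```python
import re

# OCI verb hierarchy from the post: each verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Minimum verb per permission. A small constructed subset; the full
# verb-to-permission tables live in the OCI IAM policy reference.
PERMISSION_VERB = {
    "INSTANCE_INSPECT": "inspect", "INSTANCE_READ": "read",
    "INSTANCE_POWER_ACTIONS": "use",      # start / stop
    "INSTANCE_CREATE": "manage", "INSTANCE_DELETE": "manage",
    "BUCKET_INSPECT": "inspect", "BUCKET_CREATE": "manage",
}

# Grammar used on this page: allow group G to VERB RESOURCE in compartment C | in tenancy,
# with an optional "where request.permission != 'PERM'" condition.
STMT = re.compile(
    r"allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))"
    r"(?:\s+where\s+request\.permission\s*!=\s*'(?P<denied>\w+)')?\s*$", re.I)

def parse(statement):
    """Split one policy statement into its parts (keywords are case-insensitive)."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError("unsupported statement: " + statement)
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts

def is_allowed(policy_lines, user_groups, permission, resource, compartment):
    """True if some statement grants `permission` on `resource` in `compartment`
    to a member of `user_groups`. Sub-compartment inheritance is ignored here."""
    need = VERB_RANK[PERMISSION_VERB[permission]]
    groups = {g.lower() for g in user_groups}
    for s in map(parse, policy_lines):
        if s["group"].lower() not in groups:
            continue   # user is not in the group: the policy has no effect
        if s["resource"].lower() not in (resource.lower(), "all-resources"):
            continue   # different resource family (e.g. buckets vs instance-family)
        if s["tenancy"] is None and s["compartment"].lower() != compartment.lower():
            continue   # scoped to another compartment
        if s["denied"] and s["denied"].upper() == permission:
            continue   # carved out by the where clause
        if VERB_RANK[s["verb"]] >= need:
            return True
    return False
```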