1

I have a free tier Oracle account. I set it up by following the prompts, I've never had any Oracle Cloud training. I've used AWS for close on a decade, I figured I could work it out.

Yesterday Oracle Cloud helpfully sent me an email suggested I set up MFA, along with a link to their MFA documentation. That's a reasonable suggestion, I thought I'd give it a go.

I started at step one: "Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then MFA.". I opened the "Identity" area (see pic below), "Domains" doesn't seem to be anywhere in there.

Oracle Cloud Identity Panel

I searched around a few different websites, I tried a few different suggestions, but I found that the Oracle Console doesn't match any of the sites screenshots or procedures.

When I went into the Oracle Cloud identity console I could see two users. One is simply "me@mydomain.com", the other is "oracleidentitycloudservice/me@mydomain.com". It seems Oracle has created me a local user and federated user based on the same email address. I don't know why it's done that, I thought I set up one user. In AWS we have root users and IAM / SSO users, I imagine it's a similar type of setup.

Two users

On the Oracle Cloud login page I found a drop down section I could sign in as a local user ("Direct Sign In"). Once I worked that out I went into the identity section and set up MFA for the local user, no problem.

Oracle Cloud Sign In

I then signed in as the federated user, but following the same process there's no button to set up MFA. I imagine there's a policy somewhere that needs to be changed, but I can't work it out. Does anyone know how to do this?

enter image description here

This should really be simpler.

Update 16/7: The answer given, while helpful, does not work. Oracle have sent an email 14/7/2023 saying they are going to enforce MFA on local users, but their instructions on how to enable MFA do not work. Does anyone know how to enable MFA for Oracle or federated and ideally local users?

Tim
  • 31,888
  • 7
  • 52
  • 78

1 Answers1

2

First thing first, you should create a local (non-federated) admin before you change the 2FA settings, just in case.

Log in to Oracle cloud, and from the hamburger menu on the top-left, select "Identity & Security" -> "Federation". Select the provider with which you identify yourself. Most probably you'll see only "OracleIdentityCloudService", so click that. On the details page, click on the "Oracle Identity Cloud Service Console" link.

On the Identity Cloud Service page, select Security -> MFA from the hamburger menu on the top left, then you can select what second factor(s) you would like to configure. Note that the mobile app factors require the Oracle mobile authenticator to be installed. One would think that the "mobile app passcode" would use some standard TOTP, but of course it doesn't. Don't forget to press "Save" when you are done. In the Security -> Factors menu you can customize your second/factor authentication methods.

When you are done, select "Sign-On policies" from the menu. Most probably there is only one policy, named "Default Sign-On Policy", so click that one. If there are more, select the one you want to enable 2FA for. On the "Sign-on rules" page select the rule you want to change. There should be only one rule, so press the menu button on the right and select "Edit" Clicking on the rule's name does not let you edit the rule, so you have to use the menu.

In the popup window, tick the "Prompt for reauthentication" and the "Prompt for an additional factor" checkboxes. If you want to restrict the usable factors, you can do it here as well. If you aredone, click save.

Log out from the cloud, and try to log in. You should be required to select a second factor from the ones you enabled.

As a side note, if you enabled "Bypass code" as a second factor, it is unusable until you generate a bypass code for yourself. This can be done on the Identity Cloud Service page, where you enabled 2FA, but for the bypass code, you have to select your profile (click top right on your user, then select "My Profile"), then select the "Security" tab, where you can generate one-time bypass codes for yourself.

Yea, this should be simpler.

Lacek
  • 7,233
  • 24
  • 28
  • Thank you very much for this. I will try it in a day or two when I have the time and right mindset to deal with an Oracle system. – Tim Feb 17 '23 at 03:57
  • Thanks again for this @Lacek . I get as far as "Multi-Factor Authentication (MFA) Settings" in the "Identity Cloud Service". When I tick "email" and hit the save button nothing happens. Nothing happens regardless if what I select in that page. I have successfully created a local administrator with MFA, is it practical / possible to remove the federated identity service entirely without closing the account? – Tim Feb 18 '23 at 19:47
  • That's odd. Later I'll try it with a freshly-created account, maybe it works differently with free tier (though it really shouldn't), or I remember the process wrong, and there is something I left out from my answer. As for having a nonfederated account only: I have never tried is, but I think a user is a user, regardless of the type of authentication, so I don't see why it wouldn't work (provided the proper permissions are granted to the nonfederated admin). – Lacek Feb 19 '23 at 13:39