Federating OCI access using a third-party IdP
Oracle's recommendation is to federate your existing IdP with OCI so that console logins are authenticated by the IdP rather than by local OCI credentials. As the administrator, you are responsible for establishing the federated trust between that IdP and OCI IAM. Once the trust is in place, you map groups in the IdP (on-premises or otherwise) to OCI IAM groups, and the OCI policies written against those IAM groups determine what each federated user may do. Federation matters most for enterprises that enforce their own authentication policies in the IdP (password rules, multi-factor requirements and so on), because those controls then apply to OCI console access as well.
Oracle's best practice is to create a dedicated federated administrators group in OCI IAM and map the IdP's administrator group to it. Members of that IdP group then receive their administrative privileges through the OCI policy attached to the IAM group and can manage the customer tenancy. Keep the IdP group small and review its membership regularly: being added to it is, in effect, being granted tenancy administrator rights.
As a further best practice, keep at least one local (non-federated) tenancy administrator user in OCI and confirm that you can still log in with it. If you break the federation (for example through an expired IdP signing certificate or a bad metadata update), federated users are locked out of the console, but this local account still works, so you can sign in and repair the configuration. Because it bypasses the IdP's controls, protect it accordingly: a strong password, MFA enabled in OCI, credentials stored offline under dual control, and auditing of every sign-in.
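The two recommendations above (a federated administrators group mapped to the IdP's admin group, plus a local break-glass administrator) can be checked against a tenancy's actual configuration. The following script is an added example, not code from the book or from Oracle; it works on JSON in the shape produced by the OCI CLI (`oci iam user list`, `oci iam idp-group-mapping list`, `oci iam policy list`, `oci iam group list`, `oci iam user-group-membership list`), with kebab-case keys as the CLI emits them. The sample records, OCIDs and the IdP group name `OCI-Admins` are constructed for illustration, and the policy parser only recognises single-group `manage all-resources in tenancy` statements.

```python
"""Audit federation and break-glass posture from OCI CLI JSON (added example)."""
import json
import re
from typing import Dict, List

# Matches the statement that grants full tenancy administration to one group,
# e.g. the default "ALLOW GROUP Administrators to manage all-resources IN TENANCY".
ADMIN_STMT = re.compile(
    r"^\s*allow\s+group\s+'?([^']+?)'?\s+to\s+manage\s+all-resources\s+in\s+tenancy\s*$",
    re.IGNORECASE,
)


def admin_groups(policies: List[dict], groups: List[dict]) -> Dict[str, str]:
    """Return {group name: group OCID} for groups granted manage all-resources in tenancy."""
    by_name = {g["name"]: g["id"] for g in groups}
    found: Dict[str, str] = {}
    for pol in policies:
        for stmt in pol.get("statements", []):
            m = ADMIN_STMT.match(stmt)
            if m and m.group(1) in by_name:
                found[m.group(1)] = by_name[m.group(1)]
    return found


def federated_admin_mapped(mappings: List[dict], admin_ids: set, idp_admin_group: str) -> bool:
    """True if the IdP's admin group is mapped onto an OCI group that holds admin rights."""
    return any(
        m["idp-group-name"] == idp_admin_group and m["group-id"] in admin_ids
        for m in mappings
    )


def local_admins(users: List[dict], memberships: List[dict], admin_ids: set) -> List[dict]:
    """Active users in an admin group whose identity is local to OCI (no IdP)."""
    admin_user_ids = {m["user-id"] for m in memberships if m["group-id"] in admin_ids}
    return [
        u for u in users
        if u["id"] in admin_user_ids
        and u.get("identity-provider-id") is None  # local: still usable if federation breaks
        and u["lifecycle-state"] == "ACTIVE"
    ]


def audit(users, memberships, groups, policies, mappings, idp_admin_group: str) -> dict:
    admins = admin_groups(policies, groups)
    ids = set(admins.values())
    locals_ = local_admins(users, memberships, ids)
    return {
        "admin_groups": sorted(admins),
        "idp_admin_mapped": federated_admin_mapped(mappings, ids, idp_admin_group),
        # Break-glass accounts must have MFA, since the IdP's controls do not apply to them.
        "break_glass_admins": [u["name"] for u in locals_ if u.get("is-mfa-activated") is True],
        "local_admins_without_mfa": [u["name"] for u in locals_ if u.get("is-mfa-activated") is not True],
    }


# Constructed sample data in OCI CLI output shape; all OCIDs are fake.
GROUPS = [
    {"id": "ocid1.group.oc1..aaaa", "name": "Administrators"},
    {"id": "ocid1.group.oc1..bbbb", "name": "FederatedAdmins"},
    {"id": "ocid1.group.oc1..cccc", "name": "Readers"},
]
POLICIES = [
    {"name": "Tenant Admin Policy",
     "statements": ["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]},
    {"name": "federated-admins",
     "statements": ["Allow group FederatedAdmins to manage all-resources in tenancy"]},
    {"name": "readers", "statements": ["Allow group Readers to read all-resources in tenancy"]},
]
MAPPINGS = [
    {"idp-group-name": "OCI-Admins", "group-id": "ocid1.group.oc1..bbbb"},
    {"idp-group-name": "OCI-Readers", "group-id": "ocid1.group.oc1..cccc"},
]
USERS = [
    {"id": "ocid1.user.oc1..u1", "name": "breakglass-admin", "identity-provider-id": None,
     "lifecycle-state": "ACTIVE", "is-mfa-activated": True},
    {"id": "ocid1.user.oc1..u2", "name": "alice@example.com",
     "identity-provider-id": "ocid1.saml2idp.oc1..idp1", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": False},
    {"id": "ocid1.user.oc1..u3", "name": "legacy-admin", "identity-provider-id": None,
     "lifecycle-state": "ACTIVE", "is-mfa-activated": False},
]
MEMBERSHIPS = [
    {"user-id": "ocid1.user.oc1..u1", "group-id": "ocid1.group.oc1..aaaa"},
    {"user-id": "ocid1.user.oc1..u2", "group-id": "ocid1.group.oc1..bbbb"},
    {"user-id": "ocid1.user.oc1..u3", "group-id": "ocid1.group.oc1..aaaa"},
]

if __name__ == "__main__":
    print(json.dumps(audit(USERS, MEMBERSHIPS, GROUPS, POLICIES, MAPPINGS, "OCI-Admins"), indent=2))
```

Run against real output by loading each `oci ... --all` listing from a file in place of the constructed lists. A result with `idp_admin_mapped` false means the IdP admin group is not actually wired to an administrative OCI group; an empty `break_glass_admins` list means a broken federation would lock everyone out; anything in `local_admins_without_mfa` is a local administrator that relies on a password alone.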
...