
OCI Identity Domain Setup

The OCI Identity Domain enables AgentCube to exchange user identities for Oracle-scoped access tokens. This is required for SSO deployments regardless of which identity provider you use.

Free tier is sufficient

The OCI Identity Domain free tier supports confidential applications, JWT assertion, trusted certificates, and up to 5 external identity providers.

Step 1: Create or Identify Your Identity Domain

  1. Navigate to OCI Console → Identity & Security → Domains
  2. Select an existing domain or create a new one
  3. Note the domain URL — you will need it later

Step 2: Create a Confidential Application

  1. In your identity domain, go to Integrated applications → Add application
  2. Select Confidential Application
  3. Configure the application:
    • Name: AgentCube (or your preferred name)
    • Grant types: Enable both:
      • Client Credentials
      • JWT Assertion
  4. Under App roles, assign the Identity Domain Administrator role
  5. Activate the application
  6. Record the Client ID and Client secret

App role is required

The Identity Domain Administrator role is needed for the token exchange to work. Without it, JWT assertion requests will fail. Because this role can administer every user and application in the domain, treat the client secret (and the signing private key from Step 4) as highly privileged credentials: keep them in a secrets store, never commit them to source control, and rotate them immediately if they are exposed.

Step 3: Create Users

Users must exist in the OCI Identity Domain with usernames that exactly match their corporate email addresses, because the username is the identity that the token exchange asserts.

For example, if a user signs in through Entra with a given email address, a user whose username is exactly that address must exist in the identity domain; otherwise the exchange for that user fails.

Users can be created:

  • Manually — Identity Domain → Users → Create user
  • SAML JIT provisioning — Automatically on first login via federated SAML
  • Directory sync — Automated synchronization from your corporate directory

Step 4: Import the Signing Certificate

  1. Generate the signing key pair if you haven't already — see Signing Key Generation
  2. In your identity domain, go to Security → Trusted partner certificates
  3. Click Import certificate
  4. Upload the public certificate file (.cer)
  5. Set an alias — for example, agentcube-mcp

Remember the alias

The alias you set here is the value of the AGENTCUBE_SIGNING_KID environment variable. The identity domain uses the kid header of each JWT assertion to look up the trusted certificate that verifies its signature, so the two must match exactly.

Step 5: Verify OIDC Discovery

Confirm the identity domain supports JWT bearer assertion:

curl https://{identity_domain_url}/.well-known/openid-configuration

In the response, verify that grant_types_supported includes:

urn:ietf:params:oauth:grant-type:jwt-bearer

Note the token_endpoint URL — this is used as OCI_TOKEN_ENDPOINT.
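The check in Step 5 can be scripted so it runs the same way on every domain. The following is an added example written for this page, not AgentCube's own code; the domain host name and the discovery document are constructed samples, and the host check (token endpoint must be HTTPS and on the domain you queried) is an added sanity check rather than something the page requires.

```python
"""Check an identity domain's OIDC discovery document for JWT bearer support
and derive OCI_TOKEN_ENDPOINT from it (added example, not AgentCube's code)."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample shaped like an identity domain's discovery response;
# the host name is made up for this example.
SAMPLE_DOMAIN_URL = "https://idcs-example.identity.oraclecloud.com"
SAMPLE_DOC = {
    "issuer": SAMPLE_DOMAIN_URL,
    "token_endpoint": SAMPLE_DOMAIN_URL + "/oauth2/v1/token",
    "grant_types_supported": [
        "authorization_code",
        "client_credentials",
        JWT_BEARER,
    ],
}


def fetch_discovery(identity_domain_url: str) -> dict:
    """Live equivalent of the curl command above (network call)."""
    url = identity_domain_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def discovery_problems(doc: dict, identity_domain_url: str) -> list:
    """Return the reasons this domain cannot serve the exchange; empty means OK."""
    problems = []
    if JWT_BEARER not in doc.get("grant_types_supported", []):
        problems.append("grant_types_supported lacks " + JWT_BEARER)
    endpoint = doc.get("token_endpoint")
    if not endpoint:
        problems.append("no token_endpoint in discovery document")
    else:
        # Sanity check: the endpoint that will receive the client secret and
        # user assertions must be HTTPS and must live on the domain we queried.
        got, want = urlparse(endpoint), urlparse(identity_domain_url)
        if got.scheme != "https":
            problems.append("token_endpoint is not https: " + endpoint)
        if got.netloc != want.netloc:
            problems.append("token_endpoint host %s differs from %s"
                            % (got.netloc, want.netloc))
    return problems


def derive_config(doc: dict, identity_domain_url: str) -> dict:
    """Map a verified discovery document onto the variable AgentCube reads."""
    problems = discovery_problems(doc, identity_domain_url)
    if problems:
        raise ValueError("; ".join(problems))
    return {"OCI_TOKEN_ENDPOINT": doc["token_endpoint"]}


if __name__ == "__main__":
    # Usage: python check_discovery.py https://{identity_domain_url}
    # With no argument the constructed sample is checked instead.
    domain = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DOMAIN_URL
    document = fetch_discovery(domain) if len(sys.argv) > 1 else SAMPLE_DOC
    for key, value in derive_config(document, domain).items():
        print(f"{key}={value}")
```

Run it against the real domain URL once the confidential application exists; a non-empty problem list means the exchange will fail before any assertion is sent.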

Configuration Values

OCI value                        Environment variable
Confidential app client ID       OCI_CLIENT_ID
Confidential app client secret   OCI_CLIENT_SECRET
Token endpoint URL               OCI_TOKEN_ENDPOINT
Certificate alias                AGENTCUBE_SIGNING_KID
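To show how these four values are used together, here is an added example of the exchange in Python. It is not AgentCube's own code. It assumes the `cryptography` package, an RSA private key in PEM form from Signing Key Generation, that the assertion's claims follow RFC 7523 (iss = client ID, sub = the identity-domain username, aud = the token endpoint) and the scope `urn:opc:idm:__myscopes__`; the page does not state OCI's exact claim requirements, so confirm them against Oracle's documentation before relying on this. The usernames, client ID and domain host used when running it are constructed.

```python
"""Exchange a user identity for an OCI access token with the JWT bearer grant
(added example, not AgentCube's code; OCI claim specifics are assumptions)."""
import base64
import json
import os
import time
import uuid
import urllib.request
from urllib.parse import urlencode

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_user_assertion(private_key, kid, client_id, username,
                         token_endpoint, now=None, ttl=300):
    """RS256 JWT per RFC 7523. 'kid' is the trusted-certificate alias
    (AGENTCUBE_SIGNING_KID); the claim layout is an assumption to confirm."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {
        "iss": client_id,          # the confidential app asserting the identity
        "sub": username,           # must equal the identity-domain username (Step 3)
        "aud": token_endpoint,
        "iat": now,
        "exp": now + ttl,          # keep assertions short-lived
        "jti": str(uuid.uuid4()),  # unique per assertion, defeats replay
    }

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    signature = private_key.sign(signing_input.encode(),
                                 padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_assertion(public_key, assertion: str) -> bool:
    """What the identity domain does with the certificate stored under the alias."""
    head, body, sig = assertion.split(".")
    try:
        public_key.verify(b64url_decode(sig), f"{head}.{body}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def decode_unverified(assertion: str):
    """Header and claims without signature check, for inspection only."""
    head, body, _ = assertion.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def build_token_request(token_endpoint, client_id, client_secret, assertion, scope):
    """Form-encoded POST; the app authenticates with HTTP Basic client credentials."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})
    return urllib.request.Request(token_endpoint, data=body.encode(),
                                  headers=headers, method="POST")


def generate_demo_key():
    """Throwaway key for offline runs; deployments use the Signing Key Generation key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def exchange(username, key_path, scope="urn:opc:idm:__myscopes__"):
    """Live exchange driven by the environment variables in the table (network call)."""
    with open(key_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password=None)
    assertion = build_user_assertion(key, os.environ["AGENTCUBE_SIGNING_KID"],
                                     os.environ["OCI_CLIENT_ID"], username,
                                     os.environ["OCI_TOKEN_ENDPOINT"])
    req = build_token_request(os.environ["OCI_TOKEN_ENDPOINT"], os.environ["OCI_CLIENT_ID"],
                              os.environ["OCI_CLIENT_SECRET"], assertion, scope)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

Two design points worth noting: the private key never leaves the AgentCube host (only the signed assertion does), and the kid header is how the identity domain finds the certificate imported in Step 4, which is why a mismatch between the alias and AGENTCUBE_SIGNING_KID makes every exchange fail with a signature error.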

Next Steps