Oracle's identity and access management licensing splits cleanly into two worlds, and the costliest mistakes happen at the boundary. On one side are the long-standing on-premises products — directory services, access management, identity governance — licensed as discrete components, often per user or per processor, and frequently running on Oracle middleware that carries its own licensing. On the other side is OCI Identity and Access Management, where baseline identity for OCI resources is part of the platform and richer workforce or consumer identity capabilities are delivered through Identity Domains at tiered levels. Knowing which world a given capability lives in is the whole game. This guide extends our Oracle licensing guide.
The on-premises identity suites
Oracle's traditional identity stack is component-based: access management, directory, identity governance and federation have historically been separate licensable products. Each carries its own metric — commonly per user or per processor — and most run on Oracle WebLogic Server, which means the WebLogic licensing beneath the identity products is part of the total cost. Buyers routinely budget for the identity licences and forget the middleware underneath them.
OCI IAM and Identity Domains
OCI IAM provides the access control that governs OCI resources, and a baseline level of identity capability is included with the platform. Beyond that baseline, Identity Domains offer tiers — from free and foundation levels up to richer workforce and consumer identity editions — with capabilities such as advanced multi-factor authentication, adaptive security, lifecycle management and large-scale consumer identity gated to higher tiers. The licensing question becomes: which tier does your use case actually require, and is it billed through OCI consumption?
| Dimension | On-premises suites | OCI Identity Domains |
|---|---|---|
| Packaging | Discrete licensable products | Tiered domains within OCI |
| Typical metric | Per user or per processor | Per user / consumption tier |
| Underlying platform cost | WebLogic / database may apply | Bundled in the OCI service |
| Best fit | Existing on-prem identity estates | Cloud-first and OCI-anchored estates |
The tier-creep risk: Identity Domains make it easy to switch on a higher-tier capability — adaptive MFA, advanced governance, large consumer-user volumes — to solve a single requirement, which can move the whole domain into a more expensive tier. Decide the minimum tier that meets each use case and govern upgrades deliberately, the same way you would govern a chargeable database option.
Workforce versus consumer identity
A central cost driver is whether you are licensing workforce identity (your employees and contractors) or consumer identity (customers and external users), because consumer populations scale into very large numbers and are often priced differently. Misclassifying a consumer-facing application as workforce identity — or sizing for peak rather than active users — distorts the cost model in both directions. Settle the user definition and the counting basis before you size the deal.
Hybrid and migration realities
Many organisations run a hybrid identity estate during migration: on-premises suites for legacy applications and OCI Identity Domains for new cloud workloads. During that overlap, both are licensed, and OCI consumption draws against any Universal Credits commitment you hold. Component-based licensing also makes identity a recurring audit topic, so usage of each module should be tracked against entitlement — see our audit defence guidance.
Getting it right
The defensible path is to map each identity use case to the specific product or tier it requires, account for any WebLogic or database licensing beneath the on-premises components, and avoid defaulting to a higher tier than the requirement justifies. For help structuring an Oracle identity platform or reconciling an existing estate, see our Oracle licensing experts service and the Oracle vendor hub.
The economics of migrating to Identity Domains
Many organisations face a decision between maintaining a mature on-premises identity suite and migrating to OCI Identity Domains. The economics turn on more than the licence line. On-premises suites carry the cost of the identity products, the WebLogic and database layers beneath them, and the operational burden of running the stack. Identity Domains fold infrastructure and operation into the OCI service but introduce per-user or per-tier consumption that scales with your population. For a large, stable workforce-identity deployment that is already paid for, staying put can be cheaper; for a growing or cloud-first estate, the managed model often wins. Model both on a multi-year basis with the full stack included, not just the headline identity licence.
Federation and hybrid coexistence
During a transition, federation lets on-premises and cloud identity systems trust one another, so users move between legacy and modern applications without a second login. This is operationally sensible but means both systems are live and licensed simultaneously. Plan the coexistence period deliberately: know which applications depend on which identity system, and set a target date to retire the legacy components so the dual-running cost does not become permanent.
Pin down the user definition
Across both worlds, the user definition is where cost is won or lost. Confirm whether you are counting active users, all provisioned accounts, or a wider population, and whether external and consumer identities are priced separately from workforce identities. A precise, contractually agreed definition aligned to the population each component actually serves prevents the slow inflation that otherwise creeps into identity spend. The metric detail connects back to our Oracle licensing guide.