Oracle Cloud Infrastructure Documentation

Identity Upgrade Checklist

Use this checklist as a guide to complete the required and recommended actions before and after the upgrade of the Fusion Applications environments to Identity and Access Management (IAM).

Important

If you encounter issues performing the checklist items or the post-identity upgrade verification, submit a Support Request (SR) and select these options to describe the issues:

  • Service Group: Oracle Cloud Applications
  • Service: Any Fusion Product
  • Service Category: SaaS Console Services (Outage, Provision, P2T/T2T, Resize, Environment, and User Management)
  • Sub-Category: Fusion Identity Upgrade

Pre-Identity Upgrade Steps

Item Action
1 Review the Identity Upgrade Overview documentation to understand the changes and the required and recommended actions for the environment.
2

Inform the Fusion Applications environments administrators, Identity administrators, and Security administrator (users who have the IT Security Administrator role in Fusion Applications) about this upcoming change and share this information with them. They might be required to perform actions before and after the identity upgrade.
3

If the administrators aren't subscribed to announcements about Fusion Applications environments, follow the instructions in Subscribing to Announcements to create an announcement subscription to receive notifications about specific types of announcements. For the identity upgrade, subscribe to the following announcement types (see About Notifications for a full list of relevant announcement types):

  • Scheduled maintenance
  • Planned change
  • Planned change completed
  • Planned change extended
  • Planned change rescheduled
4 Review the recording about the Fusion Identity Upgrade at Oracle Go Cloud Solution Events, or attend upcoming Fusion Application Identity Upgrade sessions.
5

Verify that you, Identity administrators, and Security administrators can access the new Oracle Cloud Console. If you or other administrators don't have the required permission, work with the OCI Tenancy administrator(s) to grant you access to the new Oracle Cloud Console.

Oracle Cloud Console—Viewing the identity upgrade schedule in the Fusion environment family

To view the identity upgrade schedule, you must be a Cloud/Tenancy administrator or a Fusion Applications environment administrator. Follow these steps to view the identity upgrade schedule in the Fusion environment family:

  1. Sign in to the Oracle Cloud Console and navigate to the Environment family page.
  2. On the Environment families page, select the name of the environment family. If you don't see the resources, ensure that you're in the correct compartment.
  3. On the Environment family details page, select Maintenance and scroll to the Identity upgrade section to view the schedule.
6

If the Fusion Applications environment is enabled with federated single sign-on (SSO), you must verify the permission granted to you. Verify that you can:

  • Access the menus in the Oracle Cloud Console to perform pre-upgrade actions. You can skip this step if the Fusion Applications environment isn't configured with federated SSO.
  • Access the corporate identity system and perform configuration. You can skip this step if the Fusion Applications environment isn't configured with federated SSO.
  • Access the Fusion Applications environments.

Oracle Cloud Console—Manage identity domain SSO settings

To perform the required pre-upgrade actions, you must have all the following access grants to manage identity domain settings:

  • You're a user and Cloud/Tenancy administrator for the Default or OracleIdentityCloudService identity domain.
  • You're also a user with the Identity Domain Administrator role or a member of the Domain_Administrator or IDCS_Administrator group for each of the Fusion identity domains. See the Prerequisites in  Step 3: Update and Test the Identity Providers.

To confirm you have access:

  1. On the environment family details page, select Environments.
  2. Select each of the Fusion Applications environments, select Details.
  3. Select Associated identity domains to ensure you can manage the configuration of the identity domain.

Configure the service providers or enterprise applications

Configure new service providers in the corporate identity system (such as Microsoft Entra (Azure AD), Okta, OCI IAM, and so on.) as part of the pre-upgrade actions, and download the configured SAML metadata file of the service providers. Confirm that you have the permission to perform the actions.

Test SSO Sign in

To complete the pre-upgrade actions, you must test the SSO sign-in. To test the SSO sign-in, you must have user access to the entire Fusion Applications environment through federated SSO.
7

Complete Pre-upgrade actions

Follow the instructions in the Pre-Upgrade actions section and complete the required actions. The steps are:

  1. Download SAML metadata from the Oracle Cloud Console.
  2. Configure the Service Provider (SP) in the corporate identity system that federates SSO.
  3. Update and test the identity providers in the Oracle Cloud Console.
  4. Acknowledge identity provider readiness in the Oracle Cloud Console.
8

Notify the Fusion Applications users that the Fusion Applications sign-in URL of the Fusion Applications environment doesn't change. However, the appearance of the Sign In page might be different.

Also:

  • If the environment is enabled with federated SSO that displays the company's Sign In page, then there's no impact to the user's Sign In page.
  • If the environment is not enabled with federated SSO that displays the company's Sign In page, notify the Fusion Applications users that they will see a new Sign In page. To learn more, see Changes in Oracle Fusion Cloud Applications Sign In Page.

If the environment is not enabled with federated SSO that displays the company's Sign In page, notify the Fusion Applications users that they might be required to reset their password after the identity upgrade.
9

Familiarize yourself with the documentation for managing security for the Fusion Applications environments in the Oracle Cloud Console.

To enable federated SSO after the identity upgrade, see Enabling Federated Single Sign-On (SSO) Before the Identity Upgrade.
10 Understand restrictions and plan activities accordingly. See Planning and Considerations for the Identity Upgrade.

Post-Identity Upgrade Steps

Item Action
1 After receiving notification from Oracle that the identity upgrade has completed, sign in to each of the Fusion Applications environments to ensure that sign-on is successful.
2 If the Fusion Applications environments are configured with federated SSO, ensure that the SSO sign-in experience is working correctly and the sign-in is successful.
3

If you have other Oracle Applications environments (such as Taleo, CPQ, and so on.) that use the Fusion Applications environments for identity provision, ensure that the post-upgrade actions are complete (see Post-upgrade tasks for environments used as the identity provider for other applications) and ensure that sign in to other Oracle Applications environments is successful.