Oracle Cloud Infrastructure Documentation

Identity Upgrade Overview

Learn how to prepare for and what to expect before and after the upgrade to Oracle Cloud Infrastructure Identity and Access Management (IAM).

If you received an email with the subject line: Upcoming Exception Migration to Identity and Access Management (IAM), your account has been selected for the upgrade to Oracle Cloud Infrastructure Identity and Access Management (IAM).

What Is Happening?

In an upcoming exception maintenance of Fusion Applications, the user identity service associated with your Fusion environments will be upgraded to Oracle Cloud Infrastructure Identity and Access Management (IAM).

The new OCI IAM experience in Oracle Cloud Console provides enhanced capabilities for managing authentication, sign-on policy, single sign-on (SSO), multi-factor authentication (MFA), and identity lifecycle management.

The identity upgrade process requires a downtime. The duration will be specified in the notification when you receive the identity upgrade schedule.

Upon completion of the identity upgrade, you will receive an email notification. If post-upgrade actions for an environment are required, you will be able to acknowledge that the actions are completed in the Oracle Cloud Console under the Fusion Applications environment family page.

Where can I learn more?

For more information regarding identity and access management using IAM, see IAM with Identity Domains.

If you have concerns, reach out to Oracle Support by opening a Support Request (SR). Select these options to describe your issues:

  • Service Group: Oracle Cloud Applications
  • Service: Any Fusion Product
  • Service Category: SaaS Console services (Outage, Provision, P2T/T2T, Resize, Environment and User Management)
  • Sub-Category: Fusion Identity Upgrade

Identity Upgrade Cadence

The identity upgrade is scheduled in a non-quarterly update month for your environment family.

Non-production cadence: Identity upgrade of environments on non-production cadence will be performed in the second week of the scheduled month at around the same time as the environment's maintenance slot.

Production cadence: Identity upgrade of environments on production cadence will be performed in the fourth week of the scheduled month at around the same time as the environment's maintenance slot.

The identity upgrade is scheduled to match as closely as possible to the same maintenance slot for the Fusion Applications quarterly update, however, your environments may be scheduled a few hours earlier or later.

Note that the first week of the month is defined as the first week that begins on a Sunday. For example, the first week of March, 2025 is Sunday, March 2, 2025 to March 8, 2025.

Required Actions

No action required: If your Fusion environment is not configured with federated SSO or used as the identity provider for other Oracle application environments, then there are no pre- or post- upgrade required actions. However, we recommend that you review this document to understand and prepare for this upgrade.

Action required before the identity upgrade: If your Fusion Applications environments use federated SSO with an identity provider, you are required to complete the following actions at least 72 hours before the scheduled downtime of the first environment to ensure continued access to your Fusion Applications. Steps for these tasks are detailed in Pre-upgrade tasks for federated SSO environments.

We recommend that you complete the required action as soon as possible, at least 10 days before the scheduled downtime of the first environment, to ensure that you have time for any troubleshooting. If you have not completed the required action 72 hours before the scheduled upgrade, the identity upgrade of the entire environment family will be automatically canceled. You then must open a Support Request (SR) to reschedule the identity upgrade.

Action required after Identity Upgrade: If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quota), SelectMidns, etc.) using a Fusion environment as the federated SSO identity provider for users to log in to the applications, you must complete the post-upgrade tasks and test the single sign-on integration to ensure that federated SSO continues to function correctly. Sign on to these other Oracle applications will not function until you have completed the post-upgrade actions.

Notification and Scheduling

You will be notified by email when the identity upgrade is scheduled as follows:

  • If you have environments with federated SSO, you will be notified approximately 90 days in advance of the exception maintenance for the environment family.
  • If you do not have environments with federated SSO, you will be notified approximately 30 days in advance of the exception maintenance.

After your environments have been scheduled for upgrade, you can go to the Oracle Cloud Console to view the schedule for your Fusion environments, review the details of required actions (if applicable), and confirm completion of the required actions. To view the identity upgrade schedule:

  1. Sign in to the Oracle Cloud Console and navigate to your environment family: On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
  2. On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you are in the correct compartment).
  3. On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.

The Identity Upgrade tab is only available after your environments have been scheduled.

The Identity Upgrade tab shown on the environment family details page

Cancellation and Rescheduling

If there are pre-upgrade required actions for any of your Fusion Application environments, and the required actions are not completed 72 hours before the scheduled downtime of the first environment, the identity upgrade for all of your Fusion environments in the environment family will be automatically cancelled 72 hours before the scheduled downtime of the first environment.

Cancelled identity upgrade will be reflected in the Oracle Cloud Console.

Reschedule Identity Upgrade

To reschedule the identity upgrade, open a Support Request (SR) to schedule a downtime.

  • You will be offered a selection of downtime window as this is a scheduled maintenance.
  • Once reschedule is recorded, it will be shown in the Oracle Cloud Console.
  • You will be notified as described in Notification and Scheduling.

What to Expect After the Upgrade

After the Identity upgrade completes successfully, test that sign-on to Fusion environments is working as expected. If you encounter any issue, reach out to Oracle Support by submitting a Support Request (SR).

If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quota), SelectMidns, etc.) that use the Fusion environment to federate SSO, you must complete the Post-Upgrade Tasks and test the single sign-on integration to ensure that federated SSO continues to function correctly for other Oracle applications. Sign-on to these other Oracle applications will not function until you have completed the post-identity upgrade actions.

Changes to Account Sign-In Page

The account sign-in page will be different for your applications users. Users who selected the Company Sign Sign-On button will see a different option.

Identity Upgrade Checklist

Use this checklist as a guide to help you complete required and recommend actions before and after the upgrade of your Fusion Applications environments to Identity and Access Management (IAM).

Important

If you encounter issues performing the checklist items or the post-identity upgrade verification, submit a Support Request (SR) and select these options to describe your issues:

  • Service Group: Oracle Cloud Applications
  • Service: Any Fusion Product
  • Service Category: SaaS Console Services (Outage, Provision, P2T/T2T, Resize, Environment, and User Management)
  • Sub-Category: Fusion Identity Upgrade

Pre-Identity Upgrade Steps

Completed Item Action
1 Review the entire Identity Upgrade Overview documentation to understand the changes and the required and recommended actions for your environment.
2

Inform your Fusion Applications environments administrators, identity administrators, and security administrator (users who have the IT Security Administrator role in Fusion Applications) about this upcoming change and share this information with them. They may be required to perform actions before and after the identity upgrade.
3

If your administrators aren't subscribed to announcements about Fusion Applications environments, follow the instructions in Subscribing to Announcements to create an announcement subscription and to receive notifications about specific types of announcements. For Identity Upgrade, subscribe to the following announcement types (see About Notifications for a full list of relevant announcement types):

  • Scheduled maintenance
  • Planned change
  • Planned change completed
  • Planned change extended
  • Planned change rescheduled
4 Review the recording about the Fusion Identity Upgrade at Oracle Go Cloud Solution Events.
5

Verify that you, identity administrators, and security administrators can access the new Oracle Cloud Console. If you or other administrators don't have the required permission, work with your OCI Tenancy administrator(s) to grant you access to the new Oracle Cloud Console.

Oracle Cloud Console—Viewing the identity upgrade schedule in the Fusion Environments Family

To view the identity upgrade schedule, you must be a Cloud/Tenancy administrator or a Fusion Applications environment administrator. Follow these steps to view the identity upgrade schedule in the Fusion Environments Family:

  1. Sign in to your Oracle Cloud account by entering the Tenancy name and selecting the identity domain (Default or OracleIdentityCloudService).
  2. In Fusion Applications in the Console, select Environment families.
  3. On the Fusion Applications environment family page, select the Environment family you want to view.
  4. On the Environment family details page, select Maintenance.
  5. Select the Identity upgrade tab to view the schedule.
6

If your Fusion Applications environment is enabled with federated single sign-on (SSO), you must verify the permission granted to you. Verify that you can access the menu in the Oracle Cloud Console to perform pre-upgrade actions. Skip this step if your Fusion Applications environment isn't configured with federated SSO.

Oracle Cloud Console—Manage Identity Domain SSO settings

To perform the required pre-upgrade actions, you must have one of the following access grants to manage identity domain settings:

  • You're a Cloud/Tenancy administrator, or
  • You're a member of the Domain Administrator group in each of the Fusion identity domains.

Test SSO Login

To complete the pre-upgrade actions, you must test your SSO login. To test your SSO login, you must have user access to the entire Fusion Applications environment via federated SSO.
7

Notify your Fusion Applications users that the Fusion Application Sign In URL of the Fusion Applications environment doesn't change. However, the appearance of the Sign In page might be different.

Additionally:

  • If your environment is enabled with federated SSO that displays your company's Sign In page, then there's no impact to the user's Sign In page.
  • If your environment is not enabled with federated SSO that displays your company's Sign In page, notify your Fusion Applications users that they'll see a new Sign In page. To learn more, see Changes in Oracle Fusion Cloud Applications Sign In Page.

If your environment is not enabled with federated SSO that displays your company's Sign In page, notify your Fusion Applications users that they may be required to reset their password after the identity upgrade.
8

Familiarize yourself with the documentation for managing security for your Fusion Applications environments in the Oracle Cloud Console.

To enable federated SSO after the identity upgrade, see Enabling Federated Single Sign-On (SSO) Before the Identity Upgrade.
9 Understand restrictions and plan activities accordingly. See Planning and Considerations for the Identity Upgrade.

Post-Identity Upgrade Steps

Completed Item Action
1 After receiving notification from Oracle that the identity upgrade has completed, sign in to each of the Fusion Applications environments to ensure that sign-on is successful.
2 If your Fusion Applications environments are configured with federated SSO, ensure that the SSO sign-on experience is working correctly and sign-on is successful.
3

If you have other Oracle Application environments (such as Taleo, CPQ, etc.) that use your Fusion Applications environments for identity provision, ensure that the pod upgrade actions are complete (see Post-upgrade tasks for environments used as the identity provider for other applications) and ensure that sign-on to your other Oracle Application environments is successful.

Pre-Upgrade Tasks

Tasks that are required pre-upgrade depend on whether you have enabled federated SSO in your environments. How do I know if my environments are federated or not federated?

In addition to federated SSO, your environments might also have an Identity Provider-initiated federation flow (an authentication flow that doesn't go through the Fusion Applications sign-on page) that needs to authenticate against a different identity system. The same pre-upgrade tasks also need to be completed.

Pre-upgrade tasks for non-federated SSO environments

If you don't have federated SSO, there are no pre-upgrade tasks for you to complete.

You can monitor the schedule and progress of the upgrade on the details page of the environment family.

Pre-upgrade tasks for federated SSO environments

If your Fusion Applications environment is configured with federated SSO that uses an identity provider to authenticate your users, you must complete the required actions before the identity upgrade. You're required to complete the following actions at least 72 hours before the scheduled downtime of the first environment. If the actions aren't completed, the identity upgrade of your Fusion environments will be canceled and must be rescheduled for another time.

The following pre-upgrade actions are required:

  1. Configure the Service Provider: Export the SAML metadata file for the environment's associated identity domain from the Oracle Cloud Console to configure the service provider in your corporate identity system.
  2. Configure and test the Service Provider in your corporate identity system that federate SSO.
  3. Acknowledge that the Service Provider setup is completed as part of the pre-upgrade required actions on the Oracle Cloud Console.

The following sections describes these steps in detail.

Download the SAML Metadata File

When your Fusion environment with federated SSO is scheduled for identity upgrade, Oracle will automatically create the corresponding Identity Providers in OCI IAM based on the Fusion environment's latest configuration. You're not required to create Identity Providers manually.

In this step, export (download) the SAML metadata file for the corresponding Fusion environment from the Oracle Cloud Console. The SAML file contains the necessary information to enter into your corporate identity system.

Follow these steps to download the SAML metadata file for a Fusion environment:

  1. Sign in to the Oracle Cloud Console.
  2. In Applications Home in the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
  3. On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you're in the correct compartment).
  4. On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
  5. Select Action required in the Pre-upgrade actions column of the corresponding Fusion environment.
  6. Select Download to download the SAML metadata file.

If you have multiple identity providers configured, only download one copy of the SAML metadata file. The file is the same for all of your identity providers for the corresponding Fusion environment.

Configure and Test the Service Provider

After you download the SAML metadata file, use a text editor to view the file. Use the information in the file to configure a new service provider in your corporate identity system.

If you have multiple identity providers, you need to configure a new service provider for each identity provider.

After the service providers are configured, use your valid credentials for each identity provider to test the Sign In page. Follow these steps to test the sign-on process to confirm that integration of federated SSO is functioning correctly:

  1. Sign in to the Oracle Cloud Console.
  2. In Applications Home in the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
  3. On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you're in the correct compartment).
  4. On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
  5. Select Action required in the Pre-upgrade actions column of the corresponding Fusion environment.
  6. Select Test login to launch the Sign In page.
  7. Enter valid credentials (username and password).
  8. Confirm that the credentials are successfully authenticated by your corporate identity system. If the credentials aren't successfully authenticated, ensure that the credentials are correct and that the service provider configuration in your corporate identity system is entered correctly.
  9. Repeat steps 7–9 for any additional identity providers. Proceed to the next step only after you have successfully completed the test sign-in for all of your identity providers.
  10. Select the Confirm Identity Provider readiness checkbox and then select Submit.

The environment Pre-upgrade actions column is updated to Confirmed.

Environment showing confirmed status.

Post-Upgrade Tasks

You'll be notified when the identity upgrade is completed for each of your environments.

Post-upgrade tasks for non-federated environments

If your Fusion Applications environment is not configured with federated SSO, verify that your users can successfully sign in to the Fusion Applications environments.

Post-upgrade tasks for environments configured with federated SSO

If your Fusion Applications environment is configured with federated SSO, verify that your users can successfully sign in to the Fusion Applications environments using SSO.

Post-upgrade tasks for environments used as the identity provider for other applications

If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quota), SelectMinds, etc.) that use a Fusion environment to federate SSO for users to sign in to the applications, you must complete the post-identity upgrade actions and test the single sign-on integration to ensure that federated SSO continues to function correctly.

  1. Sign in to the Oracle Cloud Console.
  2. In Applications Home in the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
  3. On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you're in the correct compartment).
  4. On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
  5. Select Action required in the Post-upgrade actions column of the corresponding Fusion environment.
  6. Follow the instructions to configure and activate an identity provider in your other Oracle applications:
    1. Download the SAML metadata.
    2. Use the information in the SAML metadata to configure, test, and activate a new identity provider in your other Oracle application.
    3. Acknowledge that the identity provider setup is complete in your other Oracle application.
  7. Repeat Step 6 for all your other Oracle applications that use the Fusion Applications environment as an identity provider.

Planning and Considerations for the Identity Upgrade

Be aware of the following potential impacts before, during, and after the upgrade:

Enabling Federated Single Sign-On (SSO) Before the Identity Upgrade

If your environments are scheduled for the identity upgrade and it's less than seven days before the scheduled downtime of the first environment, we recommend that you wait until after the identity upgrade has completed for each of the environments for which you want to enable federated SSO and then follow the instructions in the following section to proceed with enablement.

If you haven't received the identity upgrade schedule or there isn't sufficient time (we recommend at least two weeks) before the scheduled downtime of the first environment to receive the identity upgrade, follow the steps documented in Oracle Applications Cloud as the Single Sign-On (SSO) Service Provider to enable federated SSO. After federated SSO is enabled and the environment is scheduled for the identity upgrade, wait 24 to 48 hours for the Action required link to appear in the Pre-upgrade actions column in the identity upgrade schedule. When the Action required link is displayed, follow the instructions in Pre-upgrade tasks for federated SSO environments to complete the required actions at least 72 hours before the scheduled downtime of the first environment that will receive the identity upgrade.

Enabling Federated SSO After the Identity Upgrade

After your environments are upgraded, follow the steps documented in the IAM documentation, Federating with Identity Providers to federate a Fusion Applications environment identity domain. See also How do I find the identity domain for a Fusion Applications environment?

Plan Environment Lifecycle Activities to Avoid Conflicts with the Identity Upgrade

Certain lifecycle activities are impacted during the upgrade process:

Refresh

Refresh can only be performed if the source Fusion environment and the target Fusion environment have the same upgrade status. That is, either both haven't started identity upgrade, or both have completed identity upgrade.

Install Language

When the identity upgrade is in progress, you can't install and activate additional languages in a Fusion Applications environment. You can install languages when the identity upgrade completes and the environment Lifecycle state returns to Active.

FAQs

Get answers to common questions about the identity upgrade.

Why am I being upgraded?

As part of Oracle's efforts to modernize the technology stack for Fusion Applications, this exception maintenance is to upgrade the identity and access management for your Fusion environments to Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). OCI IAM provides the latest features for managing authentication, sign-on policy, single sign-on (SSO), and multi-factor authentication (MFA). Oracle Cloud Infrastructure Identity and Access Management (IAM

What is the impact of the upgrade?

Downtime is required to perform the identity upgrade. Your environment will not be available or accessible during identity upgrade. You will be notified when the identity upgrade completes.

Self-service lifecycle activities cannot be performed starting from 72 hours before the identity upgrade until it completes. The affected activities include: scheduling environment refresh, starting refresh, installing a language pack, setting up customer-managed keys, and so on.

Additionally, refresh between an environment that has completed the identity upgrade and another that has not completed the identity upgrade (and vice versa), cannot be scheduled or performed. Refresh can only be scheduled and performed when both the source and target environments have the same identity upgrade status.

How do I find the identity domain for a Fusion Applications environment?

To find the identity domain for a Fusion Applications environment:

  1. On the Applications Home of the Console, under My applications, select Fusion Applications to list your environments.
  2. Select the name of the environment.
  3. On the environment details page, on the Environment information panel at the top, select the Associated identity domain. This opens the details page for the identity domain for the environment.

Identity Upgrade Schedule

How do I know if my environments are federated or not federated?
  • When you sign in to a Fusion Applications environment, if you see the Company Single Sign-On button or your company's sign-in page, then your environment has federated single sign-on (SSO).
  • If you have other Oracle Applications (such as Taleo, CPQ (Oracle Configure, Price, Quote), etc.) that use a Fusion Applications environment as the identity provider, then the Fusion Applications environment is federated.
  • If neither of the previous situations apply, your Fusion Applications environment isn't federated.
When is this change happening?

You will be notified about the downtime schedule in advance. If any of your environments are enabled with federated SSO, we will send a notification 90 days in advance. If none of your environments have federated SSO enabled, we will send a notification 30 days in advance.

How can I find the schedule?

Once you receive the notification about the identity upgrade, you can sign in to the Oracle Cloud Console and navigate to the Fusion Applications environment family page to view the schedule for your environments:

  1. Sign in to the Oracle Cloud Console.
  2. In Applications Home in the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
  3. On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab.
The Upgrade tab shown on the environment family details page
Will my environments be available while the upgrade is being performed?

While the upgrade is occurring, your environments will not available.

How long is the downtime?

The identity upgrade is expected to take from 1 to 2 hours up to a few hours, if your environments have many users.

Can I opt out of the upgrade?

All Fusion Applications environments must complete the identity upgrade. If the scheduled time window doesn't work for you, contact Oracle Support to reschedule the upgrade for a convenient time. Contact Oracle Support by submitting a Support Request (SR).

When will the upgrade be performed? Will it be performed with my quarterly update?
  • The identity upgrade will not occur in the same month as a quarterly update. To avoid multiple downtimes in a month, the identity upgrade will be scheduled in the months after your environments receive a quarterly update.
  • In general, we expect to schedule the identity upgrade of your environments in the same maintenance time window as when the environments receive a quarterly update. We may schedule the identity upgrade for a time window that is different from the maintenance time window.
  • At least one of your non-production environments must have completed the upgrade before we perform the identity upgrade of your production environment. You will see your environments in the non-production cadence scheduled for identity upgrade before the environments in the production cadence.
  • If the schedule doesn't work for you, contact Oracle Support to reschedule the upgrade for a convenient time. Contact Oracle Support by submitting a Support Request (SR).
How do I reschedule the upgrade?

The identity upgrade is expected to take from one to two hours up to a few hours, if your environments have many users.

  • If the schedule doesn't work for you, contact Oracle Support to reschedule the upgrade for a convenient time. Contact Oracle Support by submitting a Support Request (SR).
  • In the Oracle Cloud Console, use the following selections when submitting a Support Request (SR):
    • Technical Issues
    • Service Group: Oracle Cloud Applications
    • Service: Any Fusion product
    • Service Category: SaaS Console Services (Outage, Provision, P2T/T2T, Resize, Environment and User Management)
    • Subcategory: Fusion Identity Upgrade