Identity and Access Management
65 Release Notes
New Sign-On Policy "Security Policy for OCI Console" for Identity Domains
Applicable realms: This release note applies only to non-OC1 realms; it does not apply to GOV, ONSR, or EU ...
New App Gateway Docker and OVA Releases
App Gateway releases are done to provide feature enhancements and bug fixes. Releases are for both the Docker and ...
Oracle Cloud Infrastructure (OCI) SAML Updates
SAML JIT
- Deployment: Completed in all the OCI regions.
- Feature Flag Enablement: Requires ...
New Experience in Oracle Cloud Console
We've launched a major update to the Oracle Cloud Console for multiple services. The new experience includes intuitive designs ...
Administrators Can Disable and Enable Oracle Services Onboarding for an Identity Domain
Token Exchange Grant Type for JSON Web Token
IAM adds the JSON Web Token (JWT) Exchange grant type to the existing Kerberos grant type so that a ...
Enhanced Security: Identity Domains Now Enforce Configured CORS Settings
IAM identity domains now support enforcing the customer-configured Cross-Origin Resource Sharing (CORS) settings in each identity domain. See ...
New Sign-On Policy: 'User Category-Based Sign-On Policy' (Reserved for OCI Internal Applications)
The Identity Service has seeded a new sign-on policy titled 'User Category-Based Sign-On Policy,' specifically aimed at strengthening the ...
New App Gateway Docker and OVA Releases
App Gateway releases are done to provide feature enhancements and bug fixes. Releases are for both the Docker and ...
Changes to the Default Sender's Email Address for Email Notifications
The default Sender's email address used to send password reset and other email notifications has changed from no-reply@oracle.com to ...
Digitalid application roles (Reserved for Oracle)
The DigitalidAdmin, DigitalidIssuer, DigitalidVerifier, and DigitalidWallet application roles are reserved by Oracle and can't be used to manage Identity ...
Changing or restoring Oracle security defaults now requires consent
Changing or restoring the Oracle security defaults for the "Security Policy for OCI Console" sign-on policy now requires explicit consent.
SMS Text Message Template Customization Deprecated
The Customize SMS Text Message template has been deprecated. The SMS text message for one-time passcode (OTP) will be in the ...
OCI Console Supports High Availability
OCI IAM supports replicating identity domains to several subscribed regions. A new sign-in feature improves the availability of OCI ...
Implicit JIT User Provisioning with Static Group Mapping
Use the API to enable first-time users to sign in to an OCI identity domain with their social identity ...
Identity Domains API Supports Custom Parameters for Social Identity Providers
The /SocialIdentityProviders endpoint now supports a multi-valued custom parameter for Social Identity Provider configurations.
Change Email From Field before Saving Notifications Template
Before you can save a Notifications template, you must change the Sender field.
For more information, see Modifying Notification ...
Change to IAM Identity Domains Password Policy Validation
User password changes for resetting a known password or resetting a forgotten password are now validated after the user enters ...
New Services available in US Government Cloud with FedRAMP Authorization
The following services are now available in the US Government Cloud with FedRAMP Authorization:
- Big Data Service ...
Reduce the number of sign-in prompts by using Keep me signed in
Administrators can now turn on Keep me signed in to reduce the number of sign-in prompts for users. After enabling ...
Oracle Enterprise Linux 8 is certified for the Linux Pluggable Authentication Module (PAM)
We now support Oracle Enterprise Linux 8 for the Linux Pluggable Authentication Module (PAM).
New tutorials illustrating SSO and identity lifecycle management
There are two new IAM tutorials which illustrate, using OCI IAM and Microsoft Azure AD, how to configure SSO and ...
Diagnostic data reports are now available
You can now use diagnostic data reports to capture logging data for an IAM identity domain. See Diagnostic Data Report ...
Upgrade Path for High Availability App Gateway Deployments
Cloud Gate has updated its Block Cipher mode of operation which changes how data is encrypted. If you are using ...
IAM Database Passwords Without Identity Domains
IAM database passwords and tokens centralize Autonomous Database user account management in IAM. They improve security and greatly minimize the ...
IAM now includes identity domains
The IAM service now supports identity domains for new tenancies. Identity domains are used to manage users and groups, integration ...
Network sources now support all services
All services now support using network sources in policy to restrict access to their resources. A network source lets you ...
Time-based access control for IAM policies
You can use time-based variables in your policies to restrict the access to resources granted in the policy to only ...
Per-image permissions for custom images
You can now write IAM policy that restricts the ability for users to create instances from custom images on an ...
Generate API signing keys in the Console
You can now generate the API signing keys in the Console, from your user profile. Also, after you add an ...
Compartment Explorer renamed to "Tenancy Explorer"
The compartment explorer is now called the "tenancy explorer." There are no changes to the functionality of this feature. To ...
Track a user's last sign in
The Users list page now includes a Last Sign In field that displays the last date and time a user ...
Network source restrictions for signing in to the Console
The IAM service now supports setting a network source restriction for signing in to the Console. A network source lets ...
Tag-based access control
Using conditions and a set of tag variables, you can write policy to scope access based on the tags that ...
Restrict access to Object Storage resources to requests from specific IP addresses
You can now use network sources (a new resource type in IAM) to restrict access to Object Storage to only ...
Enhancements to the compartment explorer
Previously, the compartment explorer allowed you to view all resources in a selected compartment. The enhancement added today allows you ...
Recover deleted compartments
You can now recover a deleted compartment. For more information, see Managing Compartments.
Required tag values for tag defaults
You can create tag defaults that require users creating resources to enter the values for tags. For more information, see ...
New tag value type for defined tags
You can create a list of values for defined tags. When the user applies the tag, they must select a ...
View all resources in a compartment with the compartment explorer
You can now get a cross-region view of all resources in a single compartment using the new compartment explorer. See ...
New procedures for managing service roles for Oracle Identity Cloud Service users and groups
You can now manage service roles for your Oracle Identity Cloud Service federated users directly in the Console. For the ...
Move a compartment to a different parent compartment
Use variables in tag values
You can now use variables in tag values. For more information, see Using Tag Variables.
Tag and tag namespace delete
You can now delete tags and tag namespaces. See Deleting Tag Key Definitions and Namespace for information and limitations.
Support for federation with Microsoft Azure Active Directory
The IAM service now supports Microsoft Azure AD as an identity provider. You can set up Oracle Cloud Infrastructure as ...
Support for assertion encryption by an identity provider
Oracle Cloud Infrastructure IAM service now supports encryption assertion by an identity provider. If your tenancy is federated with Microsoft ...
Customize password policy rules
You can now customize the password policy rules for Oracle Cloud Infrastructure local users. When a user is created or ...
Move tag namespaces to a different compartment
You can now move a tag namespace from the compartment it is in to a different compartment. The tag namespace ...
Self-service password recovery
Oracle Cloud Infrastructure local users can now add an email address to their user profile. This email address can be ...
Automatically apply tags at resource creation
Tag defaults let you specify tags to be applied automatically to all resources, at the time of creation, in a ...
Support for multi-factor authentication
Manage Oracle Identity Cloud Service Users and Groups in the Console
Oracle Cloud Infrastructure now provides an integration with Oracle Identity Cloud Service that lets you perform basic user and group ...
SDK and CLI support for Okta federated users
Users who are federated with Okta can now directly access the Oracle Cloud Infrastructure SDK and CLI, and other services ...
Support for compartment hierarchies
You can now create subcompartments inside of compartments to create hierarchies up to six levels deep. For more information, see ...
Compartment delete
You can now delete compartments. See Deleting Compartments for information and limitations.
Cost-tracking tags
Cost-tracking tags are displayed in your online billing statement and allow you to filter and subtotal your costs for resources ...
Compartment list in the Console shows only the compartments the user can access
The compartment list in the Console now displays only the compartments that a user is authorized to access. See Understanding ...
Use tags to define members of dynamic groups
You can now group instances in dynamic groups based on tags. For more information, see Managing Dynamic Groups.
...Swift passwords are now called "auth tokens"
Previously, the credential generated by Oracle for you to use to sign in to a Swift client was called a ...
Tags for the tenancy
You can now apply tags to your tenancy using the Console or the API. See Managing the Tenancy.
...Instance principals
Instances are a new principal type in IAM. You can now apply policy to groups of instances just as you ...
Federation with Oracle Identity Cloud Service Federated Users
All new tenancies are federated with Oracle Identity Cloud Service. For more information, see
Apply tags to your resources
Tagging allows you to organize, manage, and control your cloud resources with an organizational scheme you define. See Overview of ...
Rename compartments
You can now rename compartments that you create.
Federation with Microsoft Active Directory
You can federate with Microsoft Active Directory to enable your users to sign in to Oracle Cloud Infrastructure using their ...