Oracle® Cloud

What’s New for Oracle Identity Cloud Service

Release 18.4.2

E81008-32

December 2018

What’s New for Oracle Identity Cloud Service

When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.

To find out about the latest apps that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.

Topics:

• Release 18.4.2 — December 2018

• Release 18.3.4 — August 2018

• Release 18.2.6 — July 2018

• Release 18.2.4 — May 2018

• Release 18.1.6 — March 2018

• Release 18.1.2 — February 2018

• Release 17.4.6 — December 2017

• Release 17.4.2 — November 2017

• Release 17.3.6 — September 2017

• Release 17.3.4 — September 2017

• Release 17.3.2 — July 2017

Release 18.4.2 — December 2018

Category	Feature	Description
Adaptive Security	Activate and deactivate the default risk provider	In addition to third-party risk providers, you can now activate and deactivate the default risk provider. See Activating and Deactivating Risk Providers.
Adaptive Security	Use the slider to set the weighting for events	Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users. See Configuring the Default Risk Provider.
Applications	Enhancements to SAML Application Configuration	There are two enhancements to the SAML Application Configuration: You can now collectively configure User and Group attributes under the Attributes section in SAML Application Configuration. In addition to configuring an attribute to have one of the predefined user attribute values, you can also specify path expressions to define how the value of the assertion attribute should be calculated. See Adding a SAML Application.
Applications	Support to allow access to OPC resources	You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has similar urn:opc:resource:consumer prefix in any of the clients' Allowed Scopes, then the client can access the OPC resource. However, if the requested scope has a different qualifier (with the exception of ::all) that doesn't match with the Allowed Scopes, then the client can't access the OPC resource. See Adding a Confidential Application and Configuring Authorized Resources.
Notifications	Oracle Identity Cloud Service now checks whether verification is done to the email address that will appear in the From Email field for all notifications.	A new feature of the Notifications page is the Check Status button. By clicking this button, Oracle Identity Cloud Service checks whether verification is done to this email address through the email sent to the postmaster (domain) or email account. If the email address isn't verified, then access the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified. If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address. See Activating Notifications.
Scenarios	Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service	You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts: A traditional Cloud account (also known as a cloud service account) A cloud account with Identity Cloud Service Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service. You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services: Oracle Business Intelligence Cloud Service Oracle Integration Cloud Service Oracle Mobile Cloud Service Oracle Process Cloud Service Oracle Visual Builder Cloud Service Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service. See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service.
Terms of Use	Customize Terms of Use for Users	Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications. See Managing Terms of Use
Social Login	Add multiple instances of the same social identity provider	Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance. After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy. See Adding a Social Identity Provider.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /mfa/v1/requests - Use this endpoint to initiate and complete verification of a default Multi-Factor Authentication factor or a backup factor. /FromEmailAddressValidator - Use this endpoint to validate the status of the From Email Address or Email Domain from the OPC Notification Service. REST API for Oracle Identity Cloud Service.

Other Noteworthy Changes

Category	Feature	Description
AD Bridge	Set Permissions for Microsoft Active Directory Bridge	Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegate password reset and synchronization between Microsoft Active Directory Bridge and Oracle Identity Cloud Service. See Setting Permissions for the Microsoft Active Directory User Account.
Reports	Change in reports download behavior	Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available. See Organize the Report Data.

Release 18.3.4 — August 2018

Category	Feature	Description
Reporting	Diagnostic Data Report	Diagnostic Data Reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data. See Diagnostic Records REST Endpoints

Release 18.2.6 — July 2018

Category	Feature	Description
Bridge	Enhancements to AD Bridge configuration	For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge: The Include hierarchy check box. If you select this check box, and then select a parent OU, all children OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service. The Filter text box. Use this text box to enter a custom filter to search for user or group OUs. For example, enter (&(objectClass=User)(sn=Smith)) to return all users with the last name of Smith. Or, enter (department=IT) to return the IT group. See Configuring a Bridge.
Notifications	Validate the entire email address instead of the email domain only	Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email. Use the Domain option to send a validation email to the postmaster account of the email’s domain or the Email option to send an email to an email address for verification purposes. See Activating Notifications.
Administration	Support for editing Oracle Cloud Applications	As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies. See Editing High-Level Information for Oracle Applications.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /TermsOfUse - Use this endpoint to manage terms of use, which maintains the terms of use statements for applications. /TermsOfUseStatements - Use this endpoint to manage the terms of use statement, which maintains the terms of use statement that is associated with the terms of use. /SocialIdentityProviderMetadata - Use this endpoint to manage metadata for defining interaction with various social identity providers such as Facebook, LinkedIn, and Google. /UserAppsEnabledForAuthentication - Use this endpoint to return a list of all available target apps for a user on which delegated authentication can be performed. See REST API for Oracle Identity Cloud Service.
REST APIs	Deprecated REST API endpoint	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: /ServiceProviders In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed. See REST API for Oracle Identity Cloud Service.
Security	Terms of Use	Terms of Use is a feature in Oracle Identity Cloud Service that help customers to set the conditions for the users to access the applications based on their consent. This feature allows the identity domain administrators to set relevant disclaimers for legal or compliance requirements.

Release 18.2.4 — May 2018

See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.

Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.

Category	Feature	Description
Applications	Update your SAML applications	If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, you will see the Upgrade button visible in the UI. Click the button to upgrade the application. See Upgrading a SAML Application.
Applications	Support for providing a Custom Error URL for applications.	You can now provide a Custom Error URL to redirect a user in case of a failure. If not provided, the tenant specific Error page URL will be used. See the following topics: Adding a Trusted Application Adding a Mobile Application Adding a SAML Application Adding an App Catalog Application
Applications	Support for configuring tenant specific Error page URL	You can now provide a tenant specific custom Error page Url to redirect a user in case of a failure. See Changing Session Settings
Applications	Support for providing Linking callback URL	You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete. See the following topics: Adding a Trusted Application Adding a Mobile Application Adding a SAML Application Adding an App Catalog Application
Applications	Use App Gate to access your on-premises applications securely and remotely	Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely. Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications. In addition, the App Gate is an ideal solution for you if: You want to unify all of your Identity and Access Management products under one Identity as a Service (IDaaS) platform, but you have to integrate with applications that don’t support federation (such as SAML or WS-Fed). Your vendors, customers, or partners must access your internal business applications such as Oracle E-Business Suite from the Internet. You want to restrict unauthorized network access to your applications. You must comply with industry regulations, like Sarbanes-Oxley, HIPPA, and others. Your enterprise has Web applications that lack a native authentication mechanism. You’re looking for a cost-effective replacement for your on-premises Web-access management solution. You need a supported replacement of Shibboleth. From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads.
Branding	Revert custom branding to default Oracle branding	If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release. See Branding the Oracle Identity Cloud Service Interface.
REST APIs	Deprecated REST API endpoint	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: /ServiceProviders In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed. See REST API for Oracle Identity Cloud Service.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /AppEntitlementCollection - Use this endpoint to manage collections of entitlements from Apps. For example, an administrator can grant an AppEntitlementCollection as a single gesture that causes the grantee to receive every entitlement in that collection. /UserAuditEventsPurger - Use this endpoint to delete all of the audit events that are related to a deleted user. /DBGroups - Use this endpoint to manage all group administrative tasks. A group contains one or more users and works as a role for the enterprise to apply security features. See REST API for Oracle Identity Cloud Service.
Application Development SDKs	Updates to SDKs for web applications	There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service. Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Other Noteworthy Changes

Category	Feature	Description
REST APIs	Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content.	Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation. OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients to request and receive information about authenticated sessions and end users. See Using OpenID Connect to Extend OAuth 2.0.

Release 18.1.6 — March 2018

Category	Feature	Description
Delegated Authentication (On-demand)	Sign in with your Microsoft Active Directory password	With the Delegated Authentication feature in Oracle Identity Cloud Service, you no longer have to synchronize all your enterprise users' passwords between your on-premises Microsoft Active Directory and the cloud. Users can be configured to use their existing Microsoft Active Directory passwords to authenticate, and access resources and applications protected by Oracle Identity Cloud Service. See Managing Delegated Authentication in Oracle Identity Cloud Service.
Adaptive Security	Risk- and context-based analysis to detect and remediate anomalous activities	Oracle Identity Cloud Service is excited to announce brand new functionality called Adaptive Security that can provide customers with strong authentication capabilities based on user behavior in Oracle Identity Cloud Service, and across multiple heterogeneous on-premises and cloud systems. When enabled, the Adaptive Security feature can analyze a user's risk profile within Oracle Identity Cloud Service, based on their historical behavior, such as too many unsuccessful login attempts, too many unsuccessful MFA attempts, and real-time device context, such as logins from unknown devices. To evaluate a user's behavior across other systems with which Oracle Identity Cloud Service is not directly involved, the Adaptive Security feature enables you to configure your existing risk providers like Cloud Access Security Broker (CASB), Security Information and Event Management (SIEM), and so on, to obtain the user's risk score from these external providers. With this enriched context and risk information, Adaptive Security risk profiles each and every user and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low) that can be used with Oracle Identity Cloud Service policies to take remediation action, such as allow or deny the user from accessing Oracle Identity Cloud Service, requiring the user to provide a second factor, and so on. Administrators can also view how the user's risk profile trended over a period of time and drill-down to see each detail of the event. See Managing Adaptive Security in Oracle Identity Cloud Service.
Schema Management	Extend the user schema by adding custom attributes to it	If you're creating your own user interface, and you don't find a user schema attribute that you need in the base Oracle Identity Cloud Service schema attributes, then add your own custom attribute to the schema from within the Oracle Identity Cloud Service console. See Adding Custom Schema Attributes.
Application Development SDKs	New SDKs for Web and Mobile applications	Oracle Identity Cloud Service provides you with software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications and your Android or iOS mobile applications with Oracle Identity Cloud Service. Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.
Single Sign-On	Secure Form Fill Admin Client	You can use the Secure Form Fill feature if your web applications can't be modified to integrate with Oracle Identity Cloud Service for SSO. The new Secure Form Fill Admin Client helps you map the sign-in form for your web application so that Oracle Identity Cloud Service knows how to populate the user's user name and password automatically, and helps you to submit the user's credentials to the application's identity store. You can download this Secure Form Fill Admin Client from within the Oracle Identity Cloud Service console. See Downloading Oracle Identity Cloud Service SDKs and Applications.
Identity Administration	Auto provision birthright applications	You can now configure a set of applications to be automatically provisioned for every user on-boarded to Oracle Identity Cloud Service. See the following topics: Assigning Groups to Oracle Applications Removing Groups from Oracle Applications Assigning Groups to Custom Applications Removing Groups from Custom Applications
Identity Administration	Synchronize User Accounts from a Flat File Using REST APIs	For target applications that don’t support synchronization of user accounts with Oracle Identity Cloud Service, you can now import user accounts from a flat file using REST APIs, providing a quick and error-free synchronization. See Importing User Accounts from a Flat File Using REST APIs.
Identity Administration	Synchronize User Accounts from a Flat File using the Oracle Identity Cloud Service UI	For target applications that do not support synchronization of user accounts with Oracle Identity Cloud Service, you can now import and synchronize user accounts from a flat file using the Oracle Identity Cloud Service Administration console. You can also activate and deactivate these synchronized user accounts from the console. See Importing and Synchronizing User Accounts Using a Flat File in Oracle Identity Cloud Service UI.
Identity Administration	Manage Web Tier policies from the admin console	In the previous versions, there was no option in the admin console to create or edit Web Tier policies. You can now manage Web Tier policies from the admin console and specify a list of resource filters, such as, application URLs, the corresponding authentication method, and so on, to control and protect your corporate resources. See Creating and Managing Web Tier Policies. Note: Use the Web Tier Policy feature for Oracle Identity Cloud Service only. Customers should refer to the relevant documentation for their services to understand how to use this feature.
Identity Administration	Additional attributes to filter synchronization results	You can now use Situation and Synchronization Status as additional filter attributes to filter the user account import search results. Select values from the respective drop-down lists to view user accounts matching the search criteria. See Synchronizing User Accounts.
Identity Administration	Apply Default Trust Scope from OAuth settings for Client Application configuration	In the previous versions, for a Trusted Application you can select All Resources, Allowed Tags or Allowed Scopes to configure Trust Scopes for your Client Application. By selecting the Default option, you can now apply the Default Trust Scope configured in the OAuth settings to your client application. See Adding a Trusted Application.
Bridge Installer	Enhanced Microsoft Active Directory Bridge installation	The bridge installer is streamlined and simplified for a better user experience. See Creating a Bridge.
Administrative Settings	Set Norwegian as your preferred language	The Oracle Identity Cloud Service UI now supports the Norwegian language. Administrators can set Norwegian as the default language for an identity domain. See Changing Default Settings. Users can set Norwegian as the default language for their account. See Setting Up or Modifying Your Profile.
Security Settings	Support for Configuring OAuth Settings	You can now configure OAuth settings to either enable account-level trust for all token acquisition requests or configure one of the Default Trust Scopes. See Configuring OAuth Settings.
REST APIs	Enhancements to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints were added: /IDBridgeConfig - Use this endpoint to replace or update an IDBridge configuration. For example, replacing or updating a new feature name and the release in which the feature was introduced. /TargetAuthenticationTester - Use this endpoint to test target authentication. /Schemas - The PATCH operation is now supported. Use this endpoint to maintain the schema definition of resource types that are supported by Oracle Identity Cloud Service . Schema definitions contain standard SCIM schema attributes and additional Oracle Identity Cloud Service -specific attributes such as searchable, min/max length for validation, target attrname, and so on. /RiskProviderProfile - Use this endpoint to manage risk provider configurations for Oracle Identity Cloud Service . The risk provider configuration manages all the fields that are required to connect with the provider and other relevant configurations. /RiskProviderProfileValdation - Use this endpoint to validate a risk provider profile. /ManagedObjectClassTemplates - Use this endpoint to work with managed object class template configurations for a connected managed app. /ManagedObjectClasses - Use this endpoint to work with managed object class configurations for a connected managed app. /Threats - Use this endpoint to manage adaptive access threats and violations. /AdaptiveAccessSettings - Use this endpoint to manage tenant-specific adaptive access settings. There is a single pre-seeded instance of AdaptiveAccessSettings in Oracle Identity Cloud Service. New instances can't be created and an existing instance can't be removed. But, you can update a single instance using PUT or PATCH. See REST API for Oracle Identity Cloud Service and Using the Oracle Identity Cloud Service REST APIs with Postman.

Other Noteworthy Changes

Category	Feature	Description
REST APIs	Enhancements to the Oracle Identity Cloud Service POSTMAN Collection	The Oracle Identity Cloud Service POSTMAN Collection has been updated. This release allows you to explore the relationships between Users, Groups, Clients, Apps, and AppRoles. Look for new Search requests added for Users, Groups, Clients, Apps, and AppRoles in the Search folders for each, as well as the Membership folders. See the Oracle Identity Cloud Service POSTMAN Collection.

Release 18.1.2 — February 2018

18.1.2 User Interface Changes

Watch the What’s New in 18.1.2 video to learn about the 18.1.2 user interface changes and other enhancements.

The Oracle Identity Cloud Service 18.1.2 release introduces several major interface changes to the Identity Cloud Service administrator console:

1. In 17.4.6, the user menu displayed the user name. In 18.1.2, the user name is replaced with the user’s initials. This change is part of an update across all Oracle cloud products. All PaaS products are moving to a new design. The new avatar displays the logged in user's initials. No options for the menu have changed.

2. In 17.4.6, the Dashboard, Users, and Notifications buttons appeared in the upper-right corner of the administrator console. These buttons are used to return to Oracle Public Cloud. In 18.1.2, those links are available on the new My Services page in the Navigation Drawer.

3. In 17.4.6, dashboard navigation consisted of a series of tabs across the dashboard. In 18.1.2, these tabs are replaced with the Navigation Drawer. The Navigation Drawer maximizes the real estate of the Identity Cloud Service console. To display the Navigation Drawer, click the Navigation Drawer icon in the upper-left corner of the console. You'll see a listing of all folders and pages that compose the console. Click a folder to see the pages associated with the folder. Then, click the menu item that represents the page that you want to display in the Identity Cloud Service console. Click the Navigation Drawer icon again to close the Navigation Drawer.

18.1.2 User Interface Changes
17.4.6 Navigation (Old)
17.4.6 Navigation (Old) Screenshot Description of the illustration old-navigation-release-17.4.6.png
18.1.2 Navigation (New)
18.1.2 Navigation (New) Screenshot Description of the illustration new-navigations-release-18.1.2.png See Accessing Service Consoles
Other UI Changes
There's a new page in the Settings folder: Downloads. Use this page to download Java, Node.js, or Python SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications. In the Security folder: The Delegated Administration page has been renamed to Administrators. There are three new pages: Identity Provider Policies, Sign-On Policies, and Network Perimeters. Use these pages to define identity provider policies, sign-on policies, and network perimeters. See Managing Oracle Identity Cloud Service Identity Provider Policies, Managing Oracle Identity Cloud Service Sign-On Policies, and Managing Oracle Identity Cloud Service Network Perimeters.

18.1.2 New Features— February 2018

Feature	Description
Email as a Second Authentication Factor	Support for using email as a second authentication factor has been added to the Multi-Factor Authentication options. After email settings are configured, when the user selects Email as the authentication method, Oracle Identity Cloud Service sends a one-time passcode to the user’s primary email address for use as a second verification method. See Configuring Email Settings.
Setting a Default Verification Method	A user can now set their default second factor verification method using the 2-Step Verification page of the My Profile console. See Setting a Default Verification Method.
Enhancements to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /LatestBinaryFileInfoVersionRetriever - Use this endpoint to retrieve the latest version of binary file information. /SFFCustomApps - Use this endpoint to manage tenant-specific Secure Form Fill custom apps. The X-ORACLE-DMS-ECID and X-ORACLE-DMS-RID HTTP headers are now included in each REST API response. These headers correspond to the ECID and RID for a REST API request. The caller can use this information to track and correlate requests that originate with events arising in the Oracle Identity Cloud Service server. The client may also include these values as part of an error message, as it is important to correlate events on the client side with errors on the server side. See REST API for Oracle Identity Cloud Service..
Manage Policies	Policy control, for securing and managing access to resources, is now available. Policy control makes access control flexible, enabling good policy management with flexible and extendable, contextual capabilities. In this release, the following policy control features are available: Define Identity Provider Policies. You can use identity provider policies to specify which identity providers are visible in the Sign In page when someone is trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. You can also use identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service with their local credentials or by using credentials associated with SAML or social identity providers. See Managing Oracle Identity Cloud Service Identity Provider Policies. Define Network Perimeters. You can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses. After creating a network perimeter, you can prevent users from signing in to Oracle Identity Cloud Service if they use one of the IP addresses in the network perimeter. This is known as blacklisting. You can also configure Oracle Identity Cloud Service so that users can log in, using only IP addresses contained in the network perimeter. This is known as white listing. See Managing Oracle Identity Cloud Service Network Perimeters. Define Sign-On Policies. You can use sign-on policies in Oracle Identity Cloud Service to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service. See Managing Oracle Identity Cloud Service Sign-On Policies.
App Development SDK	You can now enable your Java, Node.js, or Python web applications to authenticate with Oracle Identity Cloud Service by using software development kits (SDKs). Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.
EBS Asserter	Integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service for authentication and password management purposes by using a lightweight Java application known as the Oracle E-Business Suite (EBS) Asserter. Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.
Create custom secure form fill applications	If you don't find the secure form fill application that you need in the app catalog or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service. See Creating a Custom Secure Form Fill App.
Select Display in My Apps check box to display the app in My Apps page	In previous releases, when you select Display in My Apps check box, you can also enable SSO to the app. In this release, when you select the Display in My Apps check box in applications, the app is then visible in the My Apps page, but selecting this check box no longer enables or disables SSO to the app. See Adding a Trusted Application Adding a SAML Application Adding an App Catalog Application The flag to enable or disable SSO comes from the app template. Use the Oracle Identity Cloud Service REST APIs to update this flag. You cannot set the SSO flag from the user interface. See REST API for Oracle Identity Cloud Service.
Updates to the Application Catalog	Over 100 Form Fill integrations, including banking, learning, and transportation apps. SAML SSO with Workday, Ariba, and other apps. See Oracle Identity Cloud Service - Application Catalog..
OpenID Connect support for Identity providers	Oracle Identity Cloud Service now supports integration with identity providers that are compliant with OpenID Connect. These identity providers support the OpenID Connect standard. You use this type of identity provider when you want to establish trust between an OpenID Connect-compatible identity provider, such as Google, Salesforce, and so on, with your Oracle Identity Cloud Service account. This is useful if you're creating a mobile or web application that requires access to Oracle Identity Cloud Service-protected resources, but you don't want to create custom sign-in code or manage your own user identities.

Release 17.4.6 — December 2017

Feature	Description
Activate and deactivate user accounts for apps	User accounts provisioned/assigned to apps from Oracle Identity Cloud Service can now be individually activated or deactivated. This allows administrators to manually activate or deactivate user accounts as and when needed without impacting other accounts provisioned to the user. See Assigning Applications to the User Account and Assigning Users to Custom Applications.
Add tags to applications	If you want to create custom attributes for applications that can be used to search for the applications more effectively, then add tags to applications. Tags are key-value pairs that are used to organize and identify applications. For example, suppose you're creating three versions of an application: one for development purposes, one for testing purposes, and one that will be used in production. You can create the following tags for these versions: Version: Development, Version: Testing; and Version: Production. You can create tags for your trusted, mobile, SAML, and App Catalog applications or add existing tags from other applications. See Adding Applications.
Enhancements to Oracle Identity Cloud ServiceREST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /AppUpgrader /CustomAllowedValues /MappedActions /MappedActionTemplates /MyAccesses /ResourceTypeSchemaAttributes /SocialAccounts /Tags The attributeSets query parameter was added. Use this query parameter to get a group of attributes back in the response rather than specifying each attribute individually. This query parameter accepts comma-separated values from the following parameters: all (returns all attributes) always (returns all attributes marked as always in the schema) default (returns all default attributes) request (returns all attributes marked as request in the schema) These values are not case-sensitive. If both "attributes" and "attributeSets" are specified in the request, then the values from both attribute sets are returned in the response. See REST API for Oracle Identity Cloud Service.
OpenID Connect Support for Social Identity Providers	If you need to add a social identity provider that is OpenID Connect compliant, you can now define OpenID Connect compliant social identity providers as identity providers in Oracle Identity Cloud Service. See Adding a Social Identity Provider and Deleting an Identity Provider.
Deleting Social Accounts Linked to an Identity Provider	When deleting an identity provider and there are social accounts referenced to that Identity Provider, you are prompted whether to delete the references as well. If you do delete the social account references, Oracle Identity Cloud Service asynchronously deletes the references and then deletes the identity provider. If you don't want to delete the social accounts references, you can deactivate the identity provider, which results in the identity provider not being used for social login. When the identity provider is deactivated, users can see their social accounts in their My Profile page but can't use the identity provider to login. See Deleting an Identity Provider.

Release 17.4.2 — November 2017

Feature	Description
User Interface Change: Delegated Administration	You can now access the Delegated Administration page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.
User Interface Change: Identity Providers	You can now access the Identity Providers page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.
User Import Enhancement	The Users.csv import file has been enhanced to include Locked, Locked Reason, and Locked Date fields. See Importing User Accounts.
${tenantName} replaced by ${companyName}	${tenantName} has been replaced by ${companyName} for all email templates and SMS templates. See Modifying Notification Templates.
Access Request Notifications Added	There are two new notifications added: New Access Request submitted: This notification is sent to a user after they submit an access request. Access Request fulfilled: This notification is sent to a user after their access request has been fulfilled. See Understanding the Types of Notifications..
Support for Login URL, Cross-Origin Resource Sharing (CORS), and Allowed CORS Domain Names	The following new fields have been implemented on the Session Settings page to support this enhancement: Login URL: You can specify the URL where you want the user redirected to log in. Allow Cross-Origin Resource Sharing (CORS): You can allow client applications that run on one domain to obtain data from another domain. Allowed CORS Domain Names: You can now list the external domain names that are allowed for CORS operations. See Changing Session Settings.
Trust Scopes	The new Trust Scopes feature allows a trusted application to access either any resource within a domain or only those services where an explicit association between the client and the service exists. The following new Trust Scopes options are available for only trusted applications: All Resources: Select to allow your application to request an access token for services using the scope urn:opc:resource:consumer::all. This option provides a wide scope. Allowed Scope: Leave selected (the default) to allow your application to acquire an access token with permissions based on an explicit association between the client and target services. See Adding a Trusted Application.
MFA Pull Notifications Support	Pull Notifications support has been added to the Multi-Factor Authentication options. Pull notifications are updates that are delivered to a mobile device or computer in response to a user who is checking for login request notifications. Pull notifications are useful in scenarios where the GCM service (Android), APNS Service (iPhone), or WMS service (Windows) does not work. See Configuring Mobile OTP and Notifications.
Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint has been deprecated: /AppAllowedScopesChanger Previously administrators couldn't edit OPC Apps because they were protected and read-only. In order to update the "allowedScopes" attribute, administrators were required to use this special REST endpoint: /AppAllowedScopesChanger. This REST endpoint has been deprecated in this release because OPC Apps are now editable, which allows administrators to use PATCH with the /Apps endpoint to add, remove, or replace the values of the allowedScopes attribute. See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.
Support for enhanced login experience	You can now experience the customized login by hosting a login application and redirecting Oracle Identity Cloud Service login to the new application. You can specify the custom login and logout URLs in the Login URL and Logout Page URL fields. These fields are available in the application, by default. See Adding a Trusted Application, Adding a SAML Application, and Adding a Mobile Application

17.4.2 REST API Changes

Feature	Description
Trust Scope Attribute	The Trust Scope Attribute has been added to the REST examples where applicable. See Account Trust Scope.

17.4.2 User Interface Changes

The Delegated Administration page and the Identity Providers page have been moved from the Settings tab (17.3.6) to the Security tab (17.4.2) of the Identity Cloud Service console. This following table illustrates those changes.

Screen shots of 17.4.2 User Interface Changes
17.3.6 Settings Tab (Old)
17.3.6 Settings Tab (Old) Screenshot Description of the illustration old-settings-tab-release-17.3.6.png
17.4.2 Security Tab (New)
17.4.2 Security Tab (New) Screenshot Description of the illustration new-security-tab-changes-release-17.4.2.png

Release 17.3.6 — September 2017

Feature	Description
Device Grant Flow	The new Device Code grant type provides a specific grant flow in which a device client executes on a device that doesn't have an easy data-entry method (for example, game consoles, streaming media players, and digital picture frames), and the device client is incapable of receiving incoming requests from the authorization server. See Adding a Trusted Application and Adding a Mobile Application.
Add/Remove Client Scopes for Oracle Applications	You can now add and remove client scopes for OPC apps using the Oracle Identity Cloud Service administration console. See Adding a Trusted Application.
Icons for OPC Apps	Different OPC icons are available for each OPC app in the Oracle Identity Cloud Service administration console. Also, available app icons are now stored on the UI server and accessed using a URL, which improves performance fetching and displays the icons more quickly.
Support for Universal Credits	Oracle Identity Cloud Service is now part of the new metered Universal Credit pricing models. These models include a Pay As You Go, Monthly, and Yearly.
Bridge Performance Improvement	Enhancements have been made to increase Bridge performance. To take advantage of these improvements, upgrade your Bridge client.
Use new Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new: /MappedAttributeTemplates /MappedAttributes /oauth2/v1/device See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.
Bridge Upgrade Needed After Client Secret Regeneration	If you're using the 17.2.6 version of the client for the bridge, and you have regenerated the Client Secret, then you must upgrade your client to the latest version. See Creating a Bridge to install the updated client for the bridge.

Other Noteworthy Changes

Feature	Description
Maximum Character Limit Increase for specific Users and Groups Fields	The maximum character length has been increased for the following user fields: Display Name (201) First Name (100) Last Name (100) Formatted Name (354) In the Groups page, the maximum character length for the Description field has been increased to 4,000 characters. In the Branding page, the maximum character length for the Login Text field has been increased to 250 characters.
Bare Metal Cloud Services Renamed	Bare Metal Cloud Services has been renamed to Oracle Infrastructure Cloud Service.

Release 17.3.4 — September 2017

Feature	Description
Secure Form Fill plug-in: Support for Google Chrome and Mozilla Firefox	If you are using Google Chrome, you are prompted to go to the Extensions on Google Chrome and install the Oracle Secure Form Fill Plugin. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app. If you are using Mozilla Firefox, instead of downloading the Secure Form Fill Mozilla Firefox plug-in from the Mozilla Store, install the Secure Form Fill Mozilla Firefox plug-in from the My Apps page. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app. Secure Form Fill is included as part of the Oracle Identity Cloud Service Standard license.
Public Access Tenant Signing Certificate	Oracle Identity Cloud Service tenant administrators can allow clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service. See Changing Default Settings in Administering Oracle Identity Cloud Service.
Access Request	Administrators specify the groups and applications to which a user may request access. Users can now request group and application access from the Catalog. Users can also view the groups and applications to which they have access as well as view their access requests. See Managing Group and Application Access in Administering Oracle Identity Cloud Service.
Use new Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new: /AppAllowedScopesChanger /MyGroups /MyRequestableApps /MyRequestableGroups /MyRequests See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the App Catalog template list, take a look at Oracle Identity Cloud Service - Application Catalog

Release 17.3.2 — July 2017

This release contains mostly bug fixes and performance enhancements.

---

Oracle Cloud What’s New for Oracle Identity Cloud Service, Release 18.4.2

E81008-32

Copyright © 2016, 2018, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.