Oracle® Cloud

What’s New for Oracle Identity Cloud Service

Release 18.4.2

E81008-32

December 2018


When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.

To find out about the latest apps that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.

Release 18.4.2 — December 2018

Category Feature Description

Adaptive Security

Activate and deactivate the default risk provider

In addition to third-party risk providers, you can now activate and deactivate the default risk provider.

See Activating and Deactivating Risk Providers.

Adaptive Security

Use the slider to set the weighting for events

Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users.

See Configuring the Default Risk Provider.

Applications

Enhancements to SAML Application Configuration

There are two enhancements to the SAML Application Configuration:

  • You can now collectively configure User and Group attributes under the Attributes section in SAML Application Configuration.

  • In addition to configuring an attribute to have one of the predefined user attribute values, you can also specify path expressions to define how the value of the assertion attribute should be calculated.

See Adding a SAML Application.

Applications

Support to allow access to OPC resources

You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has a similar urn:opc:resource:consumer prefix in any of the client's Allowed Scopes, then the client can access the OPC resource. However, if the requested scope has a different qualifier (with the exception of ::all) that doesn't match the Allowed Scopes, then the client can't access the OPC resource.

See Adding a Confidential Application and Configuring Authorized Resources.

Notifications

Oracle Identity Cloud Service now checks whether the email address that will appear in the From Email field for all notifications has been verified.

A new feature of the Notifications page is the Check Status button. When you click this button, Oracle Identity Cloud Service checks whether this email address has been verified through the email sent to the postmaster (domain) or email account.

If the email address isn't verified, then access the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified.

If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address.

See Activating Notifications.

Scenarios

Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service

You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts:

  • A traditional Cloud account (also known as a cloud service account)

  • A cloud account with Identity Cloud Service

Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service.

You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services:

  • Oracle Business Intelligence Cloud Service

  • Oracle Integration Cloud Service

  • Oracle Mobile Cloud Service

  • Oracle Process Cloud Service

  • Oracle Visual Builder Cloud Service

Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service.

See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service.

Terms of Use

Customize Terms of Use for Users

Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications.

See Managing Terms of Use.

Social Login

Add multiple instances of the same social identity provider

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

See Adding a Social Identity Provider.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

  • /mfa/v1/requests - Use this endpoint to initiate and complete verification of a default Multi-Factor Authentication factor or a backup factor.

  • /FromEmailAddressValidator - Use this endpoint to validate the status of the From Email Address or Email Domain from the OPC Notification Service.

See REST API for Oracle Identity Cloud Service.

Other Noteworthy Changes

Category Feature Description

AD Bridge

Set Permissions for Microsoft Active Directory Bridge

Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegate password reset and synchronization between Microsoft Active Directory Bridge and Oracle Identity Cloud Service.

See Setting Permissions for the Microsoft Active Directory User Account.

Reports

Change in reports download behavior

Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available.

See Organize the Report Data.

Release 18.3.4 — August 2018

Category Feature Description

Reporting

Diagnostic Data Report

Diagnostic Data Reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data.

See Diagnostic Records REST Endpoints.

Release 18.2.6 — July 2018

Category Feature Description

Bridge

Enhancements to AD Bridge configuration

For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge:
  • The Include hierarchy check box. If you select this check box, and then select a parent OU, all children OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service.

  • The Filter text box. Use this text box to enter a custom filter to search for user or group OUs. For example, enter (&(objectClass=User)(sn=Smith)) to return all users with the last name of Smith. Or, enter (department=IT) to return the IT group.

See Configuring a Bridge.

Notifications

Validate the entire email address instead of the email domain only

Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email.

Use the Domain option to send a validation email to the postmaster account of the email’s domain or the Email option to send an email to an email address for verification purposes.

See Activating Notifications.

Administration

Support for editing Oracle Cloud Applications

As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies.

See Editing High-Level Information for Oracle Applications.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /TermsOfUse - Use this endpoint to manage terms of use, which maintains the terms of use statements for applications.

  • /TermsOfUseStatements - Use this endpoint to manage the terms of use statement, which maintains the terms of use statement that is associated with the terms of use.

  • /SocialIdentityProviderMetadata - Use this endpoint to manage metadata for defining interaction with various social identity providers such as Facebook, LinkedIn, and Google.

  • /UserAppsEnabledForAuthentication - Use this endpoint to return a list of all available target apps for a user on which delegated authentication can be performed.

See REST API for Oracle Identity Cloud Service.

REST APIs

Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:
/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.

Security

Terms of Use

Terms of Use is a feature in Oracle Identity Cloud Service that helps customers set the conditions under which users can access applications, based on the users' consent.

This feature allows the identity domain administrators to set relevant disclaimers for legal or compliance requirements.

Release 18.2.4 — May 2018

See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.

Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.

Category Feature Description

Applications

Update your SAML applications

If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, you will see the Upgrade button visible in the UI. Click the button to upgrade the application.

See Upgrading a SAML Application.

Applications

Support for providing a Custom Error URL for applications.

You can now provide a Custom Error URL to redirect a user in case of a failure. If not provided, the tenant specific Error page URL will be used.

Applications

Support for configuring tenant specific Error page URL

You can now provide a tenant specific custom Error page URL to redirect a user in case of a failure.

See Changing Session Settings.

Applications

Support for providing Linking callback URL

You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete.

Applications

Use App Gate to access your on-premises applications securely and remotely

Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely.

Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications.

In addition, the App Gate is an ideal solution for you if:
  • You want to unify all of your Identity and Access Management products under one Identity as a Service (IDaaS) platform, but you have to integrate with applications that don’t support federation (such as SAML or WS-Fed).

  • Your vendors, customers, or partners must access your internal business applications such as Oracle E-Business Suite from the Internet.

  • You want to restrict unauthorized network access to your applications.

  • You must comply with industry regulations, like Sarbanes-Oxley, HIPAA, and others.

  • Your enterprise has Web applications that lack a native authentication mechanism.

  • You’re looking for a cost-effective replacement for your on-premises Web-access management solution.

  • You need a supported replacement of Shibboleth.

From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads.

Branding

Revert custom branding to default Oracle branding

If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release.

See Branding the Oracle Identity Cloud Service Interface.

REST APIs

Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:
/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /AppEntitlementCollection - Use this endpoint to manage collections of entitlements from Apps. For example, an administrator can grant an AppEntitlementCollection as a single gesture that causes the grantee to receive every entitlement in that collection.

  • /UserAuditEventsPurger - Use this endpoint to delete all of the audit events that are related to a deleted user.

  • /DBGroups - Use this endpoint to manage all group administrative tasks. A group contains one or more users and works as a role for the enterprise to apply security features.

See REST API for Oracle Identity Cloud Service.

Application Development SDKs

Updates to SDKs for web applications

There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service.

Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Other Noteworthy Changes

Category Feature Description

REST APIs

Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content.

Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation.

OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients to request and receive information about authenticated sessions and end users.

See Using OpenID Connect to Extend OAuth 2.0.

Release 18.1.6 — March 2018

Category Feature Description

Delegated Authentication (On-demand)

Sign in with your Microsoft Active Directory password

With the Delegated Authentication feature in Oracle Identity Cloud Service, you no longer have to synchronize all your enterprise users' passwords between your on-premises Microsoft Active Directory and the cloud. Users can be configured to use their existing Microsoft Active Directory passwords to authenticate, and access resources and applications protected by Oracle Identity Cloud Service.

See Managing Delegated Authentication in Oracle Identity Cloud Service.

Adaptive Security

Risk- and context-based analysis to detect and remediate anomalous activities

Oracle Identity Cloud Service is excited to announce brand new functionality called Adaptive Security that can provide customers with strong authentication capabilities based on user behavior in Oracle Identity Cloud Service, and across multiple heterogeneous on-premises and cloud systems. When enabled, the Adaptive Security feature can analyze a user's risk profile within Oracle Identity Cloud Service, based on their historical behavior, such as too many unsuccessful login attempts, too many unsuccessful MFA attempts, and real-time device context, such as logins from unknown devices.

To evaluate a user's behavior across other systems with which Oracle Identity Cloud Service is not directly involved, the Adaptive Security feature enables you to configure your existing risk providers like Cloud Access Security Broker (CASB), Security Information and Event Management (SIEM), and so on, to obtain the user's risk score from these external providers.

With this enriched context and risk information, Adaptive Security builds a risk profile for every user and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low). This risk level can be used with Oracle Identity Cloud Service policies to take remediation action, such as allowing or denying the user access to Oracle Identity Cloud Service, requiring the user to provide a second factor, and so on. Administrators can also view how the user's risk profile trended over a period of time and drill down to see the details of each event.

See Managing Adaptive Security in Oracle Identity Cloud Service.

Schema Management

Extend the user schema by adding custom attributes to it

If you're creating your own user interface, and you don't find a user schema attribute that you need in the base Oracle Identity Cloud Service schema attributes, then add your own custom attribute to the schema from within the Oracle Identity Cloud Service console.

See Adding Custom Schema Attributes.

Application Development SDKs

New SDKs for Web and Mobile applications

Oracle Identity Cloud Service provides you with software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications and your Android or iOS mobile applications with Oracle Identity Cloud Service.

Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Single Sign-On

Secure Form Fill Admin Client

You can use the Secure Form Fill feature if your web applications can't be modified to integrate with Oracle Identity Cloud Service for SSO. The new Secure Form Fill Admin Client helps you map the sign-in form for your web application so that Oracle Identity Cloud Service knows how to populate the user's user name and password automatically, and helps you to submit the user's credentials to the application's identity store. You can download this Secure Form Fill Admin Client from within the Oracle Identity Cloud Service console.

See Downloading Oracle Identity Cloud Service SDKs and Applications.

Identity Administration

Auto provision birthright applications

You can now configure a set of applications to be automatically provisioned for every user on-boarded to Oracle Identity Cloud Service.

Identity Administration

Synchronize User Accounts from a Flat File Using REST APIs

For target applications that don’t support synchronization of user accounts with Oracle Identity Cloud Service, you can now import user accounts from a flat file using REST APIs, providing a quick and error-free synchronization.

See Importing User Accounts from a Flat File Using REST APIs.

Identity Administration

Synchronize User Accounts from a Flat File using the Oracle Identity Cloud Service UI

For target applications that do not support synchronization of user accounts with Oracle Identity Cloud Service, you can now import and synchronize user accounts from a flat file using the Oracle Identity Cloud Service Administration console. You can also activate and deactivate these synchronized user accounts from the console. See Importing and Synchronizing User Accounts Using a Flat File in Oracle Identity Cloud Service UI.

Identity Administration

Manage Web Tier policies from the admin console

In previous versions, there was no option in the admin console to create or edit Web Tier policies. You can now manage Web Tier policies from the admin console and specify a list of resource filters, such as application URLs, the corresponding authentication method, and so on, to control and protect your corporate resources.

See Creating and Managing Web Tier Policies.

Note: Use the Web Tier Policy feature for Oracle Identity Cloud Service only. Customers should refer to the relevant documentation for their services to understand how to use this feature.

Identity Administration

Additional attributes to filter synchronization results

You can now use Situation and Synchronization Status as additional filter attributes to filter the user account import search results. Select values from the respective drop-down lists to view user accounts matching the search criteria.

See Synchronizing User Accounts.

Identity Administration

Apply Default Trust Scope from OAuth settings for Client Application configuration

In previous versions, for a Trusted Application you could select All Resources, Allowed Tags, or Allowed Scopes to configure Trust Scopes for your Client Application. By selecting the Default option, you can now apply the Default Trust Scope configured in the OAuth settings to your client application.

See Adding a Trusted Application.

Bridge Installer

Enhanced Microsoft Active Directory Bridge installation

The bridge installer is streamlined and simplified for a better user experience.

See Creating a Bridge.

Administrative Settings

Set Norwegian as your preferred language

The Oracle Identity Cloud Service UI now supports the Norwegian language.

Administrators can set Norwegian as the default language for an identity domain. See Changing Default Settings.

Users can set Norwegian as the default language for their account. See Setting Up or Modifying Your Profile.

Security Settings

Support for Configuring OAuth Settings

You can now configure OAuth settings to either enable account-level trust for all token acquisition requests or configure one of the Default Trust Scopes.

See Configuring OAuth Settings.

REST APIs

Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints were added:

  • /IDBridgeConfig - Use this endpoint to replace or update an IDBridge configuration. For example, replacing or updating a new feature name and the release in which the feature was introduced.

  • /TargetAuthenticationTester - Use this endpoint to test target authentication.

  • /Schemas - The PATCH operation is now supported. Use this endpoint to maintain the schema definition of resource types that are supported by Oracle Identity Cloud Service. Schema definitions contain standard SCIM schema attributes and additional Oracle Identity Cloud Service-specific attributes such as searchable, min/max length for validation, target attrname, and so on.

  • /RiskProviderProfile - Use this endpoint to manage risk provider configurations for Oracle Identity Cloud Service. The risk provider configuration manages all the fields that are required to connect with the provider and other relevant configurations.

  • /RiskProviderProfileValdation - Use this endpoint to validate a risk provider profile.

  • /ManagedObjectClassTemplates - Use this endpoint to work with managed object class template configurations for a connected managed app.

  • /ManagedObjectClasses - Use this endpoint to work with managed object class configurations for a connected managed app.

  • /Threats - Use this endpoint to manage adaptive access threats and violations.

  • /AdaptiveAccessSettings - Use this endpoint to manage tenant-specific adaptive access settings. There is a single pre-seeded instance of AdaptiveAccessSettings in Oracle Identity Cloud Service. New instances can't be created and an existing instance can't be removed. But, you can update a single instance using PUT or PATCH.

See REST API for Oracle Identity Cloud Service and Using the Oracle Identity Cloud Service REST APIs with Postman.

Other Noteworthy Changes

Category Feature Description

REST APIs

Enhancements to the Oracle Identity Cloud Service POSTMAN Collection

The Oracle Identity Cloud Service POSTMAN Collection has been updated. This release allows you to explore the relationships between Users, Groups, Clients, Apps, and AppRoles.

Look for new Search requests added for Users, Groups, Clients, Apps, and AppRoles in the Search folders for each, as well as the Membership folders.

See the Oracle Identity Cloud Service POSTMAN Collection.

Release 18.1.2 — February 2018

18.1.2 User Interface Changes

Watch the What’s New in 18.1.2 video to learn about the 18.1.2 user interface changes and other enhancements.

The Oracle Identity Cloud Service 18.1.2 release introduces several major interface changes to the Identity Cloud Service administrator console:
  1. In 17.4.6, the user menu displayed the user name. In 18.1.2, the user name is replaced with the user’s initials. This change is part of an update across all Oracle cloud products. All PaaS products are moving to a new design. The new avatar displays the logged in user's initials. No options for the menu have changed.

  2. In 17.4.6, the Dashboard, Users, and Notifications buttons appeared in the upper-right corner of the administrator console. These buttons are used to return to Oracle Public Cloud. In 18.1.2, those links are available on the new My Services page in the Navigation Drawer.

  3. In 17.4.6, dashboard navigation consisted of a series of tabs across the dashboard. In 18.1.2, these tabs are replaced with the Navigation Drawer. The Navigation Drawer maximizes the real estate of the Identity Cloud Service console. To display the Navigation Drawer, click the Navigation Drawer icon in the upper-left corner of the console. You'll see a listing of all folders and pages that compose the console. Click a folder to see the pages associated with the folder. Then, click the menu item that represents the page that you want to display in the Identity Cloud Service console. Click the Navigation Drawer icon again to close the Navigation Drawer.

[Screenshot: 17.4.6 Navigation (Old), old-navigation-release-17.4.6.png]

[Screenshot: 18.1.2 Navigation (New), new-navigations-release-18.1.2.png]

See Accessing Service Consoles.

Other UI Changes

  1. There's a new page in the Settings folder: Downloads. Use this page to download Java, Node.js, or Python SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.

  2. In the Security folder:

18.1.2 New Features — February 2018

Feature Description

Email as a Second Authentication Factor

Support for using email as a second authentication factor has been added to the Multi-Factor Authentication options. After email settings are configured, when the user selects Email as the authentication method, Oracle Identity Cloud Service sends a one-time passcode to the user’s primary email address for use as a second verification method.

See Configuring Email Settings.

Setting a Default Verification Method

A user can now set their default second factor verification method using the 2-Step Verification page of the My Profile console.

See Setting a Default Verification Method.

Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /LatestBinaryFileInfoVersionRetriever - Use this endpoint to retrieve the latest version of binary file information.

  • /SFFCustomApps - Use this endpoint to manage tenant-specific Secure Form Fill custom apps.

The X-ORACLE-DMS-ECID and X-ORACLE-DMS-RID HTTP headers are now included in each REST API response. These headers correspond to the ECID and RID for a REST API request. The caller can use this information to track and correlate requests that originate with events arising in the Oracle Identity Cloud Service server. The client may also include these values as part of an error message, as it is important to correlate events on the client side with errors on the server side.

See REST API for Oracle Identity Cloud Service.

Manage Policies

Policy control, for securing and managing access to resources, is now available. Policy control makes access control flexible, enabling good policy management with flexible and extendable, contextual capabilities.

In this release, the following policy control features are available:

Define Identity Provider Policies. You can use identity provider policies to specify which identity providers are visible in the Sign In page when someone is trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. You can also use identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service with their local credentials or by using credentials associated with SAML or social identity providers. See Managing Oracle Identity Cloud Service Identity Provider Policies.

Define Network Perimeters. You can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses. After creating a network perimeter, you can prevent users from signing in to Oracle Identity Cloud Service if they use one of the IP addresses in the network perimeter. This is known as blacklisting. You can also configure Oracle Identity Cloud Service so that users can log in using only IP addresses contained in the network perimeter. This is known as whitelisting. See Managing Oracle Identity Cloud Service Network Perimeters.

Define Sign-On Policies. You can use sign-on policies in Oracle Identity Cloud Service to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service. See Managing Oracle Identity Cloud Service Sign-On Policies.
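A model of the blacklisting and whitelisting behavior described for network perimeters above, added here as an illustration and not Oracle's implementation. The accepted entry formats (single address, CIDR block, dash-separated range), the function names, the rule that a blacklist match overrides a whitelist match, and the fail-closed handling of malformed input are all assumptions of this example.

```python
import ipaddress


def parse_entry(entry):
    """Turn one perimeter entry into an inclusive (first, last) address pair."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry!r}")
        return first, last
    # strict parsing rejects entries such as 10.0.0.5/24 (host bits set),
    # which are usually typos and would otherwise widen the perimeter silently.
    net = ipaddress.ip_network(entry, strict=True)
    return net.network_address, net.broadcast_address


def in_perimeter(client_ip, entries):
    """True if client_ip falls inside any entry of the perimeter."""
    addr = ipaddress.ip_address(client_ip)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must match IPv4 entries,
    # otherwise a dual-stack front end could sidestep an IPv4 rule.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for first, last in map(parse_entry, entries):
        if first.version == addr.version and first <= addr <= last:
            return True
    return False


def sign_in_allowed(client_ip, blacklist=(), whitelist=None):
    """Evaluate a sign-in attempt against optional blacklist/whitelist perimeters.

    whitelist=None means no whitelist is configured. Any parsing error
    (bad client address or bad perimeter entry) denies the sign-in.
    """
    try:
        if in_perimeter(client_ip, blacklist):
            return False
        if whitelist is not None:
            return in_perimeter(client_ip, whitelist)
        return True
    except ValueError:
        return False


# Constructed sample perimeters using documentation address ranges.
BLOCKED = ["198.51.100.0/24"]
OFFICE_ONLY = ["203.0.113.1-203.0.113.10", "2001:db8:1::/48"]

if __name__ == "__main__":
    for ip in ["198.51.100.20", "::ffff:198.51.100.20", "203.0.113.9",
               "203.0.113.11", "2001:db8:1::42"]:
        verdict = sign_in_allowed(ip, blacklist=BLOCKED, whitelist=OFFICE_ONLY)
        print(f"{ip:24} -> {'allow' if verdict else 'deny'}")
```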

App Development SDK

You can now enable your Java, Node.js, or Python web applications to authenticate with Oracle Identity Cloud Service by using software development kits (SDKs).

Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service.

See Downloading Oracle Identity Cloud Service SDKs and Applications.

EBS Asserter

Integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service for authentication and password management purposes by using a lightweight Java application known as the Oracle E-Business Suite (EBS) Asserter.

Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service.

See Downloading Oracle Identity Cloud Service SDKs and Applications.

Create custom secure form fill applications

If you don't find the secure form fill application that you need in the app catalog or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service.

See Creating a Custom Secure Form Fill App.

Select the Display in My Apps check box to display the app in the My Apps page

In previous releases, when you selected the Display in My Apps check box, you could also enable SSO to the app.

In this release, when you select the Display in My Apps check box in applications, the app is then visible in the My Apps page, but selecting this check box no longer enables or disables SSO to the app.

The flag to enable or disable SSO comes from the app template. Use the Oracle Identity Cloud Service REST APIs to update this flag. You cannot set the SSO flag from the user interface. See REST API for Oracle Identity Cloud Service.

Updates to the Application Catalog

  • Over 100 Form Fill integrations, including banking, learning, and transportation apps.

  • SAML SSO with Workday, Ariba, and other apps.

See Oracle Identity Cloud Service - Application Catalog.

OpenID Connect support for Identity providers

Oracle Identity Cloud Service now supports integration with identity providers that are compliant with the OpenID Connect standard. You use this type of identity provider when you want to establish trust between an OpenID Connect-compatible identity provider, such as Google, Salesforce, and so on, and your Oracle Identity Cloud Service account. This is useful if you're creating a mobile or web application that requires access to Oracle Identity Cloud Service-protected resources, but you don't want to create custom sign-in code or manage your own user identities.

Release 17.4.6 — December 2017

Feature Description

Activate and deactivate user accounts for apps

User accounts provisioned/assigned to apps from Oracle Identity Cloud Service can now be individually activated or deactivated. This allows administrators to manually activate or deactivate user accounts as and when needed without impacting other accounts provisioned to the user. See Assigning Applications to the User Account and Assigning Users to Custom Applications.

Add tags to applications

If you want to create custom attributes for applications that can be used to search for the applications more effectively, then add tags to applications. Tags are key-value pairs that are used to organize and identify applications.

For example, suppose you're creating three versions of an application: one for development purposes, one for testing purposes, and one that will be used in production. You can create the following tags for these versions: Version: Development, Version: Testing, and Version: Production.

You can create tags for your trusted, mobile, SAML, and App Catalog applications or add existing tags from other applications.

See Adding Applications.

Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

  • /AppUpgrader

  • /CustomAllowedValues

  • /MappedActions

  • /MappedActionTemplates

  • /MyAccesses

  • /ResourceTypeSchemaAttributes

  • /SocialAccounts

  • /Tags

The attributeSets query parameter was added. Use this query parameter to get a group of attributes back in the response rather than specifying each attribute individually. This query parameter accepts comma-separated values from the following parameters:

  • all (returns all attributes)

  • always (returns all attributes marked as always in the schema)

  • default (returns all default attributes)

  • request (returns all attributes marked as request in the schema)

These values are not case-sensitive. If both "attributes" and "attributeSets" are specified in the request, then the values from both attribute sets are returned in the response.

See REST API for Oracle Identity Cloud Service.

OpenID Connect Support for Social Identity Providers

If you need to add a social identity provider that is OpenID Connect compliant, you can now define OpenID Connect compliant social identity providers as identity providers in Oracle Identity Cloud Service.

See Adding a Social Identity Provider and Deleting an Identity Provider.

Deleting Social Accounts Linked to an Identity Provider

When you delete an identity provider that has social accounts referencing it, you are prompted to choose whether to delete the references as well.

If you do delete the social account references, Oracle Identity Cloud Service asynchronously deletes the references and then deletes the identity provider.

If you don't want to delete the social account references, you can deactivate the identity provider, which results in the identity provider not being used for social login. When the identity provider is deactivated, users can see their social accounts in their My Profile page but can't use the identity provider to log in.

See Deleting an Identity Provider.

Release 17.4.2 — November 2017

Feature Description

User Interface Change: Delegated Administration

You can now access the Delegated Administration page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.

User Interface Change: Identity Providers

You can now access the Identity Providers page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.

User Import Enhancement

The Users.csv import file has been enhanced to include Locked, Locked Reason, and Locked Date fields. See Importing User Accounts.

${tenantName} replaced by ${companyName}

${tenantName} has been replaced by ${companyName} for all email templates and SMS templates. See Modifying Notification Templates.

Access Request Notifications Added

There are two new notifications added:

  • New Access Request submitted: This notification is sent to a user after they submit an access request.

  • Access Request fulfilled: This notification is sent to a user after their access request has been fulfilled.

See Understanding the Types of Notifications.

Support for Login URL, Cross-Origin Resource Sharing (CORS), and Allowed CORS Domain Names

The following new fields have been implemented on the Session Settings page to support this enhancement:

  • Login URL: You can specify the URL where you want the user redirected to log in.

  • Allow Cross-Origin Resource Sharing (CORS): You can allow client applications that run on one domain to obtain data from another domain.

  • Allowed CORS Domain Names: You can now list the external domain names that are allowed for CORS operations.

See Changing Session Settings.

Trust Scopes

The new Trust Scopes feature allows a trusted application to access either any resource within a domain or only those services where an explicit association between the client and the service exists.

The following new Trust Scopes options are available for only trusted applications:

  • All Resources: Select to allow your application to request an access token for services using the scope urn:opc:resource:consumer::all. This option provides a wide scope.

  • Allowed Scope: Leave selected (the default) to allow your application to acquire an access token with permissions based on an explicit association between the client and target services.

See Adding a Trusted Application.

MFA Pull Notifications Support

Pull Notifications support has been added to the Multi-Factor Authentication options. Pull notifications are updates that are delivered to a mobile device or computer in response to a user who is checking for login request notifications. Pull notifications are useful in scenarios where the GCM service (Android), APNS Service (iPhone), or WMS service (Windows) does not work. See Configuring Mobile OTP and Notifications.

Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint has been deprecated:

/AppAllowedScopesChanger

Previously administrators couldn't edit OPC Apps because they were protected and read-only. In order to update the "allowedScopes" attribute, administrators were required to use this special REST endpoint: /AppAllowedScopesChanger. This REST endpoint has been deprecated in this release because OPC Apps are now editable, which allows administrators to use PATCH with the /Apps endpoint to add, remove, or replace the values of the allowedScopes attribute.

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.

Support for enhanced login experience

You can now provide a customized login experience by hosting a login application and redirecting Oracle Identity Cloud Service login to the new application. You can specify the custom login and logout URLs in the Login URL and Logout Page URL fields. These fields are available in the application, by default. See Adding a Trusted Application, Adding a SAML Application, and Adding a Mobile Application.

17.4.2 REST API Changes

Feature Description

Trust Scope Attribute

The Trust Scope Attribute has been added to the REST examples where applicable. See Account Trust Scope.

17.4.2 User Interface Changes

The Delegated Administration page and the Identity Providers page have been moved from the Settings tab (17.3.6) to the Security tab (17.4.2) of the Identity Cloud Service console. The following table illustrates those changes.

Screenshots of 17.4.2 User Interface Changes

  • 17.3.6 Settings Tab (Old): illustration old-settings-tab-release-17.3.6.png

  • 17.4.2 Security Tab (New): illustration new-security-tab-changes-release-17.4.2.png

Release 17.3.6 — September 2017

Feature Description

Device Grant Flow

The new Device Code grant type provides a specific grant flow in which a device client executes on a device that doesn't have an easy data-entry method (for example, game consoles, streaming media players, and digital picture frames), and the device client is incapable of receiving incoming requests from the authorization server. See Adding a Trusted Application and Adding a Mobile Application.

Add/Remove Client Scopes for Oracle Applications

You can now add and remove client scopes for OPC apps using the Oracle Identity Cloud Service administration console.

See Adding a Trusted Application.

Icons for OPC Apps

Different OPC icons are available for each OPC app in the Oracle Identity Cloud Service administration console. Also, available app icons are now stored on the UI server and accessed using a URL, which improves fetch performance and displays the icons more quickly.

Support for Universal Credits

Oracle Identity Cloud Service is now part of the new metered Universal Credit pricing models. These models include Pay As You Go, Monthly, and Yearly.

Bridge Performance Improvement

Enhancements have been made to increase Bridge performance. To take advantage of these improvements, upgrade your Bridge client.

Use new Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new:

  • /MappedAttributeTemplates

  • /MappedAttributes

  • /oauth2/v1/device

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.

Bridge Upgrade Needed After Client Secret Regeneration

If you're using the 17.2.6 version of the client for the bridge, and you have regenerated the Client Secret, then you must upgrade your client to the latest version. See Creating a Bridge to install the updated client for the bridge.

Other Noteworthy Changes

Feature Description

Maximum Character Limit Increase for specific Users and Groups Fields

The maximum character length has been increased for the following user fields:

  • Display Name (201)

  • First Name (100)

  • Last Name (100)

  • Formatted Name (354)

In the Groups page, the maximum character length for the Description field has been increased to 4,000 characters.

In the Branding page, the maximum character length for the Login Text field has been increased to 250 characters.

Bare Metal Cloud Services Renamed

Bare Metal Cloud Services has been renamed to Oracle Infrastructure Cloud Service.

Release 17.3.4 — September 2017

Feature Description

Secure Form Fill plug-in: Support for Google Chrome and Mozilla Firefox

If you are using Google Chrome, you are prompted to go to the Extensions on Google Chrome and install the Oracle Secure Form Fill Plugin. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app.

If you are using Mozilla Firefox, instead of downloading the Secure Form Fill Mozilla Firefox plug-in from the Mozilla Store, install the Secure Form Fill Mozilla Firefox plug-in from the My Apps page. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app.

Secure Form Fill is included as part of the Oracle Identity Cloud Service Standard license.

Public Access Tenant Signing Certificate

Oracle Identity Cloud Service tenant administrators can allow clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service. See Changing Default Settings in Administering Oracle Identity Cloud Service.

Access Request

Administrators specify the groups and applications to which a user may request access.

Users can now request group and application access from the Catalog. Users can also view the groups and applications to which they have access as well as view their access requests. See Managing Group and Application Access in Administering Oracle Identity Cloud Service.

Use new Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new:

  • /AppAllowedScopesChanger

  • /MyGroups

  • /MyRequestableApps

  • /MyRequestableGroups

  • /MyRequests

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the App Catalog template list, take a look at Oracle Identity Cloud Service - Application Catalog.

Release 17.3.2 — July 2017

This release contains mostly bug fixes and performance enhancements.



Copyright © 2016, 2018, Oracle and/or its affiliates. All rights reserved.
