Oracle® Cloud

What’s New for Oracle Identity Cloud Service

Release 19.3.3

E81008-40

January 2020

What’s New for Oracle Identity Cloud Service

When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.

This guide documents the complete set of new and changed features for Oracle Identity Cloud Service. Your localized version of Oracle Identity Cloud Service might contain a subset of these features. Therefore, you might find features in this documentation that are not available in your localized version of Oracle Identity Cloud Service.

Application Integration

To find out about the new applications and features that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.

Topics:

• Release 19.3.3 — January 2020

• Release 19.2.1 — August 2019

• Release 18.4.3 — July 2019

• Release 18.4.2 — December 2018

• Release 18.3.4 — August 2018

• Release 18.2.6 — July 2018

• Release 18.2.4 — May 2018

• Release 18.1.6 — March 2018

• Release 18.1.2 — February 2018

• Release 17.4.6 — December 2017

• Release 17.4.2 — November 2017

• Release 17.3.6 — September 2017

• Release 17.3.4 — September 2017

• Release 17.3.2 — July 2017

Release 19.3.3 — January 2020

Category	Feature	Description
Oracle Identity Cloud Service Foundation Stripes	Oracle Identity Cloud Service Foundation stripes in 19.3.3.	Oracle Identity Cloud Service Foundation stripes are not entitled to use multi-factor authentication (MFA). Additionally, Oracle Identity Cloud Service Foundation stripes are not entitled to use any factor other than Email for account recovery. If these features were enabled in Foundation stripes then, they will be disabled post 19.3.3.
Applications	Forms for managed applications can now contain multi-valued attributes.	If you're assigning a managed application to a user account or a group, then there's a form for the application. If the form contains multi-valued attributes, then an Add button appears to the right of each attribute. Click Add, and then in the Allowed Values window, select the values for the attribute, and click OK. For more information, see the following topics: Assign Applications to the User Account Assign Applications to the Group Assign Users to Custom Applications Assign Groups to Custom Applications
Applications	Skip OAuth Consent Page	Configure confidential and mobile applications to disable all resource's requirement for consent page. See Add a Confidential Application and Add a Mobile Application.
Applications	Authorization Policy for Enterprise Applications	Enterprise applications that are protected using App Gateway can now make use of authorization policies. Administrators can define, allow or deny authorization policies using authenticated IdP, group membership, network perimeter, day and time of day as authorization conditions See Configure an Authorization Policy.
Applications	OAuth support for Enterprise Applications	You can configure enterprise applications to work similarly to confidential applications by setting up the Client Configuration and Resource Server Configurations sections in the OAuth Configurations page for the enterprise application.
Applications	Enterprise Applications headers support extended and custom user attributes	Enterprise Application's authentication and authorization policies support sending extended and custom schema user attributes as header variables. See Supported Header Value Expressions for Authentication Policies.
Applications	List of default headers and cookies App Gateway adds to request	Documentation includes a list of default headers and cookies App Gateway adds to the request forwarded to the application during authentication and authorization validation. See Default Headers App Gateway Adds to Request.
Components	Upgrade App Gateway	Upgrade or patch your Oracle Identity Cloud Service App Gateway automatically by using the upgrade script. See Upgrade and Patch App Gateway.
Components	Identity Cloud E-Business Suite Asserter	Integrate Oracle E-Business Suite with Oracle Identity Cloud Service for authentication and password management purposes. See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service.
Components	Identity Cloud E-Business Suite Asserter support for Oracle E-Business Suite mobile applications.	Added support to integrate Oracle Fusion Expenses mobile application in single sign-on with Oracle Identity Cloud Service. See Set up E-Business Suite Mobile Applications.
Multi-Factor Authentication	Factor Specific MFA	Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy. See Add a Sign-On Policy.
Security	New help desk administrator role.	A new administrator role is available for Oracle Identity Cloud Service: help desk administrator. A help desk administrator can manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts. See Understand Administrator Roles.
Security	Customize social identity provider types and metadata.	You can create your own social identity provider type and customize an icon for it. Or, you can customize metadata for an existing social identity provider type. For example, you can define custom metadata for how to authenticate users against Oracle Identity Cloud Service using the predefined Google social identity provider. You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only. See Add a Social Identity Provider.
Security	Map a user's attribute value from an identity provider to an external ID.	When mapping the value of a user's attribute that Oracle Identity Cloud Service receives from a SAML identity provider to a corresponding attribute for the user in Oracle Identity Cloud Service, you can specify an external ID. You use this ID when you want to map the attribute received from the identity provider to a special ID that's associated with the provider. See Import Metadata for a SAML Identity Provider.
Security	Duo as an authentication factor.	Use Duo Security factors to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service. See Configure Duo Security Settings.
Security	Select MFA factor for sign-on policies	Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy.
Settings	Integrate Oracle E-Business Suite and Oracle Identity Cloud Service	In addition to Oracle Internet Directory, you can now use the Provisioning Bridge to integrate Oracle E-Business Suite and Oracle Identity Cloud Service. This bridge provides a link between an on-premises business application (such as Oracle E-Business Suite) and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on Oracle E-Business Suite is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between Oracle E-Business Suite and Oracle Identity Cloud Service. After users are synchronized from Oracle E-Business Suite to Oracle Identity Cloud Service, you can also use the Provisioning Bridge to provision users to the application. Provisioning allows you to use Oracle Identity Cloud Service to manage the life cycle of users in the application. This includes creating, modifying, deactivating, activating, and removing users and their profiles across the application. Any changes that you make to users or their profiles in Oracle Identity Cloud Service are propagated to Oracle E-Business Suite through the Provisioning Bridge. See: Manage Provisioning Bridges in Oracle Identity Cloud Service Synchronize and Provision Users Between Oracle E-Business Suite and Oracle Identity Cloud Service
Settings	Improved field name for Session Expiry.	On the Session Settings tab, the field Session Expiry has been changed to Session Duration to better reflect the purpose of the setting. No functionality has changed. See Change Session Settings.
Users	Show custom attributes and some additional out-of-the-box attributes in the Oracle Identity Cloud Service console.	You can now check the custom attributes and some additional out-of-the-box attributes assigned to a user as other information in the user's Details page of the Oracle Identity Cloud Service console. See View Details About User Accounts.
REST APIs	Support for multi-value Expressions in custom claims.	Based on user expressions, a claim can now return either a single value attribute or all the attributes associated with the expression. See Manage Custom Claims.
REST APIs	Support Duo as a second authentication factor	The Authenticate APIs have added a new use case to support Duo Security as a second authentication factor. This use case explains using Oracle Identity Cloud Service Authentication API to authenticate user's credentials with Duo Security. If administrators choose to enable this feature, they must ensure that all custom code which uses these authenticate APIs have been updated to support the payloads for this feature. See Use Duo as a Multi-Factor Authentication Factor. In case users choose to skip Multi-Factor Authentication during single sign-on enrollment, they can enroll to Duo Security using the self service enrollment. The self service (MyProfile) endpoints such as Initiator, validation, and Enroller are enhanced to support Duo Security. See Using Self Service to Enroll in MFA with Duo Security.
REST APIs	Enterprise Application creation with authorization policy	A new use case for creating an enterprise application with authorization policies have been added in the REST APIs for Oracle Identity Cloud Service. See Creating an Enterprise Application with Authorization Policy.
REST APIs	Trigger an email verification flow if email address is already verified	A new use case for triggering an email verification flow if email address is already verified have been added in the REST APIs for Oracle Identity Cloud Service. See Triggering an Email Verification Flow if Email Address is Already Verified.
Runbooks	New runbooks for integrating Oracle Identity Cloud Service with Oracle E-Business Suite and Microsoft Azure.	There are two new runbooks available with version 19.3.3 of Oracle Identity Cloud Service: Oracle E-Business Suite: This runbook describes how to synchronize users, roles, and responsibilities between Oracle E-Business Suite and Oracle Identity Cloud Service. Microsoft Azure: This runbook describes how to configure Oracle Identity Cloud Service to synchronize users, groups, and user group memberships from Microsoft Azure to Oracle Identity Cloud Service.
Tutorial	Use the Cloud Account Migration tool on the Identity Cloud Service console to migrate users, groups, and app roles.	Use the Cloud Account Migration tool to migrate users, groups, and app roles from a Shared Identity Management (IDM) environment into an Identity Cloud Service environment or from one Identity Cloud Service environment to another. See Migrate Users, Groups, and App Roles into Identity Cloud Service.

Release 19.2.1 — August 2019

Category	Feature	Description
Applications	Customize OAuth Consent Page	Customize the information that appears in the OAuth consent page for custom applications that require consent to access application's resources. See Edit Consent Information for Custom Applications.
Applications	Enterprise Application	Learn what are enterprise applications and how to integrate them with Oracle Identity Cloud Service for authentication purposes using App Gateway. See Secure Enterprise Applications with App Gateway.
Applications	SAML assertion encryption support	Oracle Identity Cloud Service now supports assertion encryption for SAML applications. You can provide certificate and encryption algorithm. See Add a SAML Application.
Applications	Synchronization Failure Report	Learn about the reason behind the synchronization failures from a synchronization failure report of a provisioning application. See Work with the Synchronization Failure Report.
Applications	Personal Access Token	Generate and download your personal access tokens. A client application can use these tokens to access a specific resource application for a limited period. See Generate Personal Access Tokens.
Applications	Assign users and groups to custom applications	Use a form to enter values while assigning users and groups to provisioned applications. See Assign Users to Custom Applications and Assign Groups to Custom Applications.
Applications	Integrate your Linux environment with Oracle Identity Cloud Service.	A new Pluggable Authentication Module for Linux that allows you to integrate your Linux environment with Oracle Identity Cloud Service to perform end user authentication with first and second factor authentication. See Manage Linux Authentication using the Identity Cloud Service Linux Pluggable Authentication Module.
Groups	Populate form fields for managed applications that you assign to groups.	If you assign a managed application to a group, then a form appears for the application. You can populate the fields of this form to reflect the values of your application. Or, if you assigned the managed application to the group, then you can modify the values of the application form. See Assign Applications to the Group.
Settings	New notifications	Two new notifications have been added: Exceeded Maximum Number of Account Recovery Attempts: After a user exceeds the maximum number of attempts to reset their password to recover their account, this notification is sent to the user’s primary email address. New Device Login Detected with Your Account: If an attempt is made to log in to a user's account from a device, IP address, or web browser, and Oracle Identity Cloud Service doesn't recognize that the device, address, or browser is associated with the account, then this notification is sent to the user. The notification contains a link that the user can click to reset their SSO password in case the user doesn't recognize the login attempt. See About User Notifications.
Settings	New Provisioning Bridge feature	A new bridge is available for Oracle Identity Cloud Service: the Provisioning Bridge. This bridge provides a link between your on-premises apps and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on the apps is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. So, if a user is deleted in one of your apps, then this change will be propagated into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between your apps and Oracle Identity Cloud Service. See Understand the Provisioning Bridge.
Settings	Enhancements to the Microsoft Active Directory (AD) Bridge	There are now two types of imports that you can run by using the Microsoft Active Directory (AD) Bridge to import users and groups from AD into Oracle Identity Cloud Service: Full import: The AD Bridge polls AD and retrieves data associated with all user and groups that you selected in the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes of the Configuration tab for the bridge. This data represents users and groups that were created, modified, or removed in AD. Incremental import: Similar to a full import, but for this type of import, the AD Bridge polls AD and retrieves only user and group data that changed since you last used the AD Bridge to import users and groups into Oracle Identity Cloud Service. After users are imported into Oracle Identity Cloud Service through the AD Bridge, if you activate or deactivate a user, modify a user's attribute values, or change group memberships for a user in Oracle Identity Cloud Service, then these changes will be reflected in AD. See Manage Microsoft Active Directory (AD) Bridges for Oracle Identity Cloud Service.
Settings	Enable the Access for an unknown device event of Adaptive Security for your custom sign-in page.	Adaptive Security uses the concept of risk providers to allow administrators to configure various contextual and threat events to be analyzed within Oracle Identity Cloud Service. A default risk provider within Oracle Identity Cloud Service is seeded automatically with a list of supported contextual and threat events, such as Access from an unknown device. For this event, if a user accesses Oracle Identity Cloud Service from a device that hasn’t been previously used to access the service, then this event (commonly referred to as Device Fingerprinting) is triggered. Although Oracle Identity Cloud Service has a sign-in page, you may prefer to use your own page. If so, then you can use the Identity Cloud Service Device Fingerprint Utility to enable the Access for an unknown device event of Adaptive Security for your custom sign-in page. See Download Oracle Identity Cloud Service SDKs and Applications.
Settings	Handle on demand language support for email and SMS templates.	You can now select French (Canada) as the language for email and SMS notifications.
Security	New App Gateway Feature	App Gateway enables you to integrate web applications hosted on-premises or on a cloud infrastructure with Oracle Identity Cloud Service for authentication purposes. See Manage Oracle Identity Cloud Service App Gateways.
Security	New user manager administrator role	A new administrator role is available for Oracle Identity Cloud Service: user manager. A user manager can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts. See Understand Administrator Roles.
Security	New Account Recovery feature	A new feature is available for Oracle Identity Cloud Service: account recovery. Account recovery is an automated process designed to help users regain access to their accounts if they have trouble signing in, they’re locked out, or they forget their passwords. There are three account recovery factors that administrators can configure for users: Security questions: You can allow a user to select and answer security questions, and provide hints for answers to these questions, to verify their identity. If they have to recover their account, then they must answer these questions correctly to regain access. Email: By default, a user’s primary email address has been set as the email address that Oracle Identity Cloud Service will use to help the user recover their account. If the user has to regain access, then Oracle Identity Cloud Service will send a notification to this email address. The user follows the instructions in the notification to recover their account. Instead of their primary email address, you can allow the user to specify an alternate (recovery) email address to regain access to their account. Text message (SMS): You can allow a user to provide a mobile number that Oracle Identity Cloud Service will use to help them recover access to their account. This way, if they have to regain access, then Oracle Identity Cloud Service will send a passcode in a text message (SMS) to this mobile number. The user enters this passcode to recover their account. In addition to setting account recovery factors, administrators can specify: How many consecutive, unsuccessful account recovery attempts a user can make before the user’s account is locked. How long the user’s account will be locked before they can attempt to recover their account again. See Manage Account Recovery in Oracle Identity Cloud Service.
Security	New events added to the default risk provider	There are three new events added to the risk provider that's associated with Oracle Identity Cloud Service actions. This risk provider, known as the default risk provider, evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users. Impossible travel between locations: Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and calculates the distance between this location and the user’s immediately preceding access location. If it determines that this distance can’t be covered at the speed specified in the threshold, then this event (commonly referred to as geo-velocity) is triggered. Access from an unfamiliar location: If a user accesses Oracle Identity Cloud Service from a location that hasn’t been used previously to access the service, then this event is triggered. Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and determines if this location has been used previously. If it's a new location, then the service determines the distance between the current access location and the user’s immediately preceding access location. If the distance between these two locations exceeds the value specified in the threshold, then this event is triggered. Access from suspicious IP addresses: If the IP address from where the user is accessing Oracle Identity Cloud Service is flagged as suspicious by the integrated IP reputation provider, then this event is triggered. See Configure Oracle Identity Cloud Service Risk Events.
Security	See the cloud account name and instance name from the Identity Cloud Service console.	The names of both the primary or secondary instance and the Oracle Cloud account that was used to create this instance appear in the Identity Cloud Service console. To access this information, click the user icon in the upper-right corner of the console, and then select About from the drop-down menu. The Cloud Account Name and Instance Name fields display the names of the Oracle Cloud account and the instance. See Identify and Switch Instances.
Security	Network Failure Handling in Delegated Authentication	Oracle Identity Cloud Service provides the local password caching functionality that helps delegated users to login into Oracle Identity Cloud Service even if Active Directory is not reachable. See Handle Network Failure in Delegated Authentication.
Sign-In	Enhanced sign-in user experience	Oracle Identity Cloud Service has updated the sign-in user experience for the standard Identity Cloud Service sign-in pages for a fresh and more intuitive sign-in process. Users see this new look throughout the sign-in and password reset flows. Although the look is different and usability improvements have been incorporated, the functionality remains the same. This change will be seen by all users of the standard Identity Cloud Service sign-in pages, including Oracle IaaS and PaaS users leveraging Oracle Identity Cloud Service. For customers who have branded the sign-in page by adding a custom logo and text, your logo and text will appear integrated into the new pages. For customers who have replaced Oracle Identity Cloud Service's default sign-in page with a custom one, your custom page won't be impacted as a result of the new sign-in experience. See Oracle is updating the Identity Cloud Service sign-in experience.
User Settings	Change settings associated with user accounts.	You can now change settings associated with user accounts. For example, you can make the primary email address for a user account a required or optional attribute. By making the primary email address optional, if Oracle Identity Cloud Service integrates with another cloud service or on-premises application, then a user’s email address can be propagated from that service or application back into Oracle Identity Cloud Service, and be designated as the user’s primary email address in Oracle Identity Cloud Service. See Change User Settings.
Users	Use the My Profile console to edit attribute values for your user account.	You can no longer edit attribute values for your user account from the Identity Cloud Service console. To do this, access the My Profile Details tab of the My Profile console. See Edit Attribute Values for the User Account.
Users	Oracle Identity Cloud Service unlocks all user accounts after 24 hours automatically.	If a user's account is locked, and the user or an administrator doesn't unlock the account within 24 hours, then Oracle Identity Cloud Service will unlock it automatically. See Unlock User Accounts.
Users	See the Multi-Factor Authentication (MFA) status for users.	By accessing the Security tab for any user account, you can see whether the user is enrolled in Multi-Factor Authentication (MFA). See View Details About User Accounts.
Users	See the statement of the terms of use associated with user's consents.	From the My Consents tab of the My Profile console, users can now see the terms of use they agreed upon accessing applications . See Access Your Consents.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: UserAttributesSettings - Use this endpoint to set the User schema attribute. AccountRecoverySettings - Use this endpoint to manage tenant-specific account recovery settings. MePasswordRecoveryFactorValidator - Use this endpoint to validate the password recovery factors of a user. MeRemovePendingEmailVerification - Use this endpoint to remove pending verification email(s) and to delete an associated user token. See REST API for Oracle Identity Cloud Service..
REST APIs	Deprecated REST API endpoint	The following endpoints are deprecated in the 19.2.1 release: /ManagedObjectSyncDetailedJobReport /sso/v1/sdk/idp (Alternate endpoint /sso/v1/sdk/secure/idp) /sso/v1/sdk/session (Alternate endpoint /sso/v1/sdk/session/secure/idp) See REST API for Oracle Identity Cloud Service..
REST APIs	New Use cases	The Authenticate APIs have added support for new features such as Account Recovery (SMS and Security Questions) and Terms of Use. If an administrator chooses to enable these new features, he must ensure that all custom code which uses these authenticate APIs have been updated to support the payloads for these new features. The following use cases have been added: Authenticating User Name and Password with TOU Consent - This use case explains using IDCS authenticate API to authenticate user's credentials with TOU consent Generate Access Token Using Authentication API - This use case explains how to generate access token using authentication API Authenticating User Name and Password and Enrolling in Account Recovery - This use case explains using IDCS authenticate API to authenticate with user's credentials and enroll in Account Recovery Authenticating User Name and Password and Enrolling in Account Recovery and MFA - This use case explains using IDCS authenticate API to authenticate with user's credentials and enroll in Account Recovery and Multi-Factor Authentication (MFA). Factor Enrollment with Verification - This use case explains using IDCS Authenticate API that allow a user to enroll for various MFA factors. See REST API for Oracle Identity Cloud Service..
REST APIs	OAuth Access Token Size	The OAuth access token size is set to 16000 characters by default.
Infrastructure	Use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services.	Oracle Identity Cloud Service instances can use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services within the same region, without the need of this communication to go over the internet. See Supported Cloud Services in Oracle Services Network. See Access to Oracle Services: Service Gateway to learn more about Oracle Cloud Infrastructure service gateway.

Other Noteworthy Changes

Category	Feature	Description
Reports	PDF Deprecation	From release 19.2.1 onward, PDF report generation is deprecated. Oracle Identity Cloud Service supports only CSV, JSON format for report generation.

Release 18.4.3 — July 2019

Category	Feature	Description
Infrastructure	Oracle Identity Cloud Service on Oracle Cloud Infrastructure	As a part of our efforts to improve service reliability and performance, the latest release of Oracle Identity Cloud Service now runs on Oracle Cloud Infrastructure (OCI), our next-gen infrastructure. Learn more about Oracle Cloud Infrastructure. You can find more information about Oracle Identity Cloud Service in the Oracle Help Center. Technical assistance for Oracle Identity Cloud Service is available through Oracle Support.
Customer Migration to OCI	Oracle Identity Cloud Service on Oracle Cloud Infrastructure	For existing customers, Oracle Identity Cloud Service will be undergoing planned maintenance to migrate network infrastructure in multiple regions. Learn more about the benefits of Oracle Cloud Infrastructure. No action is required by customers to initiate the planned maintenance. Customers will receive an email notification in advance that indicates when the maintenance will occur, and another when the maintenance has completed. Once maintenance has completed, connectivity to Oracle Identity Cloud Service will continue automatically if you have configured your IP ranges in accordance with the instructions below. If you have whitelisted the IP ranges of Oracle Identity Cloud Service, you are required to update your access rules with the IP ranges for each Oracle Cloud Infrastructure region. See Review the IP ranges for different Oracle Cloud Infrastructure regions. Once the maintenance window has been completed, Oracle recommends you remove the old IP ranges from your access rules. If this IP range update is not completed prior to the start of the maintenance window you may be unable to connect to Oracle Identity Cloud Service.
Self-Service Diagnostics	Set the diagnostics type to capture operational logs.	Diagnostic Data reporting has been added to the Oracle Identity Cloud Service user interface. See Run the Diagnostic Data Report.

Release 18.4.2 — December 2018

Category	Feature	Description
Adaptive Security	Activate and deactivate the default risk provider	In addition to third-party risk providers, you can now activate and deactivate the default risk provider. See Activating and Deactivating Risk Providers.
Adaptive Security	Use the slider to set the weighting for events	Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users. See Configuring the Default Risk Provider.
Applications	Enhancements to SAML Application Configuration	There are two enhancements to the SAML Application Configuration: You can now collectively configure User and Group attributes under the Attributes section in SAML Application Configuration. In addition to configuring an attribute to have one of the predefined user attribute values, you can also specify path expressions to define how the value of the assertion attribute should be calculated. See Adding a SAML Application.
Applications	Support to allow access to OPC resources	You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has similar urn:opc:resource:consumer prefix in any of the clients' Allowed Scopes, then the client can access the OPC resource. However, if the requested scope has a different qualifier (with the exception of ::all) that doesn't match with the Allowed Scopes, then the client can't access the OPC resource. See Adding a Confidential Application and Configuring Authorized Resources.
Notifications	Oracle Identity Cloud Service now checks whether verification is done to the email address that will appear in the From Email field for all notifications.	A new feature of the Notifications page is the Check Status button. By clicking this button, Oracle Identity Cloud Service checks whether verification is done to this email address through the email sent to the postmaster (domain) or email account. If the email address isn't verified, then access the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified. If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address. See Activating Notifications.
Scenarios	Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service	You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts: A traditional Cloud account (also known as a cloud service account) A cloud account with Identity Cloud Service Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service. You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services: Oracle Business Intelligence Cloud Service Oracle Integration Cloud Service Oracle Mobile Cloud Service Oracle Process Cloud Service Oracle Visual Builder Cloud Service Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service. See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service.
Terms of Use	Customize Terms of Use for Users	Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications. See Managing Terms of Use
Social Login	Add multiple instances of the same social identity provider	Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance. After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy. See Adding a Social Identity Provider.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /mfa/v1/requests - Use this endpoint to initiate and complete verification of a default Multi-Factor Authentication factor or a backup factor. /FromEmailAddressValidator - Use this endpoint to validate the status of the From Email Address or Email Domain from the OPC Notification Service. REST API for Oracle Identity Cloud Service.

Other Noteworthy Changes

Category	Feature	Description
AD Bridge	Set Permissions for Microsoft Active Directory Bridge	Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegate password reset and synchronization between Microsoft Active Directory Bridge and Oracle Identity Cloud Service. See Setting Permissions for the Microsoft Active Directory User Account.
Reports	Change in reports download behavior	Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available. See Organize the Report Data.

Release 18.3.4 — August 2018

Category	Feature	Description
Reporting	Diagnostic Data Report	Diagnostic Data reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data. See Diagnostic Records REST Endpoints

Release 18.2.6 — July 2018

Category	Feature	Description
Bridge	Enhancements to AD Bridge configuration	For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge: The Include hierarchy check box. If you select this check box, and then select a parent OU, all children OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service. The Filter text box. Use this text box to enter a custom filter to search for user or group OUs. For example, enter (&(objectClass=User)(sn=Smith)) to return all users with the last name of Smith. Or, enter (department=IT) to return the IT group. See Configuring a Bridge.
Notifications	Validate the entire email address instead of the email domain only	Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email. Use the Domain option to send a validation email to the postmaster account of the email’s domain or the Email option to send an email to an email address for verification purposes. See Activating Notifications.
Administration	Support for editing Oracle Cloud Applications	As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies. See Editing High-Level Information for Oracle Applications.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /TermsOfUse - Use this endpoint to manage terms of use, which maintains the terms of use statements for applications. /TermsOfUseStatements - Use this endpoint to manage the terms of use statement, which maintains the terms of use statement that is associated with the terms of use. /SocialIdentityProviderMetadata - Use this endpoint to manage metadata for defining interaction with various social identity providers such as Facebook, LinkedIn, and Google. /UserAppsEnabledForAuthentication - Use this endpoint to return a list of all available target apps for a user on which delegated authentication can be performed. See REST API for Oracle Identity Cloud Service.
REST APIs	Deprecated REST API endpoint	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: /ServiceProviders In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed. See REST API for Oracle Identity Cloud Service.
Security	Terms of Use	Terms of Use is a feature in Oracle Identity Cloud Service that help customers to set the conditions for the users to access the applications based on their consent. This feature allows the identity domain administrators to set relevant disclaimers for legal or compliance requirements.

Release 18.2.4 — May 2018

See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.

Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.

Category	Feature	Description
Applications	Update your SAML applications	If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, you will see the Upgrade button visible in the UI. Click the button to upgrade the application. See Upgrading a SAML Application.
Applications	Support for providing a Custom Error URL for applications.	You can now provide a Custom Error URL to redirect a user in case of a failure. If not provided, the tenant specific Error page URL will be used. See the following topics: Adding a Trusted Application Adding a Mobile Application Adding a SAML Application Adding an App Catalog Application
Applications	Support for configuring tenant specific Error page URL	You can now provide a tenant specific custom Error page Url to redirect a user in case of a failure. See Changing Session Settings
Applications	Support for providing Linking callback URL	You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete. See the following topics: Adding a Trusted Application Adding a Mobile Application Adding a SAML Application Adding an App Catalog Application
Applications	Use App Gate to access your on-premises applications securely and remotely	Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely. Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications. In addition, the App Gate is an ideal solution for you if: You want to unify all of your Identity and Access Management products under one Identity as a Service (IDaaS) platform, but you have to integrate with applications that don’t support federation (such as SAML or WS-Fed). Your vendors, customers, or partners must access your internal business applications such as Oracle E-Business Suite from the Internet. You want to restrict unauthorized network access to your applications. You must comply with industry regulations, like Sarbanes-Oxley, HIPPA, and others. Your enterprise has Web applications that lack a native authentication mechanism. You’re looking for a cost-effective replacement for your on-premises Web-access management solution. You need a supported replacement of Shibboleth. From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads.
Branding	Revert custom branding to default Oracle branding	If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release. See Branding the Oracle Identity Cloud Service Interface.
REST APIs	Deprecated REST API endpoint	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: /ServiceProviders In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed. See REST API for Oracle Identity Cloud Service.
REST APIs	New endpoints added to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /AppEntitlementCollection - Use this endpoint to manage collections of entitlements from Apps. For example, an administrator can grant an AppEntitlementCollection as a single gesture that causes the grantee to receive every entitlement in that collection. /UserAuditEventsPurger - Use this endpoint to delete all of the audit events that are related to a deleted user. /DBGroups - Use this endpoint to manage all group administrative tasks. A group contains one or more users and works as a role for the enterprise to apply security features. See REST API for Oracle Identity Cloud Service.
Application Development SDKs	Updates to SDKs for web applications	There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service. Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Other Noteworthy Changes

Category	Feature	Description
REST APIs	Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content.	Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation. OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients to request and receive information about authenticated sessions and end users. See Using OpenID Connect to Extend OAuth 2.0.

Release 18.1.6 — March 2018

Category	Feature	Description
Delegated Authentication (On-demand)	Sign in with your Microsoft Active Directory password	With the Delegated Authentication feature in Oracle Identity Cloud Service, you no longer have to synchronize all your enterprise users' passwords between your on-premises Microsoft Active Directory and the cloud. Users can be configured to use their existing Microsoft Active Directory passwords to authenticate, and access resources and applications protected by Oracle Identity Cloud Service. See Managing Delegated Authentication in Oracle Identity Cloud Service.
Adaptive Security	Risk- and context-based analysis to detect and remediate anomalous activities	Oracle Identity Cloud Service is excited to announce brand new functionality called Adaptive Security that can provide customers with strong authentication capabilities based on user behavior in Oracle Identity Cloud Service, and across multiple heterogeneous on-premises and cloud systems. When enabled, the Adaptive Security feature can analyze a user's risk profile within Oracle Identity Cloud Service, based on their historical behavior, such as too many unsuccessful login attempts, too many unsuccessful MFA attempts, and real-time device context, such as logins from unknown devices. To evaluate a user's behavior across other systems with which Oracle Identity Cloud Service is not directly involved, the Adaptive Security feature enables you to configure your existing risk providers like Cloud Access Security Broker (CASB), Security Information and Event Management (SIEM), and so on, to obtain the user's risk score from these external providers. With this enriched context and risk information, Adaptive Security risk profiles each and every user and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low) that can be used with Oracle Identity Cloud Service policies to take remediation action, such as allow or deny the user from accessing Oracle Identity Cloud Service, requiring the user to provide a second factor, and so on. Administrators can also view how the user's risk profile trended over a period of time and drill-down to see each detail of the event. See Managing Adaptive Security in Oracle Identity Cloud Service.
Schema Management	Extend the user schema by adding custom attributes to it	If you're creating your own user interface, and you don't find a user schema attribute that you need in the base Oracle Identity Cloud Service schema attributes, then add your own custom attribute to the schema from within the Oracle Identity Cloud Service console. See Adding Custom Schema Attributes.
Application Development SDKs	New SDKs for Web and Mobile applications	Oracle Identity Cloud Service provides you with software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications and your Android or iOS mobile applications with Oracle Identity Cloud Service. Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.
Single Sign-On	Secure Form Fill Admin Client	You can use the Secure Form Fill feature if your web applications can't be modified to integrate with Oracle Identity Cloud Service for SSO. The new Secure Form Fill Admin Client helps you map the sign-in form for your web application so that Oracle Identity Cloud Service knows how to populate the user's user name and password automatically, and helps you to submit the user's credentials to the application's identity store. You can download this Secure Form Fill Admin Client from within the Oracle Identity Cloud Service console. See Downloading Oracle Identity Cloud Service SDKs and Applications.
Identity Administration	Auto provision birthright applications	You can now configure a set of applications to be automatically provisioned for every user on-boarded to Oracle Identity Cloud Service. See the following topics: Assigning Groups to Oracle Applications Removing Groups from Oracle Applications Assigning Groups to Custom Applications Removing Groups from Custom Applications
Identity Administration	Synchronize User Accounts from a Flat File Using REST APIs	For target applications that don’t support synchronization of user accounts with Oracle Identity Cloud Service, you can now import user accounts from a flat file using REST APIs, providing a quick and error-free synchronization. See Importing User Accounts from a Flat File Using REST APIs.
Identity Administration	Synchronize User Accounts from a Flat File using the Oracle Identity Cloud Service UI	For target applications that do not support synchronization of user accounts with Oracle Identity Cloud Service, you can now import and synchronize user accounts from a flat file using the Oracle Identity Cloud Service Administration console. You can also activate and deactivate these synchronized user accounts from the console. See Importing and Synchronizing User Accounts Using a Flat File in Oracle Identity Cloud Service UI.
Identity Administration	Manage Web Tier policies from the admin console	In the previous versions, there was no option in the admin console to create or edit Web Tier policies. You can now manage Web Tier policies from the admin console and specify a list of resource filters, such as, application URLs, the corresponding authentication method, and so on, to control and protect your corporate resources. See Creating and Managing Web Tier Policies. Note: Use the Web Tier Policy feature for Oracle Identity Cloud Service only. Customers should refer to the relevant documentation for their services to understand how to use this feature.
Identity Administration	Additional attributes to filter synchronization results	You can now use Situation and Synchronization Status as additional filter attributes to filter the user account import search results. Select values from the respective drop-down lists to view user accounts matching the search criteria. See Synchronizing User Accounts.
Identity Administration	Apply Default Trust Scope from OAuth settings for Client Application configuration	In the previous versions, for a Trusted Application you can select All Resources, Allowed Tags or Allowed Scopes to configure Trust Scopes for your Client Application. By selecting the Default option, you can now apply the Default Trust Scope configured in the OAuth settings to your client application. See Adding a Trusted Application.
Bridge Installer	Enhanced Microsoft Active Directory Bridge installation	The bridge installer is streamlined and simplified for a better user experience. See Creating a Bridge.
Administrative Settings	Set Norwegian as your preferred language	The Oracle Identity Cloud Service UI now supports the Norwegian language. Administrators can set Norwegian as the default language for an identity domain. See Changing Default Settings. Users can set Norwegian as the default language for their account. See Setting Up or Modifying Your Profile.
Security Settings	Support for Configuring OAuth Settings	You can now configure OAuth settings to either enable account-level trust for all token acquisition requests or configure one of the Default Trust Scopes. See Configuring OAuth Settings.
REST APIs	Enhancements to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints were added: /IDBridgeConfig - Use this endpoint to replace or update an IDBridge configuration. For example, replacing or updating a new feature name and the release in which the feature was introduced. /TargetAuthenticationTester - Use this endpoint to test target authentication. /Schemas - The PATCH operation is now supported. Use this endpoint to maintain the schema definition of resource types that are supported by Oracle Identity Cloud Service . Schema definitions contain standard SCIM schema attributes and additional Oracle Identity Cloud Service -specific attributes such as searchable, min/max length for validation, target attrname, and so on. /RiskProviderProfile - Use this endpoint to manage risk provider configurations for Oracle Identity Cloud Service . The risk provider configuration manages all the fields that are required to connect with the provider and other relevant configurations. /RiskProviderProfileValdation - Use this endpoint to validate a risk provider profile. /ManagedObjectClassTemplates - Use this endpoint to work with managed object class template configurations for a connected managed app. /ManagedObjectClasses - Use this endpoint to work with managed object class configurations for a connected managed app. /Threats - Use this endpoint to manage adaptive access threats and violations. /AdaptiveAccessSettings - Use this endpoint to manage tenant-specific adaptive access settings. There is a single pre-seeded instance of AdaptiveAccessSettings in Oracle Identity Cloud Service. New instances can't be created and an existing instance can't be removed. But, you can update a single instance using PUT or PATCH. See REST API for Oracle Identity Cloud Service and Using the Oracle Identity Cloud Service REST APIs with Postman.

Other Noteworthy Changes

Category	Feature	Description
REST APIs	Enhancements to the Oracle Identity Cloud Service POSTMAN Collection	The Oracle Identity Cloud Service POSTMAN Collection has been updated. This release allows you to explore the relationships between Users, Groups, Clients, Apps, and AppRoles. Look for new Search requests added for Users, Groups, Clients, Apps, and AppRoles in the Search folders for each, as well as the Membership folders. See the Oracle Identity Cloud Service POSTMAN Collection.

Release 18.1.2 — February 2018

18.1.2 User Interface Changes

Watch the What’s New in 18.1.2 video to learn about the 18.1.2 user interface changes and other enhancements.

The Oracle Identity Cloud Service 18.1.2 release introduces several major interface changes to the Identity Cloud Service administrator console:

1. In 17.4.6, the user menu displayed the user name. In 18.1.2, the user name is replaced with the user’s initials. This change is part of an update across all Oracle cloud products. All PaaS products are moving to a new design. The new avatar displays the logged in user's initials. No options for the menu have changed.

2. In 17.4.6, the Dashboard, Users, and Notifications buttons appeared in the upper-right corner of the administrator console. These buttons are used to return to Oracle Public Cloud. In 18.1.2, those links are available on the new My Services page in the Navigation Drawer.

3. In 17.4.6, dashboard navigation consisted of a series of tabs across the dashboard. In 18.1.2, these tabs are replaced with the Navigation Drawer. The Navigation Drawer maximizes the real estate of the Identity Cloud Service console. To display the Navigation Drawer, click the Navigation Drawer icon in the upper-left corner of the console. You'll see a listing of all folders and pages that compose the console. Click a folder to see the pages associated with the folder. Then, click the menu item that represents the page that you want to display in the Identity Cloud Service console. Click the Navigation Drawer icon again to close the Navigation Drawer.

18.1.2 User Interface Changes
17.4.6 Navigation (Old)
17.4.6 Navigation (Old) Screenshot Description of the illustration old-navigation-release-17.4.6.png
18.1.2 Navigation (New)
18.1.2 Navigation (New) Screenshot Description of the illustration new-navigations-release-18.1.2.png See Accessing Service Consoles
Other UI Changes
There's a new page in the Settings folder: Downloads. Use this page to download Java, Node.js, or Python SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications. In the Security folder: The Delegated Administration page has been renamed to Administrators. There are three new pages: Identity Provider Policies, Sign-On Policies, and Network Perimeters. Use these pages to define identity provider policies, sign-on policies, and network perimeters. See Managing Oracle Identity Cloud Service Identity Provider Policies, Managing Oracle Identity Cloud Service Sign-On Policies, and Managing Oracle Identity Cloud Service Network Perimeters.

18.1.2 New Features— February 2018

Feature	Description
Email as a Second Authentication Factor	Support for using email as a second authentication factor has been added to the Multi-Factor Authentication options. After email settings are configured, when the user selects Email as the authentication method, Oracle Identity Cloud Service sends a one-time passcode to the user’s primary email address for use as a second verification method. See Configuring Email Settings.
Setting a Default Verification Method	A user can now set their default second factor verification method using the 2-Step Verification page of the My Profile console. See Setting a Default Verification Method.
Enhancements to Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /LatestBinaryFileInfoVersionRetriever - Use this endpoint to retrieve the latest version of binary file information. /SFFCustomApps - Use this endpoint to manage tenant-specific Secure Form Fill custom apps. The X-ORACLE-DMS-ECID and X-ORACLE-DMS-RID HTTP headers are now included in each REST API response. These headers correspond to the ECID and RID for a REST API request. The caller can use this information to track and correlate requests that originate with events arising in the Oracle Identity Cloud Service server. The client may also include these values as part of an error message, as it is important to correlate events on the client side with errors on the server side. See REST API for Oracle Identity Cloud Service..
Manage Policies	Policy control, for securing and managing access to resources, is now available. Policy control makes access control flexible, enabling good policy management with flexible and extendable, contextual capabilities. In this release, the following policy control features are available: Define Identity Provider Policies. You can use identity provider policies to specify which identity providers are visible in the Sign In page when someone is trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. You can also use identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service with their local credentials or by using credentials associated with SAML or social identity providers. See Managing Oracle Identity Cloud Service Identity Provider Policies. Define Network Perimeters. You can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses. After creating a network perimeter, you can prevent users from signing in to Oracle Identity Cloud Service if they use one of the IP addresses in the network perimeter. This is known as blacklisting. You can also configure Oracle Identity Cloud Service so that users can log in, using only IP addresses contained in the network perimeter. This is known as white listing. See Managing Oracle Identity Cloud Service Network Perimeters. Define Sign-On Policies. You can use sign-on policies in Oracle Identity Cloud Service to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service. See Managing Oracle Identity Cloud Service Sign-On Policies.
App Development SDK	You can now enable your Java, Node.js, or Python web applications to authenticate with Oracle Identity Cloud Service by using software development kits (SDKs). Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.
EBS Asserter	Integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service for authentication and password management purposes by using a lightweight Java application known as the Oracle E-Business Suite (EBS) Asserter. Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.
Create custom secure form fill applications	If you don't find the secure form fill application that you need in the app catalog or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service. See Creating a Custom Secure Form Fill App.
Select Display in My Apps check box to display the app in My Apps page	In previous releases, when you select Display in My Apps check box, you can also enable SSO to the app. In this release, when you select the Display in My Apps check box in applications, the app is then visible in the My Apps page, but selecting this check box no longer enables or disables SSO to the app. See Adding a Trusted Application Adding a SAML Application Adding an App Catalog Application The flag to enable or disable SSO comes from the app template. Use the Oracle Identity Cloud Service REST APIs to update this flag. You cannot set the SSO flag from the user interface. See REST API for Oracle Identity Cloud Service.
Updates to the Application Catalog	Over 100 Form Fill integrations, including banking, learning, and transportation apps. SAML SSO with Workday, Ariba, and other apps. See Oracle Identity Cloud Service - Application Catalog..
OpenID Connect support for Identity providers	Oracle Identity Cloud Service now supports integration with identity providers that are compliant with OpenID Connect. These identity providers support the OpenID Connect standard. You use this type of identity provider when you want to establish trust between an OpenID Connect-compatible identity provider, such as Google, Salesforce, and so on, with your Oracle Identity Cloud Service account. This is useful if you're creating a mobile or web application that requires access to Oracle Identity Cloud Service-protected resources, but you don't want to create custom sign-in code or manage your own user identities.

Release 17.4.6 — December 2017

Feature	Description
Activate and deactivate user accounts for apps	User accounts provisioned/assigned to apps from Oracle Identity Cloud Service can now be individually activated or deactivated. This allows administrators to manually activate or deactivate user accounts as and when needed without impacting other accounts provisioned to the user. See Assigning Applications to the User Account and Assigning Users to Custom Applications.
Add tags to applications	If you want to create custom attributes for applications that can be used to search for the applications more effectively, then add tags to applications. Tags are key-value pairs that are used to organize and identify applications. For example, suppose you're creating three versions of an application: one for development purposes, one for testing purposes, and one that will be used in production. You can create the following tags for these versions: Version: Development, Version: Testing; and Version: Production. You can create tags for your trusted, mobile, SAML, and App Catalog applications or add existing tags from other applications. See Adding Applications.
Enhancements to Oracle Identity Cloud ServiceREST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: /AppUpgrader /CustomAllowedValues /MappedActions /MappedActionTemplates /MyAccesses /ResourceTypeSchemaAttributes /SocialAccounts /Tags The attributeSets query parameter was added. Use this query parameter to get a group of attributes back in the response rather than specifying each attribute individually. This query parameter accepts comma-separated values from the following parameters: all (returns all attributes) always (returns all attributes marked as always in the schema) default (returns all default attributes) request (returns all attributes marked as request in the schema) These values are not case-sensitive. If both "attributes" and "attributeSets" are specified in the request, then the values from both attribute sets are returned in the response. See REST API for Oracle Identity Cloud Service.
OpenID Connect Support for Social Identity Providers	If you need to add a social identity provider that is OpenID Connect compliant, you can now define OpenID Connect compliant social identity providers as identity providers in Oracle Identity Cloud Service. See Adding a Social Identity Provider and Deleting an Identity Provider.
Deleting Social Accounts Linked to an Identity Provider	When deleting an identity provider and there are social accounts referenced to that Identity Provider, you are prompted whether to delete the references as well. If you do delete the social account references, Oracle Identity Cloud Service asynchronously deletes the references and then deletes the identity provider. If you don't want to delete the social accounts references, you can deactivate the identity provider, which results in the identity provider not being used for social login. When the identity provider is deactivated, users can see their social accounts in their My Profile page but can't use the identity provider to login. See Deleting an Identity Provider.

Release 17.4.2 — November 2017

Feature	Description
User Interface Change: Delegated Administration	You can now access the Delegated Administration page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.
User Interface Change: Identity Providers	You can now access the Identity Providers page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.
User Import Enhancement	The Users.csv import file has been enhanced to include Locked, Locked Reason, and Locked Date fields. See Importing User Accounts.
${tenantName} replaced by ${companyName}	${tenantName} has been replaced by ${companyName} for all email templates and SMS templates. See Modifying Notification Templates.
Access Request Notifications Added	There are two new notifications added: New Access Request submitted: This notification is sent to a user after they submit an access request. Access Request fulfilled: This notification is sent to a user after their access request has been fulfilled. See Understanding the Types of Notifications..
Support for Login URL, Cross-Origin Resource Sharing (CORS), and Allowed CORS Domain Names	The following new fields have been implemented on the Session Settings page to support this enhancement: Login URL: You can specify the URL where you want the user redirected to log in. Allow Cross-Origin Resource Sharing (CORS): You can allow client applications that run on one domain to obtain data from another domain. Allowed CORS Domain Names: You can now list the external domain names that are allowed for CORS operations. See Changing Session Settings.
Trust Scopes	The new Trust Scopes feature allows a trusted application to access either any resource within a domain or only those services where an explicit association between the client and the service exists. The following new Trust Scopes options are available for only trusted applications: All Resources: Select to allow your application to request an access token for services using the scope urn:opc:resource:consumer::all. This option provides a wide scope. Allowed Scope: Leave selected (the default) to allow your application to acquire an access token with permissions based on an explicit association between the client and target services. See Adding a Trusted Application.
MFA Pull Notifications Support	Pull Notifications support has been added to the Multi-Factor Authentication options. Pull notifications are updates that are delivered to a mobile device or computer in response to a user who is checking for login request notifications. Pull notifications are useful in scenarios where the GCM service (Android), APNS Service (iPhone), or WMS service (Windows) does not work. See Configuring Mobile OTP and Notifications.
Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint has been deprecated: /AppAllowedScopesChanger Previously administrators couldn't edit OPC Apps because they were protected and read-only. In order to update the "allowedScopes" attribute, administrators were required to use this special REST endpoint: /AppAllowedScopesChanger. This REST endpoint has been deprecated in this release because OPC Apps are now editable, which allows administrators to use PATCH with the /Apps endpoint to add, remove, or replace the values of the allowedScopes attribute. See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.
Support for enhanced login experience	You can now experience the customized login by hosting a login application and redirecting Oracle Identity Cloud Service login to the new application. You can specify the custom login and logout URLs in the Login URL and Logout Page URL fields. These fields are available in the application, by default. See Adding a Trusted Application, Adding a SAML Application, and Adding a Mobile Application

17.4.2 REST API Changes

Feature	Description
Trust Scope Attribute	The Trust Scope Attribute has been added to the REST examples where applicable. See Account Trust Scope.

17.4.2 User Interface Changes

The Delegated Administration page and the Identity Providers page have been moved from the Settings tab (17.3.6) to the Security tab (17.4.2) of the Identity Cloud Service console. This following table illustrates those changes.

Screen shots of 17.4.2 User Interface Changes
17.3.6 Settings Tab (Old)
17.3.6 Settings Tab (Old) Screenshot Description of the illustration old-settings-tab-release-17.3.6.png
17.4.2 Security Tab (New)
17.4.2 Security Tab (New) Screenshot Description of the illustration new-security-tab-changes-release-17.4.2.png

Release 17.3.6 — September 2017

Feature	Description
Device Grant Flow	The new Device Code grant type provides a specific grant flow in which a device client executes on a device that doesn't have an easy data-entry method (for example, game consoles, streaming media players, and digital picture frames), and the device client is incapable of receiving incoming requests from the authorization server. See Adding a Trusted Application and Adding a Mobile Application.
Add/Remove Client Scopes for Oracle Applications	You can now add and remove client scopes for OPC apps using the Oracle Identity Cloud Service administration console. See Adding a Trusted Application.
Icons for OPC Apps	Different OPC icons are available for each OPC app in the Oracle Identity Cloud Service administration console. Also, available app icons are now stored on the UI server and accessed using a URL, which improves performance fetching and displays the icons more quickly.
Support for Universal Credits	Oracle Identity Cloud Service is now part of the new metered Universal Credit pricing models. These models include a Pay As You Go, Monthly, and Yearly.
Bridge Performance Improvement	Enhancements have been made to increase Bridge performance. To take advantage of these improvements, upgrade your Bridge client.
Use new Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new: /MappedAttributeTemplates /MappedAttributes /oauth2/v1/device See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.
Bridge Upgrade Needed After Client Secret Regeneration	If you're using the 17.2.6 version of the client for the bridge, and you have regenerated the Client Secret, then you must upgrade your client to the latest version. See Creating a Bridge to install the updated client for the bridge.

Other Noteworthy Changes

Feature	Description
Maximum Character Limit Increase for specific Users and Groups Fields	The maximum character length has been increased for the following user fields: Display Name (201) First Name (100) Last Name (100) Formatted Name (354) In the Groups page, the maximum character length for the Description field has been increased to 4,000 characters. In the Branding page, the maximum character length for the Login Text field has been increased to 250 characters.
Bare Metal Cloud Services Renamed	Bare Metal Cloud Services has been renamed to Oracle Infrastructure Cloud Service.

Release 17.3.4 — September 2017

Feature	Description
Secure Form Fill plug-in: Support for Google Chrome and Mozilla Firefox	If you are using Google Chrome, you are prompted to go to the Extensions on Google Chrome and install the Oracle Secure Form Fill Plugin. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app. If you are using Mozilla Firefox, instead of downloading the Secure Form Fill Mozilla Firefox plug-in from the Mozilla Store, install the Secure Form Fill Mozilla Firefox plug-in from the My Apps page. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app. Secure Form Fill is included as part of the Oracle Identity Cloud Service Standard license.
Public Access Tenant Signing Certificate	Oracle Identity Cloud Service tenant administrators can allow clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service. See Changing Default Settings in Administering Oracle Identity Cloud Service.
Access Request	Administrators specify the groups and applications to which a user may request access. Users can now request group and application access from the Catalog. Users can also view the groups and applications to which they have access as well as view their access requests. See Managing Group and Application Access in Administering Oracle Identity Cloud Service.
Use new Oracle Identity Cloud Service REST APIs	The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new: /AppAllowedScopesChanger /MyGroups /MyRequestableApps /MyRequestableGroups /MyRequests See REST API for Oracle Identity Cloud Service.
New App templates added to the App Catalog	For the latest additions to the App Catalog template list, take a look at Oracle Identity Cloud Service - Application Catalog

Release 17.3.2 — July 2017

This release contains mostly bug fixes and performance enhancements.

---

Oracle Cloud What’s New for Oracle Identity Cloud Service, Release 19.3.3

E81008-40

Copyright © 2016, 2020, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.