Oracle® Cloud

What’s New for Oracle Identity Cloud Service

Release 20.1.3

E81008-42

May 2020

What’s New for Oracle Identity Cloud Service

When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.

This guide documents the complete set of new and changed features for Oracle Identity Cloud Service. Your localized version of Oracle Identity Cloud Service might contain a subset of these features. Therefore, you might find features in this documentation that are not available in your localized version of Oracle Identity Cloud Service.

Application Integration

To find out about the new applications and features that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.

Release 20.1.3 — May 2020

Early Access Features

Early access features must be enabled by Oracle. To enable early access features, file a Service Request with My Oracle Support.

Category Feature Description

SAML

Just-In-Time (JIT) Provisioning

Using SAML, JIT provisioning automates user account creation for target service providers when the user first tries to perform SSO and the user does not exist.

In addition to automatic user creation, JIT implementation allows granting and revoking group memberships as part of provisioning. JIT implementation also updates provisioned users so the users’ attributes in the Service Provider store can be kept in sync with the Identity Store user store attributes.

See Understand SAML Just-In-Time Provisioning.

SAML JIT Provisioning uses Oracle Identity Cloud Service REST APIs. See Create an Identity Provider.

For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service.

Security

Secure Oracle Database with RADIUS Proxy

Enterprises can now secure their Oracle Database instances with two-factor authentication using RADIUS Proxy.

Using RADIUS Proxy, Oracle Identity Cloud Service can:
  • Manage all database Administrators and all database Users.
  • Define access controls using Database Roles to be managed by using Identity Cloud Service Groups.

Active Directory (AD) Bridge

High Availability and Load Balancing for AD Bridge

AD Bridge support for high availability (HA) has been added to deepen the integration from a business continuity perspective. With an AD Bridge high availability deployment of at least two AD Bridges per domain, delegated authentication and data synchronization loads can be shared among all the AD Bridges. Set up high availability and load balancing for multiple AD Bridges so that you don’t have a single point of failure for your AD Bridge architecture.

See About Multiple AD Bridges for High Availability and Load Balancing.

User Experience

Customize the sign in page by creating your own HTML code and translations.

Instead of using the default sign in page, administrators can create a Hosted Sign In page to change the look and feel of the sign-in experience. You create a Hosted Sign In page by adding a background image as well as designing custom HTML code and specifying translations (specifying translations is optional).

See Create Hosted Sign In Pages.

Beta Features

Category Feature Description

LDAP

LDAP2SCIM Proxy

The LDAP2SCIM proxy will allow application clients to integrate with Oracle Identity Cloud Service using the LDAP protocol. This is a beta-only feature currently available on an invitation basis.

Generally Available Features

Category Feature Description

Multi-Factor Authentication

Enhanced task flow to set up and use 2-Step Verification

It's now easier for users to enroll in 2-Step Verification when they first log in to Oracle Identity Cloud Service, and it's easier to change the default authentication method any time they log in.

See Enroll in 2-Step Verification for Your Account.

Users also have more options for managing 2-Step Verification from the My Profile console.

See Manage 2-Step Verification from the My Profile Console.

Passwordless Login

Tired of resetting passwords? Passwordless authentication is available.

Instead of passwords, proof of identity can be verified based on possession of something that uniquely identifies the user (for example, a one-time password (OTP), a registered mobile device, or a hardware token).

Once enabled, users can access protected resources either by using a user name and password or passwordless authentication. Users use self-service to set up passwordless authentication.

See Manage Passwordless Authentication.

Application Gateway

Application Gateway Support for Multi-Origin Server

Customers can now define 1-1 or 1-n mapping between Application Gateway and backend origin servers. This provides an end-to-end high availability architecture between Load Balancers, Application Gateways, and Origin servers.

Application Gateway

New Header Support

Ability to pass Application Gateway header in upper case.

Users

Custom Attribute Supports User Details Pages

Provides custom attribute support for end user flows. End users will be able to see the custom attributes on the My Console User Details page and edit them as well.

Active Directory (AD) Bridge

Active Directory (AD) bridge support for Group Membership as Filters

You can now bring users into Oracle Identity Cloud Service based on their group membership in Active Directory. Any changes to group membership in AD will get reflected in Oracle Identity Cloud Service User after AD Sync.

Identity Provisioning

Retrofit RBAC Policy - Convert individual assignment to Group Based Assignment

You can now convert direct user assignment to apps into group based assignments. Converting assignments will ensure that User’s account and associated attribute values will be managed by their group membership. Changes at the group level are applied to all users managed by the group.

See Convert User Grants to Group Grants.

Identity Provisioning

Lifecycle Rules

Manage the complete user life cycle and automate the process of the joiner, mover and leaver. If there is any change in a User attribute, you can propagate that to the downstream application (for example, if a user gets disabled, then all accounts owned by this user would be disabled automatically).

Application Catalog

Updates to the Identity Cloud Service Application Catalog.

New provisioning application templates are available in Oracle Identity Cloud Service Application Catalog for the following:
  • Aquera Basic Authentication
  • Aquera Bearer
  • BambooHR
  • Database User Management
  • Domo
  • Egnyte
  • Evernote
  • Generic LDAPv3 Provisioning
  • ICF Custom Connector
  • Kapstone Client Credential
  • Kapstone Password Based
  • Oracle Directory Server for Enterprise Edition
  • Oracle Unified Directory
  • PeopleSoft User Management
  • Workplace by Facebook
  • Zoom
  • Amazon Web Services
  • Bonusly
  • Box
  • ServiceNow

Support for interactive account provisioning and entitlement grant in existing provisioning applications:
  • BlueJeans
  • Salesforce
  • NetSuite
  • Zendesk

For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.

Security

New network perimeter rules for Sign-On policies for OAuth Token Issuance

Identity Administrators can now define a sign-on policy with the network perimeters rule applied to OAuth Clients. The OAuth Token issuance with Client Credential grant type can also be bound to the network perimeter checking.

Security

IDP Discovery Rules

Identity Provider (IDP) Discovery enables you to organize the login page based on the username, for example, if you want corporate SSO login for some users and you want them to be logged in using social Identity Providers. Depending on the application being accessed and who is accessing it, you can completely customize the way users can log in.

Security

Apply Password Policies to Groups

You can have multiple password policies in Oracle Identity Cloud Service and associate them with different groups and set the priorities. Group password policies allow you to define password policies and associated rules to enforce password settings on the group level. You can create multiple policies with more- or less-restrictive rules.

Security

New instructions for what to do if an Identity Provider's certificate expires.

Learn what to do if an Identity Provider certificate expires.

See What is a Digital Certificate? and What if an Identity Provider's Certificate Expires? in About Digital Certificates.

Security

Support Social Login without Email

Social Login now allows setup of external Identity Providers for tenants configured with user email optional. This is a requirement for support of providers such as Line.Me, requested by customers.

OAuth

Refresh Token grant type is available for mobile applications.

Oracle Identity Cloud Service OAuth now allows Mobile/Public Clients to get a Refresh Token (RT) if RT is configured as one of the allowed grant types.

Extensibility and Integrations

Custom Connector for User Management

You can now provision Enterprise Applications with the Custom ICF connector. By using the Custom ICF connector, you can use OIM Custom connector with Oracle Identity Cloud Service.

See About Identity Cloud Service Connector.

Notifications

New sync summary administrator notifications

New sync summary notifications are sent to the Application Admin after synchronizing the identities, groups and application accounts. The details are sent in an email and include information such as users/groups created, updated and deleted.

OAuth and Custom Claims

Custom Issuer Claim in OAuth Tokens

Oracle Identity Cloud Service now provides a way for tenant admins to configure the issuer value to be populated in the OAuth tokens (IT & AT) instead of using the default (https://identity.oraclecloud.com).

See Configure OAuth Settings.

Language

New Supported Language

The Finnish language is now supported in the Oracle Identity Cloud Service user interface.

Import User Accounts

New Mandatory Column

Primary Email Type is now a mandatory column when importing users into Oracle Identity Cloud Service.

See Import User Accounts.

REST APIs

Policy Expression Syntax Support for Defining User Correlation Mapping

Oracle Identity Cloud SAML Service now supports policy expression syntax for defining the user correlation mapping between an external Identity Provider's SAML assertion and any Oracle Identity Cloud Service user attribute. See the following example.

{
    "active": true,
    "name": "Correlation Rule for b7fcc6a4fdc94c7abc073a3c59e05219",
    "return": [
        {
            "name": "filter",
            "value": "emails.value eq \"$(assertion.fed.nameidvalue)\""
        }
    ]
}

See REST API for Oracle Identity Cloud Service.

REST APIs

New Administrator Notifications

Specify whether users receive an email notification when an administrator changes their primary, secondary, or recovery email.

The following settings were added to: /admin/v1/NotificationSettings/NotificationSettings
  • "eventId": "admin.user.email.verify.primary.success"
  • "eventId": "admin.user.email.verify.secondary.success"
  • "eventId": "admin.user.email.verify.recovery.success"

See REST API for Oracle Identity Cloud Service.

REST APIs

The following new endpoints were added.

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /admin/v1/GrantConverter
  • /admin/v1/RadiusProxies
  • /admin/v1/RadiusProxyListeners
  • /admin/v1/RadiusProxyMappings
  • /admin/v1/CustomConnectorInfos
  • /admin/v1/LocalConnectorBundles
  • /admin/v1/CloudGateUpstreamServerGroups
  • /admin/v1/CloudGateUpstreamServers
  • /admin/v1/ExternalNotificationProviders

See REST API for Oracle Identity Cloud Service.

Applications

Performance Enhancement

Performance improvement when rendering the Application user interface.

Applications

Template

An additional attribute mapping of $(account.mail) has been added to the Microsoft Azure App template.

Applications

Template

A new version of the FA template is available so that you can edit Application URLs from the user interface.

Applications

Manage Users in PeopleSoft from Oracle Identity Cloud Service

This guide contains instructions to manage users in PeopleSoft from Oracle Identity Cloud Service.

See Manage PeopleSoft Tools-Based User Profile Records.

Applications

Manage Users in Database from Oracle Identity Cloud Service

This guide contains instructions on how to manage users in Database from Oracle Identity Cloud Service.

Connectivity

AD Bridge

You can now test connectivity between the AD Bridge client and the AD Domain, and also between the AD Bridge client and Oracle Identity Cloud Service.

See Test Active Directory Connectivity.

Connectors

Generic SCIM

Added configuration to send the Oracle Identity Cloud Service user id as external_id attribute.

EBS Asserter

New Attribute Mapping

Ability to map a customer user attribute in Oracle Identity Cloud Service with EBS FND_USER.

EBS Asserter

Validation

Self-service validation utility for EBS Asserter.

Error Messaging

Show the Specific Error Message for a Login Policy Violation

This option is switched on by default and allows the system to display the specific policy-violation error-message if the login policy is violated. If the switch is turned off, the system displays the standard error message.

Export User Accounts

Passwords

Using the Oracle Identity Cloud Service Admin console, you can export the password attribute.

See Export User Accounts.

Identity and Provisioning

Oracle Directory Server Enterprise Edition (ODSEE)

This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Directory Server Enterprise Edition (ODSEE).

See Perform Authoritative Sync and Provisioning for ODSEE.

Identity and Provisioning

LDAP V3

This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and any LDAP V3 directory.

See Perform Authoritative Sync and Provisioning for Generic LDAP V3 Directory.

Identity and Provisioning

Oracle Internet Directory

This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Internet Directory.

See Perform Authoritative Sync and Provisioning for Oracle Internet Directory.

Identity and Provisioning

Oracle Unified Directory

This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Unified Directory.

See Perform Authoritative Sync and Provisioning for Oracle Unified Directory.

Import User Accounts

New Mandatory Column

A new mandatory column, "Primary Email Type", has been added to the User CSV for import.

See Import User Accounts.

Import User Accounts

Replacing Existing Values to CMVA Attributes

When administrators update users by using Import, by default new values will be added to existing multi-valued attributes.

See Import User Accounts.

Integration

Application Gateway

Certified Application Gateway with PeopleSoft, JDEdwards, and OBIEE.

Notifications

New AD Bridge Connectivity Notifications

Tenant Administrators will get a notification whenever connectivity between AD Bridge and the Oracle Identity Cloud Service server is broken and also when it is restored.

See AD Bridge Connectivity Notifications.

Security

MFA

While using Duo as an MFA factor in 19.3.3, the administrator was not able to use any backup factor. That restriction has been removed in 20.1.3. Also, the administrator could not specify the Duo factor as an app-specific MFA factor in a sign-on policy in the 19.3.3 release. Starting from 20.1.3, administrators can specify Duo as an app-specific MFA factor in a sign-on policy.

Security

PAM

Added support for OEL7 in Oracle Identity Cloud Service Linux PAM.

User Interface

Streamlined Navigation for Applications

You can now access Oracle Cloud Services from a separate Oracle Cloud Services menu on the Navigation Drawer. Custom Applications can be accessed by using the existing Applications menu on the Navigation Drawer.

Release 19.3.3 — January 2020

Category Feature Description

Oracle Identity Cloud Service Foundation Stripes

Oracle Identity Cloud Service Foundation stripes in 19.3.3.

Oracle Identity Cloud Service Foundation stripes are not entitled to use multi-factor authentication (MFA). Additionally, Oracle Identity Cloud Service Foundation stripes are not entitled to use any factor other than Email for account recovery. If these features were enabled in Foundation stripes, then they will be disabled post 19.3.3.

Applications

Forms for managed applications can now contain multi-valued attributes.

If you're assigning a managed application to a user account or a group, then there's a form for the application. If the form contains multi-valued attributes, then an Add button appears to the right of each attribute. Click Add, and then in the Allowed Values window, select the values for the attribute, and click OK.

For more information, see the following topics:

Applications

Skip OAuth Consent Page

Configure confidential and mobile applications to skip the consent page requirement for all resources. See Add a Confidential Application and Add a Mobile Application.

Applications

Authorization Policy for Enterprise Applications

Enterprise applications that are protected using App Gateway can now make use of authorization policies. Administrators can define, allow or deny authorization policies using authenticated IdP, group membership, network perimeter, day and time of day as authorization conditions. See Configure an Authorization Policy.

Applications

OAuth support for Enterprise Applications

You can configure enterprise applications to work similarly to confidential applications by setting up the Client Configuration and Resource Server Configurations sections in the OAuth Configurations page for the enterprise application.

Applications

Enterprise Applications headers support extended and custom user attributes

Enterprise Application's authentication and authorization policies support sending extended and custom schema user attributes as header variables. See Supported Header Value Expressions for Authentication Policies.

Applications

List of default headers and cookies App Gateway adds to request

Documentation includes a list of default headers and cookies App Gateway adds to the request forwarded to the application during authentication and authorization validation. See Default Headers App Gateway Adds to Request.

Components

Upgrade App Gateway

Upgrade or patch your Oracle Identity Cloud Service App Gateway automatically by using the upgrade script. See Upgrade and Patch App Gateway.

Components

Identity Cloud E-Business Suite Asserter

Integrate Oracle E-Business Suite with Oracle Identity Cloud Service for authentication and password management purposes. See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service.

Components

Identity Cloud E-Business Suite Asserter support for Oracle E-Business Suite mobile applications.

Added support to integrate Oracle Fusion Expenses mobile application in single sign-on with Oracle Identity Cloud Service. See Set up E-Business Suite Mobile Applications.

Multi-Factor Authentication

Factor Specific MFA

Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy.

See Add a Sign-On Policy.

Security

New help desk administrator role.

A new administrator role is available for Oracle Identity Cloud Service: help desk administrator. A help desk administrator can manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

See Understand Administrator Roles.

Security

Customize social identity provider types and metadata.

You can create your own social identity provider type and customize an icon for it. Or, you can customize metadata for an existing social identity provider type. For example, you can define custom metadata for how to authenticate users against Oracle Identity Cloud Service using the predefined Google social identity provider.

You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only.

See Add a Social Identity Provider.

Security

Map a user's attribute value from an identity provider to an external ID.

When mapping the value of a user's attribute that Oracle Identity Cloud Service receives from a SAML identity provider to a corresponding attribute for the user in Oracle Identity Cloud Service, you can specify an external ID. You use this ID when you want to map the attribute received from the identity provider to a special ID that's associated with the provider.

See Import Metadata for a SAML Identity Provider.

Security

Duo as an authentication factor.

Use Duo Security factors to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service.

See Configure Duo Security Settings.

Security

Select MFA factor for sign-on policies

Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy.

Settings

Integrate Oracle E-Business Suite and Oracle Identity Cloud Service

In addition to Oracle Internet Directory, you can now use the Provisioning Bridge to integrate Oracle E-Business Suite and Oracle Identity Cloud Service. This bridge provides a link between an on-premises business application (such as Oracle E-Business Suite) and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on Oracle E-Business Suite is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between Oracle E-Business Suite and Oracle Identity Cloud Service.

After users are synchronized from Oracle E-Business Suite to Oracle Identity Cloud Service, you can also use the Provisioning Bridge to provision users to the application. Provisioning allows you to use Oracle Identity Cloud Service to manage the life cycle of users in the application. This includes creating, modifying, deactivating, activating, and removing users and their profiles across the application. Any changes that you make to users or their profiles in Oracle Identity Cloud Service are propagated to Oracle E-Business Suite through the Provisioning Bridge.

See:

Settings

Improved field name for Session Expiry.

On the Session Settings tab, the field Session Expiry has been changed to Session Duration to better reflect the purpose of the setting. No functionality has changed.

See Change Session Settings.

Users

Show custom attributes and some additional out-of-the-box attributes in the Oracle Identity Cloud Service console.

You can now check the custom attributes and some additional out-of-the-box attributes assigned to a user as other information in the user's Details page of the Oracle Identity Cloud Service console.

See View Details About User Accounts.

REST APIs

Support for multi-value Expressions in custom claims.

Based on user expressions, a claim can now return either a single value attribute or all the attributes associated with the expression.

See Manage Custom Claims.

REST APIs

Support Duo as a second authentication factor

The Authenticate APIs have added a new use case to support Duo Security as a second authentication factor. This use case explains using the Oracle Identity Cloud Service Authentication API to authenticate a user's credentials with Duo Security. If administrators choose to enable this feature, they must ensure that all custom code which uses these authenticate APIs has been updated to support the payloads for this feature.

See Use Duo as a Multi-Factor Authentication Factor.

If users choose to skip Multi-Factor Authentication during single sign-on enrollment, they can enroll in Duo Security using the self service enrollment. The self service (MyProfile) endpoints such as Initiator, validation, and Enroller are enhanced to support Duo Security.

See Using Self Service to Enroll in MFA with Duo Security.

REST APIs

Enterprise Application creation with authorization policy

A new use case for creating an enterprise application with authorization policies has been added in the REST APIs for Oracle Identity Cloud Service.

See Creating an Enterprise Application with Authorization Policy.

REST APIs

Trigger an email verification flow if email address is already verified

A new use case for triggering an email verification flow if the email address is already verified has been added in the REST APIs for Oracle Identity Cloud Service.

See Triggering an Email Verification Flow if Email Address is Already Verified.

Runbooks

New runbooks for integrating Oracle Identity Cloud Service with Oracle E-Business Suite and Microsoft Azure.

There are two new runbooks available with version 19.3.3 of Oracle Identity Cloud Service:

  • Oracle E-Business Suite: This runbook describes how to synchronize users, roles, and responsibilities between Oracle E-Business Suite and Oracle Identity Cloud Service.
  • Microsoft Azure: This runbook describes how to configure Oracle Identity Cloud Service to synchronize users, groups, and user group memberships from Microsoft Azure to Oracle Identity Cloud Service.

Release 19.2.1 — August 2019

Category Feature Description

Applications

Customize OAuth Consent Page

Customize the information that appears in the OAuth consent page for custom applications that require consent to access application's resources. See Edit Consent Information for Custom Applications.

Applications

Enterprise Application

Learn what enterprise applications are and how to integrate them with Oracle Identity Cloud Service for authentication purposes using App Gateway. See Secure Enterprise Applications with App Gateway.

Applications

SAML assertion encryption support

Oracle Identity Cloud Service now supports assertion encryption for SAML applications. You can provide the certificate and encryption algorithm. See Add a SAML Application.

Applications

Synchronization Failure Report

Learn about the reason behind the synchronization failures from a synchronization failure report of a provisioning application. See Work with the Synchronization Failure Report.

Applications

Personal Access Token

Generate and download your personal access tokens. A client application can use these tokens to access a specific resource application for a limited period. See Generate Personal Access Tokens.

Applications

Assign users and groups to custom applications

Use a form to enter values while assigning users and groups to provisioned applications. See Assign Users to Custom Applications and Assign Groups to Custom Applications.

Applications

Integrate your Linux environment with Oracle Identity Cloud Service.

A new Pluggable Authentication Module for Linux allows you to integrate your Linux environment with Oracle Identity Cloud Service to perform end user authentication with first and second factor authentication.

See Manage Linux Authentication using the Identity Cloud Service Linux Pluggable Authentication Module.

Groups

Populate form fields for managed applications that you assign to groups.

If you assign a managed application to a group, then a form appears for the application. You can populate the fields of this form to reflect the values of your application. Or, if you assigned the managed application to the group, then you can modify the values of the application form.

See Assign Applications to the Group.

Settings

New notifications

Two new notifications have been added:
  • Exceeded Maximum Number of Account Recovery Attempts: After a user exceeds the maximum number of attempts to reset their password to recover their account, this notification is sent to the user’s primary email address.
  • New Device Login Detected with Your Account: If an attempt is made to log in to a user's account from a device, IP address, or web browser, and Oracle Identity Cloud Service doesn't recognize that the device, address, or browser is associated with the account, then this notification is sent to the user. The notification contains a link that the user can click to reset their SSO password in case the user doesn't recognize the login attempt.

See About User Notifications.

Settings

New Provisioning Bridge feature

A new bridge is available for Oracle Identity Cloud Service: the Provisioning Bridge. This bridge provides a link between your on-premises apps and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on the apps is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. So, if a user is deleted in one of your apps, then this change will be propagated into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between your apps and Oracle Identity Cloud Service.

See Understand the Provisioning Bridge.

Settings

Enhancements to the Microsoft Active Directory (AD) Bridge

There are now two types of imports that you can run by using the Microsoft Active Directory (AD) Bridge to import users and groups from AD into Oracle Identity Cloud Service:

  • Full import: The AD Bridge polls AD and retrieves data associated with all users and groups that you selected in the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes of the Configuration tab for the bridge. This data represents users and groups that were created, modified, or removed in AD.
  • Incremental import: Similar to a full import, but for this type of import, the AD Bridge polls AD and retrieves only user and group data that changed since you last used the AD Bridge to import users and groups into Oracle Identity Cloud Service.

After users are imported into Oracle Identity Cloud Service through the AD Bridge, if you activate or deactivate a user, modify a user's attribute values, or change group memberships for a user in Oracle Identity Cloud Service, then these changes will be reflected in AD.

See Manage Microsoft Active Directory (AD) Bridges for Oracle Identity Cloud Service.

Settings

Enable the Access for an unknown device event of Adaptive Security for your custom sign-in page.

Adaptive Security uses the concept of risk providers to allow administrators to configure various contextual and threat events to be analyzed within Oracle Identity Cloud Service. A default risk provider within Oracle Identity Cloud Service is seeded automatically with a list of supported contextual and threat events, such as Access from an unknown device. For this event, if a user accesses Oracle Identity Cloud Service from a device that hasn’t been previously used to access the service, then this event (commonly referred to as Device Fingerprinting) is triggered.

Although Oracle Identity Cloud Service has a sign-in page, you may prefer to use your own page. If so, then you can use the Identity Cloud Service Device Fingerprint Utility to enable the Access for an unknown device event of Adaptive Security for your custom sign-in page.

See Download Oracle Identity Cloud Service SDKs and Applications.

Settings

Handle on demand language support for email and SMS templates.

You can now select French (Canada) as the language for email and SMS notifications.

Security

New App Gateway Feature

App Gateway enables you to integrate web applications hosted on-premises or on a cloud infrastructure with Oracle Identity Cloud Service for authentication purposes. See Manage Oracle Identity Cloud Service App Gateways.

Security

New user manager administrator role

A new administrator role is available for Oracle Identity Cloud Service: user manager. A user manager can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

See Understand Administrator Roles.

Security

New Account Recovery feature

A new feature is available for Oracle Identity Cloud Service: account recovery. Account recovery is an automated process designed to help users regain access to their accounts if they have trouble signing in, they’re locked out, or they forget their passwords.

There are three account recovery factors that administrators can configure for users:

  • Security questions: You can allow a user to select and answer security questions, and provide hints for answers to these questions, to verify their identity. If they have to recover their account, then they must answer these questions correctly to regain access.

  • Email: By default, a user’s primary email address has been set as the email address that Oracle Identity Cloud Service will use to help the user recover their account. If the user has to regain access, then Oracle Identity Cloud Service will send a notification to this email address. The user follows the instructions in the notification to recover their account. Instead of their primary email address, you can allow the user to specify an alternate (recovery) email address to regain access to their account.

  • Text message (SMS): You can allow a user to provide a mobile number that Oracle Identity Cloud Service will use to help them recover access to their account. This way, if they have to regain access, then Oracle Identity Cloud Service will send a passcode in a text message (SMS) to this mobile number. The user enters this passcode to recover their account.

In addition to setting account recovery factors, administrators can specify:

  • How many consecutive, unsuccessful account recovery attempts a user can make before the user’s account is locked.

  • How long the user’s account will be locked before they can attempt to recover their account again.

See Manage Account Recovery in Oracle Identity Cloud Service.

Security

New events added to the default risk provider

There are three new events added to the risk provider that's associated with Oracle Identity Cloud Service actions. This risk provider, known as the default risk provider, evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users.

  • Impossible travel between locations: Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and calculates the distance between this location and the user’s immediately preceding access location. If it determines that this distance can’t be covered at the speed specified in the threshold, then this event (commonly referred to as geo-velocity) is triggered.
  • Access from an unfamiliar location: If a user accesses Oracle Identity Cloud Service from a location that hasn’t been used previously to access the service, then this event is triggered. Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and determines if this location has been used previously. If it's a new location, then the service determines the distance between the current access location and the user’s immediately preceding access location. If the distance between these two locations exceeds the value specified in the threshold, then this event is triggered.
  • Access from suspicious IP addresses: If the IP address from where the user is accessing Oracle Identity Cloud Service is flagged as suspicious by the integrated IP reputation provider, then this event is triggered.

See Configure Oracle Identity Cloud Service Risk Events.
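The following sketch is an added example, not Oracle's implementation: it applies the impossible-travel (geo-velocity) and unfamiliar-location rules described above to constructed login records. The thresholds, the event names, the `Login` record, and the geolocation-error floor are assumptions, and the IP-to-location lookup is replaced by fixed coordinates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088

# Assumed values: the service lets administrators set the thresholds.
MAX_SPEED_KMH = 900.0     # hypothetical speed threshold for impossible travel
NEW_LOCATION_KM = 500.0   # hypothetical distance threshold for a new location
MIN_DISTANCE_KM = 50.0    # assumed tolerance for IP geolocation error


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    place: str   # label an IP geolocation lookup would return (constructed)
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    h = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate(history, current,
             max_speed_kmh=MAX_SPEED_KMH, new_location_km=NEW_LOCATION_KM):
    """Return the risk events raised by `current`, given the user's earlier logins."""
    if not history:
        return []  # assumption: a first login has nothing to compare against
    prev = history[-1]  # the immediately preceding access location
    distance = haversine_km(prev.lat, prev.lon, current.lat, current.lon)
    hours = max((current.when - prev.when).total_seconds() / 3600.0, 0.0)
    events = []
    # Impossible travel: the distance cannot be covered at the threshold speed.
    # Comparing distance with speed * time avoids dividing by a zero interval.
    if distance > MIN_DISTANCE_KM and distance > max_speed_kmh * hours:
        events.append("impossible_travel")
    # Unfamiliar location: never seen before AND far from the previous one.
    known_places = {login.place for login in history}
    if current.place not in known_places and distance > new_location_km:
        events.append("unfamiliar_location")
    return events


def score_logins(logins):
    """Replay logins in time order, per user, and return the flagged ones."""
    history = {}
    flagged = []
    for login in sorted(logins, key=lambda item: item.when):
        seen = history.setdefault(login.user, [])
        events = evaluate(seen, login)
        if events:
            flagged.append((login, events))
        seen.append(login)
    return flagged


def _at(day, hour, minute=0):
    return datetime(2020, 5, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data, not taken from any real tenant.
SAMPLE_LOGINS = [
    Login("alice", _at(4, 8), "London", 51.5074, -0.1278),
    Login("bob", _at(4, 8), "Paris", 48.8566, 2.3522),
    Login("alice", _at(4, 9, 30), "London", 51.5074, -0.1278),
    Login("alice", _at(4, 10, 30), "Singapore", 1.3521, 103.8198),
    Login("bob", _at(4, 12), "Brussels", 50.8503, 4.3517),
    Login("alice", _at(6, 10), "Paris", 48.8566, 2.3522),
    Login("alice", _at(7, 9), "London", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for login, events in score_logins(SAMPLE_LOGINS):
        print(login.user, login.when.isoformat(), login.place, events)
```

In the sample, the Singapore login one hour after London raises both events, the later Paris login raises only the unfamiliar-location event because two days is enough time to travel, and the Brussels login stays below the distance threshold.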

Security

See the cloud account name and instance name from the Identity Cloud Service console.

The names of both the primary or secondary instance and the Oracle Cloud account that was used to create this instance appear in the Identity Cloud Service console. To access this information, click the user icon in the upper-right corner of the console, and then select About from the drop-down menu. The Cloud Account Name and Instance Name fields display the names of the Oracle Cloud account and the instance.

See Identify and Switch Instances.

Security

Network Failure Handling in Delegated Authentication

Oracle Identity Cloud Service provides local password caching functionality that helps delegated users log in to Oracle Identity Cloud Service even if Active Directory is not reachable.

See Handle Network Failure in Delegated Authentication.

Sign-In

Enhanced sign-in user experience

Oracle Identity Cloud Service has updated the sign-in user experience for the standard Identity Cloud Service sign-in pages for a fresh and more intuitive sign-in process. Users see this new look throughout the sign-in and password reset flows. Although the look is different and usability improvements have been incorporated, the functionality remains the same. This change will be seen by all users of the standard Identity Cloud Service sign-in pages, including Oracle IaaS and PaaS users leveraging Oracle Identity Cloud Service.

For customers who have branded the sign-in page by adding a custom logo and text, your logo and text will appear integrated into the new pages. For customers who have replaced Oracle Identity Cloud Service's default sign-in page with a custom one, your custom page won't be impacted as a result of the new sign-in experience.

See Oracle is updating the Identity Cloud Service sign-in experience.

User Settings

Change settings associated with user accounts.

You can now change settings associated with user accounts. For example, you can make the primary email address for a user account a required or optional attribute.

By making the primary email address optional, if Oracle Identity Cloud Service integrates with another cloud service or on-premises application, then a user’s email address can be propagated from that service or application back into Oracle Identity Cloud Service, and be designated as the user’s primary email address in Oracle Identity Cloud Service.

See Change User Settings.

Users

Use the My Profile console to edit attribute values for your user account.

You can no longer edit attribute values for your user account from the Identity Cloud Service console. To do this, access the My Profile Details tab of the My Profile console.

See Edit Attribute Values for the User Account.

Users

Oracle Identity Cloud Service unlocks all user accounts after 24 hours automatically.

If a user's account is locked, and the user or an administrator doesn't unlock the account within 24 hours, then Oracle Identity Cloud Service will unlock it automatically.

See Unlock User Accounts.

Users

See the Multi-Factor Authentication (MFA) status for users.

By accessing the Security tab for any user account, you can see whether the user is enrolled in Multi-Factor Authentication (MFA).

See View Details About User Accounts.

Users

See the statement of the terms of use associated with user's consents.

From the My Consents tab of the My Profile console, users can now see the terms of use that they agreed to upon accessing applications. See Access Your Consents.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • UserAttributesSettings - Use this endpoint to set the User schema attribute.
  • AccountRecoverySettings - Use this endpoint to manage tenant-specific account recovery settings.
  • MePasswordRecoveryFactorValidator - Use this endpoint to validate the password recovery factors of a user.
  • MeRemovePendingEmailVerification - Use this endpoint to remove pending verification email(s) and to delete an associated user token.

See REST API for Oracle Identity Cloud Service.

REST APIs

Deprecated REST API endpoint

The following endpoints are deprecated in the 19.2.1 release:
  • /ManagedObjectSyncDetailedJobReport
  • /sso/v1/sdk/idp (Alternate endpoint /sso/v1/sdk/secure/idp)
  • /sso/v1/sdk/session (Alternate endpoint /sso/v1/sdk/session/secure/idp)

See REST API for Oracle Identity Cloud Service.

REST APIs

New Use cases

The Authenticate APIs have added support for new features such as Account Recovery (SMS and Security Questions) and Terms of Use. An administrator who chooses to enable these new features must ensure that all custom code that uses these Authenticate APIs has been updated to support the payloads for these new features.

The following use cases have been added:
  • Authenticating User Name and Password with TOU Consent - This use case explains how to use the IDCS Authenticate API to authenticate a user's credentials with TOU consent.
  • Generate Access Token Using Authentication API - This use case explains how to generate an access token using the authentication API.
  • Authenticating User Name and Password and Enrolling in Account Recovery - This use case explains how to use the IDCS Authenticate API to authenticate with a user's credentials and enroll in Account Recovery.
  • Authenticating User Name and Password and Enrolling in Account Recovery and MFA - This use case explains how to use the IDCS Authenticate API to authenticate with a user's credentials and enroll in Account Recovery and Multi-Factor Authentication (MFA).
  • Factor Enrollment with Verification - This use case explains how to use the IDCS Authenticate API to allow a user to enroll in various MFA factors.

See REST API for Oracle Identity Cloud Service.

REST APIs

OAuth Access Token Size

The OAuth access token size is set to 16000 characters by default.

Infrastructure

Use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services.

Oracle Identity Cloud Service instances can use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services within the same region, without this communication going over the internet.

See Supported Cloud Services in Oracle Services Network.

See Access to Oracle Services: Service Gateway to learn more about Oracle Cloud Infrastructure service gateway.

Other Noteworthy Changes

Category Feature Description

Reports

PDF Deprecation

From release 19.2.1 onward, PDF report generation is deprecated. Oracle Identity Cloud Service supports only the CSV and JSON formats for report generation.

Release 18.4.3 — July 2019

Category Feature Description

Infrastructure

Oracle Identity Cloud Service on Oracle Cloud Infrastructure

As a part of our efforts to improve service reliability and performance, the latest release of Oracle Identity Cloud Service now runs on Oracle Cloud Infrastructure (OCI), our next-gen infrastructure. Learn more about Oracle Cloud Infrastructure.

You can find more information about Oracle Identity Cloud Service in the Oracle Help Center. Technical assistance for Oracle Identity Cloud Service is available through Oracle Support.

Customer Migration to OCI

Oracle Identity Cloud Service on Oracle Cloud Infrastructure

For existing customers, Oracle Identity Cloud Service will be undergoing planned maintenance to migrate network infrastructure in multiple regions. Learn more about the benefits of Oracle Cloud Infrastructure. No action is required by customers to initiate the planned maintenance. Customers will receive an email notification in advance that indicates when the maintenance will occur, and another when the maintenance has completed. Once maintenance has completed, connectivity to Oracle Identity Cloud Service will continue automatically if you have configured your IP ranges in accordance with the instructions below.

  • If you have whitelisted the IP ranges of Oracle Identity Cloud Service, you are required to update your access rules with the IP ranges for each Oracle Cloud Infrastructure region. See Review the IP ranges for different Oracle Cloud Infrastructure regions.
  • Once the maintenance window has been completed, Oracle recommends you remove the old IP ranges from your access rules.

If this IP range update is not completed prior to the start of the maintenance window, you may be unable to connect to Oracle Identity Cloud Service.

Self-Service Diagnostics

Set the diagnostics type to capture operational logs.

Diagnostic Data reporting has been added to the Oracle Identity Cloud Service user interface. See Run the Diagnostic Data Report.

Release 18.4.2 — December 2018

Category Feature Description

Adaptive Security

Activate and deactivate the default risk provider

In addition to third-party risk providers, you can now activate and deactivate the default risk provider.

See Activating and Deactivating Risk Providers.

Adaptive Security

Use the slider to set the weighting for events

Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users.

See Configuring the Default Risk Provider.

Applications

Enhancements to SAML Application Configuration

There are two enhancements to the SAML Application Configuration:

  • You can now collectively configure User and Group attributes under the Attributes section in SAML Application Configuration.

  • In addition to configuring an attribute to have one of the predefined user attribute values, you can also specify path expressions to define how the value of the assertion attribute should be calculated.

See Adding a SAML Application.

Applications

Support to allow access to OPC resources

You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has a similar urn:opc:resource:consumer prefix in any of the clients' Allowed Scopes, then the client can access the OPC resource. However, if the requested scope has a different qualifier (with the exception of ::all) that doesn't match the Allowed Scopes, then the client can't access the OPC resource.

See Adding a Confidential Application and Configuring Authorized Resources.

Notifications

Oracle Identity Cloud Service now checks whether the email address that will appear in the From Email field for all notifications has been verified.

A new feature of the Notifications page is the Check Status button. When you click this button, Oracle Identity Cloud Service checks whether this email address has been verified through the email sent to the postmaster (domain) or email account.

If the email address isn't verified, then access the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified.

If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address.

See Activating Notifications.

Scenarios

Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service

You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts:

  • A traditional Cloud account (also known as a cloud service account)

  • A cloud account with Identity Cloud Service

Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service.

You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services:

  • Oracle Business Intelligence Cloud Service

  • Oracle Integration Cloud Service

  • Oracle Mobile Cloud Service

  • Oracle Process Cloud Service

  • Oracle Visual Builder Cloud Service

Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service.

See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service.

Terms of Use

Customize Terms of Use for Users

Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications.

See Managing Terms of Use.

Social Login

Add multiple instances of the same social identity provider

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

See Adding a Social Identity Provider.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

  • /mfa/v1/requests - Use this endpoint to initiate and complete verification of a default Multi-Factor Authentication factor or a backup factor.

  • /FromEmailAddressValidator - Use this endpoint to validate the status of the From Email Address or Email Domain from the OPC Notification Service.

See REST API for Oracle Identity Cloud Service.

Other Noteworthy Changes

Category Feature Description

AD Bridge

Set Permissions for Microsoft Active Directory Bridge

Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegate password reset and synchronization between Microsoft Active Directory Bridge and Oracle Identity Cloud Service.

See Setting Permissions for the Microsoft Active Directory User Account.

Reports

Change in reports download behavior

Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available.

See Organize the Report Data.

Release 18.3.4 — August 2018

Category Feature Description

Reporting

Diagnostic Data Report

Diagnostic Data reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data.

See Diagnostic Records REST Endpoints.

Release 18.2.6 — July 2018

Category Feature Description

Bridge

Enhancements to AD Bridge configuration

For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge:
  • The Include hierarchy check box. If you select this check box, and then select a parent OU, all child OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service.

  • The Filter text box. Use this text box to enter a custom filter to search for user or group OUs. For example, enter (&(objectClass=User)(sn=Smith)) to return all users with the last name of Smith. Or, enter (department=IT) to return the IT group.

See Configuring a Bridge.

Notifications

Validate the entire email address instead of the email domain only

Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email.

Use the Domain option to send a validation email to the postmaster account of the email’s domain or the Email option to send an email to an email address for verification purposes.

See Activating Notifications.

Administration

Support for editing Oracle Cloud Applications

As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies.

See Editing High-Level Information for Oracle Applications.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /TermsOfUse - Use this endpoint to manage terms of use, which maintains the terms of use statements for applications.

  • /TermsOfUseStatements - Use this endpoint to manage the terms of use statement, which maintains the terms of use statement that is associated with the terms of use.

  • /SocialIdentityProviderMetadata - Use this endpoint to manage metadata for defining interaction with various social identity providers such as Facebook, LinkedIn, and Google.

  • /UserAppsEnabledForAuthentication - Use this endpoint to return a list of all available target apps for a user on which delegated authentication can be performed.

See REST API for Oracle Identity Cloud Service.

REST APIs

Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:
/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.

Security

Terms of Use

Terms of Use is a feature in Oracle Identity Cloud Service that helps customers set the conditions under which users can access applications, based on their consent.

This feature allows the identity domain administrators to set relevant disclaimers for legal or compliance requirements.

Release 18.2.4 — May 2018

See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.

Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.

Category Feature Description

Applications

Update your SAML applications

If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, the Upgrade button is visible in the UI. Click the button to upgrade the application.

See Upgrading a SAML Application.

Applications

Support for providing a Custom Error URL for applications.

You can now provide a Custom Error URL to redirect a user in case of a failure. If not provided, the tenant-specific Error page URL will be used.

Applications

Support for configuring tenant-specific Error page URL

You can now provide a tenant-specific custom Error page URL to redirect a user in case of a failure. See Changing Session Settings.

Applications

Support for providing Linking callback URL

You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete.

Applications

Use App Gate to access your on-premises applications securely and remotely

Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely.

Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications.

In addition, the App Gate is an ideal solution for you if:
  • You want to unify all of your Identity and Access Management products under one Identity as a Service (IDaaS) platform, but you have to integrate with applications that don’t support federation (such as SAML or WS-Fed).

  • Your vendors, customers, or partners must access your internal business applications such as Oracle E-Business Suite from the Internet.

  • You want to restrict unauthorized network access to your applications.

  • You must comply with industry regulations, like Sarbanes-Oxley, HIPAA, and others.

  • Your enterprise has Web applications that lack a native authentication mechanism.

  • You’re looking for a cost-effective replacement for your on-premises Web-access management solution.

  • You need a supported replacement of Shibboleth.

From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads.

Branding

Revert custom branding to default Oracle branding

If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release.

See Branding the Oracle Identity Cloud Service Interface.

REST APIs

Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:
/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.

REST APIs

New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:
  • /AppEntitlementCollection - Use this endpoint to manage collections of entitlements from Apps. For example, an administrator can grant an AppEntitlementCollection as a single gesture that causes the grantee to receive every entitlement in that collection.

  • /UserAuditEventsPurger - Use this endpoint to delete all of the audit events that are related to a deleted user.

  • /DBGroups - Use this endpoint to manage all group administrative tasks. A group contains one or more users and works as a role for the enterprise to apply security features.

See REST API for Oracle Identity Cloud Service.

Application Development SDKs

Updates to SDKs for web applications

There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service.

Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Other Noteworthy Changes

Category Feature Description

REST APIs

Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content.

Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation.

OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients to request and receive information about authenticated sessions and end users.

See Using OpenID Connect to Extend OAuth 2.0.


Copyright © 2016, 2020, Oracle and/or its affiliates.

This documentation is in preproduction status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.