What’s New for Oracle Identity Cloud Service
When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.
This guide documents the complete set of new and changed features for Oracle Identity Cloud Service. Your localized version of Oracle Identity Cloud Service might contain a subset of these features. Therefore, you might find features in this documentation that are not available in your localized version of Oracle Identity Cloud Service.
Service Change Announcement
App Gateway Replaces App Gate
The software appliance App Gate has been replaced with App Gateway as of August 2019. Both App Gate and App Gateway are software appliances that you can use to provide Single Sign-On (SSO) and authorization for your on-premises applications. This enables you to use one appliance to provide SSO for multiple applications by allowing external users to access internal applications securely without needing a VPN client. There’s no change in functionality between the old App Gate and the new App Gateway solution. However, as a customer you will need to replace App Gate with App Gateway and reconfigure your supported applications. Technical support for App Gate will end after August 15, 2021.
See Deprecated Oracle Identity Cloud Service Software Appliances for information on how to download App Gateway and how to ensure that you are using the latest version of App Gateway.
Application Integration
To find out about the new applications and features that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.
Release 20.4.2 — December 2020
Generally Available Features
Category | Feature | Description |
---|---|---|
Multi-Factor Authentication | FIDO Authentication | Configure FIDO authentication so that users can use their FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate to Oracle Identity Cloud Service. |
Other Documentation Changes
Feature | Link |
---|---|
App Gateway | New App Gateway OVA instructions for OVA version 20.1.3-4.0.0 and onward. |
PAM | The post installation files have changed. The new list of files has been documented. See Install the PAM. |
Oracle Identity Cloud Service features | Some Oracle Identity Cloud Service features must be enabled by Oracle Support before you can use them. Learn about the features that Oracle must enable for you and how to enable them. |
Release 20.4.1 — November 2020
Generally Available Features
Category | Feature | Description |
---|---|---|
OAuth | Configurable Subject Mapping | Administrators can now customize a subject claim. A new attribute |
User Interface | License Type Information | You can now view your Oracle Identity Cloud Service license type in the top right of the Identity Cloud Service console. |
Password Iteration Support | Password Hash Iteration | Password hash iteration has been increased to 10,000. |
EBS Asserter | EBS Asserter Documentation Enhancements | Instructions have been rewritten for clarity. Additional information about validating the configuration, and about how to log in with a non-US English language, was also added. See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service and Configure Oracle E-Business Suite (EBS) to use Oracle Identity Cloud Service for Single Sign-On. |
Notifications | New notification option when sending primary email change notifications. | Administrators now have a new setting when sending primary email change notifications. With the new setting enabled, when an administrator changes a user’s primary email, change notifications are sent to the user’s old primary email address as well as the new primary email address. When the setting is disabled (the default), a change notification is sent only to the user’s old primary email. |
App Gateway Documentation Updates | Learn how to deploy the Oracle App Gateway Docker container. | |
Application Catalog Documentation Updates | New connector instructions available in the Application Catalog. | See ICF Custom Connector. |
All Documentation Changes
Feature | Link |
---|---|
Configure OAuth. New instructions regarding Issuer value behavior. | See Configure OAuth Settings. |
App Gateway. New instructions on how to deploy an App Gateway Docker container. | See Deploy the Oracle App Gateway Docker Container. |
SAML Identity Provider. The SAML Identity Provider documentation incorrectly called for an IDP encryption certificate when creating a SAML Identity Provider. That requirement has been removed from the documentation. | See Enter Metadata Manually for a SAML Identity Provider and Update the E-Business Suite Asserter Configuration File (see idcs.iss.url). |
Enforce Network Perimeter. The Enforce network perimeter for OAuth Clients functionality was removed from the product. The corresponding content has been removed from the documentation. | Not applicable. |
Duo Security Settings. The Prerequisites section stated that a “custom login user interface” must be implemented. This was incorrect. The prerequisite was removed. | See Configure Duo Security Settings. |
AD Bridge High Availability. Documented new behavior for syncing new organizational units. | See Understand Full and Incremental Sync. |
RADIUS Proxy. Changes to the setup tasks as well as updated examples. | See Set Up and Validate RADIUS Proxy. |
Identity Cloud Service Pricing Models. The pricing model documents did not list Group Based Password Policies. Group Based Password Policies have been added to the topics as a "Standard" feature. | See Understand the User Per Month Pricing Model and Understand the Active User Per Hour Pricing Model. |
Creating Groups. The documentation stated that both user memberships and nested groups can be created along with a group. This was incorrect. Nested groups are not allowed, and they have been removed from the instructions. | See Groups REST Endpoints. |
Configurable Subject Mapping. Administrators can now customize a subject claim. New instructions for the new attribute subMappingAttr. | See Settings REST Endpoints. |
License Type Information. Content added to inform users that they can now view the Oracle Identity Cloud Service license type in the top right of the Identity Cloud Service console. | See Understand the User Per Month Pricing Model and Understand the Active User Per Hour Pricing Model. |
Notifications. Documentation added for a new notification option when sending primary email change notifications: sendNotificationToOldAndNewPrimaryEmailsWhenAdminChangesPrimaryEmail. Request and response examples updated as well. | See Notification Settings REST Endpoints. |
Application Catalog. New connector instructions available in the Application Catalog. | See ICF Custom Connector. |
Application Catalog. Salesforce Runbook updated. | See Salesforce in the Application Catalog. |
Default Settings. Documented new functionality where making the tenant signing certificate public also makes the SAML metadata public. | See Change Default Settings. |
Troubleshooting User Issues. Added a troubleshooting tip to explain why users may not be able to close or cancel a forgotten password request. | See Troubleshoot Oracle Identity Cloud Service – Users. |
Configuring the PAM using SSSD. Sample code now includes a regular expression to configure email addresses as the SSO user names. | See Configure the PAM using SSSD. |
Oracle Applications. Oracle applications now appear in the new Oracle Cloud Services page, and your custom applications appear on the Applications page of the Admin Console. | See Identity Cloud Service Console and About the Relationship Between Oracle Identity Cloud Service and Applications. |
Known Issues. Resolved known issues removed. | See Known Issues for Oracle Identity Cloud Service. |
REST API. Updates to the Token Expiry Table, specifically the OAuth Access Token Expiry setting. | See Token Expiry Table. |
App Gate has been replaced with App Gateway. Service change notices added to the Admin Guide and What's New. | See Deprecated Oracle Identity Cloud Service Software Appliances, Manage Oracle Identity Cloud Service App Gateways, and Download and Extract the App Gateway Binary File. |
Release 20.1.3 — May 2020
Early Access Features
Early access features must be enabled by Oracle. To enable early access features, file a Service Request with My Oracle Support.
Category | Feature | Description |
---|---|---|
SAML | Just-In-Time (JIT) Provisioning | Using SAML, JIT provisioning automates user account creation for target service providers when a user first tries to perform SSO and the user does not yet exist. In addition to automatic user creation, the JIT implementation allows granting and revoking group memberships as part of provisioning. It also updates provisioned users so that the users’ attributes in the Service Provider store can be kept in sync with the Identity Store user attributes. See Understand SAML Just-In-Time Provisioning. SAML JIT Provisioning uses Oracle Identity Cloud Service REST APIs. See Create an Identity Provider. For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service. |
Security | Secure Oracle Database with RADIUS Proxy | Enterprises can now secure their Oracle Database instances with two-factor authentication using RADIUS Proxy. Using RADIUS Proxy, Oracle Identity Cloud Service can: |
Active Directory (AD) Bridge | High Availability and Load Balancing for AD Bridge | AD Bridge support for high availability (HA) has been added to deepen the integration from a business continuity perspective. With an AD Bridge high availability deployment of at least two AD Bridges per domain, delegated authentication and data synchronization loads can be shared among all the AD Bridges. Set up high availability and load balancing for multiple AD Bridges so that you don’t have a single point of failure in your AD Bridge architecture. See About Multiple AD Bridges for High Availability and Load Balancing. |
User Experience | Customize the sign in page by creating your own HTML code and translations. | Instead of using the default sign in page, administrators can create a Hosted Sign In page to change the look and feel of the sign-in experience. You create a Hosted Sign In page by adding a background image, designing custom HTML code, and specifying translations (translations are optional). |
Beta Features
Category | Feature | Description |
---|---|---|
LDAP | LDAP2SCIM Proxy | The LDAP2SCIM proxy allows application clients to integrate with Oracle Identity Cloud Service using the LDAP protocol. This is a beta-only feature, currently available on an invitation basis. |
Generally Available Features
Category | Feature | Description |
---|---|---|
Multi-Factor Authentication | Enhanced task flow to set up and use 2-Step Verification | It's now easier for users to enroll in 2-Step Verification when they first log in to Oracle Identity Cloud Service, and it's easier to change the default authentication method any time they log in. See Enroll in 2-Step Verification for Your Account. Users also have more options for managing 2-Step Verification from the My Profile console. |
Passwordless Login | Tired of resetting passwords? Passwordless authentication is available. | Instead of passwords, proof of identity can be verified based on possession of something that uniquely identifies the user (for example, a one-time password (OTP), a registered mobile device, or a hardware token). Once enabled, users can access protected resources either by using a user name and password or by passwordless authentication. Users use self-service to set up passwordless authentication. |
Application Gateway | Application Gateway Support for Multi-Origin Server | Customers can now define a 1-1 or 1-n mapping between Application Gateway and backend origin servers. This provides an end-to-end high availability architecture between load balancers, Application Gateway and origin servers. |
Application Gateway | New Header Support | Ability to pass Application Gateway headers in upper case. |
Users | Custom Attribute Support for User Details Pages | Provides custom attribute support for end user flows. End users can see the custom attributes on the My Console User Details page and edit them as well. |
Active Directory (AD) Bridge | Active Directory (AD) Bridge support for Group Membership as Filters | You can now bring users into Oracle Identity Cloud Service based on their group membership in Active Directory. Any changes to group membership in AD are reflected in Oracle Identity Cloud Service after AD sync. |
Identity Provisioning | Retrofit RBAC Policy - Convert individual assignment to Group Based Assignment | You can now convert direct user assignments to apps into group-based assignments. Converting assignments ensures that the user’s account and associated attribute values are managed by their group membership. Changes at the group level are applied to all users managed by the group. |
Identity Provisioning | Lifecycle Rules | Manage the complete user life cycle and automate the joiner, mover and leaver processes. If there is any change in a user attribute, you can propagate that to the downstream application (for example, if a user gets disabled, then all accounts owned by this user are disabled automatically). |
Application Catalog | Updates to the Identity Cloud Service Application Catalog. | New provisioning application templates are available in the Oracle Identity Cloud Service Application Catalog for the following: Support for interactive account provisioning and entitlement grant in existing provisioning applications: For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog. |
Security | New network perimeter rules for Sign-On policies for OAuth Token Issuance | Identity administrators can now define a sign-on policy with the network perimeter rule applied to OAuth clients. OAuth token issuance with the Client Credentials grant type can also be bound to the network perimeter check. (This functionality was later removed from the product; see the Release 20.4.1 documentation changes.) |
Security | IDP Discovery Rules | Identity Provider (IDP) Discovery enables you to organize the login page based on the username, for example, if you want corporate SSO login for some users and social Identity Provider login for others. Depending on the application being accessed and who is accessing it, you can completely customize the way users log in. See: |
Security | Apply Password Policies to Groups | You can have multiple password policies in Oracle Identity Cloud Service, associate them with different groups, and set their priorities. Group password policies allow you to define password policies and associated rules to enforce password settings at the group level. You can create multiple policies with more- or less-restrictive rules. |
Security | New instructions for what to do if an Identity Provider's certificate expires. | Learn what to do if an Identity Provider certificate expires. See What is a Digital Certificate? and What if an Identity Provider's Certificate Expires? in About Digital Certificates. |
Security | Support Social Login without Email | Social Login now allows setup of external Identity Providers for tenants configured with user email optional. This is a requirement for supporting providers such as Line.Me, as requested by customers. |
OAuth | Refresh Token grant type is available for mobile applications. | Oracle Identity Cloud Service OAuth now allows mobile/public clients to get a Refresh Token (RT) if RT is configured as one of the allowed grant types. |
Extensibility and Integrations | Custom Connector for User Management | You can now provision enterprise applications with the Custom ICF connector. By using the Custom ICF connector, you can use an OIM custom connector with Oracle Identity Cloud Service. |
Notifications | New sync summary administrator notifications | New sync summary notifications are sent to the Application Admin after synchronizing the identities, groups and application accounts. The details are sent in an email and include information such as users/groups created, updated and deleted. |
OAuth and Custom Claims | Custom Issuer Claim in OAuth Tokens | Oracle Identity Cloud Service now provides a way for tenant admins to configure the issuer value to be populated in the OAuth tokens (identity token and access token) instead of using the default (https://identity.oraclecloud.com). |
Language | New Supported Language | The Finnish language is now supported in the Oracle Identity Cloud Service user interface. |
Import User Accounts | New Mandatory Column | Primary Email Type is now a mandatory column when importing users into Oracle Identity Cloud Service. See Import User Accounts. |
REST APIs | Policy Expression Syntax Support for Defining User Correlation Mapping | Oracle Identity Cloud Service SAML now supports policy expression syntax for defining the user correlation mapping between an external Identity Provider's SAML assertion and any Oracle Identity Cloud Service user attribute. See the following example. |
REST APIs | New Administrator Notifications | Specify whether users receive an email notification when an administrator changes their primary, secondary, or recovery email. The following settings were added to /admin/v1/NotificationSettings/NotificationSettings: |
REST APIs | The following new endpoints were added. | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: |
Applications | Performance Enhancement | Performance improvement when rendering the Application user interface. |
Applications | Template | An additional attribute mapping of $(account.mail) has been added to the Microsoft Azure App template. |
Applications | Template | A new version of the FA template is available so that you can edit Application URLs from the user interface. |
Applications | Manage Users in PeopleSoft from Oracle Identity Cloud Service | This guide contains instructions to manage users in PeopleSoft from Oracle Identity Cloud Service. |
Applications | Manage Users in Database from Oracle Identity Cloud Service | This guide contains instructions on how to manage users in Database from Oracle Identity Cloud Service. |
Connectivity | AD Bridge | You can now test connectivity between the AD Bridge client and the AD domain, and also between the AD Bridge client and Oracle Identity Cloud Service. |
Connectors | Generic SCIM | Added configuration to send the Oracle Identity Cloud Service user id as |
EBS Asserter | New Attribute Mapping | Ability to map a custom user attribute in Oracle Identity Cloud Service with EBS FND_USER. |
EBS Asserter | Validation | Self-service validation utility for EBS Asserter. |
Error Messaging | Show the Specific Error Message for a Login Policy Violation | This option is switched on by default and allows the system to display the specific policy-violation error message if the login policy is violated. If the switch is turned off, the system displays the standard error message. |
Export User Accounts | Passwords | Using the Oracle Identity Cloud Service Admin console, you can export the password attribute. See Export User Accounts. |
Identity and Provisioning | Oracle Directory Server Enterprise Edition (ODSEE) | This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Directory Server Enterprise Edition (ODSEE). |
Identity and Provisioning | LDAP V3 | This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and any LDAP V3 directory. See Perform Authoritative Sync and Provisioning for Generic LDAP V3 Directory. |
Identity and Provisioning | Oracle Internet Directory | This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Internet Directory. See Perform Authoritative Sync and Provisioning for Oracle Internet Directory. |
Identity and Provisioning | Oracle Unified Directory | This guide contains instructions to configure bi-directional synchronization between Oracle Identity Cloud Service and Oracle Unified Directory. See Perform Authoritative Sync and Provisioning for Oracle Unified Directory. |
Import User Accounts | New Mandatory Column | The "Primary Email Type" column is a new mandatory column in the user CSV for import. See Import User Accounts. |
Import User Accounts | Replacing Existing Values to CMVA Attributes | When administrators update users by using Import, by default new values are added to existing multi-valued attributes. See Import User Accounts. |
Integration | Application Gateway | Certified Application Gateway with PeopleSoft, JDEdwards, and OBIEE. |
Notifications | New AD Bridge Connectivity Notifications | Tenant administrators get a notification whenever connectivity between AD Bridge and the Oracle Identity Cloud Service server is broken, and also when it is restored. |
Security | MFA | While using Duo as an MFA factor in 19.3.3, the administrator was not able to use any backup factor. That restriction has been removed in 20.1.3. Also, the administrator could not specify the Duo factor as an app-specific MFA factor in a sign-on policy in the 19.3.3 release. Starting from 20.1.3, admins can specify Duo as an app-specific MFA factor in a sign-on policy. |
Security | PAM | Added support for OEL7 in the Oracle Identity Cloud Service Linux PAM. |
User Interface | Streamlined Navigation for Applications | You can now access Oracle Cloud Services from a separate Oracle Cloud Services menu on the Navigation Drawer. Custom applications can be accessed by using the existing Applications menu on the Navigation Drawer. |
Release 19.3.3 — January 2020
Category | Feature | Description |
---|---|---|
Oracle Identity Cloud Service Foundation Stripes | Oracle Identity Cloud Service Foundation stripes in 19.3.3. |
Oracle Identity Cloud Service Foundation stripes are not entitled to use multi-factor authentication (MFA). Additionally, Oracle Identity Cloud Service Foundation stripes are not entitled to use any factor other than Email for account recovery. If these features were enabled in Foundation stripes then, they will be disabled post 19.3.3. |
Applications |
Forms for managed applications can now contain multi-valued attributes. |
If you're assigning a managed application to a user account or a group, then there's a form for the application. If the form contains multi-valued attributes, then an Add button appears to the right of each attribute. Click Add, and then in the Allowed Values window, select the values for the attribute, and click OK. For more information, see the following topics: |
Applications |
Skip OAuth Consent Page |
Configure confidential and mobile applications to disable all resource's requirement for consent page. See Add a Confidential Application and Add a Mobile Application. |
Applications |
Authorization Policy for Enterprise Applications |
Enterprise applications that are protected using App Gateway can now make use of authorization policies. Administrators can define, allow or deny authorization policies using authenticated IdP, group membership, network perimeter, day and time of day as authorization conditions See Configure an Authorization Policy. |
Applications |
OAuth support for Enterprise Applications |
You can configure enterprise applications to work similarly to confidential applications by setting up the Client Configuration and Resource Server Configurations sections in the OAuth Configurations page for the enterprise application. |
Applications |
Enterprise Applications headers support extended and custom user attributes |
Enterprise Application's authentication and authorization policies support sending extended and custom schema user attributes as header variables. See Supported Header Value Expressions for Authentication Policies. |
Applications |
List of default headers and cookies App Gateway adds to request |
Documentation includes a list of default headers and cookies App Gateway adds to the request forwarded to the application during authentication and authorization validation. See Default Headers App Gateway Adds to Request. |
Components |
Upgrade App Gateway |
Upgrade or patch your Oracle Identity Cloud Service App Gateway automatically by using the upgrade script. See Upgrade and Patch App Gateway. |
Components |
Identity Cloud E-Business Suite Asserter |
Integrate Oracle E-Business Suite with Oracle Identity Cloud Service for authentication and password management purposes. See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service. |
Components |
Identity Cloud E-Business Suite Asserter support for Oracle E-Business Suite mobile applications. |
Added support to integrate Oracle Fusion Expenses mobile application in single sign-on with Oracle Identity Cloud Service. See Set up E-Business Suite Mobile Applications. |
Multi-Factor Authentication | Factor Specific MFA |
Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy. See Add a Sign-On Policy. |
Security | New help desk administrator role. |
A new administrator role is available for Oracle Identity Cloud Service: help desk administrator. A help desk administrator can manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts. |
Security |
Customize social identity provider types and metadata. |
You can create your own social identity provider type and customize an icon for it. Or, you can customize metadata for an existing social identity provider type. For example, you can define custom metadata for how to authenticate users against Oracle Identity Cloud Service using the predefined Google social identity provider. You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only. |
Security |
Map a user's attribute value from an identity provider to an external ID. |
When mapping the value of a user's attribute that Oracle Identity Cloud Service receives from a SAML identity provider to a corresponding attribute for the user in Oracle Identity Cloud Service, you can specify an external ID. You use this ID when you want to map the attribute received from the identity provider to a special ID that's associated with the provider. |
Security | Duo as an authentication factor. |
Use Duo Security factors to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service. |
Security |
Select MFA factor for sign-on policies |
Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy. |
Settings |
Integrate Oracle E-Business Suite and Oracle Identity Cloud Service |
In addition to Oracle Internet Directory, you can now use the Provisioning Bridge to integrate Oracle E-Business Suite and Oracle Identity Cloud Service. This bridge provides a link between an on-premises business application (such as Oracle E-Business Suite) and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on Oracle E-Business Suite is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between Oracle E-Business Suite and Oracle Identity Cloud Service. After users are synchronized from Oracle E-Business Suite to Oracle Identity Cloud Service, you can also use the Provisioning Bridge to provision users to the application. Provisioning allows you to use Oracle Identity Cloud Service to manage the life cycle of users in the application. This includes creating, modifying, deactivating, activating, and removing users and their profiles across the application. Any changes that you make to users or their profiles in Oracle Identity Cloud Service are propagated to Oracle E-Business Suite through the Provisioning Bridge. See: |
Settings | Improved field name for Session Expiry. |
On the Session Settings tab, the field Session Expiry has been changed to Session Duration to better reflect the purpose of the setting. No functionality has changed. |
Users | Show custom attributes and some additional out-of-the-box attributes in the Oracle Identity Cloud Service console. |
You can now check the custom attributes and some additional out-of-the-box attributes assigned to a user as other information in the user's Details page of the Oracle Identity Cloud Service console. |
REST APIs | Support for multi-value Expressions in custom claims. |
Based on user expressions, a claim can now return either a single value attribute or all the attributes associated with the expression. See Manage Custom Claims. |
REST APIs | Support Duo as a second authentication factor |
The Authenticate APIs have added a new use case to support Duo Security as a second authentication factor. This use case explains using Oracle Identity Cloud Service Authentication API to authenticate user's credentials with Duo Security. If administrators choose to enable this feature, they must ensure that all custom code which uses these authenticate APIs have been updated to support the payloads for this feature. See Use Duo as a Multi-Factor Authentication Factor. In case users choose to skip Multi-Factor Authentication during single sign-on enrollment, they can enroll to Duo Security using the self service enrollment. The self service (MyProfile) endpoints such as Initiator, validation, and Enroller are enhanced to support Duo Security. |
REST APIs | Enterprise Application creation with authorization policy |
A new use case for creating an enterprise application with authorization policies have been added in the REST APIs for Oracle Identity Cloud Service. See Creating an Enterprise Application with Authorization Policy. |
REST APIs | Trigger an email verification flow if email address is already verified |
A new use case for triggering an email verification flow if email address is already verified have been added in the REST APIs for Oracle Identity Cloud Service. See Triggering an Email Verification Flow if Email Address is Already Verified. |
Runbooks | New runbooks for integrating Oracle Identity Cloud Service with Oracle E-Business Suite and Microsoft Azure. | There are two new runbooks available with version 19.3.3 of Oracle Identity Cloud Service: |
Release 19.2.1 — August 2019
Category | Feature | Description |
---|---|---|
Applications | Customize OAuth Consent Page | Customize the information that appears on the OAuth consent page for custom applications that require consent to access the application's resources. See Edit Consent Information for Custom Applications. |
Applications | Enterprise Application | Learn what enterprise applications are and how to integrate them with Oracle Identity Cloud Service for authentication using App Gateway. See Secure Enterprise Applications with App Gateway. |
Applications | SAML assertion encryption support | Oracle Identity Cloud Service now supports assertion encryption for SAML applications. You can provide a certificate and an encryption algorithm. See Add a SAML Application. |
Applications | Synchronization Failure Report | Learn the reason behind synchronization failures from the synchronization failure report of a provisioning application. See Work with the Synchronization Failure Report. |
Applications | Personal Access Token | Generate and download your personal access tokens. A client application can use these tokens to access a specific resource application for a limited period. See Generate Personal Access Tokens. |
Applications | Assign users and groups to custom applications | Use a form to enter values while assigning users and groups to provisioned applications. See Assign Users to Custom Applications and Assign Groups to Custom Applications. |
Applications | Integrate your Linux environment with Oracle Identity Cloud Service. | A new Pluggable Authentication Module (PAM) for Linux allows you to integrate your Linux environment with Oracle Identity Cloud Service to perform end-user authentication with first- and second-factor authentication. See Manage Linux Authentication using the Identity Cloud Service Linux Pluggable Authentication Module. |
Groups | Populate form fields for managed applications that you assign to groups. | If you assign a managed application to a group, then a form appears for the application. You can populate the fields of this form to reflect the values of your application. Or, if the managed application is already assigned to the group, then you can modify the values in the application form. |
Settings | New notifications | Two new notifications have been added: |
Settings | New Provisioning Bridge feature | A new bridge is available for Oracle Identity Cloud Service: the Provisioning Bridge. This bridge provides a link between your on-premises apps and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on the apps is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. So, if a user is deleted in one of your apps, then this change will be propagated into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between your apps and Oracle Identity Cloud Service. |
Settings | Enhancements to the Microsoft Active Directory (AD) Bridge | There are now two types of imports that you can run by using the Microsoft Active Directory (AD) Bridge to import users and groups from AD into Oracle Identity Cloud Service: After users are imported into Oracle Identity Cloud Service through the AD Bridge, if you activate or deactivate a user, modify a user's attribute values, or change group memberships for a user in Oracle Identity Cloud Service, then these changes will be reflected in AD. See Manage Microsoft Active Directory (AD) Bridges for Oracle Identity Cloud Service. |
Settings | Enable the Access for an unknown device event of Adaptive Security for your custom sign-in page. | Adaptive Security uses the concept of risk providers to allow administrators to configure various contextual and threat events to be analyzed within Oracle Identity Cloud Service. A default risk provider within Oracle Identity Cloud Service is seeded automatically with a list of supported contextual and threat events, such as Access from an unknown device. For this event, if a user accesses Oracle Identity Cloud Service from a device that hasn’t been previously used to access the service, then this event (commonly referred to as Device Fingerprinting) is triggered. Although Oracle Identity Cloud Service has a sign-in page, you may prefer to use your own page. If so, then you can use the Identity Cloud Service Device Fingerprint Utility to enable the Access for an unknown device event of Adaptive Security for your custom sign-in page. See Download Oracle Identity Cloud Service SDKs and Applications. |
Settings | On-demand language support for email and SMS templates. | You can now select French (Canada) as the language for email and SMS notifications. |
Security | New App Gateway Feature | App Gateway enables you to integrate web applications hosted on-premises or on a cloud infrastructure with Oracle Identity Cloud Service for authentication purposes. See Manage Oracle Identity Cloud Service App Gateways. |
Security | New user manager administrator role | A new administrator role is available for Oracle Identity Cloud Service: user manager. A user manager can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts. |
Security | New Account Recovery feature | A new feature is available for Oracle Identity Cloud Service: account recovery. Account recovery is an automated process designed to help users regain access to their accounts if they have trouble signing in, they’re locked out, or they forget their passwords. There are three account recovery factors that administrators can configure for users: In addition to setting account recovery factors, administrators can specify: See Manage Account Recovery in Oracle Identity Cloud Service. |
Security | New events added to the default risk provider | There are three new events added to the risk provider that's associated with Oracle Identity Cloud Service actions. This risk provider, known as the default risk provider, evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users. |
Security | See the cloud account name and instance name from the Identity Cloud Service console. | The names of the primary or secondary instance and of the Oracle Cloud account that was used to create this instance appear in the Identity Cloud Service console. To access this information, click the user icon in the upper-right corner of the console, and then select About from the drop-down menu. The Cloud Account Name and Instance Name fields display the names of the Oracle Cloud account and the instance. |
Security | Network Failure Handling in Delegated Authentication | Oracle Identity Cloud Service provides local password caching, which lets delegated users sign in to Oracle Identity Cloud Service even when Active Directory is not reachable. |
Sign-In | Enhanced sign-in user experience | Oracle Identity Cloud Service has updated the sign-in user experience for the standard Identity Cloud Service sign-in pages for a fresh and more intuitive sign-in process. Users see this new look throughout the sign-in and password reset flows. Although the look is different and usability improvements have been incorporated, the functionality remains the same. This change will be seen by all users of the standard Identity Cloud Service sign-in pages, including Oracle IaaS and PaaS users leveraging Oracle Identity Cloud Service. For customers who have branded the sign-in page by adding a custom logo and text, your logo and text will appear integrated into the new pages. For customers who have replaced Oracle Identity Cloud Service's default sign-in page with a custom one, your custom page won't be impacted as a result of the new sign-in experience. See Oracle is updating the Identity Cloud Service sign-in experience. |
User Settings | Change settings associated with user accounts. | You can now change settings associated with user accounts. For example, you can make the primary email address for a user account a required or optional attribute. By making the primary email address optional, if Oracle Identity Cloud Service integrates with another cloud service or on-premises application, then a user’s email address can be propagated from that service or application back into Oracle Identity Cloud Service, and be designated as the user’s primary email address in Oracle Identity Cloud Service. See Change User Settings. |
Users | Use the My Profile console to edit attribute values for your user account. | You can no longer edit attribute values for your user account from the Identity Cloud Service console. To do this, access the My Profile Details tab of the My Profile console. |
Users | Oracle Identity Cloud Service unlocks all user accounts after 24 hours automatically. | If a user's account is locked, and the user or an administrator doesn't unlock the account within 24 hours, then Oracle Identity Cloud Service will unlock it automatically. See Unlock User Accounts. |
Users | See the Multi-Factor Authentication (MFA) status for users. | By accessing the Security tab for any user account, you can see whether the user is enrolled in Multi-Factor Authentication (MFA). |
Users | See the statement of the terms of use associated with a user's consents. | From the My Consents tab of the My Profile console, users can now see the terms of use they agreed to when accessing applications. See Access Your Consents. |
REST APIs | New endpoints added to Oracle Identity Cloud Service REST APIs | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: |
REST APIs | Deprecated REST API endpoint | The following endpoints are deprecated in the 19.2.1 release: |
REST APIs | New Use cases | The Authenticate APIs have added support for new features such as Account Recovery (SMS and Security Questions) and Terms of Use. If an administrator chooses to enable these new features, they must ensure that all custom code that uses these authenticate APIs has been updated to support the payloads for these new features. The following use cases have been added: |
REST APIs | OAuth Access Token Size | The OAuth access token size is set to 16000 characters by default. |
Infrastructure | Use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services. | Oracle Identity Cloud Service instances can use the Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services within the same region, without this communication going over the internet. See Supported Cloud Services in Oracle Services Network. See Access to Oracle Services: Service Gateway to learn more about the Oracle Cloud Infrastructure service gateway. |
Other Noteworthy Changes
Category | Feature | Description |
---|---|---|
Reports | PDF Deprecation | From release 19.2.1 onward, PDF report generation is deprecated. Oracle Identity Cloud Service supports only the CSV and JSON formats for report generation. |
Release 18.4.3 — July 2019
Category | Feature | Description |
---|---|---|
Infrastructure | Oracle Identity Cloud Service on Oracle Cloud Infrastructure | As a part of our efforts to improve service reliability and performance, the latest release of Oracle Identity Cloud Service now runs on Oracle Cloud Infrastructure (OCI), our next-gen infrastructure. Learn more about Oracle Cloud Infrastructure. You can find more information about Oracle Identity Cloud Service in the Oracle Help Center. Technical assistance for Oracle Identity Cloud Service is available through Oracle Support. |
Customer Migration to OCI | Oracle Identity Cloud Service on Oracle Cloud Infrastructure | For existing customers, Oracle Identity Cloud Service will be undergoing planned maintenance to migrate network infrastructure in multiple regions. Learn more about the benefits of Oracle Cloud Infrastructure. No action is required by customers to initiate the planned maintenance. Customers will receive an email notification in advance that indicates when the maintenance will occur, and another when the maintenance has completed. Once maintenance has completed, connectivity to Oracle Identity Cloud Service will continue automatically if you have configured your IP ranges in accordance with the instructions below. If this IP range update is not completed before the start of the maintenance window, you may be unable to connect to Oracle Identity Cloud Service. |
Self-Service Diagnostics | Set the diagnostics type to capture operational logs. | Diagnostic Data reporting has been added to the Oracle Identity Cloud Service user interface. See Run the Diagnostic Data Report. |
Release 18.4.2 — December 2018
Category | Feature | Description |
---|---|---|
Adaptive Security | Activate and deactivate the default risk provider | In addition to third-party risk providers, you can now activate and deactivate the default risk provider. |
Adaptive Security | Use the slider to set the weighting for events | Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users. |
Applications | Enhancements to SAML Application Configuration | There are two enhancements to the SAML Application Configuration: |
Applications | Support to allow access to OPC resources | You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has similar See Adding a Confidential Application and Configuring Authorized Resources. |
Notifications | Oracle Identity Cloud Service now checks whether the email address that will appear in the From Email field for all notifications has been verified. | A new feature of the Notifications page is the Check Status button. When you click this button, Oracle Identity Cloud Service checks whether this email address has been verified through the email sent to the postmaster (domain) or to the email account. If the email address isn't verified, then open the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified. If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address. |
Scenarios | Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service | You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts: Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service. You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services: Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service. See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service. |
Terms of Use | Customize Terms of Use for Users | Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications. |
Social Login | Add multiple instances of the same social identity provider | Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance. After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy. |
REST APIs | New endpoints added to Oracle Identity Cloud Service REST APIs | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: |
Other Noteworthy Changes
Category | Feature | Description |
---|---|---|
AD Bridge | Set Permissions for Microsoft Active Directory Bridge | Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegated password reset and synchronization between the Microsoft Active Directory Bridge and Oracle Identity Cloud Service. See Setting Permissions for the Microsoft Active Directory User Account. |
Reports | Change in reports download behavior | Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available. |
Release 18.3.4 — August 2018
Category | Feature | Description |
---|---|---|
Reporting | Diagnostic Data Report | Diagnostic Data reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data. |
Release 18.2.6 — July 2018
Category | Feature | Description |
---|---|---|
Bridge | Enhancements to AD Bridge configuration | For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge: See Configuring a Bridge. |
Notifications | Validate the entire email address instead of the email domain only | Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email. Use the Domain option to send a validation email to the postmaster account of the email’s domain, or the Email option to send an email to an email address for verification purposes. |
Administration | Support for editing Oracle Cloud Applications | As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies. |
REST APIs | New endpoints added to Oracle Identity Cloud Service REST APIs | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: |
REST APIs | Deprecated REST API endpoint | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: In previous releases, the |
Security | Terms of Use | Terms of Use is a feature in Oracle Identity Cloud Service that helps customers set the conditions under which users can access applications, based on the users' consent. This feature allows identity domain administrators to set relevant disclaimers for legal or compliance requirements. |
Release 18.2.4 — May 2018
See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.
Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.
Category | Feature | Description |
---|---|---|
Applications | Update your SAML applications | If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, you will see the Upgrade button visible in the UI. Click the button to upgrade the application. |
Applications | Support for providing a Custom Error URL for applications. | You can now provide a Custom Error URL to which a user is redirected in case of a failure. If one is not provided, the tenant-specific Error page URL is used. See the following topics: |
Applications | Support for configuring a tenant-specific Error page URL | You can now provide a tenant-specific custom Error page URL to which a user is redirected in case of a failure. See Changing Session Settings. |
Applications | Support for providing Linking callback URL | You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete. See the following topics: |
Applications | Use App Gate to access your on-premises applications securely and remotely | Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely. Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications. In addition, the App Gate is an ideal solution for you if: From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads. |
Branding | Revert custom branding to default Oracle branding | If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release. |
REST APIs | Deprecated REST API endpoint | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6: In previous releases, the |
REST APIs | New endpoints added to Oracle Identity Cloud Service REST APIs | The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added: |
Application Development SDKs | Updates to SDKs for web applications | There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service. Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal. |
Other Noteworthy Changes
Category | Feature | Description |
---|---|---|
REST APIs | Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content. | Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation. OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients to request and receive information about authenticated sessions and end users. |
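The identity layer that OpenID Connect adds on top of OAuth 2.0 is carried in the ID token, a signed JWT whose claims a relying party must check before trusting them. The following is an added example, not code from Oracle or from this document, showing the checks a relying party performs on an ID token: signature, issuer (iss), audience (aud), expiry (exp), issued-at (iat) and the nonce that ties the token to the original authentication request. The issuer URL, client ID, shared secret and token claims are constructed placeholders; the token is signed with HMAC-SHA256 so the example runs offline, whereas a real provider publishes an asymmetric key (typically RS256, verified against its JWKS endpoint).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values for the demo (not real Oracle Identity Cloud Service values).
ISSUER = "https://idcs-example.identity.oraclecloud.com"  # assumed issuer URL
CLIENT_ID = "example-client-id"                            # assumed relying-party client ID
SHARED_SECRET = b"constructed-demo-secret"                 # stands in for the provider's signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (HS256) carrying the given claims.
    Demo only: an OIDC provider normally signs ID tokens with an asymmetric key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = SHARED_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID) -> dict:
    """Verify the signature and the ID-token claims a relying party must check.
    Returns the claims on success and raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified (e.g. alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat is in the future")
    # The nonce binds this token to the authentication request that produced it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def validation_error(token: str, expected_nonce: str, now=None):
    """Convenience wrapper: None when the token is acceptable, else the reason it was rejected."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample claims, as a provider would issue them after authentication.
    sample = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
              "iat": 1000, "exp": 1600, "nonce": "n-abc"}
    tok = make_id_token(sample)
    print("valid:", validation_error(tok, "n-abc", now=1200))      # None
    print("expired:", validation_error(tok, "n-abc", now=1700))    # token expired
    print("replayed:", validation_error(tok, "other", now=1200))   # nonce mismatch
```

Only the signature check differs between this demo and a production relying party; the claim checks are the same ones the OpenID Connect Core specification requires, and skipping any of them (most often aud or nonce) lets a token minted for another client, or captured from an earlier login, be accepted.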
Oracle Cloud What’s New for Oracle Identity Cloud Service, Release 20.4.2
E81008-46
December 2020
Copyright © 2016, 2020, Oracle and/or its affiliates.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.