What's New in This Guide?

This section summarizes the new features and significant changes in Administering Oracle Access Management 12c (12.2.1.3.0)

Follow the pointers into this guide to get more information about the features and how to use them.

Updates in October 2022 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management addresses bug fixes.

Updates in January 2021 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Recommendation to Use Embedded Credential Collector (ECC) in OAM 12c
It is recommended that you use ECC for the new features introduced in OAM 12c. Some of the new features introduced in OAM 12c do not support DCC. For example, OpenIDConnect with DCC is not supported.

For additional details, see Doc ID 2634863.1 at https://support.oracle.com.

Also see, Overview of Access Manager Credential Collection and Embedded Credential Collector Versus Detached Credential Collector
Keep the OAUTH_TOKEN Response Unset

OAM provides an option to not set the OAUTH_TOKEN cookie or header when SSO Session Linking is enabled. You must set the challenge parameter IS_OAUTH_TOKEN_RESPONSE_SET to false.

Note:
If IS_OAUTH_TOKEN_RESPONSE_SET is not configured, or set to true then the OAUTH_TOKEN cookie/header is set.

Updates in October 2020 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Support for AWS Role Mapping Attribute in SAML Response

Introduces a new function that can be configured in SP Attribute Profile for supporting the AWS role mapping attribute in SAML response.

For details, see AWS Role Mapping Attribute in SAML Response
Support for Attribute Value Mapping and Filters in OAM Federation

OAM federation supported Attribute Name Mapping. It extends the support for Attribute Value Mapping and Attribute Filtering features.

For details, see Using Attribute Value Mapping and Filtering

Updates in July 2020 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Support for SameSite=None Attribute in OAM Cookies
OAM adds SameSite=None attribute to all the cookies set by WebGate and OAM Server.

For details, see Support for SameSite=None Attribute in OAM Cookies

Updates in April 2020 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management addresses bug fixes.

Updates in November 2019 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management addresses bug fixes.

Updates in April 2018 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

OpenIDConnect implements authentication as an extension to the OAuth 2.0 authorization process. It provides easily consumable ID Tokens that are obtained by Clients using OAuth 2.0 flows.

OpenIDConnect provides an identity layer on top of OAuth 2.0 protocol. It allows clients to:

Verify the identity of the end-user based on the authentication performed by an Authorization Server.
Obtain profile information in an interoperable REST-like manner.

See Managing the Oracle Access Management OAuth Service and OpenIDConnect to understand, manage and integrate the OpenIDConnect functionality in OAM.

Updates in January 2018 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

The forgot password feature in OAM can be accomplished using One Time Pin (OTP) generation and ChangePassword using OTP REST APIs. See Configuring Forgot Password using OTP for the setup steps required for enabling forgot password flow using OTP in OAM.

Updates in October 2017 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

Using configuration URLs, you can manually create the quick response (QR) code and scan it offline to link the OMA App to an account. See Adding an Account to the OMA App by Scanning the QR Code
If there is an exception logged in OAM server logs on the failure of oamkeystore data decryption while configuring MDC using REST APIs, you can safely ignore it and restart the clone data center to set all the internal keys between Master and Clone data centers. See Fail to Decrypt oamkeystore Data with Cipher Key from OAM Config.
Integration of Access Manager with Microsoft Sharepoint Server is supported using 11g Webgate agent. See Integrating Microsoft SharePoint Server with Access Manager relevant to 12c release.

Features of Access Manager 12.2.1.3.0

Table -1 provides an overview of Access Manager 12.2.1.3.0.

Table -1 Features in Access Manager 12.2.1.3.0

Features	Description
OAM Caching Simplification	OAM 12c supports database-backed server-side session management to synchronize the session state across multiple nodes of an OAM 12c server cluster. See Maintaining Access Manager Sessions. It implements database-based authentication plugin import, distribution and activation. See Table 22-16 The configuration and policy is propagated through the configuration and policy store using periodic polling. See Polling Interval for System and Policy Configuration
MDC lifecycle simplification	This feature simplifies the process of setting up and administering OAM Multi-data Center Topologies without using T2P tooling. New REST based APIs introduced for administrative and diagnostic purposes significantly reduce the number of configuration steps performed in the MDC environment. Migration of OAM system configuration and policy artifacts from one Data Center to another is now simplified and done through MDC Admin REST APIs. See Setting Up the Multi-Data Center: A Sequence
TLS1.2 Support	OAM 12c supports TLS1.2 to provide communications security over the internet. All the simple mode certificates that are generated out-of-the-box for WebGate SSL communication are upgraded to SHA2 . See TLS 1.2 Support in Oracle Access Management
OAuth MDC Support	OAuth MDC provides support for OAuth in a Multi Data Center environment. This feature supports the following: OAuth Artifacts (such as Identity Domains, Clients, Resources, and so on) created on Data Center1(DC1) are visible and are seamlessly synchronized across data centers. OAuth trust artifacts (such as trust certificates used to sign and issue JWT tokens) are visible across other data centers. An OAuth token generated on DC1 will be validated on other data centers. Runtime will work seamlessly with different DCs. A session created on DC1 associated with a validated token is seamlessly validated by other DCs when the request reaches them. Refresh token generated on DC1 will be valid on DC2. When played against DC2, it is validated and an access token is generated on DC2. See Configuring OAuth Services in 12c
Password policy	OAM 12c supports multiple password policies for setting up varied levels of password based complexity protection for users belonging to different groups. See Multiple Password Policies Forgot Password feature in OAM can be experienced using One Time Pin generation by using password change REST APIs. See Setting up the Forgot Password Module Forced Password change can be administered using REST API’s. See Key Password Attributes in a Password Policy
OMA App	Experience a new enhanced enrollment process for adding your accounts to the OMA app. Use App Protection feature to protect your OMA app with a fingerprint identity sensor such as Touch ID for iOS and Fingerprint for Android. Windows 10 platform is now supported. See Configuring the Oracle Mobile Authenticator

Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that are unsupported from OAM 12.2.1.3.0 and provides the migration path.

Unsupported Features in OAM 12.2.1.3.0	Description	Migration Path
10g OSSO server co-existence	OAM 12c server does not support co-existence with the OSSO servers	Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.
OpenSSO server co-existence	OAM 12c server does not support co-existence with the OpenSSO server.	Upgrade to OAM 11gR2PS3 and then upgrade to OAM 12c.
OAM 10g server co-existence	OAM 12c server does not support co-existence with OAM 10g server.	Migrate to OAM 12c server.
OpenSSO agents	OpenSSO agents are not supported in the OAM 12c release.	Migrate to supported 12c agents. OAM 11g and 12c WebGates and Accessgates are supported in OAM 12.2.1.3.0
mod_osso	OAM 12c does not support mod OSSO (OSSO Agent Proxy) agents.	Migrate to 12c WebGate agents and upgrade to OAM 12c.
OAM10g WebGate	OAM 12c server does not support OAM 10 WebGates.	Migrate to OAM11g R2PS3 or OAM 12c WebGates Upgrade the server to OAM 12c.
IDMConfigTool	OAM 12c does not support the following IDMConfigTool commands and attributes: prepareIDStore=OAAM prepareIDStore=FUSION configPolicyStore configOVD disableOVDAccessConfig postProvConfig validate ovdConfigUpgrade upgradeOIMTo11gWebgate POLICYSTORE_SHARES_IDSTORE SPLIT_DOMAIN
IAMSuiteAgent	OAM 12c does not support IAMSuiteAgent. Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using default OOB Login page. As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.
Oracle Mobile Security Suite (OMSS)	OAM 12c does not support OMSS.