What's New in This Guide?

This section summarizes the new features and significant changes in Administering Oracle Access Management 12c (12.2.1.3.0)

Follow the pointers into this guide to get more information about the features and how to use them.

Updates in April 2020 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management addresses bug fixes.

Updates in November 2019 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management addresses bug fixes.

Updates in April 2018 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

OpenIDConnect implements authentication as an extension to the OAuth 2.0 authorization process. It provides easily consumable ID Tokens that are obtained by Clients using OAuth 2.0 flows.

OpenIDConnect provides an identity layer on top of OAuth 2.0 protocol. It allows clients to:
  • Verify the identity of the end-user based on the authentication performed by an Authorization Server.

  • Obtain profile information in an interoperable REST-like manner.

See Managing the Oracle Access Management OAuth Service and OpenIDConnect to understand, manage and integrate the OpenIDConnect functionality in OAM.

Webgate can now understand OpenID Connect protocols and works with Oracle Identity Cloud Services (IDCS) and Oracle Access Management (OAM) servers. See Integrating Webgate with the Open ID Connect Server

Updates in January 2018 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

The forgot password feature in OAM can be accomplished using One Time Pin (OTP) generation and ChangePassword using OTP REST APIs. See Configuring Forgot Password using OTP for the setup steps required for enabling forgot password flow using OTP in OAM.

Updates in October 2017 Documentation Refresh for 12c Release 2 (12.2.1.3.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains content updates and addresses bug fixes.

Features of Access Manager 12.2.1.3.0

Table -1 provides an overview of Access Manager 12.2.1.3.0.

Table -1 Features in Access Manager 12.2.1.3.0

Features Description

OAM Caching Simplification

OAM 12c supports database-backed server-side session management to synchronize the session state across multiple nodes of an OAM 12c server cluster. See Maintaining Access Manager Sessions.

It implements database-based authentication plugin import, distribution and activation. See Table 22-16

The configuration and policy is propagated through the configuration and policy store using periodic polling. See Polling Interval for System and Policy Configuration

MDC lifecycle simplification

This feature simplifies the process of setting up and administering OAM  Multi-data Center Topologies without using T2P tooling. New REST based APIs introduced for administrative and diagnostic purposes significantly reduce the number of configuration steps performed in the MDC environment. Migration of OAM system configuration and policy artifacts from one Data Center to another is now simplified and done through MDC Admin REST APIs.

See Setting Up the Multi-Data Center: A Sequence

TLS1.2 Support

OAM 12c supports TLS1.2 to provide communications security over the internet. All the simple mode certificates that are generated out-of-the-box for WebGate SSL communication are upgraded to SHA2 .

See TLS 1.2 Support in Oracle Access Management

OAuth MDC Support

OAuth MDC provides support for OAuth in a Multi Data Center environment. This feature supports the following:

  • OAuth Artifacts (such as Identity Domains, Clients, Resources, and so on) created on Data Center1(DC1) are visible and are seamlessly synchronized across data centers.

  • OAuth trust artifacts (such as trust certificates used to sign and issue JWT tokens) are visible across other data centers.

  • An OAuth token generated on DC1 will be validated on other data centers. Runtime will work seamlessly with different DCs.

  • A session created on DC1 associated with a validated token is seamlessly validated by other DCs when the request reaches them.

  • Refresh token generated on DC1 will be valid on DC2. When played against DC2, it is validated and an access token is generated on DC2.

See Configuring OAuth Services in 12c

Password policy

OAM 12c supports multiple password policies for setting up varied levels of password based complexity protection for users belonging to different groups. See Multiple Password Policies

Forgot Password feature in OAM can be experienced using One Time Pin generation by using password change REST APIs. See Setting up the Forgot Password Module

Forced Password change can be administered using REST API’s. See Key Password Attributes in a Password Policy

OMA App
  • Experience a new enhanced enrollment process for adding your accounts to the OMA app.

  • Use App Protection feature to protect your OMA app with a fingerprint identity sensor such as Touch ID for iOS and Fingerprint for Android.

  • Windows 10 platform is now supported.

See Configuring the Oracle Mobile Authenticator

Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that are unsupported from OAM 12.2.1.3.0 and provides the migration path.

Unsupported Features in OAM 12.2.1.3.0 Description Migration Path

10g OSSO server co-existence

OAM 12c server does not support co-existence with the OSSO servers

Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

OpenSSO server co-existence

OAM 12c server does not support co-existence with the OpenSSO server. Upgrade to OAM 11gR2PS3 and then upgrade to OAM 12c.
OAM 10g server co-existence OAM 12c server does not support co-existence with OAM 10g server. Migrate to OAM 12c server.
OpenSSO agents OpenSSO agents are not supported in the OAM 12c release.

Migrate to supported 12c agents.

OAM 11g and 12c WebGates and Accessgates are supported in OAM 12.2.1.3.0

mod_osso OAM 12c does not support mod OSSO (OSSO Agent Proxy) agents. Migrate to 12c WebGate agents and upgrade to OAM 12c.
OAM10g WebGate OAM 12c server does not support OAM 10 WebGates.

Migrate to OAM11g R2PS3 or OAM 12c WebGates

Upgrade the server to OAM 12c.

IDMConfigTool OAM 12c does not support the following IDMConfigTool commands and attributes:
  • prepareIDStore=OAAM

  • prepareIDStore=FUSION

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate

  • POLICYSTORE_SHARES_IDSTORE

  • SPLIT_DOMAIN

 
IAMSuiteAgent

OAM 12c does not support IAMSuiteAgent.

Till R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using default OOB Login page.

As per EDG (Enterprise Development Guide), it is recommended to protect OAM console using a webgate agent.

 
Oracle Mobile Security Suite (OMSS) OAM 12c does not support OMSS.