What's New in This Guide?

This section summarizes the new features and significant changes in Administering Oracle Access Management 12c (12.2.1.4.0).

Follow the pointers into this guide to get more information about the features and how to use them.

Features of Oracle Access Management 12c Release 2 (12.2.1.4.0)

Oracle Access Management 12c (12.2.1.4.0) includes the following features:

  • Passwordless Login

    Passwordless authentication allows you to bypass the standard web-form-based authentication when using a mobile device. For details, see Using Passwordless Authentication with OAM.

  • Dynamic Client Registration

    Dynamic Client Registration (DCR) provides a way for native mobile apps (Android) to dynamically register as clients with the OAuth Server (OAM). For details, see Dynamic Client Registration.

  • OAP over REST

    Oracle Access Protocol (OAP) over REST enables the use of HTTP(S) infrastructure to route and load balance requests. Changing the transport mechanism between WebGate and server reduces operational cost for hybrid deployments in which some components are on-premises and others have moved to the cloud. For details, see Securing Communication between OAM Servers and WebGates using OAP over REST.

  • WebGate using PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication

    When Simple/Cert Mode communication occurs, WebGate ensures that only the valid and approved cipher suites defined by the administrator are used. For details, see About WebGate Usage of PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication in Administering Oracle Access Management.

  • HealthCheck Framework

    The HealthCheck Framework enables health checks on servers. These checks can be run on demand through the REST API or scheduled to run periodically on the server; each schedule can be associated with a specified set of tests to run. For details, see Monitoring Server Health with Health Check Framework.

  • Modified UserInfo Response

    The format of the UserInfo response for OAuth flows is modified with the following changes:

    • Additional new parameters guid and sub are included in the response.
    • The parameters Profile, Email, Address, and Phone are returned directly under the root tag instead of in separate containers for each of the parameters.
    • The parameters email_verified and phone_number_verified are returned as booleans.

    For example:

    {
      "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
      "sub": "weblogic",
      "family_name": "weblogic",
      "preferred_username": "weblogic",
      "updated_at": "1548740667872",
      "email_verified": false,
      "phone_number_verified": false
    }

    To retrieve the user info attributes in the older format (see the following example), set the custom attribute UserInfoScopeCont to true at the domain level.

    Sample UserInfo response format when the custom attribute UserInfoScopeCont is set to true:

    {
      "profile": {
        "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
        "sub": "weblogic",
        "family_name": "weblogic",
        "preferred_username": "weblogic",
        "updated_at": "1548743708100"
      },
      "email": {
        "email_verified": false
      },
      "address": {},
      "phone": {
        "phone_number_verified": false
      }
    }

  • Policy Cache Resiliency

    Resilience of the managed servers is improved: a server can read, validate, and replace its policy cache in a small step, and cache building is delegated to the Admin Server. The policy cache is now distributed from the Admin Server to the managed servers in a write-once, read-many fashion, which reduces contention between the policy caches of multiple OAM servers in a cluster.

    Policy cache can be fine-tuned using parameters. For details, see Configuring Policy Cache Parameters.
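The two UserInfo layouts shown under Modified UserInfo Response above (the 12.2.1.4.0 flat layout and the older container layout returned when UserInfoScopeCont is true) can be handled by a single relying-party routine. The following Python block is an added example, not Oracle code from this guide: it parses either layout, lifts claims out of the profile/email/address/phone containers, and coerces the email_verified and phone_number_verified claims to strict booleans so that a string such as "false" is never treated as truthy (the string handling in as_strict_bool is a defensive assumption, not something this page documents). The sample payloads are constructed from the examples in that item.

```python
"""Normalize an OAM OAuth UserInfo response into one flat claim set.

Added example, not Oracle code. Accepts both layouts described in the
guide: the 12.2.1.4.0 flat layout and the older container layout that
is returned when the domain-level custom attribute UserInfoScopeCont
is set to true. The sample payloads below are constructed from the
examples in the guide.
"""
import json

# Containers the older layout wraps claims in.
LEGACY_CONTAINERS = ("profile", "email", "address", "phone")

# Claims a relying party must treat as booleans, never as free text.
BOOLEAN_CLAIMS = ("email_verified", "phone_number_verified")


def is_legacy_layout(payload: dict) -> bool:
    """True when claims are nested under the older scope containers."""
    return any(isinstance(payload.get(c), dict) for c in LEGACY_CONTAINERS)


def as_strict_bool(value) -> bool:
    """Coerce a verification flag defensively.

    A real boolean is returned as-is. The literal strings "true"/"false"
    are accepted as an assumed legacy form (not documented on this page).
    Anything else (None, "yes", 1, ...) is treated as NOT verified, so an
    unexpected value can never grant a verified status.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ("true", "false"):
            return text == "true"
    return False


def normalize_userinfo(raw: str) -> dict:
    """Parse a UserInfo JSON body and return flat claims.

    Claims inside legacy containers are lifted to the top level; any
    top-level claim outside a container is kept as well. Missing
    verification flags default to False. A response without the
    mandatory 'sub' claim is rejected, because a relying party must not
    proceed without a subject identifier.
    """
    payload = json.loads(raw)
    if is_legacy_layout(payload):
        flat = {}
        for container in LEGACY_CONTAINERS:
            section = payload.get(container)
            if isinstance(section, dict):
                flat.update(section)
        for key, value in payload.items():
            if key not in LEGACY_CONTAINERS:
                flat.setdefault(key, value)
    else:
        flat = dict(payload)
    for claim in BOOLEAN_CLAIMS:
        flat[claim] = as_strict_bool(flat.get(claim, False))
    if not flat.get("sub"):
        raise ValueError("UserInfo response has no 'sub' claim")
    return flat


# Constructed sample: 12.2.1.4.0 flat layout (from the guide's example).
FLAT_SAMPLE = """{
  "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
  "sub": "weblogic",
  "family_name": "weblogic",
  "preferred_username": "weblogic",
  "updated_at": "1548740667872",
  "email_verified": false,
  "phone_number_verified": false
}"""

# Constructed sample: older container layout (UserInfoScopeCont=true).
LEGACY_SAMPLE = """{
  "profile": {
    "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
    "sub": "weblogic",
    "family_name": "weblogic",
    "preferred_username": "weblogic",
    "updated_at": "1548743708100"
  },
  "email": {"email_verified": false},
  "address": {},
  "phone": {"phone_number_verified": false}
}"""

if __name__ == "__main__":
    for sample in (FLAT_SAMPLE, LEGACY_SAMPLE):
        print(json.dumps(normalize_userinfo(sample), sort_keys=True))
```

Both samples normalize to the same flat claim set apart from updated_at, which is what lets a relying party stay indifferent to the UserInfoScopeCont setting of the domain it talks to.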

Features Not Supported in Access Manager

This section provides a list of features that are not supported in Access Manager releases.

Features Not Supported in Access Manager 12.2.1.4.0

The unsupported features are the same as in 12.2.1.3.0 release.

Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that are unsupported from OAM 12.2.1.3.0 onwards and provides the migration path for each:

Unsupported Features in OAM 12.2.1.3.0

10g OSSO server co-existence
  Description: OAM 12c server does not support co-existence with the OSSO servers.
  Migration path: Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

OpenSSO server co-existence
  Description: OAM 12c server does not support co-existence with the OpenSSO server.
  Migration path: Upgrade to OAM 11g R2PS3 and then upgrade to OAM 12c.

OAM 10g server co-existence
  Description: OAM 12c server does not support co-existence with the OAM 10g server.
  Migration path: Migrate to the OAM 12c server.

OpenSSO agents
  Description: OpenSSO agents are not supported in the OAM 12c release.
  Migration path: Migrate to supported 12c agents. OAM 11g and 12c WebGates and AccessGates are supported in OAM 12.2.1.3.0.

mod_osso
  Description: OAM 12c does not support mod_osso (OSSO Agent Proxy) agents.
  Migration path: Migrate to 12c WebGate agents and upgrade to OAM 12c.

OAM 10g WebGate
  Description: OAM 12c server does not support OAM 10g WebGates.
  Migration path: Migrate to OAM 11g R2PS3 or OAM 12c WebGates, and upgrade the server to OAM 12c.

IDMConfigTool
  Description: OAM 12c does not support the following commands and attributes:

  • prepareIDStore=FUSION

  • prepareIDStore=OAAM

  • configPolicyStore

  • configOVD

  • disableOVDAccessConfig

  • postProvConfig

  • validate (none of its options are supported)

  • ovdConfigUpgrade

  • upgradeOIMTo11gWebgate

  • POLICYSTORE_SHARES_IDSTORE

  • SPLIT_DOMAIN

IAMSuiteAgent
  Description: OAM 12c does not support IAMSuiteAgent. Until R2PS3, IAMSuiteAgent was the out-of-the-box (OOB) agent protecting the OAM console. From 12c PS3 onwards, this is done using the default OOB login page.
  Migration path: As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a WebGate agent.

Oracle Mobile Security Suite (OMSS)
  Description: OAM 12c does not support OMSS.
  Migration path: It is recommended to use OpenID Connect. For details, see OIDC Client Integrations with Social Identity Providers.

Security Token Service (STS)
  Description: OAM 12c does not support STS.
  Migration path: It is recommended to use OAuth. For details, see Understanding OAuth Services.

Note:

There is no 12c version of Oracle Adaptive Access Manager (OAAM); continue to use OAAM 11g with OAM 12c.

In 12c, for mobile and social login use cases, we recommend that customers use standard OAuth. We are deprecating the proprietary ways of achieving these use cases so that customers can move to a more standards-based approach that allows better interoperability. The following services are deprecated in 12c:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service