What's New in This Guide?

This section summarizes the new features and significant changes in Administering Oracle Access Management 12c (12.2.1.4.0).

Follow the pointers into this guide to get more information about the features and how to use them.

Updates in April 2024 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Checking Authentication Context when OAM is acting as a Service Provider (SP)

    If OAM is acting as an SP, it identifies the Authentication Context of any external SAML Identity Provider (IdP) and proceeds with the SAML authentication based on the authnassurancelevel property. For details, see Checking Authentication Context when OAM is acting as SP.

  • Changing Default Consent Acknowledgment Expiry Time

    A new custom attribute consentAcknowledgeExpiryTimeInSeconds allows you to change the default expiry time to acknowledge the consent approval. For details, see Changing Default Consent Acknowledgment Expiry Time.

  • Ability to set the expiry time for ID_TOKEN

    You can set an expiry time for ID_TOKEN instead of using the expiry time in the ACCESS_TOKEN settings. For details, see Creating an Identity Domain.

  • User Password Change Validation

    Setting the property userPasswordChangeCheckEnabled=true in oam-config.xml validates tokens that were generated before the user's password was updated. For details, see Enabling User Password Change Validation.

  • Client Secret Expiration and Rotation

    By using the custom attribute oldSecretRetentionTimeInDays, you can configure the time for which the old client secret will continue to work. This custom attribute can be defined both at the domain-level and at the client-level. However, the value defined at the client-level takes precedence. For details, see Table 39-1.

  • Ability to Customize Issuer discovery identifier and Iss Token Claim

    With this enhancement, you can mask or omit the port in the issuer value and customize the path component in the OpenID configuration. For details, see Custom Issuer Support.

    Note:

    To enable the Custom Issuer Support feature, perform a GET operation on the /DeployedComponent/Server/NGAMServer/Profile/ssoengine/OAuthConfig endpoint and then a PUT operation on the same endpoint. This ensures that the configuration that has already been applied continues to be effective.

  • Added New Field to View API Key

    With this release a new field API Key is added in the partner details screen. This field allows administrators to share the key details with the relevant partners for secure updates. For details, see Configuring the Signing and Encryption Key.

  • Ability to mask SAML Response attribute in OAM Log Messages

    With this release, Oracle Access Management masks SAML Response attributes in OAM log messages. For details, see Masking SAML Attributes in Log Records.

Updates in October 2023 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • New parameter to fetch the authorization grant details

    A new request parameter, response_mode, determines how the authorization server returns result parameters from the authorization endpoint; it is used to deliver the authorization grant to the redirect_uri in the appropriate format. For details, see Table 40-7.

  • Support for authentication in multiple browser tabs

    OAM supports the multi-tab feature when the serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.

Updates in October 2022 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in October 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • OAM SAML 2.0 Supported Encryption Algorithms

    OAM supports AES-GCM encryption modes.

    For details, see OAM SAML 2.0 Supported Encryption Algorithms and Changing Default Encryption Algorithm

  • Two-way SSL for OAP over REST Communication.

    You can enable mutual authentication for OAP over REST between WebGate and the OAM Server, thereby ensuring that the Server communicates with authentic clients.

    For details, see Enabling two-way SSL for OAP over REST

  • TOTP-based Multi Factor Authentication in OAM

    You can configure MFA using the configureMFA command with config-utility.jar.

    For details, see Configuring TOTP-based Multi Factor Authentication in OAM

  • Token Signing Using Third-Party Certificates

    Access tokens can be signed using a self-signed key pair generated out-of-the-box. In this release, OAM extends the support to allow signing of access tokens using third-party key pairs.

    For details, see Token Signing Using Third-Party Certificates

  • Mutual-TLS (mTLS) Client Authentication in OAM

    In TLS authentication, the server confirms its identity by producing a certificate (public key), which is then verified by the TLS verification process. In mTLS (mutual-TLS), along with the server, the client's identity is also verified. The TLS handshake is utilized to validate the client's possession of the private key corresponding to the public key in the certificate and to validate the corresponding certificate chain.

    For details, see Configuring Client Authentication and Configuring mTLS Client Authentication

  • Custom Claims

    OAM extends the ability to define the custom claims using templates that can be configured at client or domain level. The custom claims can be included in all the access tokens, ID tokens and userinfo. You can also perform value transformation as well as value filtering of the custom claim.

    For details, see Custom Claims

  • OAuth Access Token Maximum Size

    The default OAuth access token length limit has been increased to 7500. This value can be overridden using the OAuth Identity Domain custom parameter accessTokenMaxLength.

  • OAuth Client Update - Support for PATCH Request

    Introduces support for the PATCH request when modifying OAuth clients. With a PATCH operation, OAM appends the values from the request to the existing scopes; the same behavior applies to redirect_uris, grant types, and custom attributes. The existing PUT operation replaces the contents of the OAuth client parameters with the values from the request.

Updates in April 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in January 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Recommendation to Use Embedded Credential Collector (ECC) in OAM 12c

    It is recommended that you use ECC for the new features introduced in OAM 12c, because some of them do not support DCC. For example, OpenID Connect with DCC is not supported.

    For additional details, see Doc ID 2634863.1 at https://support.oracle.com.

    See also Overview of Access Manager Credential Collection and Embedded Credential Collector Versus Detached Credential Collector.

  • Proof Key for Code Exchange (PKCE) Support in OAM

    Introduces PKCE support in the existing OAM OAuth Authorization Code Grant Flow. It can be used to enhance the security of the existing 3-legged OAuth, mitigating possible authorization code interception attacks. You can enable PKCE at the domain level or just for a specific client.

    Note:

    OAM validates code_challenge as Base64 with padding. To fix this and ensure RFC-compliant behavior for the code_challenge (Base64 without padding, as described in https://tools.ietf.org/html/rfc7636#appendix-A), you must download and apply OAM Patch 32406872. For details, see the note How To Enable OAuth Proof Key For Code Exchange (PKCE) in Oracle Access Manager (OAM) 12.2.1.4 (Doc ID 2755209.1) at https://support.oracle.com.

    OAM will support only the RFC compliant behavior in all the subsequent releases.

    For more information, see Proof Key for Code Exchange (PKCE) Support in OAM.

  • Keep the OAUTH_TOKEN Response Unset

    OAM provides an option to not set the OAUTH_TOKEN cookie or header when SSO Session Linking is enabled. You must set the challenge parameter IS_OAUTH_TOKEN_RESPONSE_SET to false.

    Note:

    If IS_OAUTH_TOKEN_RESPONSE_SET is not configured, or is set to true, the OAUTH_TOKEN cookie/header is set.
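The PKCE note above turns on one detail: the S256 code_challenge is base64url without padding (RFC 7636 Appendix A), and a server that expects the padded form rejects compliant clients. The following added example (not OAM code, and not from the Oracle documentation) shows the client-side challenge derivation and the server-side check at the token endpoint, with a strict mode that accepts only the unpadded encoding and a lenient mode that also tolerates the padded one; it is verified against the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import secrets

# RFC 7636 section 4.1: code_verifier uses [A-Za-z0-9-._~], 43 to 128 characters.
VERIFIER_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789-._~")


def base64url_no_padding(raw: bytes) -> str:
    """RFC 7636 Appendix A encoding: base64url with the trailing '=' removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(length: int = 64) -> str:
    """Client side: a fresh, high-entropy code_verifier for one authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires 43..128 verifier characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str, padded: bool = False) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))).
    padded=True keeps the '=' padding, the non-compliant encoding the note says
    OAM validated against before Patch 32406872."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    if padded:
        return base64.urlsafe_b64encode(digest).decode("ascii")
    return base64url_no_padding(digest)


def verify_code_challenge(code_verifier: str, code_challenge: str,
                          method: str = "S256", rfc_strict: bool = True) -> bool:
    """Authorization-server side, at the token endpoint: does the presented
    code_verifier match the code_challenge stored with the authorization code?
    rfc_strict=True accepts only the unpadded form; False also tolerates padding."""
    if not code_challenge.isascii():
        return False
    if method == "plain":
        candidates = [code_verifier]
    elif method == "S256":
        candidates = [code_challenge_s256(code_verifier)]
        if not rfc_strict:
            candidates.append(code_challenge_s256(code_verifier, padded=True))
    else:
        return False  # unknown code_challenge_method: reject
    # Constant-time comparison so the check does not leak through timing.
    return any(secrets.compare_digest(code_challenge, c) for c in candidates)


# Test vector from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```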

Updates in October 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Support for AWS Role Mapping Attribute in SAML Response

    Introduces a new function that can be configured in the SP Attribute Profile to support the AWS role mapping attribute in the SAML response.

    For details, see AWS Role Mapping Attribute in SAML Response

  • Support for Attribute Value Mapping and Filters in OAM Federation

    OAM Federation already supported Attribute Name Mapping; this release extends it with Attribute Value Mapping and Attribute Filtering.

    For details, see Using Attribute Value Mapping and Filtering

Updates in July 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in April 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • OAuth Consent Management

    Provides the capability to manage and persist user consents and a mechanism to revoke them across data centers. Consent revocation is available to both administrators and individual users.

    For details, see Enabling Consent Management and Enabling Consent Management on MDC

  • OAuth Just-In-Time (JIT) User Linking and Creation

    Provides the capability to provision users automatically. The ID token received from the IdP carries user attributes such as userId, user name, first name, last name, and email address, which can be used to link the user to an entry in the local identity store or to create the entry if it does not exist.

    For details, see OAuth Just-In-Time (JIT) User Provisioning

  • OAM Snapshot Tool

    Provides tooling to create a snapshot of the OAM Domain with all its configurations, persist it, and use it for creating fully functional OAM Domain clones.

    For details, see Using the OAM Snapshot Tool

Features of Oracle Access Management 12c Release 2 (12.2.1.4.0)

Oracle Access Management 12c (12.2.1.4.0) includes the following features:

  • Passwordless Login

    Passwordless authentication allows you to bypass the standard web form based authentication when using a mobile device. For details, see Using Passwordless Authentication with OAM.

  • Dynamic Client Registration

    Dynamic Client Registration (DCR) provides a way for native mobile apps (Android) to register dynamically as clients with the OAuth Server (OAM). For details, see Dynamic Client Registration.

  • OAP over REST

    Oracle Access Protocol (OAP) over REST enables the use of HTTP(S) infrastructure to route and load-balance requests. Changing the transport mechanism between WebGate and server reduces operational cost for hybrid deployments where some components are on-premises and others have moved to the cloud. For details, see Securing Communication between OAM Servers and WebGates using OAP over REST.

  • WebGate using PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication

    When Simple/Cert Mode communication occurs, WebGate ensures that only the valid, approved cipher suites defined by the administrator are used. For details, see About WebGate Usage of PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication in Administering Oracle Access Management.

  • HealthCheck Framework

    The HealthCheck Framework enables health checks on servers. These checks can be run through the REST API or by scheduling periodic checks on the server; each schedule can be associated with a specified set of tests to run. For details, see Monitoring Server Health with Health Check Framework.

  • Modified UserInfo Response

    The format of the UserInfo response for OAuth flows is modified with the following changes:

    • The new parameters guid and sub are included in the response.
    • The Profile, Email, Address, and Phone parameters are returned directly under the root instead of in a separate container for each of them.
    • The parameters email_verified and phone_number_verified are returned as booleans.

    For example,

    {
        "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
        "sub": "weblogic",
        "family_name": "weblogic",
        "preferred_username": "weblogic",
        "updated_at": "1548740667872",
        "email_verified": false,
        "phone_number_verified": false
    }

    To retrieve the user info attributes in the older format (see the following example), set the custom attribute UserInfoScopeCont to true at the domain level.

    Sample UserInfo response format when the custom attribute UserInfoScopeCont is set:

    {
        "profile": {
            "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
            "sub": "weblogic",
            "family_name": "weblogic",
            "preferred_username": "weblogic",
            "updated_at": "1548743708100"
        },
        "email": {
            "email_verified": false
        },
        "address": {},
        "phone": {
            "phone_number_verified": false
        }
    }

  • Policy Cache Resiliency

    Improves the resilience of the managed servers: a server can read, validate and replace its policy cache in a small step, and cache building is delegated to the Admin Server. The policy cache is distributed from the Admin Server to the managed servers in a write-once, read-many fashion, which reduces contention between the policy caches of the OAM servers in a cluster.

    Policy cache can be fine-tuned using parameters. For details, see Configuring Policy Cache Parameters.
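A relying party that talks to domains with and without UserInfoScopeCont has to cope with both UserInfo layouts shown in the Modified UserInfo Response item above. The following added example (not OAM code, and not from the Oracle documentation) normalizes either layout into one flat claim set and applies the OpenID Connect Core 5.3.2 rule that the UserInfo sub must match the sub of the already-validated ID token; the two sample responses are constructed from the values shown above, with expected_sub assumed to be supplied by the caller.

```python
import json

# Constructed samples modelled on the two UserInfo formats shown in the item above
# (the same claim values as those samples; illustrative, not live data).
FLAT_USERINFO = """{
  "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
  "sub": "weblogic",
  "family_name": "weblogic",
  "preferred_username": "weblogic",
  "updated_at": "1548740667872",
  "email_verified": false,
  "phone_number_verified": false
}"""

CONTAINER_USERINFO = """{
  "profile": {"guid": "6C9CF210194A11E99FB45DDD0C60B95A", "sub": "weblogic",
              "family_name": "weblogic", "preferred_username": "weblogic",
              "updated_at": "1548740667872"},
  "email": {"email_verified": false},
  "address": {},
  "phone": {"phone_number_verified": false}
}"""

# Per-scope containers used when UserInfoScopeCont is set at the domain level.
SCOPE_CONTAINERS = ("profile", "email", "address", "phone")


def normalize_userinfo(body: str, expected_sub=None) -> dict:
    """Return one flat claim dict regardless of the UserInfoScopeCont layout.

    expected_sub is the 'sub' of the ID token the client already validated
    (assumption: the caller passes it when available). OpenID Connect Core
    5.3.2 requires rejecting a UserInfo response whose 'sub' differs from it.
    """
    data = json.loads(body)
    # The container layout is recognised by a "profile" object at the root;
    # in the flat layout "profile", if present at all, is a plain string claim.
    container_layout = isinstance(data.get("profile"), dict)
    claims = {}
    for key, value in data.items():
        if container_layout and key in SCOPE_CONTAINERS and isinstance(value, dict):
            claims.update(value)   # lift the scope's claims to the root
        else:
            claims[key] = value    # already a root-level claim
    if "sub" not in claims:
        raise ValueError("UserInfo response has no 'sub' claim")
    if expected_sub is not None and claims["sub"] != expected_sub:
        raise ValueError("UserInfo 'sub' does not match the ID token subject")
    return claims
```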

Features Not Supported in Access Manager

This section provides a list of features that are not supported in Access Manager releases.

Features Not Supported in Access Manager 12.2.1.4.0

The unsupported features are the same as in 12.2.1.3.0 release.

Features Not Supported in Access Manager 12.2.1.3.0

The following table lists the features that will be unsupported from OAM 12.2.1.3.0 and provides the migration path:

Unsupported Feature: 10g OSSO server co-existence
  Description: OAM 12c server does not support co-existence with the OSSO servers.
  Migration Path: Upgrade from OSSO to OAM 11g R2PS3 and then upgrade to OAM 12c.

Unsupported Feature: OpenSSO server co-existence
  Description: OAM 12c server does not support co-existence with the OpenSSO server.
  Migration Path: Upgrade to OAM 11g R2PS3 and then upgrade to OAM 12c.

Unsupported Feature: OAM 10g server co-existence
  Description: OAM 12c server does not support co-existence with the OAM 10g server.
  Migration Path: Migrate to the OAM 12c server.

Unsupported Feature: OpenSSO agents
  Description: OpenSSO agents are not supported in the OAM 12c release.
  Migration Path: Migrate to supported 12c agents. OAM 11g and 12c WebGates and AccessGates are supported in OAM 12.2.1.3.0.

Unsupported Feature: mod_osso
  Description: OAM 12c does not support mod_osso (OSSO Agent Proxy) agents.
  Migration Path: Migrate to 12c WebGate agents and upgrade to OAM 12c.

Unsupported Feature: OAM 10g WebGate
  Description: OAM 12c server does not support OAM 10g WebGates.
  Migration Path: Migrate to OAM 11g R2PS3 or OAM 12c WebGates, and upgrade the server to OAM 12c.

Unsupported Feature: IDMConfigTool
  Description: OAM 12c does not support the following commands and attributes:

    • prepareIDStore= FUSION

    • prepareIDStore= OAAM

    • configPolicyStore

    • configOVD

    • disableOVDAccessConfig

    • postProvConfig

    • validate: All options are not supported

    • ovdConfigUpgrade

    • upgradeOIMTo11gWebgate

    • POLICYSTORE_SHARES_IDSTORE

    • SPLIT_DOMAIN

Unsupported Feature: IAMSuiteAgent
  Description: OAM 12c does not support IAMSuiteAgent. Until R2PS3, IAMSuiteAgent was the OOB agent protecting the OAM console. From 12c PS3 onwards, this is done using the default OOB Login page.
  Migration Path: As per the EDG (Enterprise Development Guide), it is recommended to protect the OAM console using a WebGate agent.

Unsupported Feature: Oracle Mobile Security Suite (OMSS)
  Description: OAM 12c does not support OMSS.
  Migration Path: It is recommended to use OpenID Connect. For details, see OIDC Client Integrations with Social Identity Providers.

Unsupported Feature: Security Token Service (STS)
  Description: OAM 12c does not support STS.
  Migration Path: It is recommended to use OAuth. For details, see Understanding OAuth Services.

Note:

There is no 12c version of Oracle Adaptive Access Manager (OAAM); continue to use OAAM 11g with OAM 12c.

In 12c, for mobile and social login use cases, we recommend that customers use standard OAuth. The proprietary ways of achieving these use cases are deprecated so that customers can move to a more standards-based approach with better interoperability. The following services are deprecated in 12c:

  • Mobile and Social Services

  • Mobile OAuth Service

  • Security Token Service

  • Access Portal Service