
Oracle® Cloud

What’s New for Oracle Identity Cloud Service

Release 19.3.3

E81008-41

January 2020

What’s New for Oracle Identity Cloud Service

When new and changed features become available, Oracle Identity Cloud Service instances are upgraded in the data centers where Oracle Cloud services are hosted. Here’s an overview of new features and enhancements added recently to improve your Oracle Identity Cloud Service experience.

This guide documents the complete set of new and changed features for Oracle Identity Cloud Service. Your localized version of Oracle Identity Cloud Service might contain a subset of these features. Therefore, you might find features in this documentation that are not available in your localized version of Oracle Identity Cloud Service.

Application Integration

To find out about the new applications and features that have been added to the Oracle Identity Cloud Service Application Catalog, see the What's New section of the Oracle Identity Cloud Service - Application Catalog.

Topics:

• Release 19.3.3 — January 2020

• Release 19.2.1 — August 2019

• Release 18.4.3 — July 2019

• Release 18.4.2 — December 2018

• Release 18.3.4 — August 2018

• Release 18.2.6 — July 2018

• Release 18.2.4 — May 2018

• Release 18.1.6 — March 2018

• Release 18.1.2 — February 2018

• Release 17.4.6 — December 2017

• Release 17.4.2 — November 2017

• Release 17.3.6 — September 2017

• Release 17.3.4 — September 2017

• Release 17.3.2 — July 2017

Release 19.3.3 — January 2020

Category Feature Description

Category: Oracle Identity Cloud Service Foundation Stripes
Feature: Oracle Identity Cloud Service Foundation stripes in 19.3.3.
Description: Oracle Identity Cloud Service Foundation stripes are not entitled to use multi-factor authentication (MFA). Additionally, Oracle Identity Cloud Service Foundation stripes are not entitled to use any factor other than Email for account recovery. If these features were enabled in Foundation stripes, then they will be disabled post 19.3.3.

Category: Applications
Feature: Forms for managed applications can now contain multi-valued attributes.
Description: If you're assigning a managed application to a user account or a group, then there's a form for the application. If the form contains multi-valued attributes, then an Add button appears to the right of each attribute. Click Add, and then in the Allowed Values window, select the values for the attribute, and click OK.

For more information, see the following topics:

• Assign Applications to the User Account

• Assign Applications to the Group

• Assign Users to Custom Applications

• Assign Groups to Custom Applications

Category: Applications
Feature: Skip OAuth Consent Page
Description: Configure confidential and mobile applications to disable all resource's requirement for consent page. See Add a Confidential Application and Add a Mobile Application.

Category: Applications
Feature: Authorization Policy for Enterprise Applications
Description: Enterprise applications that are protected using App Gateway can now make use of authorization policies. Administrators can define, allow or deny authorization policies using authenticated IdP, group membership, network perimeter, day and time of day as authorization conditions. See Configure an Authorization Policy.

Category: Applications
Feature: OAuth support for Enterprise Applications
Description: You can configure enterprise applications to work similarly to confidential applications by setting up the Client Configuration and Resource Server Configurations sections in the OAuth Configurations page for the enterprise application.

Category: Applications
Feature: Enterprise Applications headers support extended and custom user attributes
Description: Enterprise Application's authentication and authorization policies support sending extended and custom schema user attributes as header variables. See Supported Header Value Expressions for Authentication Policies.

Category: Applications
Feature: List of default headers and cookies App Gateway adds to request
Description: Documentation includes a list of default headers and cookies App Gateway adds to the request forwarded to the application during authentication and authorization validation. See Default Headers App Gateway Adds to Request.

Category: Components
Feature: Upgrade App Gateway
Description: Upgrade or patch your Oracle Identity Cloud Service App Gateway automatically by using the upgrade script. See Upgrade and Patch App Gateway.

Category: Components
Feature: Identity Cloud E-Business Suite Asserter
Description: Integrate Oracle E-Business Suite with Oracle Identity Cloud Service for authentication and password management purposes. See Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service.

Category: Components
Feature: Identity Cloud E-Business Suite Asserter support for Oracle E-Business Suite mobile applications.
Description: Added support to integrate Oracle Fusion Expenses mobile application in single sign-on with Oracle Identity Cloud Service. See Set up E-Business Suite Mobile Applications.

Category: Multi-Factor Authentication
Feature: Factor Specific MFA
Description: Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy.

See Add a Sign-On Policy.

Category: Security
Feature: New help desk administrator role.
Description: A new administrator role is available for Oracle Identity Cloud Service: help desk administrator. A help desk administrator can manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

See Understand Administrator Roles.

Category: Security
Feature: Customize social identity provider types and metadata.
Description: You can create your own social identity provider type and customize an icon for it. Or, you can customize metadata for an existing social identity provider type. For example, you can define custom metadata for how to authenticate users against Oracle Identity Cloud Service using the predefined Google social identity provider.

You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only.

See Add a Social Identity Provider.

Category: Security
Feature: Map a user's attribute value from an identity provider to an external ID.
Description: When mapping the value of a user's attribute that Oracle Identity Cloud Service receives from a SAML identity provider to a corresponding attribute for the user in Oracle Identity Cloud Service, you can specify an external ID. You use this ID when you want to map the attribute received from the identity provider to a special ID that's associated with the provider.

See Import Metadata for a SAML Identity Provider.

Category: Security
Feature: Duo as an authentication factor.
Description: Use Duo Security factors to securely authenticate and to sign into apps secured by Oracle Identity Cloud Service.

See Configure Duo Security Settings.

Category: Security
Feature: Select MFA factor for sign-on policies
Description: Administrators can now define sign-on policies to require end-users to verify specific MFA factors based on application, group membership and other conditions available in the sign-on policy.

Category: Settings
Feature: Integrate Oracle E-Business Suite and Oracle Identity Cloud Service
Description: In addition to Oracle Internet Directory, you can now use the Provisioning Bridge to integrate Oracle E-Business Suite and Oracle Identity Cloud Service. This bridge provides a link between an on-premises business application (such as Oracle E-Business Suite) and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on Oracle E-Business Suite is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between Oracle E-Business Suite and Oracle Identity Cloud Service.

After users are synchronized from Oracle E-Business Suite to Oracle Identity Cloud Service, you can also use the Provisioning Bridge to provision users to the application. Provisioning allows you to use Oracle Identity Cloud Service to manage the life cycle of users in the application. This includes creating, modifying, deactivating, activating, and removing users and their profiles across the application. Any changes that you make to users or their profiles in Oracle Identity Cloud Service are propagated to Oracle E-Business Suite through the Provisioning Bridge.

See:

• Manage Provisioning Bridges in Oracle Identity Cloud Service

• Synchronize and Provision Users Between Oracle E-Business Suite and Oracle Identity Cloud Service

Category: Settings
Feature: Improved field name for Session Expiry.
Description: On the Session Settings tab, the field Session Expiry has been changed to Session Duration to better reflect the purpose of the setting. No functionality has changed.

See Change Session Settings.

Category: Users
Feature: Show custom attributes and some additional out-of-the-box attributes in the Oracle Identity Cloud Service console.
Description: You can now check the custom attributes and some additional out-of-the-box attributes assigned to a user as other information in the user's Details page of the Oracle Identity Cloud Service console.

See View Details About User Accounts.

Category: REST APIs
Feature: Support for multi-value Expressions in custom claims.
Description: Based on user expressions, a claim can now return either a single value attribute or all the attributes associated with the expression.

See Manage Custom Claims.

Category: REST APIs
Feature: Support Duo as a second authentication factor
Description: The Authenticate APIs have added a new use case to support Duo Security as a second authentication factor. This use case explains using Oracle Identity Cloud Service Authentication API to authenticate user's credentials with Duo Security. If administrators choose to enable this feature, they must ensure that all custom code which uses these authenticate APIs has been updated to support the payloads for this feature.

See Use Duo as a Multi-Factor Authentication Factor.

In case users choose to skip Multi-Factor Authentication during single sign-on enrollment, they can enroll to Duo Security using the self service enrollment. The self service (MyProfile) endpoints such as Initiator, validation, and Enroller are enhanced to support Duo Security.

See Using Self Service to Enroll in MFA with Duo Security.

Category: REST APIs
Feature: Enterprise Application creation with authorization policy
Description: A new use case for creating an enterprise application with authorization policies has been added in the REST APIs for Oracle Identity Cloud Service.

See Creating an Enterprise Application with Authorization Policy.

Category: REST APIs
Feature: Trigger an email verification flow if email address is already verified
Description: A new use case for triggering an email verification flow if email address is already verified has been added in the REST APIs for Oracle Identity Cloud Service.

See Triggering an Email Verification Flow if Email Address is Already Verified.

Category: Runbooks
Feature: New runbooks for integrating Oracle Identity Cloud Service with Oracle E-Business Suite and Microsoft Azure.
Description: There are two new runbooks available with version 19.3.3 of Oracle Identity Cloud Service:

• Oracle E-Business Suite: This runbook describes how to synchronize users, roles, and responsibilities between Oracle E-Business Suite and Oracle Identity Cloud Service.

• Microsoft Azure: This runbook describes how to configure Oracle Identity Cloud Service to synchronize users, groups, and user group memberships from Microsoft Azure to Oracle Identity Cloud Service.

Release 19.2.1 — August 2019

Category Feature Description

Category: Applications
Feature: Customize OAuth Consent Page
Description: Customize the information that appears in the OAuth consent page for custom applications that require consent to access application's resources. See Edit Consent Information for Custom Applications.

Category: Applications
Feature: Enterprise Application
Description: Learn what enterprise applications are and how to integrate them with Oracle Identity Cloud Service for authentication purposes using App Gateway. See Secure Enterprise Applications with App Gateway.

Category: Applications
Feature: SAML assertion encryption support
Description: Oracle Identity Cloud Service now supports assertion encryption for SAML applications. You can provide the certificate and encryption algorithm. See Add a SAML Application.

Category: Applications
Feature: Synchronization Failure Report
Description: Learn about the reason behind the synchronization failures from a synchronization failure report of a provisioning application. See Work with the Synchronization Failure Report.

Category: Applications
Feature: Personal Access Token
Description: Generate and download your personal access tokens. A client application can use these tokens to access a specific resource application for a limited period. See Generate Personal Access Tokens.

Category: Applications
Feature: Assign users and groups to custom applications
Description: Use a form to enter values while assigning users and groups to provisioned applications. See Assign Users to Custom Applications and Assign Groups to Custom Applications.

Category: Applications
Feature: Integrate your Linux environment with Oracle Identity Cloud Service.
Description: A new Pluggable Authentication Module for Linux that allows you to integrate your Linux environment with Oracle Identity Cloud Service to perform end user authentication with first and second factor authentication.

See Manage Linux Authentication using the Identity Cloud Service Linux Pluggable Authentication Module.

Category: Groups
Feature: Populate form fields for managed applications that you assign to groups.
Description: If you assign a managed application to a group, then a form appears for the application. You can populate the fields of this form to reflect the values of your application. Or, if you assigned the managed application to the group, then you can modify the values of the application form.

See Assign Applications to the Group.

Category: Settings
Feature: New notifications
Description: Two new notifications have been added:

• Exceeded Maximum Number of Account Recovery Attempts: After a user exceeds the maximum number of attempts to reset their password to recover their account, this notification is sent to the user’s primary email address.

• New Device Login Detected with Your Account: If an attempt is made to log in to a user's account from a device, IP address, or web browser, and Oracle Identity Cloud Service doesn't recognize that the device, address, or browser is associated with the account, then this notification is sent to the user. The notification contains a link that the user can click to reset their SSO password in case the user doesn't recognize the login attempt.

See About User Notifications.

Category: Settings
Feature: New Provisioning Bridge feature
Description: A new bridge is available for Oracle Identity Cloud Service: the Provisioning Bridge. This bridge provides a link between your on-premises apps and Oracle Identity Cloud Service. Through synchronization, account data that’s created and updated directly on the apps is pulled into Oracle Identity Cloud Service and stored for the corresponding Oracle Identity Cloud Service users and groups. Any changes to these records will be transferred into Oracle Identity Cloud Service. So, if a user is deleted in one of your apps, then this change will be propagated into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between your apps and Oracle Identity Cloud Service.

See Understand the Provisioning Bridge.

Category: Settings
Feature: Enhancements to the Microsoft Active Directory (AD) Bridge
Description: There are now two types of imports that you can run by using the Microsoft Active Directory (AD) Bridge to import users and groups from AD into Oracle Identity Cloud Service:

• Full import: The AD Bridge polls AD and retrieves data associated with all users and groups that you selected in the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes of the Configuration tab for the bridge. This data represents users and groups that were created, modified, or removed in AD.

• Incremental import: Similar to a full import, but for this type of import, the AD Bridge polls AD and retrieves only user and group data that changed since you last used the AD Bridge to import users and groups into Oracle Identity Cloud Service.

After users are imported into Oracle Identity Cloud Service through the AD Bridge, if you activate or deactivate a user, modify a user's attribute values, or change group memberships for a user in Oracle Identity Cloud Service, then these changes will be reflected in AD.

See Manage Microsoft Active Directory (AD) Bridges for Oracle Identity Cloud Service.

Category: Settings
Feature: Enable the Access for an unknown device event of Adaptive Security for your custom sign-in page.
Description: Adaptive Security uses the concept of risk providers to allow administrators to configure various contextual and threat events to be analyzed within Oracle Identity Cloud Service. A default risk provider within Oracle Identity Cloud Service is seeded automatically with a list of supported contextual and threat events, such as Access from an unknown device. For this event, if a user accesses Oracle Identity Cloud Service from a device that hasn’t been previously used to access the service, then this event (commonly referred to as Device Fingerprinting) is triggered.

Although Oracle Identity Cloud Service has a sign-in page, you may prefer to use your own page. If so, then you can use the Identity Cloud Service Device Fingerprint Utility to enable the Access for an unknown device event of Adaptive Security for your custom sign-in page.

See Download Oracle Identity Cloud Service SDKs and Applications.

Category: Settings
Feature: Handle on demand language support for email and SMS templates.
Description: You can now select French (Canada) as the language for email and SMS notifications.

Category: Security
Feature: New App Gateway Feature
Description: App Gateway enables you to integrate web applications hosted on-premises or on a cloud infrastructure with Oracle Identity Cloud Service for authentication purposes. See Manage Oracle Identity Cloud Service App Gateways.

Category: Security
Feature: New user manager administrator role
Description: A new administrator role is available for Oracle Identity Cloud Service: user manager. A user manager can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

See Understand Administrator Roles.

Category: Security
Feature: New Account Recovery feature
Description: A new feature is available for Oracle Identity Cloud Service: account recovery. Account recovery is an automated process designed to help users regain access to their accounts if they have trouble signing in, they’re locked out, or they forget their passwords.

There are three account recovery factors that administrators can configure for users:

• Security questions: You can allow a user to select and answer security questions, and provide hints for answers to these questions, to verify their identity. If they have to recover their account, then they must answer these questions correctly to regain access.

• Email: By default, a user’s primary email address has been set as the email address that Oracle Identity Cloud Service will use to help the user recover their account. If the user has to regain access, then Oracle Identity Cloud Service will send a notification to this email address. The user follows the instructions in the notification to recover their account. Instead of their primary email address, you can allow the user to specify an alternate (recovery) email address to regain access to their account.

• Text message (SMS): You can allow a user to provide a mobile number that Oracle Identity Cloud Service will use to help them recover access to their account. This way, if they have to regain access, then Oracle Identity Cloud Service will send a passcode in a text message (SMS) to this mobile number. The user enters this passcode to recover their account.

In addition to setting account recovery factors, administrators can specify:

• How many consecutive, unsuccessful account recovery attempts a user can make before the user’s account is locked.

• How long the user’s account will be locked before they can attempt to recover their account again.

See Manage Account Recovery in Oracle Identity Cloud Service.

Category: Security
Feature: New events added to the default risk provider
Description: There are three new events added to the risk provider that's associated with Oracle Identity Cloud Service actions. This risk provider, known as the default risk provider, evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users.

• Impossible travel between locations: Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and calculates the distance between this location and the user’s immediately preceding access location. If it determines that this distance can’t be covered at the speed specified in the threshold, then this event (commonly referred to as geo-velocity) is triggered.

• Access from an unfamiliar location: If a user accesses Oracle Identity Cloud Service from a location that hasn’t been used previously to access the service, then this event is triggered. Oracle Identity Cloud Service obtains the user’s current access location, using the IP address, and determines if this location has been used previously. If it's a new location, then the service determines the distance between the current access location and the user’s immediately preceding access location. If the distance between these two locations exceeds the value specified in the threshold, then this event is triggered.

• Access from suspicious IP addresses: If the IP address from where the user is accessing Oracle Identity Cloud Service is flagged as suspicious by the integrated IP reputation provider, then this event is triggered.

See Configure Oracle Identity Cloud Service Risk Events.
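
The two location-based events described above, worked through in Python as an added example. It is not Oracle Identity Cloud Service code: the `SignIn` fields, the place labels, both threshold values and the sample sign-ins are assumptions constructed for illustration, and resolving an IP address to a location is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    place: str   # assumed label for the geolocated source IP
    lat: float
    lon: float


def distance_km(a, b):
    """Great-circle (haversine) distance between two access locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(min(1.0, sqrt(h)))


def impossible_travel(prev, cur, max_speed_kmh):
    """True when the distance cannot be covered at max_speed_kmh in the elapsed time."""
    elapsed_h = max((cur.when - prev.when).total_seconds(), 0.0) / 3600.0
    # Comparing distance with speed * time avoids dividing by a zero interval.
    return distance_km(prev, cur) > max_speed_kmh * elapsed_h


def unfamiliar_location(seen_places, prev, cur, min_distance_km):
    """True for a never-seen place that is also farther than the threshold
    from the immediately preceding access location."""
    if cur.place in seen_places:
        return False
    return distance_km(prev, cur) > min_distance_km


def evaluate(sign_ins, max_speed_kmh=900.0, min_distance_km=500.0):
    """Return (user, place, [events]) for every sign-in, in chronological order.

    Both thresholds are example values. A user's first sign-in has no
    preceding location, so this example raises no event for it.
    """
    last, seen, findings = {}, {}, []
    for cur in sorted(sign_ins, key=lambda s: s.when):
        prev, events = last.get(cur.user), []
        if prev is not None:
            if impossible_travel(prev, cur, max_speed_kmh):
                events.append("impossible_travel")
            if unfamiliar_location(seen[cur.user], prev, cur, min_distance_km):
                events.append("unfamiliar_location")
        findings.append((cur.user, cur.place, events))
        last[cur.user] = cur
        seen.setdefault(cur.user, set()).add(cur.place)
    return findings


def _t(hour):
    return datetime(2020, 1, 6, hour, 0, tzinfo=timezone.utc)


# Constructed sample sign-ins (not real log data).
SAMPLE = [
    SignIn("alice", _t(9), "London", 51.5074, -0.1278),
    SignIn("alice", _t(12), "London", 51.5074, -0.1278),
    SignIn("alice", _t(13), "Singapore", 1.3521, 103.8198),   # ~10,850 km in 1 h
    SignIn("bob", _t(9), "Paris", 48.8566, 2.3522),
    SignIn("bob", _t(12), "Brussels", 50.8503, 4.3517),       # new place, but nearby
    SignIn("carol", _t(8), "Paris", 48.8566, 2.3522),
    SignIn("carol", _t(18), "New York", 40.7128, -74.0060),   # plausible flight, new place
]

if __name__ == "__main__":
    for user, place, events in evaluate(SAMPLE):
        print(f"{user:6} {place:10} {', '.join(events) or '-'}")
```

A new place alone does not raise the second event here; as in the description, it also has to be farther from the preceding location than the threshold.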

Category: Security
Feature: See the cloud account name and instance name from the Identity Cloud Service console.
Description: The names of both the primary or secondary instance and the Oracle Cloud account that was used to create this instance appear in the Identity Cloud Service console. To access this information, click the user icon in the upper-right corner of the console, and then select About from the drop-down menu. The Cloud Account Name and Instance Name fields display the names of the Oracle Cloud account and the instance.

See Identify and Switch Instances.

Category: Security
Feature: Network Failure Handling in Delegated Authentication
Description: Oracle Identity Cloud Service provides local password caching functionality that helps delegated users log in to Oracle Identity Cloud Service even if Active Directory is not reachable.

See Handle Network Failure in Delegated Authentication.

Category: Sign-In
Feature: Enhanced sign-in user experience
Description: Oracle Identity Cloud Service has updated the sign-in user experience for the standard Identity Cloud Service sign-in pages for a fresh and more intuitive sign-in process. Users see this new look throughout the sign-in and password reset flows. Although the look is different and usability improvements have been incorporated, the functionality remains the same. This change will be seen by all users of the standard Identity Cloud Service sign-in pages, including Oracle IaaS and PaaS users leveraging Oracle Identity Cloud Service.

For customers who have branded the sign-in page by adding a custom logo and text, your logo and text will appear integrated into the new pages. For customers who have replaced Oracle Identity Cloud Service's default sign-in page with a custom one, your custom page won't be impacted as a result of the new sign-in experience.

See Oracle is updating the Identity Cloud Service sign-in experience.

Category: User Settings
Feature: Change settings associated with user accounts.
Description: You can now change settings associated with user accounts. For example, you can make the primary email address for a user account a required or optional attribute.

By making the primary email address optional, if Oracle Identity Cloud Service integrates with another cloud service or on-premises application, then a user’s email address can be propagated from that service or application back into Oracle Identity Cloud Service, and be designated as the user’s primary email address in Oracle Identity Cloud Service.

See Change User Settings.

Category: Users
Feature: Use the My Profile console to edit attribute values for your user account.
Description: You can no longer edit attribute values for your user account from the Identity Cloud Service console. To do this, access the My Profile Details tab of the My Profile console.

See Edit Attribute Values for the User Account.

Category: Users
Feature: Oracle Identity Cloud Service unlocks all user accounts after 24 hours automatically.
Description: If a user's account is locked, and the user or an administrator doesn't unlock the account within 24 hours, then Oracle Identity Cloud Service will unlock it automatically.

See Unlock User Accounts.

Category: Users
Feature: See the Multi-Factor Authentication (MFA) status for users.
Description: By accessing the Security tab for any user account, you can see whether the user is enrolled in Multi-Factor Authentication (MFA).

See View Details About User Accounts.

Category: Users
Feature: See the statement of the terms of use associated with user's consents.
Description: From the My Consents tab of the My Profile console, users can now see the terms of use they agreed upon accessing applications. See Access Your Consents.

Category: REST APIs
Feature: New endpoints added to Oracle Identity Cloud Service REST APIs
Description: The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• UserAttributesSettings - Use this endpoint to set the User schema attribute.

• AccountRecoverySettings - Use this endpoint to manage tenant-specific account recovery settings.

• MePasswordRecoveryFactorValidator - Use this endpoint to validate the password recovery factors of a user.

• MeRemovePendingEmailVerification - Use this endpoint to remove pending verification email(s) and to delete an associated user token.

See REST API for Oracle Identity Cloud Service.

Category: REST APIs
Feature: Deprecated REST API endpoint
Description: The following endpoints are deprecated in the 19.2.1 release:

• /ManagedObjectSyncDetailedJobReport

• /sso/v1/sdk/idp (Alternate endpoint /sso/v1/sdk/secure/idp)

• /sso/v1/sdk/session (Alternate endpoint /sso/v1/sdk/session/secure/idp)

See REST API for Oracle Identity Cloud Service.

REST APIs New Use cases

The Authenticate APIs have added support for new features such as Account Recovery (SMS and Security Questions) and Terms of Use. If an administrator chooses to enable these new features, he must ensure that all custom code which uses these authenticate APIs has been updated to support the payloads for these new features.

The following use cases have been added:

• Authenticating User Name and Password with TOU Consent - This use case explains using the IDCS authenticate API to authenticate a user's credentials with TOU consent.

• Generate Access Token Using Authentication API - This use case explains how to generate an access token using the authentication API.

• Authenticating User Name and Password and Enrolling in Account Recovery - This use case explains using the IDCS authenticate API to authenticate with a user's credentials and enroll in Account Recovery.

• Authenticating User Name and Password and Enrolling in Account Recovery and MFA - This use case explains using the IDCS authenticate API to authenticate with a user's credentials and enroll in Account Recovery and Multi-Factor Authentication (MFA).

• Factor Enrollment with Verification - This use case explains using the IDCS Authenticate API, which allows a user to enroll for various MFA factors.

See REST API for Oracle Identity Cloud Service.

REST APIs OAuth Access Token Size

The OAuth access token size is set to 16000 characters by default.


Infrastructure Use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services.

Oracle Identity Cloud Service instances can use Oracle Cloud Infrastructure service gateway to communicate with other Oracle Cloud services within the same region, without the need for this communication to go over the internet.

See Supported Cloud Services in Oracle Services Network.

See Access to Oracle Services: Service Gateway to learn more about Oracle Cloud Infrastructure service gateway.

Other Noteworthy Changes

Category Feature Description

Reports PDF Deprecation

From release 19.2.1 onward, PDF report generation is deprecated. Oracle Identity Cloud Service supports only CSV and JSON formats for report generation.

Release 18.4.3 — July 2019

Category Feature Description

Infrastructure Oracle Identity Cloud Service on Oracle Cloud Infrastructure

As a part of our efforts to improve service reliability and performance, the latest release of Oracle Identity Cloud Service now runs on Oracle Cloud Infrastructure (OCI), our next-gen infrastructure. Learn more about Oracle Cloud Infrastructure.

You can find more information about Oracle Identity Cloud Service in the Oracle Help Center. Technical assistance for Oracle Identity Cloud Service is available through Oracle Support.


Customer Migration to OCI Oracle Identity Cloud Service on Oracle Cloud Infrastructure

For existing customers, Oracle Identity Cloud Service will be undergoing planned maintenance to migrate network infrastructure in multiple regions. Learn more about the benefits of Oracle Cloud Infrastructure. No action is required by customers to initiate the planned maintenance. Customers will receive an email notification in advance that indicates when the maintenance will occur, and another when the maintenance has completed. Once maintenance has completed, connectivity to Oracle Identity Cloud Service will continue automatically if you have configured your IP ranges in accordance with the instructions below.

• If you have whitelisted the IP ranges of Oracle Identity Cloud Service, you are required to update your access rules with the IP ranges for each Oracle Cloud Infrastructure region. See Review the IP ranges for different Oracle Cloud Infrastructure regions.

• Once the maintenance window has been completed, Oracle recommends you remove the old IP ranges from your access rules.

If this IP range update is not completed prior to the start of the maintenance window, you may be unable to connect to Oracle Identity Cloud Service.

Self-Service Diagnostics Set the diagnostics type to capture operational logs.

Diagnostic Data reporting has been added to the Oracle Identity Cloud Service user interface. See Run the Diagnostic Data Report.
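The access-rule update described under Customer Migration to OCI above can be checked mechanically before and after the maintenance window. The following Python sketch is an added example, not Oracle code; the region names, all IP ranges (documentation-only address blocks) and the function names are constructed assumptions, and the real ranges must come from Oracle's published list for each region.

```python
"""Added example: audit an IP allowlist around the OCI migration window."""
import ipaddress

# Constructed sample data using documentation-only address blocks. These are
# NOT Oracle's ranges; load the real per-region values from Oracle's list.
OLD_IDCS_RANGES = ["192.0.2.0/24"]
NEW_OCI_RANGES = {
    "region-a": ["198.51.100.0/24"],
    "region-b": ["203.0.113.0/24", "2001:db8:100::/48"],
}
# Constructed current access rules: the old range, region-a split into two
# adjacent /25 rules, and only the IPv4 range of region-b.
CURRENT_ALLOWLIST = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "203.0.113.0/24",
]


def parse(cidrs):
    """Parse CIDR strings; raises ValueError on host bits or bad syntax."""
    return [ipaddress.ip_network(c) for c in cidrs]


def collapse(nets):
    """Merge adjacent or overlapping rules, separately per IP version, so a
    required range covered by several smaller rules still counts as covered."""
    merged = []
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same_version))
    return merged


def missing_new_ranges(allow_rules, new_by_region):
    """Pre-maintenance check: new ranges not fully covered by the allowlist.
    Returns {region: [cidr, ...]}; an empty dict means the rules are ready."""
    rules = collapse(parse(allow_rules))
    missing = {}
    for region, cidrs in new_by_region.items():
        gaps = [
            str(net) for net in parse(cidrs)
            if not any(r.version == net.version and net.subnet_of(r)
                       for r in rules)
        ]
        if gaps:
            missing[region] = gaps
    return missing


def old_range_rules(allow_rules, old_ranges, new_by_region):
    """Post-maintenance check: rules that still admit the old ranges.
    'remove' = rule only serves old ranges; 'narrow' = rule also overlaps a
    new range, so deleting it outright would cut off the service."""
    old = parse(old_ranges)
    new = [n for cidrs in new_by_region.values() for n in parse(cidrs)]

    def touches(rule, nets):
        return any(rule.version == n.version and rule.overlaps(n)
                   for n in nets)

    findings = []
    for rule in parse(allow_rules):
        if touches(rule, old):
            action = "narrow" if touches(rule, new) else "remove"
            findings.append((str(rule), action))
    return findings


if __name__ == "__main__":
    gaps = missing_new_ranges(CURRENT_ALLOWLIST, NEW_OCI_RANGES)
    for region, cidrs in gaps.items():
        print(f"add before maintenance [{region}]: {', '.join(cidrs)}")
    stale = old_range_rules(CURRENT_ALLOWLIST, OLD_IDCS_RANGES, NEW_OCI_RANGES)
    for rule, action in stale:
        print(f"after maintenance, {action}: {rule}")
```

Run the first check before the maintenance window and the second only after the completion notice, so the old ranges stay reachable until the migration is done.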

Release 18.4.2 — December 2018

Category Feature Description

Adaptive Security Activate and deactivate the default risk provider

In addition to third-party risk providers, you can now activate and deactivate the default risk provider.

See Activating and Deactivating Risk Providers.


Adaptive Security Use the slider to set the weighting for events

Set the weighting for the Access from an unknown device, Too many unsuccessful login attempts, and Too many unsuccessful MFA attempts events to Low, Moderate, Severe, or Critical. Oracle Identity Cloud Service evaluates these events to determine risk-based activity for Oracle Identity Cloud Service users.

See Configuring the Default Risk Provider.

Applications Enhancements to SAML Application Configuration

There are two enhancements to the SAML Application Configuration:

• You can now collectively configure User and Group attributes under the Attributes section in SAML Application Configuration.

• In addition to configuring an attribute to have one of the predefined user attribute values, you can also specify path expressions to define how the value of the assertion attribute should be calculated.

See Adding a SAML Application.

Applications Support to allow access to OPC resources

You can now allow clients to access OPC resources using hierarchical scope matching. If the requested scope has a similar urn:opc:resource:consumer prefix in any of the clients' Allowed Scopes, then the client can access the OPC resource. However, if the requested scope has a different qualifier (with the exception of ::all) that doesn't match the Allowed Scopes, then the client can't access the OPC resource.

See Adding a Confidential Application and Configuring Authorized Resources.


Notifications Oracle Identity Cloud Service now checks whether verification is done to the email address that will appear in the From Email field for all notifications.

A new feature of the Notifications page is the Check Status button. When you click this button, Oracle Identity Cloud Service checks whether this email address has been verified through the email sent to the postmaster (domain) or email account.

If the email address isn't verified, then access the notification that's sent to the email address you provided, click the verification link in the notification, and click Check Status again. The status will change to Email Verified.

If the domain isn't verified, then contact the postmaster of your company so that the postmaster can verify the domain associated with the email address.

See Activating Notifications.


Scenarios Migrate from traditional Cloud accounts to Cloud accounts with Identity Cloud Service

You use an Oracle Cloud account to access your cloud services and log into the My Services Dashboard, which is where you manage your account and your services. When you sign in to your Oracle Cloud account, you can choose to sign in to two different types of Cloud accounts:

• A traditional Cloud account (also known as a cloud service account)

• A cloud account with Identity Cloud Service

Traditional Cloud accounts use one identity management system which is different from the identity management system associated with Cloud accounts with Identity Cloud Service.

You can migrate users and role memberships from traditional Cloud accounts for the following Oracle Cloud services:

• Oracle Business Intelligence Cloud Service

• Oracle Integration Cloud Service

• Oracle Mobile Cloud Service

• Oracle Process Cloud Service

• Oracle Visual Builder Cloud Service

Each service has a corresponding Cloud account with Identity Cloud Service to which you can import the users and the application role memberships. By migrating services from a traditional Cloud account to a Cloud account with Identity Cloud Service, the services can use Oracle Identity Cloud Service to manage users and to control access to the services. For this reason, you want to migrate your traditional Cloud accounts to Cloud accounts with Identity Cloud Service.

See Migrating from Traditional Cloud Accounts to Cloud Accounts with Identity Cloud Service.

Terms of Use Customize Terms of Use for Users

Configure customized disclaimers and acceptable use policies for users on an application basis. Also collect consent from users before allowing them access to their applications.

See Managing Terms of Use.


Social Login Add multiple instances of the same social identity provider

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service now allows you to add multiple instances of the same social identity provider with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

See Adding a Social Identity Provider.

REST APIs New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• /mfa/v1/requests - Use this endpoint to initiate and complete verification of a default Multi-Factor Authentication factor or a backup factor.

• /FromEmailAddressValidator - Use this endpoint to validate the status of the From Email Address or Email Domain from the OPC Notification Service.

See REST API for Oracle Identity Cloud Service.

Other Noteworthy Changes

Category Feature Description

AD Bridge Set Permissions for Microsoft Active Directory Bridge

Read about how to set permissions for a Microsoft Active Directory user account to perform actions such as delegate password reset and synchronization between Microsoft Active Directory Bridge and Oracle Identity Cloud Service.

See Setting Permissions for the Microsoft Active Directory User Account.


Reports Change in reports download behavior

Oracle Identity Cloud Service supports CSV, JSON, and PDF report generation. However, the result count for the PDF report is restricted to 1000 rows. For any report exceeding 1000 rows, only the CSV download is available.

See Organize the Report Data.

Release 18.3.4 — August 2018

Category Feature Description

Reporting Diagnostic Data Report

Diagnostic Data reporting has been removed from the Oracle Identity Cloud Service user interface. Use the REST API for Oracle Identity Cloud Service to capture diagnostic data.

See Diagnostic Records REST Endpoints.

Release 18.2.6 — July 2018

Category Feature Description

Bridge Enhancements to AD Bridge configuration

For version 18.2.6 of Oracle Identity Cloud Service, there are two enhancements to the bridge:

• The Include hierarchy check box. If you select this check box, and then select a parent OU, all child OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service.

• The Filter text box. Use this text box to enter a custom filter to search for user or group OUs. For example, enter (&(objectClass=User)(sn=Smith)) to return all users with the last name of Smith. Or, enter (department=IT) to return the IT group.

See Configuring a Bridge.


Notifications Validate the entire email address instead of the email domain only

Now, you can verify either the domain of an email address or the entire email address. When you configure notifications, there are two options: Domain and Email.

Use the Domain option to send a validation email to the postmaster account of the email’s domain or the Email option to send an email to an email address for verification purposes.

See Activating Notifications.

Administration Support for editing Oracle Cloud Applications

As Service Administrators, you can now edit certain UI elements of Oracle Cloud Applications in Oracle Identity Cloud Service. You can also assign Oracle Cloud Applications to Sign-On Policies.

See Editing High-Level Information for Oracle Applications.

REST APIs New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• /TermsOfUse - Use this endpoint to manage terms of use, which maintains the terms of use statements for applications.

• /TermsOfUseStatements - Use this endpoint to manage the terms of use statement, which maintains the terms of use statement that is associated with the terms of use.

• /SocialIdentityProviderMetadata - Use this endpoint to manage metadata for defining interaction with various social identity providers such as Facebook, LinkedIn, and Google.

• /UserAppsEnabledForAuthentication - Use this endpoint to return a list of all available target apps for a user on which delegated authentication can be performed.

See REST API for Oracle Identity Cloud Service.


REST APIs Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:

/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.

Security Terms of Use

Terms of Use is a feature in Oracle Identity Cloud Service that helps customers set the conditions for users to access the applications based on their consent.

This feature allows the identity domain administrators to set relevant disclaimers for legal or compliance requirements.

Release 18.2.4 — May 2018

See how to configure MFA, the factors available for use with MFA, and how to create a sign-on policy for MFA by watching the Configuring Multi-Factor Authentication video.

Learn how to configure a web application to authenticate with Oracle Identity Cloud Service by viewing the Use Secure Form Fill to Authenticate an Application with Oracle Identity Cloud Service tutorial.

Category Feature Description

Applications Update your SAML applications

If there are updates to your SAML applications, you can now choose to upgrade them starting with this release. If your SAML application has an update, you will see the Upgrade button visible in the UI. Click the button to upgrade the application.

See Upgrading a SAML Application.


Applications Support for providing a Custom Error URL for applications.

You can now provide a Custom Error URL to redirect a user in case of a failure. If not provided, the tenant-specific Error page URL will be used.

See the following topics:

• Adding a Trusted Application

• Adding a Mobile Application

• Adding a SAML Application

• Adding an App Catalog Application

Applications Support for configuring tenant-specific Error page URL

You can now provide a tenant-specific custom Error page URL to redirect a user in case of a failure.

See Changing Session Settings.

Applications Support for providing Linking callback URL

You can now provide a Linking callback URL that Oracle Identity Cloud Service can redirect to after linking of a user between social providers and Oracle Identity Cloud Service is complete.

See the following topics:

• Adding a Trusted Application

• Adding a Mobile Application

• Adding a SAML Application

• Adding an App Catalog Application


Applications Use App Gate to access your on-premises applications securely and remotely

Use the App Gate together with Oracle Identity Cloud Service to give your employees the ability to access your on-premises applications securely and remotely.

Because the App Gate integrates with Oracle Identity Cloud Service seamlessly, your employees can connect to these applications, using SSO, without the hassles of a VPN or SSL client certificates. This integration provides you with an additional layer of security, which is crucial to protecting your on-premises applications.

In addition, the App Gate is an ideal solution for you if:

• You want to unify all of your Identity and Access Management products under one Identity as a Service (IDaaS) platform, but you have to integrate with applications that don’t support federation (such as SAML or WS-Fed).

• Your vendors, customers, or partners must access your internal business applications such as Oracle E-Business Suite from the Internet.

• You want to restrict unauthorized network access to your applications.

• You must comply with industry regulations, like Sarbanes-Oxley, HIPAA, and others.

• Your enterprise has Web applications that lack a native authentication mechanism.

• You’re looking for a cost-effective replacement for your on-premises Web-access management solution.

• You need a supported replacement of Shibboleth.

From the App Gateway for Identity Cloud Service application, you can access the documentation for the App Gate. You can find this application on the Downloads page of the Identity Cloud Service console. To access this page, in the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads.

Branding Revert custom branding to default Oracle branding

If you have customized the Sign In page, the Admin Console, or the notifications for Oracle Identity Cloud Service, and want to revert to Oracle Branding (default), you can do so starting with this release.

See Branding the Oracle Identity Cloud Service Interface.

REST APIs Deprecated REST API endpoint

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint will be removed in the upcoming release 18.2.6:

/ServiceProviders

In previous releases, the /ServiceProviders endpoint was used to configure SAML service provider partners. The introduction of SAML Apps in release 16.4.6 rendered this endpoint obsolete and it was deprecated. In the upcoming 18.2.6 release, the /ServiceProviders endpoint will be removed.

See REST API for Oracle Identity Cloud Service.


REST APIs New endpoints added to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• /AppEntitlementCollection - Use this endpoint to manage collections of entitlements from Apps. For example, an administrator can grant an AppEntitlementCollection as a single gesture that causes the grantee to receive every entitlement in that collection.

• /UserAuditEventsPurger - Use this endpoint to delete all of the audit events that are related to a deleted user.

• /DBGroups - Use this endpoint to manage all group administrative tasks. A group contains one or more users and works as a role for the enterprise to apply security features.

See REST API for Oracle Identity Cloud Service.

Application Development SDKs Updates to SDKs for web applications

There are updates to the software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications with Oracle Identity Cloud Service.

Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Other Noteworthy Changes


Category Feature Description

REST APIs Read about OpenID Connect and see examples in the Oracle Identity Cloud Service REST API content.

Extensive OpenID Connect documentation and examples are now available in the Oracle Identity Cloud Service 18.2.4 REST API documentation.

OpenID Connect extends the OAuth 2.0 protocol to add a simple authentication and identity layer that sits on top of OAuth 2.0. Using OpenID Connect completes the picture by providing applications with information about the user, the context of their authentication, and access to their profile information. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users.

See Using OpenID Connect to Extend OAuth 2.0.

Release 18.1.6 — March 2018

Category Feature Description

Delegated Authentication (On-demand) Sign in with your Microsoft Active Directory password

With the Delegated Authentication feature in Oracle Identity Cloud Service, you no longer have to synchronize all your enterprise users' passwords between your on-premises Microsoft Active Directory and the cloud. Users can be configured to use their existing Microsoft Active Directory passwords to authenticate, and access resources and applications protected by Oracle Identity Cloud Service.

See Managing Delegated Authentication in Oracle Identity Cloud Service.


Adaptive Security Risk- and context-based analysis to detect and remediate anomalous activities

Oracle Identity Cloud Service is excited to announce brand new functionality called Adaptive Security that can provide customers with strong authentication capabilities based on user behavior in Oracle Identity Cloud Service, and across multiple heterogeneous on-premises and cloud systems. When enabled, the Adaptive Security feature can analyze a user's risk profile within Oracle Identity Cloud Service, based on their historical behavior, such as too many unsuccessful login attempts, too many unsuccessful MFA attempts, and real-time device context, such as logins from unknown devices.

To evaluate a user's behavior across other systems with which Oracle Identity Cloud Service is not directly involved, the Adaptive Security feature enables you to configure your existing risk providers like Cloud Access Security Broker (CASB), Security Information and Event Management (SIEM), and so on, to obtain the user's risk score from these external providers.

With this enriched context and risk information, Adaptive Security risk profiles each and every user and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low) that can be used with Oracle Identity Cloud Service policies to take remediation action, such as allowing or denying the user access to Oracle Identity Cloud Service, requiring the user to provide a second factor, and so on. Administrators can also view how the user's risk profile trended over a period of time and drill down to see each detail of the event.

See Managing Adaptive Security in Oracle Identity Cloud Service.


Schema Management Extend the user schema by adding custom attributes to it

If you're creating your own user interface, and you don't find a user schema attribute that you need in the base Oracle Identity Cloud Service schema attributes, then add your own custom attribute to the schema from within the Oracle Identity Cloud Service console.

See Adding Custom Schema Attributes.

Application Development SDKs New SDKs for Web and Mobile applications

Oracle Identity Cloud Service provides you with software development kits (SDKs) that enable you to easily integrate and authenticate your .NET or PHP web applications and your Android or iOS mobile applications with Oracle Identity Cloud Service.

Sample applications and tutorials on using these SDKs are available at the web-based Cloud Developer Portal.

Single Sign-On Secure Form Fill Admin Client

You can use the Secure Form Fill feature if your web applications can't be modified to integrate with Oracle Identity Cloud Service for SSO. The new Secure Form Fill Admin Client helps you map the sign-in form for your web application so that Oracle Identity Cloud Service knows how to populate the user's user name and password automatically, and helps you to submit the user's credentials to the application's identity store. You can download this Secure Form Fill Admin Client from within the Oracle Identity Cloud Service console.

See Downloading Oracle Identity Cloud Service SDKs and Applications.


Identity Administration Auto provision birthright applications

You can now configure a set of applications to be automatically provisioned for every user on-boarded to Oracle Identity Cloud Service.

See the following topics:

• Assigning Groups to Oracle Applications

• Removing Groups from Oracle Applications

• Assigning Groups to Custom Applications

• Removing Groups from Custom Applications

Identity Administration Synchronize User Accounts from a Flat File Using REST APIs

For target applications that don’t support synchronization of user accounts with Oracle Identity Cloud Service, you can now import user accounts from a flat file using REST APIs, providing a quick and error-free synchronization.

See Importing User Accounts from a Flat File Using REST APIs.

Identity Administration Synchronize User Accounts from a Flat File using the Oracle Identity Cloud Service UI

For target applications that do not support synchronization of user accounts with Oracle Identity Cloud Service, you can now import and synchronize user accounts from a flat file using the Oracle Identity Cloud Service Administration console. You can also activate and deactivate these synchronized user accounts from the console.

See Importing and Synchronizing User Accounts Using a Flat File in Oracle Identity Cloud Service UI.


Identity Administration Manage Web Tier policies from the admin console

In the previous versions, there was no option in the admin console to create or edit Web Tier policies. You can now manage Web Tier policies from the admin console and specify a list of resource filters, such as application URLs, the corresponding authentication method, and so on, to control and protect your corporate resources.

See Creating and Managing Web Tier Policies.

Note: Use the Web Tier Policy feature for Oracle Identity Cloud Service only. Customers should refer to the relevant documentation for their services to understand how to use this feature.

Identity Administration Additional attributes to filter synchronization results

You can now use Situation and Synchronization Status as additional filter attributes to filter the user account import search results. Select values from the respective drop-down lists to view user accounts matching the search criteria.

See Synchronizing User Accounts.

Identity Administration Apply Default Trust Scope from OAuth settings for Client Application configuration

In the previous versions, for a Trusted Application you could select All Resources, Allowed Tags or Allowed Scopes to configure Trust Scopes for your Client Application. By selecting the Default option, you can now apply the Default Trust Scope configured in the OAuth settings to your client application.

See Adding a Trusted Application.

Bridge Installer Enhanced Microsoft Active Directory Bridge installation

The bridge installer is streamlined and simplified for a better user experience.

See Creating a Bridge.


Administrative Settings Set Norwegian as your preferred language

The Oracle Identity Cloud Service UI now supports the Norwegian language.

Administrators can set Norwegian as the default language for an identity domain. See Changing Default Settings.

Users can set Norwegian as the default language for their account. See Setting Up or Modifying Your Profile.

Security Settings Support for Configuring OAuth Settings

You can now configure OAuth settings to either enable account-level trust for all token acquisition requests or configure one of the Default Trust Scopes.

See Configuring OAuth Settings.


REST APIs Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints were added:

• /IDBridgeConfig - Use this endpoint to replace or update an IDBridge configuration. For example, replacing or updating a new feature name and the release in which the feature was introduced.

• /TargetAuthenticationTester - Use this endpoint to test target authentication.

• /Schemas - The PATCH operation is now supported. Use this endpoint to maintain the schema definition of resource types that are supported by Oracle Identity Cloud Service. Schema definitions contain standard SCIM schema attributes and additional Oracle Identity Cloud Service-specific attributes such as searchable, min/max length for validation, target attrname, and so on.

• /RiskProviderProfile - Use this endpoint to manage risk provider configurations for Oracle Identity Cloud Service. The risk provider configuration manages all the fields that are required to connect with the provider and other relevant configurations.

• /RiskProviderProfileValdation - Use this endpoint to validate a risk provider profile.

• /ManagedObjectClassTemplates - Use this endpoint to work with managed object class template configurations for a connected managed app.

• /ManagedObjectClasses - Use this endpoint to work with managed object class configurations for a connected managed app.

• /Threats - Use this endpoint to manage adaptive access threats and violations.

• /AdaptiveAccessSettings - Use this endpoint to manage tenant-specific adaptive access settings. There is a single pre-seeded instance of AdaptiveAccessSettings in Oracle Identity Cloud Service. New instances can't be created and an existing instance can't be removed. But, you can update a single instance using PUT or PATCH.

See REST API for Oracle Identity Cloud Service and Using the Oracle Identity Cloud Service REST APIs with Postman.

Other Noteworthy Changes

Category Feature Description

REST APIs Enhancements to the Oracle Identity Cloud Service POSTMAN Collection

The Oracle Identity Cloud Service POSTMAN Collection has been updated. This release allows you to explore the relationships between Users, Groups, Clients, Apps, and AppRoles.

Look for new Search requests added for Users, Groups, Clients, Apps, and AppRoles in the Search folders for each, as well as the Membership folders.

See the Oracle Identity Cloud Service POSTMAN Collection.

Release 18.1.2 — February 2018

18.1.2 User Interface Changes

Watch the What’s New in 18.1.2 video to learn about the 18.1.2 user interface changes and other enhancements.

The Oracle Identity Cloud Service 18.1.2 release introduces several major interface changes to the Identity Cloud Service administrator console:

1. In 17.4.6, the user menu displayed the user name. In 18.1.2, the user name is replaced with the user’s initials. This change is part of an update across all Oracle cloud products. All PaaS products are moving to a new design. The new avatar displays the logged in user's initials. No options for the menu have changed.

2. In 17.4.6, the Dashboard, Users, and Notifications buttons appeared in the upper-right corner of the administrator console. These buttons are used to return to Oracle Public Cloud. In 18.1.2, those links are available on the new My Services page in the Navigation Drawer.

3. In 17.4.6, dashboard navigation consisted of a series of tabs across the dashboard. In 18.1.2, these tabs are replaced with the Navigation Drawer. The Navigation Drawer maximizes the real estate of the Identity Cloud Service console. To display the Navigation Drawer, click the Navigation Drawer icon in the upper-left corner of the console. You'll see a listing of all folders and pages that compose the console. Click a folder to see the pages associated with the folder. Then, click the menu item that represents the page that you want to display in the Identity Cloud Service console. Click the Navigation Drawer icon again to close the Navigation Drawer.

[Screenshots: 18.1.2 User Interface Changes, showing 17.4.6 Navigation (Old) and 18.1.2 Navigation (New)]

See Accessing Service Consoles

Other UI Changes

1. There's a new page in the Settings folder: Downloads. Use this page to download Java, Node.js, or Python SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service. See Downloading Oracle Identity Cloud Service SDKs and Applications.

2. In the Security folder:
• The Delegated Administration page has been renamed to Administrators.
• There are three new pages: Identity Provider Policies, Sign-On Policies, and Network Perimeters. Use these pages to define identity provider policies, sign-on policies, and network perimeters. See Managing Oracle Identity Cloud Service Identity Provider Policies, Managing Oracle Identity Cloud Service Sign-On Policies, and Managing Oracle Identity Cloud Service Network Perimeters.

18.1.2 New Features — February 2018

Feature Description

Email as a Second Authentication Factor

Support for using email as a second authentication factor has been added to the Multi-Factor Authentication options. After email settings are configured, when the user selects Email as the authentication method, Oracle Identity Cloud Service sends a one-time passcode to the user’s primary email address for use as a second verification method.

See Configuring Email Settings.

Setting a Default Verification Method

A user can now set their default second factor verification method using the 2-Step Verification page of the My Profile console.

See Setting a Default Verification Method.

Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• /LatestBinaryFileInfoVersionRetriever - Use this endpoint to retrieve the latest version of binary file information.

• /SFFCustomApps - Use this endpoint to manage tenant-specific Secure Form Fill custom apps.

The X-ORACLE-DMS-ECID and X-ORACLE-DMS-RID HTTP headers are now included in each REST API response. These headers correspond to the ECID and RID for a REST API request. The caller can use this information to track and correlate requests that originate with events arising in the Oracle Identity Cloud Service server. The client may also include these values as part of an error message, as it is important to correlate events on the client side with errors on the server side.

See REST API for Oracle Identity Cloud Service.
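One way a client can use the two correlation headers during incident triage, as an added example that is not Oracle's code: failed responses raise an error that carries the ECID and RID, and a helper joins those errors to server-side records by ECID. The function names, the server record fields, and every ID value are constructed for illustration; only the header names and endpoint paths come from this page.

```python
"""Carry X-ORACLE-DMS-ECID / X-ORACLE-DMS-RID from a response into client errors."""

ECID_HEADER = "X-ORACLE-DMS-ECID"
RID_HEADER = "X-ORACLE-DMS-RID"


class ApiError(Exception):
    """Non-2xx response; keeps the correlation IDs for later lookup."""

    def __init__(self, path, status, ecid, rid):
        self.path, self.status, self.ecid, self.rid = path, status, ecid, rid
        super().__init__(
            f"{path} returned HTTP {status} "
            f"(ECID={ecid or 'missing'}, RID={rid or 'missing'})"
        )


def correlation_ids(headers):
    """Return (ecid, rid). HTTP header names are case-insensitive."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return lowered.get(ECID_HEADER.lower()), lowered.get(RID_HEADER.lower())


def check_response(path, status, headers):
    """Return the IDs on success, raise ApiError carrying them on failure."""
    ecid, rid = correlation_ids(headers)
    if not 200 <= status < 300:
        raise ApiError(path, status, ecid, rid)
    return ecid, rid


def collect_errors(responses):
    """Run check_response over (path, status, headers) tuples; keep failures."""
    errors = []
    for path, status, headers in responses:
        try:
            check_response(path, status, headers)
        except ApiError as exc:
            errors.append(exc)
    return errors


def correlate(client_errors, server_events):
    """Join client errors to server events by ECID.

    Returns (matched, unmatched): matched maps ECID -> server events,
    unmatched lists client errors with no ECID or no server-side record.
    """
    by_ecid = {}
    for event in server_events:
        by_ecid.setdefault(event["ecid"], []).append(event)
    matched, unmatched = {}, []
    for err in client_errors:
        if err.ecid and err.ecid in by_ecid:
            matched[err.ecid] = by_ecid[err.ecid]
        else:
            unmatched.append(err)
    return matched, unmatched


# Constructed sample data (not real service output).
SAMPLE_RESPONSES = [
    ("/Tags", 200, {"X-ORACLE-DMS-ECID": "ecid-aaa1", "X-ORACLE-DMS-RID": "0"}),
    ("/Apps", 500, {"x-oracle-dms-ecid": "ecid-bbb2", "x-oracle-dms-rid": "0:1"}),
    ("/MyGroups", 403, {"X-Oracle-Dms-Ecid": " ecid-ccc3 ", "X-Oracle-Dms-Rid": "0"}),
    # Constructed edge case: a failure that arrives without the headers.
    ("/Schemas", 502, {"Content-Type": "text/html"}),
]
SAMPLE_SERVER_EVENTS = [
    {"ecid": "ecid-bbb2", "rid": "0:1", "message": "constructed: unhandled exception"},
    {"ecid": "ecid-ccc3", "rid": "0", "message": "constructed: authorization denied"},
    {"ecid": "ecid-zzz9", "rid": "0", "message": "constructed: unrelated request"},
]

if __name__ == "__main__":
    failures = collect_errors(SAMPLE_RESPONSES)
    matched, unmatched = correlate(failures, SAMPLE_SERVER_EVENTS)
    for err in failures:
        print(err)
    print("matched:", sorted(matched), "unmatched:", [e.path for e in unmatched])
```

Errors that come back without an ECID are worth tracking separately, since they cannot be tied to a server-side record through these headers.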

Manage Policies

Policy control, for securing and managing access to resources, is now available. Policy control makes access control flexible, enabling good policy management with flexible and extendable, contextual capabilities.

In this release, the following policy control features are available:

Define Identity Provider Policies. You can use identity provider policies to specify which identity providers are visible in the Sign In page when someone is trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. You can also use identity provider policies to determine whether users authenticate into Oracle Identity Cloud Service with their local credentials or by using credentials associated with SAML or social identity providers. See Managing Oracle Identity Cloud Service Identity Provider Policies.

Define Network Perimeters. You can define network perimeters in Oracle Identity Cloud Service. A network perimeter contains a list of IP addresses. After creating a network perimeter, you can prevent users from signing in to Oracle Identity Cloud Service if they use one of the IP addresses in the network perimeter. This is known as blacklisting. You can also configure Oracle Identity Cloud Service so that users can log in, using only IP addresses contained in the network perimeter. This is known as whitelisting. See Managing Oracle Identity Cloud Service Network Perimeters.

Define Sign-On Policies. You can use sign-on policies in Oracle Identity Cloud Service to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service. See Managing Oracle Identity Cloud Service Sign-On Policies.
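The two network perimeter modes described above, as an added example rather than Oracle's implementation: a sign-in check that treats one perimeter as a blacklist and another as a whitelist. The function names, the perimeter contents, the acceptance of CIDR ranges alongside single addresses, and the rule that a blacklist match wins over a whitelist match are assumptions of this sketch; all addresses are constructed from documentation ranges.

```python
import ipaddress


def parse_perimeter(entries):
    """Parse perimeter entries (single address or CIDR) into network objects."""
    # strict=False tolerates host bits in a CIDR entry; a bare address
    # becomes a single-host network (/32 for IPv4, /128 for IPv6).
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalise(client_ip):
    """Parse the client address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Without the unwrap, a client seen over a dual-stack socket would not
    match the IPv4 entries of a perimeter.
    """
    addr = ipaddress.ip_address(str(client_ip).strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_perimeter(addr, networks):
    return any(addr.version == net.version and addr in net for net in networks)


def evaluate_sign_in(client_ip, blacklist=(), whitelist=None):
    """Return (decision, reason) for one sign-in attempt.

    blacklist: perimeter whose addresses may not sign in.
    whitelist: perimeter outside which nobody may sign in, or None when no
               whitelist is configured. An empty whitelist denies everyone.
    """
    try:
        addr = normalise(client_ip)
    except ValueError:
        # Fail closed: an address that cannot be parsed cannot be checked.
        return "deny", "client address could not be parsed"
    if in_perimeter(addr, blacklist):
        return "deny", "address is in a blacklisted perimeter"
    if whitelist is not None and not in_perimeter(addr, whitelist):
        return "deny", "address is outside the whitelisted perimeter"
    return "allow", "no perimeter rule blocks this address"


def denied_sign_ins(events, blacklist=(), whitelist=None):
    """Return (user, ip, reason) for every event the perimeters reject."""
    denied = []
    for user, ip in events:
        decision, reason = evaluate_sign_in(ip, blacklist, whitelist)
        if decision == "deny":
            denied.append((user, ip, reason))
    return denied


# Constructed sample perimeters and sign-in attempts.
BLACKLIST = parse_perimeter(["203.0.113.0/24", "198.51.100.23"])
WHITELIST = parse_perimeter(["192.0.2.0/24", "2001:db8::/32"])
SAMPLE_SIGN_INS = [
    ("alice", "192.0.2.10"),
    ("bob", "203.0.113.9"),
    ("carol", "::ffff:203.0.113.9"),
    ("dave", "10.0.0.5"),
    ("erin", "not-an-ip"),
]

if __name__ == "__main__":
    for row in denied_sign_ins(SAMPLE_SIGN_INS, BLACKLIST, WHITELIST):
        print(row)
```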

App Development SDK

You can now enable your Java, Node.js, or Python web applications to authenticate with Oracle Identity Cloud Service by using software development kits (SDKs).

Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service.

See Downloading Oracle Identity Cloud Service SDKs and Applications.

EBS Asserter

Integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service for authentication and password management purposes by using a lightweight Java application known as the Oracle E-Business Suite (EBS) Asserter.

Oracle Identity Cloud Service provides you with a centralized location in the Identity Cloud Service console where you can download SDKs or the EBS Asserter to integrate your web applications or Oracle E-Business Suite with Oracle Identity Cloud Service.

See Downloading Oracle Identity Cloud Service SDKs and Applications.

Create custom secure form fill applications

If you don't find the secure form fill application that you need in the app catalog or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service.

See Creating a Custom Secure Form Fill App.

Select Display in My Apps checkbox to display the app in My Apps page

In previous releases, when you selected the Display in My Apps check box, you could also enable SSO to the app.

In this release, when you select the Display in My Apps check box in applications, the app is then visible in the My Apps page, but selecting this check box no longer enables or disables SSO to the app.

See:
• Adding a Trusted Application
• Adding a SAML Application
• Adding an App Catalog Application

The flag to enable or disable SSO comes from the app template. Use the Oracle Identity Cloud Service REST APIs to update this flag. You cannot set the SSO flag from the user interface. See REST API for Oracle Identity Cloud Service.

Updates to the Application Catalog

• Over 100 Form Fill integrations, including banking, learning, and transportation apps.

• SAML SSO with Workday, Ariba, and other apps.

See Oracle Identity Cloud Service - Application Catalog.

OpenID Connect support for Identity providers

Oracle Identity Cloud Service now supports integration with identity providers that are compliant with OpenID Connect. These identity providers support the OpenID Connect standard. You use this type of identity provider when you want to establish trust between an OpenID Connect-compatible identity provider, such as Google, Salesforce, and so on, with your Oracle Identity Cloud Service account. This is useful if you're creating a mobile or web application that requires access to Oracle Identity Cloud Service-protected resources, but you don't want to create custom sign-in code or manage your own user identities.

Release 17.4.6 — December 2017

Feature Description

Activate and deactivate user accounts for apps

User accounts provisioned/assigned to apps from Oracle Identity Cloud Service can now be individually activated or deactivated. This allows administrators to manually activate or deactivate user accounts as and when needed without impacting other accounts provisioned to the user. See Assigning Applications to the User Account and Assigning Users to Custom Applications.

Add tags to applications

If you want to create custom attributes for applications that can be used to search for the applications more effectively, then add tags to applications. Tags are key-value pairs that are used to organize and identify applications.

For example, suppose you're creating three versions of an application: one for development purposes, one for testing purposes, and one that will be used in production. You can create the following tags for these versions: Version: Development, Version: Testing, and Version: Production.

You can create tags for your trusted, mobile, SAML, and App Catalog applications or add existing tags from other applications.

See Adding Applications.

Enhancements to Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints have been added:

• /AppUpgrader
• /CustomAllowedValues
• /MappedActions
• /MappedActionTemplates
• /MyAccesses
• /ResourceTypeSchemaAttributes
• /SocialAccounts
• /Tags

The attributeSets query parameter was added. Use this query parameter to get a group of attributes back in the response rather than specifying each attribute individually. This query parameter accepts comma-separated values from the following parameters:

• all (returns all attributes)
• always (returns all attributes marked as always in the schema)
• default (returns all default attributes)
• request (returns all attributes marked as request in the schema)

These values are not case-sensitive. If both "attributes" and "attributeSets" are specified in the request, then the values from both attribute sets are returned in the response.

See REST API for Oracle Identity Cloud Service.
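How the four set names combine with an explicit attributes list, as an added example rather than Oracle's server code: the resolver below works on a constructed schema in which each attribute carries a return marker, and the query builder rejects set names outside the four listed above. The schema contents, the function names, and the choice to raise on unknown names are assumptions; only the two parameter names and the four set values come from this page.

```python
from urllib.parse import urlencode

VALID_SETS = ("all", "always", "default", "request")

# Constructed schema: attribute name -> how the schema marks it for return.
SAMPLE_SCHEMA = {
    "id": "always",
    "userName": "always",
    "displayName": "default",
    "emails": "default",
    "groups": "request",
    "appRoles": "request",
}


def split_csv(value):
    """Split a comma-separated parameter value, dropping blanks."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]


def normalise_sets(attribute_sets):
    """Lower-case the set names (they are not case-sensitive) and validate."""
    sets = [name.lower() for name in split_csv(attribute_sets)]
    unknown = sorted(set(sets) - set(VALID_SETS))
    if unknown:
        raise ValueError("unknown attributeSets value(s): " + ", ".join(unknown))
    return sets


def resolve_attributes(schema, attributes=None, attribute_sets=None):
    """Return the sorted union of the named sets and the explicit attributes."""
    selected = set()
    for set_name in normalise_sets(attribute_sets):
        if set_name == "all":
            selected.update(schema)
        else:
            selected.update(n for n, marker in schema.items() if marker == set_name)
    for name in split_csv(attributes):
        if name not in schema:
            # Helper's own choice: surface typos instead of ignoring them.
            raise ValueError(f"attribute not in schema: {name}")
        selected.add(name)
    return sorted(selected)


def build_query(attributes=None, attribute_sets=None):
    """Build the query string for a request, validating the set names first."""
    params = {}
    sets = normalise_sets(attribute_sets)
    if sets:
        params["attributeSets"] = ",".join(sets)
    names = split_csv(attributes)
    if names:
        params["attributes"] = ",".join(names)
    return urlencode(params, safe=",")


if __name__ == "__main__":
    print(build_query(attributes="groups", attribute_sets="Always, DEFAULT"))
    print(resolve_attributes(SAMPLE_SCHEMA, "groups", "Always, DEFAULT"))
```

Asking for the narrowest set that covers what the caller needs, plus named extras, keeps responses from carrying attributes the client never uses.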

OpenID Connect Support for Social Identity Providers

If you need to add a social identity provider that is OpenID Connect compliant, you can now define OpenID Connect compliant social identity providers as identity providers in Oracle Identity Cloud Service.

See Adding a Social Identity Provider and Deleting an Identity Provider.

Deleting Social Accounts Linked to an Identity Provider

When you delete an identity provider that has social accounts referencing it, you are prompted whether to delete the references as well.

If you do delete the social account references, Oracle Identity Cloud Service asynchronously deletes the references and then deletes the identity provider.

If you don't want to delete the social account references, you can deactivate the identity provider, which results in the identity provider not being used for social login. When the identity provider is deactivated, users can see their social accounts in their My Profile page but can't use the identity provider to log in.

See Deleting an Identity Provider.

Release 17.4.2 — November 2017

Feature Description

User Interface Change: Delegated Administration

You can now access the Delegated Administration page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.

User Interface Change: Identity Providers

You can now access the Identity Providers page from the Security tab of the Identity Cloud Service console. See Accessing Service Consoles.

User Import Enhancement

The Users.csv import file has been enhanced to include Locked, Locked Reason, and Locked Date fields. See Importing User Accounts.

${tenantName} replaced by ${companyName}

${tenantName} has been replaced by ${companyName} for all email templates and SMS templates. See Modifying Notification Templates.

Access Request Notifications Added

There are two new notifications added:

• New Access Request submitted: This notification is sent to a user after they submit an access request.

• Access Request fulfilled: This notification is sent to a user after their access request has been fulfilled.

See Understanding the Types of Notifications.

Support for Login URL, Cross-Origin Resource Sharing (CORS), and Allowed CORS Domain Names

The following new fields have been implemented on the Session Settings page to support this enhancement:

• Login URL: You can specify the URL where you want the user redirected to log in.

• Allow Cross-Origin Resource Sharing (CORS): You can allow client applications that run on one domain to obtain data from another domain.

• Allowed CORS Domain Names: You can now list the external domain names that are allowed for CORS operations.

See Changing Session Settings.

Trust Scopes

The new Trust Scopes feature allows a trusted application to access either any resource within a domain or only those services where an explicit association between the client and the service exists.

The following new Trust Scopes options are available for only trusted applications:

• All Resources: Select to allow your application to request an access token for services using the scope urn:opc:resource:consumer::all. This option provides a wide scope.

• Allowed Scope: Leave selected (the default) to allow your application to acquire an access token with permissions based on an explicit association between the client and target services.

See Adding a Trusted Application.

MFA Pull Notifications Support

Pull Notifications support has been added to the Multi-Factor Authentication options. Pull notifications are updates that are delivered to a mobile device or computer in response to a user who is checking for login request notifications. Pull notifications are useful in scenarios where the GCM service (Android), APNS Service (iPhone), or WMS service (Windows) does not work. See Configuring Mobile OTP and Notifications.

Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoint has been deprecated:

/AppAllowedScopesChanger

Previously administrators couldn't edit OPC Apps because they were protected and read-only. In order to update the "allowedScopes" attribute, administrators were required to use this special REST endpoint: /AppAllowedScopesChanger. This REST endpoint has been deprecated in this release because OPC Apps are now editable, which allows administrators to use PATCH with the /Apps endpoint to add, remove, or replace the values of the allowedScopes attribute.

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.

Support for enhanced login experience

You can now experience the customized login by hosting a login application and redirecting Oracle Identity Cloud Service login to the new application. You can specify the custom login and logout URLs in the Login URL and Logout Page URL fields. These fields are available in the application, by default. See Adding a Trusted Application, Adding a SAML Application, and Adding a Mobile Application.

17.4.2 REST API Changes

Feature Description

Trust Scope Attribute

The Trust Scope Attribute has been added to the REST examples where applicable. See Account Trust Scope.

17.4.2 User Interface Changes

The Delegated Administration page and the Identity Providers page have been moved from the Settings tab (17.3.6) to the Security tab (17.4.2) of the Identity Cloud Service console. The following table illustrates those changes.

[Screenshots of 17.4.2 User Interface Changes: 17.3.6 Settings Tab (Old) and 17.4.2 Security Tab (New)]

Release 17.3.6 — September 2017

Feature Description

Device Grant Flow

The new Device Code grant type provides a specific grant flow in which a device client executes on a device that doesn't have an easy data-entry method (for example, game consoles, streaming media players, and digital picture frames), and the device client is incapable of receiving incoming requests from the authorization server. See Adding a Trusted Application and Adding a Mobile Application.

Add/Remove Client Scopes for Oracle Applications

You can now add and remove client scopes for OPC apps using the Oracle Identity Cloud Service administration console.

See Adding a Trusted Application.

Icons for OPC Apps

Different OPC icons are available for each OPC app in the Oracle Identity Cloud Service administration console. Also, available app icons are now stored on the UI server and accessed using a URL, which improves fetch performance and displays the icons more quickly.

Support for Universal Credits

Oracle Identity Cloud Service is now part of the new metered Universal Credit pricing models. These models include Pay As You Go, Monthly, and Yearly.

Bridge Performance Improvement

Enhancements have been made to increase Bridge performance. To take advantage of these improvements, upgrade your Bridge client.

Use new Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new:

• /MappedAttributeTemplates
• /MappedAttributes
• /oauth2/v1/device

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the supported list of applications in the App Catalog, take a look at Oracle Identity Cloud Service - Application Catalog.

Bridge Upgrade Needed After Client Secret Regeneration

If you're using the 17.2.6 version of the client for the bridge, and you have regenerated the Client Secret, then you must upgrade your client to the latest version. See Creating a Bridge to install the updated client for the bridge.

Other Noteworthy Changes

Feature Description

Maximum Character Limit Increase for specific Users and Groups Fields

The maximum character length has been increased for the following user fields:

• Display Name (201)
• First Name (100)
• Last Name (100)
• Formatted Name (354)

In the Groups page, the maximum character length for the Description field has been increased to 4,000 characters.

In the Branding page, the maximum character length for the Login Text field has been increased to 250 characters.

Bare Metal Cloud Services Renamed

Bare Metal Cloud Services has been renamed to Oracle Infrastructure Cloud Service.

Release 17.3.4 — September 2017

Feature Description

Secure Form Fill plug-in: Support for Google Chrome and Mozilla Firefox

If you are using Google Chrome, you are prompted to go to the Extensions on Google Chrome and install the Oracle Secure Form Fill Plugin. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app.

If you are using Mozilla Firefox, instead of downloading the Secure Form Fill Mozilla Firefox plug-in from the Mozilla Store, install the Secure Form Fill Mozilla Firefox plug-in from the My Apps page. Users will be prompted to download the plug-in from the My Apps page the first time that they launch a secure form fill app.

Secure Form Fill is included as part of the Oracle Identity Cloud Service Standard license.

Public Access Tenant Signing Certificate

Oracle Identity Cloud Service tenant administrators can allow clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service. See Changing Default Settings in Administering Oracle Identity Cloud Service.

Access Request

Administrators specify the groups and applications to which a user may request access.

Users can now request group and application access from the Catalog. Users can also view the groups and applications to which they have access as well as view their access requests. See Managing Group and Application Access in Administering Oracle Identity Cloud Service.

Use new Oracle Identity Cloud Service REST APIs

The REST APIs for Oracle Identity Cloud Service have been updated. The following endpoints are new:

• /AppAllowedScopesChanger
• /MyGroups
• /MyRequestableApps
• /MyRequestableGroups
• /MyRequests

See REST API for Oracle Identity Cloud Service.

New App templates added to the App Catalog

For the latest additions to the App Catalog template list, take a look at Oracle Identity Cloud Service - Application Catalog.

Release 17.3.2 — July 2017

This release contains mostly bug fixes and performance enhancements.

Oracle® Cloud What’s New for Oracle Identity Cloud Service, Release 19.3.3
E81008-41

Copyright © 2016, 2020, Oracle and/or its affiliates. All rights reserved.
