What's New in This Guide?

This section summarizes the new features and significant changes in Administering Oracle Access Management 12c (12.2.1.4.0).

Follow the pointers into this guide to get more information about the features and how to use them.

Updates in October 2024 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Setting the GCM API Key

    Google is deprecating Legacy FCM APIs and migrating to HTTP v1 APIs. For all new configurations, it is recommended to use HTTP v1 APIs. For steps to migrate to HTTP v1 APIs, see Migrating to service account JSON for Android Push Notifications.

  • Automating Rotation of SAML Certificate or Key or Metadata

    You can schedule the retrieval of new partner certificates and metadata via a REST endpoint and seamlessly rotate the updated credentials across all dependent systems and applications without any downtime. For further details, see Automating SAML Certificate or Key or Metadata Rotation.

  • Ability to Load the Fusion Page in Visual Builder (VB)

    In the Chrome browser, some OAM cookies were blocking the Fusion page from loading in the Visual Builder (VB) after the third-party cookies were deprecated. With this release, Cookies Having Independent Partitioned State (CHIPS) support is added for OAM/Webgate cookies to overcome this issue. For more details, see OAM Cookies Block the Fusion Page from Loading in Visual Builder after the 3rd Party Cookies are Deprecated.

  • Ability to Retrieve an ID Token Through an Authorization Code

    With this release, you can retrieve both an access token and an ID token when redeeming the refresh token obtained through the authorization code flow. For more details, see Getting IDtoken via a Refresh Token Request.

  • Best Practices for Oracle Access Manager (OAM) OAuth security

    Added best practices for OAM OAuth security that highlight the possible threats, detail the attacker's capabilities, and describe strategies to mitigate those risks. For more details, see Best Practices for Oracle Access Manager (OAM) OAuth Security.

  • OAA Error Handling Plugins

    The OAA User Preferences URL, protected by OAM, redirects users to OAM for authentication using the OAA Auth Plugin (OAA-MFA-AuthScheme). If a user lacks a valid authentication factor, OAA generates error codes and redirects them to a failure page. When MFA is enabled on the User Preferences page, specific plugins are triggered. These plugins contain rules that assess the error condition and determine whether to override it, allowing users to proceed even if authentication initially fails. For more details, see OAA Error Handling Plugins.

  • Ability to Add Partner Signing and Encryption Keys

    With this release, a new Key Configuration group has been added to the OAM console when creating an IdP/SP partner. This group allows you to select the signing and encryption keys for the partner, and is applicable only for SAML 1.1 and 2.0 protocols. For more details, see Use Oracle Access Manager to sign on to Oracle Private Cloud Appliance.

  • Ability to Configure Reuse Detection for Refresh Tokens

    Added a new property to detect the reuse of refresh tokens. For more details, see Revoking OAuth Tokens by OAuth Clients.
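
The refresh-token reuse detection item above describes a property, not a mechanism. The following is an added example, written for this page and not Oracle's code, that models the usual mechanism behind such a setting: refresh tokens are rotated on every exchange and grouped into a family, and presenting an already-spent token revokes the whole family. The class names, the family bookkeeping and the "attacker exchanges first" scenario are assumptions used to illustrate the threat; they do not describe how OAM stores tokens internally.

```python
import secrets


class InvalidToken(Exception):
    """The presented refresh token cannot be exchanged."""


class ReuseDetected(InvalidToken):
    """A previously exchanged refresh token was presented again."""


class RefreshTokenStore:
    """Minimal model of refresh-token rotation with optional reuse detection.

    Every refresh token belongs to a family that starts with the first token
    issued after user authentication. Exchanging a token issues a replacement
    in the same family and marks the old one as spent.
    """

    def __init__(self, reuse_detection: bool = True) -> None:
        self.reuse_detection = reuse_detection
        self._family_of = {}   # token value -> family id
        self._current = {}     # family id -> live token, or None once revoked

    def issue(self) -> str:
        """Start a new family (the first refresh token after login)."""
        family = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._family_of[token] = family
        self._current[family] = token
        return token

    def exchange(self, token: str) -> str:
        """Rotate: spend `token` and return its replacement."""
        family = self._family_of.get(token)
        if family is None:
            raise InvalidToken("unknown refresh token")
        live = self._current[family]
        if live is None:
            raise InvalidToken("token family has been revoked")
        if live != token:
            # `token` was already exchanged once, so this presentation is a replay.
            if self.reuse_detection:
                self._current[family] = None   # kill every token in the family
                raise ReuseDetected("refresh token reuse detected; family revoked")
            raise InvalidToken("stale refresh token")
        replacement = secrets.token_urlsafe(32)
        self._family_of[replacement] = family
        self._current[family] = replacement
        return replacement

    def is_live(self, token: str) -> bool:
        family = self._family_of.get(token)
        return family is not None and self._current.get(family) == token


def stolen_token_scenario(reuse_detection: bool) -> bool:
    """Constructed scenario: an attacker exfiltrates rt1 and exchanges it before
    the legitimate client does. Returns True if the attacker's token is still
    usable after the legitimate client's (failing) attempt."""
    store = RefreshTokenStore(reuse_detection=reuse_detection)
    rt1 = store.issue()
    attacker_rt = store.exchange(rt1)   # attacker goes first
    try:
        store.exchange(rt1)             # legitimate client replays rt1
    except InvalidToken:
        pass
    return store.is_live(attacker_rt)
```

With detection enabled the legitimate client's replay is the signal that ends the attacker's session; with it disabled the replay simply fails and the attacker's rotated token keeps working, which is why the setting matters even though the legitimate user sees the same error either way.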

Updates in April 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in April 2024 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Checking Authentication Context when OAM is acting as a Service Provider (SP)

    If OAM is acting as an SP, it identifies the Authentication Context asserted by the external SAML Identity Provider (IdP) and proceeds with SAML authentication based on the authnassurancelevel property. For details, see Checking Authentication Context when OAM is acting as SP.

  • Changing Default Consent Acknowledgment Expiry Time

    A new custom attribute consentAcknowledgeExpiryTimeInSeconds allows you to change the default expiry time to acknowledge the consent approval. For details, see Changing Default Consent Acknowledgment Expiry Time.

  • Ability to set the expiry time for ID_TOKEN

    You can set an expiry time for ID_TOKEN instead of using the expiry time in the ACCESS_TOKEN settings. For details, see Creating an Identity Domain.

  • User Password Change Validation

    Setting the property userPasswordChangeCheckEnabled=true in oam-config.xml enables validation of tokens that were generated before the user's password was changed. For details, see Enabling User Password Change Validation.

  • Client Secret Expiration and Rotation

    By using the custom attribute oldSecretRetentionTimeInDays, you can configure the time for which the old client secret will continue to work. This custom attribute can be defined both at the domain-level and at the client-level. However, the value defined at the client-level takes precedence. For details, see Table 39-1.

  • Ability to Customize Issuer discovery identifier and Iss Token Claim

    With this enhancement, you can mask or omit the port in the issuer and customize the path component in the OpenID configuration. For details, see Custom Issuer Support.

    Note:

    To enable the Custom Issuer Support feature, perform a GET operation on the /DeployedComponent/Server/NGAMServer/Profile/ssoengine/OAuthConfig endpoint followed by a PUT operation on the same endpoint. This ensures that the configuration that has already been applied continues to be effective.

  • Added New Field to View API Key

    With this release a new field API Key is added in the partner details screen. This field allows administrators to share the key details with the relevant partners for secure updates. For details, see Configuring the Signing and Encryption Key.

  • Ability to mask SAML Response attribute in OAM Log Messages

    With this release, Oracle Access Management masks SAML Response attributes in OAM log messages. For details, see Masking SAML Attributes in Log Records.

Updates in October 2023 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • New parameter to fetch the authorization grant details

    A new request parameter, response_mode, determines how the authorization server returns the result parameters (such as the authorization grant) from the authorization endpoint to the redirect_uri, in the format appropriate to the selected mode. For details, see Table 40-7.

  • Support for authentication in multiple browser tabs

    OAM supports authentication in multiple browser tabs when the serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.
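
The response_mode item above says only that the parameter selects the format in which result parameters reach the redirect_uri. The following added example (written for this page, not Oracle's code) shows what the three common modes actually produce on the wire. The mode names query, fragment and form_post come from the OAuth 2.0 Multiple Response Type and Form Post Response Mode specifications; whether all of them appear in Table 40-7 is an assumption, and the validation rules applied to redirect_uri are the author's choice, not OAM's.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_authorization_response(redirect_uri: str, params: dict, response_mode: str = "query") -> str:
    """Return what the authorization endpoint hands back to the user agent.

    query     -> redirect URL with the parameters appended to the query string
    fragment  -> redirect URL with the parameters in the URL fragment (never sent to the server)
    form_post -> HTML page that auto-submits the parameters as a POST body
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI must not include a fragment.
        raise ValueError("redirect_uri must not contain a fragment component")
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("redirect_uri must use https")

    if response_mode == "query":
        # Keep any query the client registered and append the result parameters.
        merged = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
        return urlunsplit(parts._replace(query=urlencode(merged)))

    if response_mode == "fragment":
        return urlunsplit(parts._replace(fragment=urlencode(params)))

    if response_mode == "form_post":
        # Every value is HTML-escaped: the code and state are attacker-influenced strings.
        inputs = "".join(
            f'<input type="hidden" name="{html.escape(str(k), quote=True)}" '
            f'value="{html.escape(str(v), quote=True)}"/>'
            for k, v in params.items()
        )
        return (
            "<!DOCTYPE html><html><head><title>Submit</title></head>"
            '<body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(redirect_uri, quote=True)}">'
            f'{inputs}<noscript><button type="submit">Continue</button></noscript>'
            "</form></body></html>"
        )

    raise ValueError(f"unsupported response_mode: {response_mode!r}")
```

The security difference between the modes is where the authorization code ends up: with query it appears in the redirect URL and therefore in server access logs and Referer headers; fragment keeps it in the browser; form_post keeps it out of the URL entirely.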

Updates in October 2022 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in October 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • OAM SAML 2.0 Supported Encryption Algorithms

    OAM supports AES-GCM encryption modes.

    For details, see OAM SAML 2.0 Supported Encryption Algorithms and Changing Default Encryption Algorithm.

  • Two-way SSL for OAP over REST Communication

    You can enable mutual authentication for OAP over REST between WebGate and the OAM Server, ensuring that the server communicates only with authentic clients.

    For details, see Enabling two-way SSL for OAP over REST.

  • TOTP-based Multi Factor Authentication in OAM

    You can configure MFA using the configureMFA command with config-utility.jar.

    For details, see Configuring TOTP-based Multi Factor Authentication in OAM.

  • Token Signing Using Third-Party Certificates

    Access tokens can be signed using a self-signed key pair generated out-of-the-box. In this release, OAM extends the support to allow signing of access tokens using third-party key pairs.

    For details, see Token Signing Using Third-Party Certificates.

  • Mutual-TLS (mTLS) Client Authentication in OAM

    In TLS authentication, the server confirms its identity by producing a certificate (public key), which is then verified by the TLS verification process. In mTLS (mutual-TLS), along with the server, the client's identity is also verified. The TLS handshake is utilized to validate the client's possession of the private key corresponding to the public key in the certificate and to validate the corresponding certificate chain.

    For details, see Configuring Client Authentication and Configuring mTLS Client Authentication.

  • Custom Claims

    OAM extends the ability to define the custom claims using templates that can be configured at client or domain level. The custom claims can be included in all the access tokens, ID tokens and userinfo. You can also perform value transformation as well as value filtering of the custom claim.

    For details, see Custom Claims.

  • OAuth Access Token Maximum Size

    The default OAuth access token length limit has been increased to 7500. This value can be overridden using the OAuth Identity Domain custom parameter accessTokenMaxLength.

  • OAuth Client Update - Support for PATCH Request

    Introduces support for PATCH requests when modifying OAuth clients. With a PATCH operation, OAM appends the scopes in the request to the client's existing scopes; redirect_uris, grant types, and custom attributes are merged the same way. The existing PUT operation replaces the contents of the OAuth client parameters with the values from the request.

Updates in January 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Recommendation to Use Embedded Credential Collector (ECC) in OAM 12c

    It is recommended that you use ECC for the new features introduced in OAM 12c. Some of the new features introduced in OAM 12c do not support DCC. For example, OpenIDConnect with DCC is not supported.

    For additional details, see Doc ID 2634863.1 at https://support.oracle.com.

    Also see Overview of Access Manager Credential Collection and Embedded Credential Collector Versus Detached Credential Collector.

  • Proof Key for Code Exchange (PKCE) Support in OAM

    Introduces PKCE support in the existing OAM OAuth Authorization Code Grant Flow. It can be used to enhance the security of the existing 3-legged OAuth, mitigating possible authorization code interception attacks. You can enable PKCE at the domain level or just for a specific client.

    Note:

    OAM validates the code_challenge as Base64 with padding. To obtain RFC-compliant behavior for the code_challenge (Base64url without padding, as described in https://tools.ietf.org/html/rfc7636#appendix-A), you must download and apply OAM Patch 32406872. For details, see the note How To Enable OAuth Proof Key For Code Exchange (PKCE) in Oracle Access Manager (OAM) 12.2.1.4 (Doc ID 2755209.1) at https://support.oracle.com.

    OAM will support only the RFC compliant behavior in all the subsequent releases.

    For more information, see Proof Key for Code Exchange (PKCE) Support in OAM.

  • Keep the OAUTH_TOKEN Response Unset

    OAM provides an option to not set the OAUTH_TOKEN cookie or header when SSO Session Linking is enabled. You must set the challenge parameter IS_OAUTH_TOKEN_RESPONSE_SET to false.

    Note:

    If IS_OAUTH_TOKEN_RESPONSE_SET is not configured, or set to true then the OAUTH_TOKEN cookie/header is set.
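
The PKCE item above turns on a padding detail: the unpatched server expected the S256 code_challenge with Base64 padding, while RFC 7636 requires base64url without padding. The following added example, written for this page and not Oracle's code, generates a verifier, derives the challenge both ways, and shows a token-endpoint check that accepts only the RFC form unless a legacy flag is set. The function names and the accept_padded flag are assumptions for illustration; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url_no_pad(raw: bytes) -> str:
    """RFC 7636 Appendix A: base64url encoding with the trailing '=' removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: a high-entropy verifier of 43..128 characters.
    32 random bytes encode to exactly 43 base64url characters."""
    return b64url_no_pad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str, padded: bool = False) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).

    padded=True reproduces the non-compliant, padded form the page says the
    unpatched server validated against; it exists only so the two can be compared."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    if padded:
        return base64.urlsafe_b64encode(digest).decode("ascii")
    return b64url_no_pad(digest)


def server_verify(stored_challenge: str, method: str, presented_verifier: str,
                  accept_padded: bool = False) -> bool:
    """Token-endpoint check of the verifier against the challenge stored with the code.

    accept_padded models a server that still tolerates the legacy padded challenge
    (an assumption for illustration); an RFC-compliant deployment leaves it False."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "plain":
        candidates = [presented_verifier]
    elif method == "S256":
        candidates = [code_challenge_s256(presented_verifier)]
        if accept_padded:
            candidates.append(code_challenge_s256(presented_verifier, padded=True))
    else:
        return False
    # Constant-time comparison; the stored challenge is attacker-supplied data.
    return any(secrets.compare_digest(c, stored_challenge) for c in candidates)
```

A client that sends the RFC form to an unpatched server, or a padded challenge to a patched one, fails at the token endpoint with an invalid_grant style error rather than at authorization time, which is the symptom to look for when a PKCE rollout breaks after the patch is applied.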

Updates in October 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • Support for AWS Role Mapping Attribute in SAML Response

    Introduces a new function that can be configured in SP Attribute Profile for supporting the AWS role mapping attribute in SAML response.

    For details, see AWS Role Mapping Attribute in SAML Response.

  • Support for Attribute Value Mapping and Filters in OAM Federation

    OAM Federation already supported Attribute Name Mapping. This release extends that support with Attribute Value Mapping and Attribute Filtering.

    For details, see Using Attribute Value Mapping and Filtering.

Updates in July 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

Updates in April 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)

This revision of Oracle® Fusion Middleware Administering Oracle Access Management contains feature updates and addresses bug fixes.

  • OAuth Consent Management

    Provides the capability to manage user consents, persist them, and revoke them across data centers. Consent revocation is available both to administrators and to individual users.

    For details, see Enabling Consent Management and Enabling Consent Management on MDC.

  • OAuth Just-In-Time (JIT) User Linking and Creation

    Provides the capability to provision users automatically. The ID token received from the IdP carries user attributes such as userId, user name, first name, last name, and email address, which can be used to link the user to an entry in the local identity store or to create that entry if it does not exist.

    For details, see OAuth Just-In-Time (JIT) User Provisioning.

  • OAM Snapshot Tool

    Provides tooling to create a snapshot of the OAM Domain with all its configurations, persist it, and use it for creating fully functional OAM Domain clones.

    For details, see Using the OAM Snapshot Tool.

Features of Oracle Access Management 12c Release 2 (12.2.1.4.0)

Oracle Access Management 12c (12.2.1.4.0) includes the following features:

  • Passwordless Login

    Passwordless authentication allows you to bypass the standard web form based authentication when using a mobile device. For details, see Using Passwordless Authentication with OAM.

  • Dynamic Client Registration

    Dynamic Client Registration (DCR) provides a way for native mobile apps (Android) to register dynamically as clients with the OAuth server (OAM). For details, see Dynamic Client Registration.

  • OAP over REST

    Oracle Access Protocol (OAP) over REST enables the use of HTTP(S) infrastructure to route and load-balance requests. Changing the transport mechanism between WebGate and the server reduces operational cost for hybrid deployments where some components are on-premise and others have moved to the cloud. For details, see Securing Communication between OAM Servers and WebGates using OAP over REST.

  • WebGate using PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication

    When Simple/Cert Mode communication occurs, WebGate ensures that only the valid, approved cipher suites defined by the administrator are used. For details, see About WebGate Usage of PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication in Administering Oracle Access Management.

  • HealthCheck Framework

    The HealthCheck Framework enables health checks on servers. These checks can be performed using the REST API or by scheduling periodic checks on the server; each schedule can be associated with a specified set of tests to run. For details, see Monitoring Server Health with Health Check Framework.

  • Modified UserInfo Response

    The format of the UserInfo response for OAuth flows is modified with the following changes:

    • Two new parameters, guid and sub, are included in the response.
    • The Profile, Email, Address, and Phone parameters are returned directly under the root instead of in a separate container for each group.
    • The parameters email_verified and phone_number_verified are returned as booleans.

    For example:

    {
        "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
        "sub": "weblogic",
        "family_name": "weblogic",
        "preferred_username": "weblogic",
        "updated_at": "1548740667872",
        "email_verified": false,
        "phone_number_verified": false
    }

    To retrieve the user info attributes in the older format (see the following example), set the custom attribute UserInfoScopeCont to true at the domain level.

    Sample UserInfo response format when the custom attribute UserInfoScopeCont is set:

    {
        "profile": {
            "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
            "sub": "weblogic",
            "family_name": "weblogic",
            "preferred_username": "weblogic",
            "updated_at": "1548743708100"
        },
        "email": {
            "email_verified": false
        },
        "address": {},
        "phone": {
            "phone_number_verified": false
        }
    }

  • Policy Cache Resiliency

    Improved resilience of the managed servers: each server can read, validate, and replace its policy cache in a small step, while building the cache is delegated to the Admin Server. The policy cache is now distributed from the Admin Server to the managed servers in a write-once, read-many fashion, reducing contention between the policy caches of the multiple OAM servers in a cluster.

    Policy cache can be fine-tuned using parameters. For details, see Configuring Policy Cache Parameters.
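
The Modified UserInfo Response item above leaves a relying party with two layouts to handle, depending on whether UserInfoScopeCont is set on the domain it talks to. The following added example, written for this page and not Oracle's code, normalizes either layout into one flat claim dictionary, coerces the verified flags to booleans in case an older deployment still returns them as strings, and performs the subject check a client must do before trusting the claims. The two sample payloads are copied from the page; the function names and the legacy-detection rule (a dict under "profile" marks the container layout) are the author's assumptions.

```python
import json

LEGACY_CONTAINERS = ("profile", "email", "address", "phone")
BOOLEAN_CLAIMS = ("email_verified", "phone_number_verified")


def normalize_userinfo(payload) -> dict:
    """Flatten either UserInfo layout into one claim dict and coerce the verified flags."""
    data = json.loads(payload) if isinstance(payload, (str, bytes)) else dict(payload)
    # Assumption: a JSON object under "profile" identifies the UserInfoScopeCont=true layout.
    legacy = isinstance(data.get("profile"), dict)
    claims = {}
    for key, value in data.items():
        if legacy and key in LEGACY_CONTAINERS and isinstance(value, dict):
            claims.update(value)      # lift the container's claims to the root
        else:
            claims[key] = value
    for name in BOOLEAN_CLAIMS:
        if name in claims and not isinstance(claims[name], bool):
            claims[name] = str(claims[name]).strip().lower() == "true"
    if "sub" not in claims:
        raise ValueError("UserInfo response has no 'sub' claim")
    return claims


def check_subject(claims: dict, id_token_sub: str) -> bool:
    """OpenID Connect Core 5.3.2: the sub in the UserInfo response must equal the
    sub of the ID token the access token was issued with; otherwise discard the claims."""
    return claims.get("sub") == id_token_sub


# Sample responses as shown on the page (flat layout, then UserInfoScopeCont=true layout).
FLAT_SAMPLE = """{
    "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
    "sub": "weblogic",
    "family_name": "weblogic",
    "preferred_username": "weblogic",
    "updated_at": "1548740667872",
    "email_verified": false,
    "phone_number_verified": false
}"""

LEGACY_SAMPLE = """{
    "profile": {
        "guid": "6C9CF210194A11E99FB45DDD0C60B95A",
        "sub": "weblogic",
        "family_name": "weblogic",
        "preferred_username": "weblogic",
        "updated_at": "1548743708100"
    },
    "email": {"email_verified": false},
    "address": {},
    "phone": {"phone_number_verified": false}
}"""
```

Treating a missing sub as an error rather than defaulting to preferred_username matters because preferred_username is not guaranteed unique or stable, while sub is the identifier the ID token was bound to.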