Learn how to prepare for and what to expect before and after the upgrade to Oracle Cloud Infrastructure Identity and Access Management (IAM).
If you received an email with the subject line: Announcement: Upcoming Exception Maintenance to upgrade Fusion Apps identity management, your account has been selected for the upgrade to Oracle Cloud Infrastructure Identity and Access Management (IAM).
What Is Happening?
In an upcoming exception maintenance of Fusion Applications, the user identity service associated with your Fusion environments will be upgraded to Oracle Cloud Infrastructure Identity and Access Management (IAM).
The new OCI IAM experience in Oracle Cloud Console provides enhanced capabilities for managing authentication, sign-on policy, single sign-on (SSO), multi-factor authentication (MFA), and identity lifecycle management.
The identity upgrade process requires downtime. The duration will be specified in the notification when you receive the identity upgrade schedule.
Upon completion of the identity upgrade, you will receive an email notification. If post-upgrade actions for an environment are required, you will be able to acknowledge that the actions are completed in the Oracle Cloud Console under the Fusion Applications environment family page.
Where can I learn more?
For more information regarding identity and access management using IAM, see IAM with Identity Domains.
If you have concerns, reach out to Oracle Support by opening a Support Request (SR). Select these options to describe your issues:
Service Group: Oracle Cloud Applications
Service: Any Fusion Product
Service Category: SaaS Console services (Outage, Provision, P2T/T2T, Resize, Environment and User Management)
Sub-Category: Fusion Identity Upgrade
Identity Upgrade Cadence
The identity upgrade is scheduled in a non-quarterly update month for your environment family.
Non-production cadence: Identity upgrade of environments on non-production cadence will be performed in the second week of the scheduled month at around the same time as the environment's maintenance slot.
Production cadence: Identity upgrade of environments on production cadence will be performed in the fourth week of the scheduled month at around the same time as the environment's maintenance slot.
The identity upgrade is scheduled to match the maintenance slot for the Fusion Applications quarterly update as closely as possible; however, your environments may be scheduled a few hours earlier or later.
Note that the first week of the month is defined as the first week that begins on a Sunday. For example, the first week of March, 2025 is Sunday, March 2, 2025 to March 8, 2025.
Required Actions
No action required: If your Fusion environment is not configured with federated SSO or used as the identity provider for other Oracle application environments, then there are no required pre-upgrade or post-upgrade actions. However, we recommend that you review this document to understand and prepare for this upgrade.
Action required before the identity upgrade: If your Fusion Applications environments use federated SSO with an identity provider, you are required to complete the following actions at least 72 hours before the scheduled downtime of the first environment to ensure continued access to your Fusion Applications. Steps for these tasks are detailed in Pre-upgrade tasks for federated SSO environments.
We recommend that you complete the required action as soon as possible, at least 10 days before the scheduled downtime of the first environment, to ensure that you have time for any troubleshooting. If you have not completed the required action 72 hours before the scheduled upgrade, the identity upgrade of the entire environment family will be automatically canceled. You then must open a Support Request (SR) to reschedule the identity upgrade.
Action required after Identity Upgrade: If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quote), SelectMinds, etc.) using a Fusion environment as the federated SSO identity provider for users to log in to the applications, you must complete the post-upgrade tasks and test the single sign-on integration to ensure that federated SSO continues to function correctly. Sign-on to these other Oracle applications will not function until you have completed the post-upgrade actions.
Notification and Scheduling
You will be notified by email when the identity upgrade is scheduled as follows:
If you have environments with federated SSO, you will be notified approximately 90 days in advance of the exception maintenance for the environment family.
If you do not have environments with federated SSO, you will be notified approximately 30 days in advance of the exception maintenance.
After your environments have been scheduled for upgrade, you can go to the Oracle Cloud Console to view the schedule for your Fusion environments, review the details of required actions (if applicable), and confirm completion of the required actions. To view the identity upgrade schedule:
Sign in to the Oracle Cloud Console and navigate to your environment family: On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you are in the correct compartment).
On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
The Identity Upgrade tab is only available after your environments have been scheduled.
Cancellation and Rescheduling
If there are pre-upgrade required actions for any of your Fusion Application environments, and the required actions are not completed 72 hours before the scheduled downtime of the first environment, the identity upgrade for all of your Fusion environments in the environment family will be automatically cancelled 72 hours before the scheduled downtime of the first environment.
A cancelled identity upgrade is reflected in the Oracle Cloud Console.
Reschedule Identity Upgrade
To reschedule the identity upgrade, open a Support Request (SR) to schedule a downtime.
You will be offered a selection of downtime windows, as this is a scheduled maintenance.
Once the reschedule is recorded, it is shown in the Oracle Cloud Console.
After the Identity upgrade completes successfully, test that sign-on to Fusion environments is working as expected. If you encounter any issue, reach out to Oracle Support by logging a Support Request (SR).
If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quote), SelectMinds, etc.) that use the Fusion environment to federate SSO, you must complete the Post-Upgrade Tasks and test the single sign-on integration to ensure that federated SSO continues to function correctly for other Oracle applications. Sign-on to these other Oracle applications will not function until you have completed the post-identity upgrade actions.
Changes to Account Sign-In Page
The account sign-in page will be different for your application users. Users who selected the Company Single Sign-On button will see a different option.
Identity Upgrade Checklist
Use this page as a guide to help you complete required and recommended actions before and after the upgrade of your Fusion Applications environments to IAM.
Review the entire Identity Upgrade Overview document to understand the change and the required and recommended actions for you.
Inform your Fusion Applications Service Administrators about this upcoming change and share this information with them.
If your organization works with implementation partners to manage your Fusion Applications, share this information with them. Be sure to inform them that many environment lifecycle activities previously handled by Oracle Support (including environment refresh) will be self-service and will no longer be processed by Oracle Support.
If your organization has Oracle Break Glass for Fusion Cloud Service, inform your approvers that after the conversion they will need to log in to the Oracle Cloud Console to approve break glass requests. If the original approvers are no longer with the organization, file a Support Request to have them removed. If you are not sure who your break glass approvers are, file a Support Request to get the list.
In addition to federated SSO, your environments might also have an Identity Provider-initiated federation flow (an authentication flow that doesn't go through the Fusion Applications sign-on page) that needs to authenticate against a different identity system. The same pre-upgrade tasks also need to be completed.
Pre-upgrade tasks for non-federated SSO environments
If you do not have federated SSO, there are no pre-upgrade tasks for you to complete.
You can monitor the schedule and progress of the upgrade on the details page of the environment family.
Pre-upgrade tasks for federated SSO environments
If your Fusion Applications environment is configured with federated SSO that uses an identity provider to authenticate your users, you must complete the required actions before the identity upgrade. You are required to complete the following actions at least 72 hours before the scheduled downtime of the first environment. If the actions are not completed, the identity upgrade of your Fusion environments will be canceled and must be rescheduled for another time.
The required actions are:
Configure the Service Provider: Export the SAML metadata file for the environment's associated identity domain from the Oracle Cloud Console to configure the service provider in your corporate identity system.
Configure and test the Service Provider in your corporate identity system that federates SSO.
Acknowledge that the Service Provider setup is completed as part of the pre-upgrade required actions on Oracle Cloud Console.
The following sections describe these steps in detail.
Download the SAML Metadata File
When your Fusion environment with federated SSO is scheduled for identity upgrade, Oracle will automatically create the corresponding Identity Providers in OCI IAM based on the Fusion environment's latest configuration. You are not required to create Identity Providers manually.
In this step, export (download) the SAML metadata file for the corresponding Fusion environment from the Oracle Cloud Console. The SAML file contains the necessary information to enter into your corporate identity system.
To download the SAML metadata file for a Fusion environment:
Log in to the Oracle Cloud Console.
On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you are in the correct compartment).
On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
Select Action required in the Pre-upgrade actions column of the corresponding Fusion environment.
Select Download to download the SAML metadata file.
If you have multiple identity providers configured, only download one copy of the SAML metadata file. The file is the same for all of your identity providers for the corresponding Fusion environment.
Configure and Test the Service Provider
After you download the SAML metadata file, use a text editor to view the file. Use the information in the file to configure a new service provider in your corporate identity system.
If you have multiple identity providers, you need to configure a new service provider for each identity provider.
After the service providers are configured, use your valid credentials for each identity provider to test the login page. Follow these steps to test the sign-on process to confirm that integration of federated SSO is working:
Log in to the Oracle Cloud Console.
On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you are in the correct compartment).
On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
Select Action required in the Pre-upgrade actions column of the corresponding Fusion environment.
Select Test login to launch the sign-on page.
Enter valid credentials (username and password).
Confirm that the credentials are authenticated by your corporate identity system successfully. If this is not confirmed, make sure that the credential is correct and that the service provider configuration in your corporate identity system is entered correctly.
Repeat steps 7-9 for any additional identity providers. Proceed to the next step only after you have successfully completed the test login for all of your identity providers.
Select the checkbox to Confirm Identity Provider readiness and then select Submit.
The environment Pre-upgrade actions column is updated to Confirmed.
Post-Upgrade Tasks
You will be notified when the identity upgrade is completed for each of your environments.
Post-upgrade tasks for non-federated environments
If your Fusion Applications environment is not configured with federated SSO, verify that your users can log in to the Fusion Applications environments successfully.
Post-upgrade tasks for environments configured with federated SSO
If your Fusion Applications environment is configured with federated SSO, verify that your users can log in to the Fusion Applications environments via SSO successfully.
Post-upgrade tasks for environments used as the identity provider for other applications
If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quote), SelectMinds, etc.) using a Fusion environment to federate SSO for users to log into the applications, you must complete the post-identity upgrade actions and test the single sign-on integration to ensure that federated SSO continues to function correctly.
Log in to the Oracle Cloud Console.
On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
On the Fusion Applications Overview page, select Environment families, and then select the name of your environment family. (If you don't see your resources, ensure that you are in the correct compartment).
On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab to view your schedule.
Select Action required in the Post-upgrade actions column of the corresponding Fusion environment.
Follow the instructions to configure and activate an identity provider in your other Oracle applications:
Download the SAML metadata.
Use the information in the SAML metadata to configure, test and activate a new identity provider in your other Oracle application.
Acknowledge that the identity provider setup is complete in your other Oracle application.
Repeat Step 6 for all of your other Oracle applications that use the Fusion Applications environment as an identity provider.
Planning and Considerations for the Identity Upgrade
Be aware of the following potential impacts before, during, and after the upgrade:
Enabling Federated Single Sign-On (SSO) Before the Identity Upgrade
Plan Environment Lifecycle Activities to Avoid Conflicts with the Identity Upgrade
Certain lifecycle activities are impacted during the upgrade process. These are:
Refresh
Refresh can only be performed if the source Fusion environment and the target Fusion environment have the same upgrade status. That is, either both haven't started identity upgrade, or both have completed identity upgrade.
Install Language
When the identity upgrade is in progress, you can't install and activate additional languages in a Fusion Applications environment. You can install languages when the identity upgrade completes and the environment Lifecycle state returns to Active.
FAQs
Get answers to common questions about the identity upgrade.
As part of Oracle's efforts to modernize the technology stack for Fusion Applications, this exception maintenance is to upgrade the identity and access management for your Fusion environments to Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). OCI IAM provides the latest features for managing authentication, sign-on policy, single sign-on (SSO), and multi-factor authentication (MFA). Oracle Cloud Infrastructure Identity and Access Management (IAM
Downtime is required to perform the identity upgrade. Your environment will not be available or accessible during identity upgrade. You will be notified when the identity upgrade completes.
Self-service lifecycle activities cannot be performed starting from 72 hours before the identity upgrade until it completes. The affected activities include: scheduling environment refresh, starting refresh, installing a language pack, setting up customer-managed keys, and so on.
Additionally, refresh between an environment that has completed the identity upgrade and another that has not completed the identity upgrade (and vice versa), cannot be scheduled or performed. Refresh can only be scheduled and performed when both the source and target environments have the same identity upgrade status.
To find the identity domain for a Fusion Applications environment:
On the Applications Home of the Console, under My applications, select Fusion Applications to list your environments.
Select the name of the environment.
On the environment details page, on the Environment information panel at the top, select the Associated identity domain. This opens the details page for the identity domain for the environment.
When you sign in to a Fusion Applications environment, if you see the Company Single Sign-On button or your company's sign-in page, then your environment has federated single sign-on.
If you have other Oracle Applications, for example, Taleo, CPQ (Oracle Configure, Price, Quote), and others, that use a Fusion Applications environment as the identity provider, then the Fusion Applications environment is federated.
Otherwise, the Fusion Applications environment is not federated.
You will be notified about the downtime schedule in advance. If any of your environments are enabled with federated single sign-on (SSO), we will send a notification 90 days in advance. If none of your environments have federated SSO enabled, we will send a notification 30 days in advance.
Once you receive the notification about the identity upgrade, you can log in to the Oracle Cloud Console and navigate to the Fusion Applications environment family page to view the schedule for your environments:
Sign in to the Oracle Cloud Console.
On the Applications Home of the Console, under Subscriptions, select Go to service on the Fusion Applications tile.
On the environment family details page, under Resources, select Maintenance, and then select the Identity Upgrade tab.
The identity upgrade will not occur in the same month as a quarterly update. To avoid taking multiple downtimes in a month, the identity upgrade will be scheduled in the months after your environments receive a quarterly update.
In general, we expect to schedule the identity upgrade of your environments in the same maintenance slot (time window) in which the environments receive the quarterly update. We may schedule the identity upgrade in a time window different from the maintenance slot.
At least one of your non-production environments must have completed the upgrade before we perform the identity upgrade of your production environment. You will see your environments in the non-production cadence scheduled for identity upgrade before the environments in the production cadence.
If the schedule does not work for you, contact Oracle Support to reschedule the upgrade for a convenient time. Reach out to Oracle Support by logging a Support Request (SR).
The identity upgrade is expected to take 1 to 2 hours, or up to a few hours if your environments have many users.
In the Oracle Cloud Console, use these selections when logging a Support Request (SR):
Technical Issues
Service Group: Oracle Cloud Applications
Service: Any Fusion product
Service Category: SaaS Console Services (Outage, Provision, P2T/T2T, Resize, Environment and User Management)