Identity Upgrade Overview

The identity upgrade is scheduled in a non-quarterly update month for the environment family.

Non-production cadence: Identity upgrade of environments on non-production cadence is performed during the second week of the scheduled month at around the same time as the environment's maintenance slot.

Production cadence: Identity upgrade of environments on production cadence is performed during the fourth week of the scheduled month at around the same time as the environment's maintenance slot.

The Identity upgrade is scheduled to match as closely as possible to the same maintenance slot for the Fusion Applications quarterly update, however, the environments might be scheduled a few hours earlier or later.

Note that the "first week of the month" is the week with the first Friday of a month where the week starts from the prior Sunday. For example, the first week of March, 2025 is the week from Sunday, March 2, 2025 to March 8, 2025.

No action required: If the Fusion environment isn't configured with federated SSO or used as the Identity provider for other Oracle application environments, then there are no pre-upgrade or post-upgrade required actions. However, we recommend that you review this document to understand and prepare for this upgrade.

Action required before the Identity upgrade: If the Fusion Applications environments use federated SSO with an Identity provider, you're required to complete the following actions at least 72 hours before the scheduled downtime of the first environment to ensure continued access to your Fusion Applications. Steps for these tasks are detailed in Pre-upgrade tasks for federated SSO environments.

We recommend that you complete the required action as soon as possible, at least 10 days before the scheduled downtime of the first environment, to ensure that you have time for any troubleshooting. If you haven't completed the required action 72 hours before the scheduled upgrade, the Identity upgrade of the entire environment family is automatically canceled. You must then open a Support Request (SR) to reschedule the upgrade.

Action required after Identity upgrade: If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quota), and SelectMinds) using a Fusion environment as the federated SSO Identity provider for users to sign in to the applications, you must complete the post-upgrade tasks and test the single sign-on integration to ensure that federated SSO continues to function correctly. Sign in to these other Oracle applications doesn't function until you have completed the post-upgrade actions.

You're notified by email when the Identity upgrade is scheduled as follows:

• If you have environments with federated SSO, you're notified about 90 days in advance for the environment family.
• If you don't have environments with federated SSO, you're notified about 30 days in advance.

After the environments have been scheduled for the upgrade, you can go to the Oracle Cloud Console to view the schedule for the Fusion environments, review the details of required actions (if applicable), and complete the required actions. To view the Identity upgrade schedule:

The Upgrade status displays one of these values:

• "-" : The environment requires Identity upgrade, however, it hasn't been scheduled.
• Scheduled: The environment upgrade has been scheduled.
• In progress: The environment upgrade is in progress.
• Succeeded: The environment upgrade has completed.
• Canceled: The environment upgrade has been canceled. Identity upgrade is rescheduled. As soon as Identity upgrade has been rescheduled, the status is changed to Scheduled with a new scheduled date.
• Failed: In rare event the environment upgrade has failed. Oracle will keep you updated and resolve the issue.
• Not required: The environment is already on OCI IAM. It doesn't require Identity upgrade.

The Pre-upgrade actions displays one of these values:

• "-" : The environment doesn't have Federated SSO. No action is required.
• Pending: The environment is enabled with Federated SSO. The required actions haven't been completed and acknowledged by administrator.
• Completed: The required actions have been completed and acknowledged by administrator.

The Post-upgrade actions displays one of these values:

• "-" : The environment doesn't have other applications using this Fusion Applications environment as Identity provider. No action is required.
• Pending: The required post-upgrade actions haven't been completed and acknowledged by the administrator.
• Completed: The required post-upgrade actions have been completed and acknowledged by the administrator.

If there are pre-upgrade required actions for any of the Fusion Application environments, and the required actions aren't completed 72 hours before the scheduled downtime of the first environment, the Identity upgrade for all the Fusion environments in the environment family are automatically canceled.

The canceled Identity upgrade is reflected in the Oracle Cloud Console.

Reschedule Identity Upgrade

To reschedule the Identity upgrade, open a Support Request (SR) to schedule a downtime.

• You're offered a selection of downtimes as this is a scheduled maintenance.
• After the reschedule is recorded, it's shown in the Oracle Cloud Console.
• You're notified as described in Notification and Scheduling.

If you don't open a support request, Oracle will schedule the upgrade to a future date.

After the Identity upgrade completes successfully, test sign in to the Fusion environments is working as expected. If you encounter any issues, contact Oracle Support by submitting a Support Request (SR).

If you have other Oracle applications (such as Taleo, CPQ (Configure, Price, Quota), SelectMinds, and so on.) that use the Fusion environment to federate SSO, you must complete the Post-Upgrade Tasks and test the SSO integration to ensure that federated SSO continues to function correctly for other Oracle applications. Sign in to these Oracle applications doesn't function until you complete the post-identity upgrade actions.

Changes to Account Sign-In Page

The account sign-in page is different for your applications users. See Changes in Oracle Fusion Cloud Applications sign in page for more details.

Users who select the Sign-in button don't experience any changes. They continue to see the same SSO sign-in page.

If you don't have federated SSO, there are no pre-upgrade tasks for you to complete.

You can monitor the schedule and progress of the upgrade on the details page of the environment family.

You must complete the required actions before Identity upgrade if the Fusion Application environments has federated SSO that uses an Identity provider to authenticate the users. You're required to complete the following actions 72 hours before the scheduled downtime of the first environment. If the actions aren't completed, the Identity upgrade of the Fusion environments is canceled and must be rescheduled for another time.

The required actions are:

1. Download SAML metadata from the Oracle Cloud Console. You must export the SAML metadata file for the environment's associated Identity domain from the Oracle Cloud Console to configure the service provider in the corporate Identity system.
2. Configure the Service Provider (SP) in the corporate Identity system that federate SSO.
3. Update and test the Identity providers in the Oracle Cloud Console.
4. Acknowledge Identity Provider Readiness in the Oracle Cloud Console.

The following sections describes these steps in detail.

Download the SAML Metadata File

When the Fusion environment with federated SSO is scheduled for Identity upgrade, Oracle will automatically create the corresponding Identity provider based on the federated SSO configuration of the Fusion environments.

In this step, you must export (download) the SAML metadata file for the corresponding Fusion environment from the Oracle Cloud Console. The SAML file contains the necessary information to be entered into the corporate identity system. Each SAML metadata file is different and specific to each Fusion Applications environment. Ensure to label the SAML metadata files so they're not mixed up.

Step 1 - Follow these steps to download the SAML metadata file for a Fusion environment:

1. Sign in to the Oracle Cloud Console and navigate to the Environment family page.
2. On the Environment families page, select the name of the environment family. If you don't see the resources, ensure that you're in the correct compartment.
3. On the Environment family details page, select Maintenance tab, and scroll to Identity upgrade section to view the schedule.
4. Select the Federated SSO environment and select the Pre-upgrade actions button.
5. In the Pre-upgrade actions panel, select the Download button. This downloads the SAML metadata file (Metadata.xml), representing the Identity domain for the federated SSO environment, to the location selected by the browser setting.

Configure and Test the Service Providers

Step 2 - Configure a new service provider for each of the federated Fusion Applications environments in the corporate Identity system. This configuration decides how the Fusion Application environments will federate SSO after the Identity upgrade. Some Identity provider systems use the term Enterprise applications instead of Service provider.

Use a text editor to review the downloaded SAML metadata file to retrieve the data necessary to configure a new service provider.

If you have several Identity providers, you must configure a new service provider for each Identity provider with the information in the downloaded copy of the SAML metadata file. Use the same SAML file for each of the Identity providers for the corresponding Fusion environment.

After the service providers are configured, download the SAML metadata for each of the service providers from the corporate identity system.

Step 3 - Update and test the Identity providers.

To perform step 3 of the pre-upgrade actions, you need:

1. The SAML metadata for the service provider that you configured in the Identity system.
2. You must be an Identity domain administrator and tenancy administrator in Oracle Cloud Console to update Identity provider configuration in IAM.
3. You need the credential to sign in to each of the Identity domain of the Fusion environments.
4. You have signed in to Oracle Cloud Console as Cloud/Tenancy administrator, and as the Domain administrators for each of the Fusion Identity domains.
5. You need a valid credential for each of the Service providers configured in the Identity system to test the sign-in page.

The main goal of step 3 is to update the Identity provider configuration in OCI IAM with the SAML metadata file that you downloaded from step 2. Then test the connectivity and authentication between OCI IAM and the corporate Identity system.

Follow these steps to update the Identity providers and test the sign-in process to confirm that integration of federated SSO from OCI IAM to the Identity provider is working:

1. Sign in to the Oracle Cloud Console and navigate to the Environment family page.
2. On the Environment families page, select the name of the environment family. If you don't see the resources, ensure that you're in the correct compartment.
3. On the Environment family details page, select Maintenance tab, and scroll to Identity upgrade section to view the schedule.
4. Select the Federated SSO environment and select the Pre-upgrade actions button.
5. In the Pre-upgrade actions panel, select the Identity provider and then select the Update button.
6. In the Import SAML panel, select the Drop a file or select one area and then select the SAML metadata of the service provider that you downloaded from step 2.
7. Select Import button. Upon successful import the Success - Import IDP metadata successful message is displayed briefly.
8. Select the Identity provider that you updated and then select the Test button.
9. If you haven't signed in to the Identity domain of the Fusion Applications environment in the current browser session, the Oracle Cloud Console presents a sign-in page to ensure you're authorized to test the Identity provider.

   Enter username and password to sign in to the Identity domain. If you're not a member of "Domain_Administrators" or "IDCS_Administrators" group then you get an error message while trying to sign-in.

10. After successful sign-in to the Identity domain, the Sign In page of the Identity provider appears. Enter the correct credentials to ensure you can be authenticated by the Identity provider. The browser displays "Your connection is successful" if the authentication is successful.
11. Repeat steps 8 to 10 if you have more identity providers.
12. Proceed to the next section (step 4) only when all the identity providers test sign-in are successful.

Acknowledge Identity Provider Readiness

Step 4 - Confirm Identity provider readiness.

Note

You must only acknowledge Confirm identity provider readiness step when all the Identity providers are tested.

Continue from the previous section after you verified all the Identity providers test sign-in are successful.

1. Select the checkbox for I acknowledge and confirm that the task has been completed. Then select the Submit button.
2. Select Confirm button in the Confirm pre-upgrade actions popup window.
3. The pre-upgrade actions status for the Fusion Applications environment in the Identity upgrade section displays Completed.

To revert the confirmation:

1. Clear the checkbox for I acknowledge and confirm that the task has been completed. Then select the Submit button.
2. Select the Revert button in the Confirm pre-upgrade actions popup window.
3. The pre-upgrade actions status for the Fusion Applications environment in the Identity upgrade section displays Pending.

The environment Pre-upgrade actions column is updated to Completed.