If you manage Oracle Fusion Applications — whether that's ERP, HCM, CX, or SCM — your identity and access management layer is getting a significant upgrade. Oracle is migrating all Fusion environments from the legacy identity service to Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), and this change requires your attention before the scheduled downtime window.
1. What Is Actually Changing?
The identity service that handles authentication, sign-on policy, single sign-on (SSO), multifactor authentication (MFA), and user lifecycle management for your Fusion Applications environments is being replaced with OCI IAM — Oracle's modern, cloud-native identity platform.
This is not a minor configuration tweak. It is a one-time mandatory upgrade with downtime. Once complete, your Fusion environments will gain the latest capabilities for enterprise identity management, including improved MFA controls, federated SSO policies managed directly from the OCI Console, and fine-grained identity domain administration.
Important: If your Fusion Applications environment family was provisioned after April 6, 2025, you are already running on OCI IAM. This upgrade does not apply to you.
2. Who Needs to Act — and When?
The urgency of your required actions depends on whether your Fusion environments are configured with federated SSO. Here is a quick overview:
No Federated SSO: No pre-upgrade actions required. Oracle handles everything. Monitor the schedule from the OCI Console and verify user sign-in after the upgrade.
Federated SSO Enabled: Action required at least 72 hours before each environment's downtime. Missing this deadline breaks SSO for all users after upgrade.
Fusion as Identity Provider: Apps like Taleo, CPQ, or SelectMinds using Fusion as IdP require post-upgrade tasks to restore their sign-in flow.
3. How You Will Be Notified — Timeline
90 days before: Email notification sent if any of your environments have federated SSO configured.
30 days before: Email notification sent if none of your environments have federated SSO.
10+ days before: Recommended window to begin and complete pre-upgrade tasks, leaving time to troubleshoot.
72 hrs before: Hard deadline. Pre-upgrade tasks must be acknowledged for each scheduled environment, including production.
During upgrade: Environments are unavailable. Expected downtime is up to 3 hours or longer, depending on user count.
Post-upgrade: Email confirmation sent. Post-upgrade tasks required for environments with downstream SSO dependencies.
4. Pre-Upgrade Steps for Federated SSO Environments
Oracle automatically creates the required identity providers in your environment's associated identity domain once it is scheduled. You do not need to create them manually — but you must complete and test the configuration.
Warning: Do not delete the Oracle-created identity providers from the identity domain. Doing so prevents you from completing the pre-upgrade tasks.
Step 1: Download the SAML metadata file — In the OCI Console, navigate to your Fusion environment family → Maintenance → Identity upgrade. Select your federated SSO environment, then choose Pre-upgrade actions and download the Metadata.xml file. Each file is unique to each environment — label them carefully if you have multiple.
Step 2: Configure a new service provider in your corporate IdP — Open the SAML metadata file and use its contents to create a new service provider in your corporate identity system (Azure AD, Okta, ADFS, etc.). This does not affect the existing service provider — your current SSO continues to work during this step. Download the SAML metadata from the new service provider once configured.
Step 3: Update and test identity providers in OCI IAM — Back in the OCI Console, import the SAML metadata from your corporate IdP into the OCI IAM identity provider. Then run the test sign-in flow — sign in to the identity domain first using a local administrator account (not the SSO button), then authenticate to your corporate IdP. A successful result shows "Your connection is successful."
Step 4: Acknowledge identity provider readiness — Only after all test sign-ins succeed, check the acknowledgment box in the Pre-upgrade actions panel and submit. The status changes to Completed. Do not add new identity providers in the Security Console after acknowledging — doing so resets your acknowledgment.
Tip: Oracle estimates about one hour to complete and test pre-upgrade tasks per federated SSO environment, assuming administrator permissions are in place. Budget time to obtain Domain Administrator access to each Fusion identity domain before you start.
5. What Happens After the Upgrade?
Once Oracle completes the upgrade and notifies you by email, verify that your users can sign in to each Fusion environment. Then complete the following:
✔ Verify user sign-in works for both SSO and non-SSO flows.
✔ For OIC integrations using OAuth Authorization Code Credentials with a non-Fusion identity domain, reconfigure the OAuth security policy to use a Fusion identity domain instead.
✔ For Taleo, CPQ, or SelectMinds using Fusion as SSO IdP, download new SAML metadata and update identity provider configuration in those apps.
✔ Test SSO sign-in for all dependent applications before acknowledging post-upgrade task completion in the OCI Console.
✔ Replace Sign In/Sign Out Audit REST API usage with OCI Audit reports — the Fusion audit API is not available post-upgrade.
✔ Review and reapply any custom default password policies. Changes may not survive the upgrade — this is a known issue.
6. Key Things That Are Not Changing
Amid all the change, the following remain exactly the same:
• Your Fusion Applications sign-in URL remains unchanged.
• Existing federated SSO configuration is preserved — same identity providers continue to be used.
• Password policies managed via the Fusion Security Console remain intact.
• The Security Console is not removed — user management, password resets, and role assignments continue there.
• Non-SSO (username/password) access for supplier portals and similar use cases continues to work.
• There is no cost change or subscription change associated with the upgrade.
7. Scheduling, Cancellations, and Opt-Outs
The identity upgrade is scheduled separately from quarterly Fusion updates — it will not appear in the same month as your quarterly patch. Non-production environments are upgraded in the second week of the scheduled month; production environments go in the fourth week.
You cannot opt out of the upgrade. If your scheduled window conflicts with a critical business event, you can submit an Oracle Support Request to request rescheduling, but approval is not guaranteed. Act early if you foresee a conflict.
If Oracle cancels a scheduled upgrade for any reason, the acknowledgment of pre-upgrade tasks is reset. You will need to redo and re-acknowledge those tasks once a new date is confirmed.
8. Practical Recommendations
Check your schedule now
Log in to the OCI Console → Environment families → Maintenance → Identity upgrade to see your current upgrade status and scheduled timeline for each environment.
Get admin access early
Ensure you have Domain Administrator access to each Fusion identity domain before starting pre-upgrade tasks. Password resets and role assignments can take time and may require coordination with other teams.
Map your dependencies
Identify all apps using Fusion as their SSO identity provider. Check the Integrated Applications section in the identity domain once your upgrade is scheduled in the Console.
Start 10 days early
Oracle recommends completing pre-upgrade tasks at least 10 days before the first environment's scheduled downtime — not just 72 hours — to allow adequate time for troubleshooting.
Don't touch SSO config after acknowledging
Once you've acknowledged pre-upgrade readiness for a Fusion environment, do not add or modify identity providers in the Security Console. Any such changes reset the acknowledgment and require you to complete and re-acknowledge all pre-upgrade tasks.
Summary: This upgrade is mandatory for all Fusion Applications environments provisioned before April 6, 2025. Federated SSO customers must complete pre-upgrade tasks at least 72 hours (ideally 10 days) before each scheduled environment's downtime. The upgrade window is up to 3 hours. There is no cost impact, and most existing configurations are preserved.
• Oracle Docs: Identity Upgrade Overview — docs.oracle.com/en-us/iaas/Content/fusion-applications/identity-migration-overview.htm
• Oracle Docs: IAM with Identity Domains — docs.oracle.com/iaas/Content/Identity/home.htm
• Oracle Docs: Federating with Identity Providers — docs.oracle.com/iaas/Content/Identity/federating/federating_section.htm
• Oracle Docs: Identity Upgrade Checklist — docs.oracle.com/en-us/iaas/Content/fusion-applications/identity-migration-checklist.htm
• Oracle Support: Submit a Support Request for rescheduling — docs.oracle.com/iaas/Content/GSG/Tasks/contactingsupport.htm