Oracle is modernizing the security backbone of Fusion Applications through a one-time Oracle Fusion Identity Upgrade. This transition moves Fusion environments from Oracle Identity Cloud Service (IDCS) to Oracle’s modern, cloud-native Oracle IAM Identity Domain.

In a recent Oracle Go / Cloud Customer Connect webinar, Oracle product leaders clarified what changes, what remains the same, and how customers—especially those using SSO and federation—should prepare.

This article breaks down the upgrade in practical terms and outlines how organizations can ensure a smooth transition.

Why Oracle Is Moving Fusion from IDCS to Oracle IAM

The Oracle Fusion Identity Upgrade is not just a technical migration—it is a foundational security modernization.

By moving Fusion Applications to Oracle IAM Identity Domains, Oracle enables:

A modern, cloud-native identity foundation
Built-in Oracle Fusion MFA (opt-in today)
Roadmap support for passwordless authentication
Improved federation capabilities
Enhanced audit and logging visibility
Stronger tenancy guardrails
Oracle’s design priority was business continuity. The goal is to modernize the identity infrastructure while ensuring that existing Fusion workflows, roles, and security policies continue to function without disruption.

What Stays the Same After the Identity Upgrade

One of Oracle’s clearest messages: most day-to-day Fusion security operations remain unchanged.

Role Management and Data Security

Customers will continue using the Oracle Fusion Security Console for:

Role management
Role provisioning rules
Data security policies
Role hierarchies
There are no changes to Fusion roles, data security models, or authorization structures. The identity upgrade affects authentication infrastructure—not application-level security logic.

User Lifecycle Management

The Oracle Fusion user lifecycle process remains intact.

Organizations can continue to:

Provision users via UI, REST APIs, or file loaders
Manage hires, transfers, and terminations
Reset passwords through the Security Console
User provisioning continues to be driven by Fusion Applications—not Oracle IAM.

This separation ensures that business authorization processes remain stable during the transition.

What Changes: SSO and Federation Move to Oracle IAM

The most visible change affects SSO and federation configuration.

After the upgrade:

SSO configuration moves from the Fusion Security Console to Oracle IAM
Federation setup is managed within the Oracle IAM Identity Domain Console
Federated customers must reconfigure SSO as part of the upgrade
This enables Oracle to leverage advanced IAM capabilities, including modern federation logging, enhanced audit trails, and integrated MFA controls.

Oracle Fusion MFA: A Major Security Enhancement

For the first time, Oracle Fusion includes native Multi-Factor Authentication (MFA) as a built-in capability.

Key highlights:

MFA is opt-in (not mandatory at this time)
Users can self-enroll
No additional licensing or external configuration required
Future roadmap includes passwordless login
This enhancement significantly strengthens Oracle Fusion cloud security while giving customers flexibility in rollout timing.

Identity Upgrade Timeline and Downtime

The identity upgrade is:

A one-time exception maintenance event
Not tied to quarterly patching cycles
Typically ~3 hours of downtime (may vary by environment size)

Upgrade Cadence

Stage environments: Second week of the scheduled month
Production environments: Fourth week of the same month
Customers can view upgrade schedules in the Oracle Cloud Console under the Identity Upgrade tab.

This stage-first approach allows validation before production transition.

Federated vs Non-Federated Customers: Key Differences

Non-Federated Customers

Organizations not using SSO:

Receive 30-day advance notification
No required configuration changes
Simply validate login functionality post-upgrade
For these customers, the upgrade is largely transparent.

Federated (SSO-Enabled) Customers

Organizations using SAML-based federation must take action.

They will:

Receive 90-day advance notification
Download new SAML metadata
Update the corporate Identity Provider (IdP)
Perform SP-initiated SSO testing
Acknowledge completion at least 72 hours before downtime
Each Fusion environment (stage and production) requires separate metadata files.

This step is critical to ensure uninterrupted authentication during and after the transition.

Downloading and Testing SAML Metadata

Federated customers must:

Download SAML metadata from Fusion / Oracle IAM
Upload metadata into the corporate IdP (e.g., Azure Entra ID)
Validate login using SP-initiated SSO testing
Confirm completion in the Oracle Cloud Console

Testing is mandatory before upgrade acknowledgment. This reduces post-upgrade login risk.

Login Experience and UI Changes

Users may notice:

A modernized Fusion cloud login page
Slightly updated UI elements
Retained URL structure
Continued “chooser” experience
Functionally, behavior remains consistent—authentication flows remain familiar.

Guardrails and Governance in Oracle IAM

The Oracle IAM Identity Domain provided for Fusion:

Includes tenancy-level guardrails
Is not designed to replace corporate IdPs
Contains seeded policies Oracle may update
Applies guardrails across UI, REST APIs, and automation
These controls ensure Fusion identity remains stable and governed within Oracle’s managed framework.

Audit, Logging, and Troubleshooting Enhancements

Post-upgrade, customers gain enhanced visibility through:

Improved Fusion apps audit logging
Federation event tracking
IAM-native query and audit tools
If issues arise, Oracle recommends opening Service Requests under the correct Fusion Identity service category to ensure prompt support.

Why This Upgrade Matters

The Oracle Fusion Identity Upgrade prepares Fusion Applications for:

Stronger authentication security
Modern federation architecture
Native MFA and future passwordless access
Improved auditability
Long-term cloud-native scalability
This is a strategic modernization initiative—not just a backend change.

Organizations that prepare early—especially federated environments—can complete the upgrade with minimal disruption while strengthening security posture.

Why Choose NexInfo for Oracle Fusion Identity & Security?

Successfully navigating the Fusion identity upgrade requires careful planning—particularly for federated environments.

NexInfo brings deep expertise across:

Oracle Fusion Security Console
Oracle IAM Identity Domains
SAML federation configuration
Azure Entra ID integrations
MFA enablement strategies
IDCS-to-IAM migration readiness
We provide structured readiness assessments, SSO configuration validation, stage and production testing support, and post-upgrade verification.

NexInfo ensures:

Zero impact to roles and data security
Accurate SAML metadata configuration
Thorough SP-initiated SSO validation
Controlled MFA rollout planning
Clear user communication and change management
Beyond technical configuration, we help organizations leverage enhanced audit logging and federation monitoring capabilities introduced by Oracle IAM.

As a trusted Oracle Cloud security partner, NexInfo delivers secure, compliant, and roadmap-aligned identity modernization.

FAQ

What is the Oracle Fusion Identity Upgrade?
It is a one-time transition moving Fusion Applications from Oracle IDCS to Oracle IAM Identity Domains, modernizing authentication and federation while preserving roles and user lifecycle processes.
Will roles or data security change?
No. Roles, role hierarchies, data security policies, and provisioning processes remain unchanged.
Do SSO-enabled customers need to act?
Yes. Federated customers must reconfigure SSO in Oracle IAM, update SAML metadata in their corporate IdP, and complete SP-initiated SSO testing before upgrade.
Is Oracle Fusion MFA mandatory?
No. MFA is currently opt-in. Customers control when and how to enable it.
How much downtime is expected?
Typically around three hours during a scheduled exception maintenance window, with stage upgraded before production.

Conclusion

The Oracle Fusion Identity Upgrade represents a critical modernization of Fusion’s security infrastructure. By moving from IDCS to Oracle IAM Identity Domains, Oracle is enabling stronger authentication, enhanced federation, built-in MFA, and improved audit visibility—all while preserving business continuity.

For federated customers, early preparation is essential. For all customers, the upgrade provides a stronger, future-ready security foundation.

Modernize Fusion security without disrupting user access.
Work with NexInfo to enable Oracle IAM, MFA, and federation the right way—securely, efficiently, and with confidence.

Business Process Design

Assessment and Governance

Managed Services

Software Implementations

Staff Augmentation

ERP Software Solutions

Industry Solutions

SaaS Solutions

Cloud Connectors

Generative AI in Oracle Cloud HCM: Delivering Intelligent End-to-End HR Transformation

AI Recruiting in Oracle Cloud HCM: Automation, Candidate Matching & Smarter Hiring

Oracle Grow in Oracle Cloud HCM: Skills Intelligence, AI, and Workforce Development Explained

Unlocking Embedded AI in Recruitment with Oracle Cloud HCM: From Automation to Measurable Impact

Oracle AI Capabilities Across Enterprise Applications: How NexInfo Enables End-to-End AI Transformation Across Oracle Cloud

Oracle Cloud EPM AI: A Complete Guide to Predictive Planning, IPM Insights, AI Feature enablement, AI Agents, and How NexInfo Enables Enterprise-Scale Finance Transformation

Accelerate Business Operations

Upcoming Events

Ascend Conference 2026

Oracle AI World 2026

Connect with us

Get in Touch

Join our newsletter:

Search

Oracle Fusion Identity Upgrade Explained: What Customers Need to Know About MFA, SSO, and the Move from IDCS to IAM