Oracle IAM Upgrade Lessons Learned: Fixing RelayState URL & Access Issues -Navigating Oracle IAM Issues? Let’s Connect
- Pratheek Talla - NZOUG
- 2 days ago
- 2 min read
Upgrading Oracle Identity Cloud Service (IDCS / IAM) is usually seamless until it isn’t.

Recently, during an IAM upgrade, we encountered post-upgrade access issues tied to RelayState URLs, impacting user login flows into Oracle applications like Oracle Fusion Cloud Applications and custom integrations.
Here’s a breakdown of the issue, root cause, and how we fixed it 👇
Azure AD (Entra ID) Enterprise Applications – Critical Checks During IAM Upgrade
In our case, a big part of the issue wasn’t just within Oracle Identity Cloud Service, but also how Microsoft Entra ID (Azure AD) handled SAML requests post-upgrade.
When Oracle IAM changes anything around endpoints, certificates, or redirect handling Azure AD Enterprise Applications must be revalidated.
Why This Matters
Azure AD acts as the Identity Provider (IdP)Â in many federated setups.Even a small mismatch can break:
RelayState handling
SSO redirection
Token validation
User login experience
What Went Wrong?
After the IAM upgrade:
Users were able to authenticate successfully
BUT… they were not redirected correctly
Landing pages failed or defaulted incorrectly
Deep links (bookmarked URLs) stopped working
The culprit? RelayState URL misconfigurations
Understanding RelayState (Quick Refresher)
RelayState is:
A parameter used in SAML authentication
Helps redirect users to the intended destination after login
If this breaks, users land in the wrong place or nowhere.
Step-by-Step Fix
✅ Step 1: Validate SAML Configuration
Navigate to:
IAM Console → Applications → Your App → SSO Settings
Check:
Default RelayState URL
Assertion Consumer Service (ACS) URL
Ensure URLs are:
Correct
HTTPS
Not deprecated
Step 2: Verify Identity Provider (IdP) Settings
📸 [Insert Screenshot: Identity Provider Configuration]
Confirm:
RelayState passthrough is enabled
No hardcoded/old URLs exist
If federated (Azure AD / ADFS):
Validate reply URLs match exactly
Step 3: Test Deep Links
Use a known working deep link:
Validate:
Redirect behavior post-login
Session persistence
Step 4: Check Load Balancer / DNS Changes
Post-upgrade, sometimes:
Domains change
Traffic routing changes
👉 Ensure:
No old endpoints are cached
DNS propagation is complete
SSL certificates are valid
Key Azure AD Enterprise App Tasks
✅ 1. Validate Basic SAML Configuration

Go to:
Azure Portal → Enterprise Applications → Your Oracle App
Check:
Identifier (Entity ID)Â matches Oracle IAM
Reply URL (ACS URL)Â is updated
Sign-on URLÂ aligns with new RelayState logic
👉 Even a trailing slash mismatch can break SSO.
Claims & Attributes Mapping:
Verify:
UPN / Email mapping
NameID format (often emailAddress)
Common issue:
Post-upgrade defaults reset or mismatch with Oracle expectations
Pro Tips
Always document pre-upgrade SSO configs
Use tools like:
SAML Tracer (Firefox/Chrome)
Maintain a test checklist for IAM upgrades
Validate with real business users, not just admins
Final Thought
The biggest learning?
IAM upgrades are not isolated.They are ecosystem upgrades involving:
Oracle IAM
Azure AD / Entra ID
Applications
Network layers
Pro Tip (From Real Experience)
During upgrades:
Treat Azure AD Enterprise App config as part of your IAM stack not external
✔ Always include Azure validation in your:
Upgrade checklist
Regression testing
Business user validation
Let’s Connect
I’m always keen to exchange insights with the Oracle community especially around:
Oracle IAM / IDCS
OCI integrations
Fusion applications
If you’ve faced similar challenges or want to collaborate via New Zealand Oracle Users Group, feel free to reach out!

