midPoint is an identity management and governance system. It is a comprehensive system that synchronizes several identity repositories and databases, manages them, makes them available in a unified form, manager roles, authorizations, entitlements and implements almost every aspect of identity management and governance. It belongs to the "management" part of Identity and Access Management (IAM) field.
The most important features of midPoint are:
- User provisioning and deprovisioning: midPoint can automatically create and manage user accounts, groups, organizational units and so on
- Identity synchronization and reconciliation: midPoint can seamlessly synchronize several databases. It can make sure that the data are always up to date.
- Identity management process automation: midPoint has a built-in workflow engine that can drive approval of access requests.
- Role-based access control (RBAC): midPoint can automatically compute user privileges based on his membership in roles. MidPoint RBAC model is one of the best in the entire IDM field.
- Management of identity-related parts of the enterprise security policy: midPoint can check password quality, maintain segregation of duties, and so on
- Support for security auditing and reporting: midPoint keeps an audit trail of all changes to user privileges. It has a built-in reporting engine to generate reports for identities collected from all the connected systems.
- Non-intrusive integration using connectors: midPoint connectors are simple pieces of code that allows it to connect to other system and manage identity data. The connectors are non-intrusive: the connected system does not need to be changed.
- Management of organizational structure and its synchronization to other systems.
- Many identity governance features
How Does It Work?
MidPoint is something like a robot. It continually watches the information sources such as HR system. If something changes in the information source the provisioning system pulls the new information, recomputes it, applies policies and then pushes that information to other systems. Let's explain that using an example:
rules and scripts that is used to process the data. E.g. the rules may take the field "organization unit" from the HR record and used that to determine which business roles should this user have. It also usually applies some roles to all the ordinary users such as a role that gives each employee an access to e-mail service. This logic is different in each organization and midPoint is built to be easily customizable.New employee is hired. The HR staff enters employee data into an HR as they normally do. HR system has a process that exports the list of all the employees to a text file every day. MidPoint is using a connector to continually monitor the file for changes. Therefore it finds a new line describing the new employee and reads the data from the file. MidPoint can be configured with a set of
Once midPoint determines what the new user is and what roles he should have then the really interesting bit starts. MidPoint will compute what accounts the user should have. This is usually computed from the roles that the user has. Account attributes and entitlements are computed as well, e.g. the list of groups that user should belong to. Once midPoint knows how the accounts should look like it can use connectors to automatically create them. Connectors are simple pieces of code that communicate to the target systems. The connector knows how to read, create, modify and delete an account. Therefore midPoint can automatically create all the accounts that a user needs. Automatically. In a couple of seconds.
The connectors usually communicate using a protocol that is native to the target system. Therefore it talks to Active Directory using ADSI interface, modifies the database using SQL, invoke a SOAP web service or provision to the cloud service by using REST. This means that midPoint is non-intrusive: the target applications do not need to be modified. They stay exactly as they are. This is crucial feature that makes midPoint such efficient and practical tools. It is much easier to adapt a couple of simple connectors than to modify dozens of information systems (especially if too many of them still remember 20th century).
What Makes MidPoint Unique?
There is a long list of features that make midPoint really a unique system. But there are basically three aspects that are the most interesting:
- MidPoint saves money. Identity provisioning systems had a reputation of being extremely expensive to deploy and maintain. But midPoint has changed that completely. MidPoint is design to be cost-efficient. The open-source character means that the licensing cost is zero. The support cost is reduced by a network of excellent technology partners. But the most significant saving is in the deployment cost. MidPoint is built on more than a decade on IDM experience. It is built by people who deployed IDM solutions. We know very well what an IDM engineers needs "in the field". Therefore we have implemented that directly in midPoint code. It can be expected that 80% of the things that your IDM solution needs can be implemented in midPoint by simply flipping a configuration switch. MidPoint can make a huge effect with a very little implementation effort.
- MidPoint goes beyond user management. MidPoint is real identity management. Of course it can manage users and accounts. But it can also manage groups, organizational units, services, devices or any other concept that can be technically reached by the connector. MidPoint can bind all these concepts to the identities therefore it can easily manage user membership in organizational units or groups. It can also manage organizational subscription to services or device ownership. And all of that is done by simply reusing the principles of identity management and applying them to much broader category of objects.
- MidPoint is open source. Yes, this means that the licensing cost is zero. But there is much more in this. It also means that midPoint code can be modified. Other vendors will void your support agreement if you modify product code. But we in fact encourage partners to modify midPoint code. This is the best way to make really extreme customizations. But it is also a way how to bring new ideas into midPoint. How to allow partners to participate on product development. How to maintain a very creative community. This allows midPoint to be great and to remain great.
midPoint is essentially a Java application. Its internal structure is "wired" together using a Spring framework. It is quite strictly divided into internal components separated by interfaces, which provides fair assurance of reusability and maintainability. The structure itself is lightweight. Heavyweight components such as Java Enterprise Java Beans (EJB) or Enterprise Service Bus (ESB) are not used (although integration with them is possible).
The system can adapt to several data store mechanisms. The only supported mechanism is relational database (supporting all major databases), however there was an experimental implementation of repository using a BaseX XML database as a proof of concept. Therefore we are confident that other storage schemes (such as LDAP) could be implemented in the future.
The system is using an Identity Connector Framework (ICF) as a mechanism to interact with other systems (resources). ICF is also used by other identity management systems and a community builds up around the current ICF code. Therefore ICF a good match for an initial connector framework used by midPoint. In the long run we plan to either radically extend the ICF or create an alternative framework that will improve the most severe problems of ICF and provide features required for practical IDM solution. However, the compatibility with ICF (and potentially with other legacy connector framework) will be maintained to protect investments in the legacy connectors.
The unique feature of midPoint is the method of dealing with data changes and consistency. Most identity management systems work with absolute state, e.g. the complete copy of new user or account data. Such approach is very problematic in case of concurrent changes that are much more common in the IDM field as one would expect. The midPoint solution is to use model based on relative changes instead of on absolute changes. Several concurrent changes can be executed in parallel without the need to lock the entire data record. This approach significantly improves usability of the system and also supports better data consistency.
If you are new to midPoint, there are two "tracks" to start exploring it:
- MidPoint Book is an excellent starting point for any midPoint-related activity.
- Features section will provide a detailed explanation of midPoint functionality.
- Architecture and Design will provide theoretical overview of what midPoint is and how it works.
- First Steps provides a guidance how to quickly install midPoint and configure it.
- Documentation section provides a lot of in-depth information about system configuration, customization and maintenance.