Release 3.3 is the fourteenth midPoint Identity and Access Management release, code-named Lincoln. The 3.3 release brings major GUI look&feel improvements and miscellaneous new features that improve the practical usability of midPoint.
Release date: 1st December 2015
The majority of the work on the Lincoln release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our gratitude to all the people who contributed to the midPoint project.
We would also like to thank:
- AMI Praha for their support and numerous contributions to the midPoint project.
- WWK for ideas that made midPoint a better project, contributions and support.
- EEA for their support and contributions.
- Cogito Group for their support.
- PosAm and Biznet Bilisim for their continuous support to midPoint project.
- VNET-Services for their support.
- Adriana Stanikova, Sveto Krchnavy, László Péntek, Jason Everling, Andreas Küstner, Roman Pudil and others that contributed to midPoint translations.
- ... and many others that we regrettably cannot mention yet.
midPoint 3.3 provides the following features:
- Common user data model suitable for easy integration
- Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, ...) and experience
- Extensibility by custom properties
- Off-the-shelf support for user password credentials
- Off-the-shelf support for user activation
- Enabled/disabled states (extensible in the future)
- Support for user validity time constraints (valid from, valid to)
- Object template to define policies, default values, etc.
- Ability to use conditional mappings (e.g. to create RB-RBAC setup)
- Ability to include other object templates
- Global and resource-specific template setup
- Sequences for reliable allocation of unique identifiers
- Account provisioning (create, read, update, delete accounts)
- Enabling and disabling accounts
- Support for mapping and expressions to determine account attributes
- Support of multi-value attributes
- Processing and computation fully based on relative changes
- Multi-layer attribute access limitations
- Provisioning dependencies
- Higher-order dependencies (enables partial support for circular provisioning dependencies)
- Provisioning robustness - ability to provision to non-accessible (offline) resources
- Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
- Support for tolerant attributes
- Ability to select tolerant and non-tolerant values using a pattern (regexp)
- Matching rules to support case insensitive attributes (extensible)
- Ability to execute scripts before/after provisioning operations
- Advanced support for account activation (enabled/disabled states)
- Standardized account activation that matches user activation schema for easy integration
- Ability to simulate activation capability if the connector does not provide it
- Support for account lock-out
- Support for account validity time constraints (valid from, valid to)
- Support for easy activation existence mappings (e.g. easy configuration of the "disable instead of delete" feature)
- Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
- Ability to specify set of protected accounts that will not be affected by IDM system
- Integration of Identity Connector Framework (ConnId)
- Support for Evolveum Polygon connectors
- Support for ConnId connectors
- Support for OpenICF connectors
- Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
- Automatic generation and caching of resource schema from the connector
- Local connector discovery
- Support for connector hosts and remote connectors, identity connector and connectors host type
- Remote connector discovery
- Web-based administration GUI
- Ability to execute identity management operations on users and accounts
- User-centric views
- Account-centric views (browse and search accounts directly)
- Resource wizard
- Layout automatically adapts to screen size (e.g. for mobile devices)
- Easily customizable look & feel
- Built-in XML editor for identity and configuration objects
- Flexible identity repository implementations and SQL repository implementation
- Live synchronization
- Ability to execute scripts before/after reconciliation
- Correlation and confirmation expressions
- Conditional correlation expressions
- Concept of channel that can be used to adjust synchronization behaviour in some situations
- Generic Synchronization allows synchronization of roles to groups to organizational units to ... anything
- Advanced RBAC support and flexible account assignments
- Entitlements and entitlement associations
- Advanced internal security mechanisms
- Fine-grained authorization model
- Delegated administration
- Several assignment enforcement modes
- Ability to specify global or resource-specific enforcement mode
- Ability to "legalize" assignment that violates the enforcement mode
- Customization expressions
- PolyString support allows automatic conversion of strings in national alphabets
- Mechanism to iteratively determine unique usernames and other identifiers
- Reporting based on Jasper Reports
- Comprehensive logging designed to aid troubleshooting
- Multi-node task manager component with HA support
- Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template
- Password policies
- Partial multi-tenancy support
- Lightweight deployment structure
- Support for Apache Tomcat web container
- Import from file and resource
- Self-healing consistency mechanism
- Protected accounts (accounts that will not be affected by midPoint)
- Segregation of Duties (SoD)
- Export objects to XML
- Enterprise class scalability (hundreds of thousands of users)
- API accessible using a web service, REST and local JAVA calls
- Workflow support (based on Activiti engine)
- Administration documentation publicly available in the wiki
- Architectural documentation publicly available in the wiki
- Schema documentation automatically generated from the definition (schemadoc)
Changes with respect to version 3.2
- Significant GUI look&feel improvements
- New self-service GUI pages
- End-user home page (end-user dashboard)
- End-user profile page
- End-user credentials change page
- Improvement of associationTargetSearch expression
- Aligned default value for user activation
- Aligned default value for allowEmptyValues in expressions (see "Upgrade" section)
- LDAP-based connector for Active Directory (experimental)
- Run-time support for Java 8 environment
- Options for interpretation of expression empty values in queries
- Option to force legacy object class names in connectors
- Displaying role members on role details page
- Expanded audit record table for easier search in deltas
- Support for storing old values and object names in audit records
- Improved audit report
- Localization files switched to UTF-8 and single-file format
- Using transifex.com to support community localization
- Support for provisioning of user photo (jpeg binary data)
- Indirect role membership index (roleMembershipRef)
- Consistency mechanism improvements (self-healing)
- Improved reliability of strong mappings
XPath2 scripting is deprecated and it is not supported in Java8 environment.
Release 3.3 (Lincoln) is intended for full production use in enterprise environments. All features are stable and well tested.
- MidPoint 3.3 comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
- MidPoint 3.3 comes with a bundled LDAP-based Active Directory connector. This connector is considered experimental and it is not supported for production use.
MidPoint is known to work well in the following deployment environments. The list below contains tested platforms, i.e. platforms on which the midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However, it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported on almost any reasonably recent platform (please contact Evolveum for more details).
- Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65) - runtime only
- OpenJDK 7 (1.7.0_65, 1.7.0_75, 1.7.0_80)
- Sun/Oracle Java SE Runtime Environment 7 (1.7.0_45, 1.7.0_40, 1.7.0_67, 1.7.0_72, 1.7.0_75, 1.7.0_80)
Java 8 environment is supported for running midPoint. It is not yet supported for building. To build midPoint from source code, Java 7 is still required.
Java 6 environment is no longer supported.
- Apache Tomcat 6 (6.0.32, 6.0.33, 6.0.36)
- Apache Tomcat 7 (7.0.29, 7.0.30, 7.0.32, 7.0.47, 7.0.50)
- Apache Tomcat 8 (8.0.14, 8.0.20)
- Sun/Oracle Glassfish 3 (3.1)
- BEA/Oracle WebLogic (12c)
- H2 (embedded, only recommended for demo deployments)
- PostgreSQL (8.4.14, 9.1, 9.2, 9.3, 9.4)
- MySQL (5.6.26)
Supported MySQL version is 5.6.10 and above (with MySQL JDBC Connector/J 5.1.23 and above).
Earlier MySQL versions did not support dates/timestamps with fractional-second precision.
- Oracle 11g (184.108.40.206.0)
- Microsoft SQL Server (2008, 2008 R2, 2012, 2014)
The following list contains platforms on which midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal, we have no plans to support midPoint on them.
- Java 6
- Sun/Oracle GlassFish 2
Download and Install
- Installing midPoint from Binary Distribution v3.3
Upgrade from midPoint 2.x
Upgrade from version 2.x is possible but it is not publicly supported. It requires several manual steps. Evolveum provides this upgrade as part of the subscription or professional services.
Upgrade from midPoint 3.0, 3.1 and 3.1.1
The upgrade path from midPoint 3.0 goes through midPoint 3.1 and 3.1.1. Upgrade to midPoint 3.1 first (refer to the midPoint 3.1 release notes). Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 and then to 3.3.
Upgrade from midPoint 3.2
The midPoint 3.3 data model is essentially backwards compatible with midPoint 3.2. However, as the data model was extended in 3.3, the database schema needs to be upgraded using the usual mechanism.
MidPoint 3.3 is a release that fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible.
- The default value for user activation has been changed. In midPoint 3.2 and earlier, a user that had no clear activation specification (missing activation section, or administrative status and validity timestamps that did not define any specific state) was considered to be inactive (disabled). In midPoint 3.3 such a user is considered active (enabled). This change was made to align the mechanism used to compute the activation of users and other focal objects (roles, orgs).
- The default value for the expression allowEmptyValues setting has been unified. In the previous versions the non-scripting expressions assumed the value of true, while the scripting expressions assumed the value of false. The default value was changed to false for all expression types. The setting of allowEmptyValues in the script expression is now deprecated in favor of the allowEmptyValues property in the expression (ExpressionType), which has the same meaning. This change should only affect scripts that return empty values (empty strings). In case of such expressions the setting has to be explicitly set to false to maintain compatible behavior. This change does not affect the processing of null values; it only changes the processing of empty strings and polystrings.
- XPath2 scripting is deprecated and it is not supported in Java8 environment.
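As an added illustration (not part of the original release notes), the following mapping fragment shows the two placements of the allowEmptyValues setting described above: the deprecated one inside the script element, and its replacement on the expression element (ExpressionType). The element nesting is assumed from the midPoint expression schema, and the Groovy script body, which deliberately returns an empty string when the source property is missing, is a constructed example.

```xml
<!-- Constructed example; element nesting is assumed from the midPoint
     expression schema and is not taken from the release notes. -->

<!-- midPoint 3.2 style: the setting sits on the script evaluator.
     Still accepted in 3.3, but deprecated. -->
<mapping>
    <source>
        <path>employeeNumber</path>
    </source>
    <expression>
        <script>
            <allowEmptyValues>false</allowEmptyValues>
            <code>
                // returns '' (an empty string, not null) when employeeNumber is absent;
                // allowEmptyValues decides whether that '' is treated as a value
                employeeNumber == null ? '' : employeeNumber.trim()
            </code>
        </script>
    </expression>
    <target>
        <path>description</path>
    </target>
</mapping>

<!-- midPoint 3.3 style: the same setting on the expression itself (ExpressionType).
     Setting it explicitly means the mapping no longer depends on the changed default. -->
<mapping>
    <source>
        <path>employeeNumber</path>
    </source>
    <expression>
        <allowEmptyValues>false</allowEmptyValues>
        <script>
            <code>
                employeeNumber == null ? '' : employeeNumber.trim()
            </code>
        </script>
    </expression>
    <target>
        <path>description</path>
    </target>
</mapping>
```

When reviewing a 3.2 configuration before the upgrade, search for scripts that can return empty strings or empty polystrings and set allowEmptyValues explicitly on each of their expressions, rather than relying on the old per-type defaults; null results are unaffected by this change.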
Changes in initial objects since 3.2
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role superuser and user administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite, midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects are unlikely to occur, implementors are advised to review the following list and assess the impact on a case-by-case basis:
- 020-system-configuration.xml: added configuration for userDashboardLinks
- 040-role-enduser.xml: self-service authorizations, password change authorizations
- 090-report-audit.xml: significantly improved report
- 100-report-reconciliation.xml: improved report, interpretation of null values
- 110-report-user-list.xml: improved report, interpretation of null values, misc fixes
- 111-report-reconciliation-shadow-owner.xml: removed
Background and History
midPoint is roughly based on OpenIDM version 1. When compared to OpenIDM v1, the midPoint code was made significantly "lighter" and provides much more sophisticated features. Although the architectural outline of OpenIDM v1 is still guiding the development of midPoint, almost all the OpenIDM v1 code was rewritten. MidPoint is now based on relative changes and contains advanced identity management mechanisms such as advanced RBAC, provisioning consistency and other advanced IDM features. MidPoint development has been independent for more than two years. The development pace is very rapid. The development team is small, flexible and very efficient. Contributions are welcome.
For the full project background see the midPoint History page.
- midPoint History
- Installing midPoint from Binary Distribution v3.3
- Installing midPoint from Source Code v3.3