Skip to end of metadata
Go to start of metadata

In Progress

This release is planned. Therefore the information presented here is incomplete and inaccurate.
For information regarding the latest stable release please see Release 3.6


Release 3.7 is a twenty third midPoint release code-named TODO. The 3.7 release brings new deployment model and numerous gradual improvements. There are improvements of identity governance features, improvements of user interface and internal improvements.

Planned release date: December 2017

John Amos Comenius




Majority of the work on the Comenius release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express a great gratitude to all the people that contributed to the midPoint project.

Special thanks: TODO


We would also like to thank:

  • TODO


midPoint 3.6 provides following features:

Changes with respect to version 3.6

  • Standalone deployment based on Spring Boot
  • User interface improvements
    • New assignment list tab
    • Improvement for human-readable error messages
    • Improved approval messages and screens
    • Improved policy violation messages
    • Support for associations in role editor
    • User interface support for policy rules
    • Customization improvements
    • Visualization of approval process
  • Password policy improvements to enforce different persona passwords.
  • Governance improvements
    • Improved assignment metadata
    • Policy rules for attribute values
    • Dependency policy rules
  • Security improvements
  • Task improvements
  • Miscellaneous improvements
    • Post report script
    • Improved provisioning script error handling
    • Improved JSON/YAML support
    • Import validation improvements

Java 7 environment is no longer supported.
XPath2 scripting is no longer supported.
Old CSVFile Connector is deprecated and it is no longer bundled with midPoint.


Release 3.6 (Comenius) is intended for full production use in enterprise environments. All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription and/or professional services contract.


  • MidPoint 3.6 comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.


MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported in almost any reasonably recent platform (please contact Evolveum for more details).


  • OpenJDK 8 (1.8.0_91, 1.8.0_111)
  • Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74)


Java 8 only

MidPoint 3.6 is supported only on Java 8 platforms. MidPoint supported both Java 7 and Java 8 for several years. The support for Java 7 was deprecated in midPoint 3.4.1 and it was removed in midPoint 3.5. It is finally the time to abandon obsolete technology and to move on.

Web Containers

  • Apache Tomcat 8 (8.0.14, 8.0.20, 8.0.28, 8.0.30, 8.0.33, 8.5.4)
  • Apache Tomcat 7 (7.0.29, 7.0.30, 7.0.32, 7.0.47, 7.0.50, 7.0.69)
  • Sun/Oracle Glassfish 3 (3.1)
  • BEA/Oracle WebLogic (12c)


  • H2 (embedded, only recommended for demo deployments)
  • PostgreSQL (8.4.14, 9.1, 9.2, 9.3, 9.4, 9.4.5, 9.5, 9.5.1)
  • MariaDB (10.0.28)
  • MySQL (5.6.26, 5.7)
    Supported MySQL version is 5.6.10 and above (with MySQL JDBC ConnectorJ 5.1.23 and above).
    MySQL in previous versions didn't support dates/timestamps with more accurate than second fraction precision.
  • Oracle 11g (
  • Microsoft SQL Server (2008, 2008 R2, 2012, 2014)

Unsupported Platforms

Following list contains platforms that midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal we have no plans to support midPoint for these platforms.

  • Java 6
  • Java 7
  • Sun/Oracle GlassFish 2
  • Apache Tomcat 6

Supported Browsers

  • Firefox (any recent version)
  • Safari (any recent version)
  • Chrome (any recent version)
  • Opera (any recent version)
  • Microsoft Internet Explorer (version 9 or later)

Recent version of browser as mentioned above means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.

Microsoft Internet Explorer compatibility mode is not supported.

Important Bundled Components

ConnId1.4.3.0ConnId Connector Framework
LDAP connector bundle1.4.5LDAP, Active Directory and eDirectory connector
CSV connector2.0Connector for CSV files
DatabaseTable connector1.4.2.0Connector for simple database tables

Download and Install


MidPoint is software that is designed for easy upgradeability. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore we can assure reliable midPoint upgrades only for midPoint subscribers. This section provides overall overview of the changes and upgrade procedures. Although we try to our best it is not possible to foresee all possible uses of midPoint. Therefore the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription or purchase professional services.

Upgrade from midPoint 3.0, 3.1, 3.1.1, 3.2, 3.3, 3.3.1, 3.4 and 3.4.1

Upgrade path from MidPoint 3.0 goes through midPoint 3.1, 3.1.1, 3.2, 3.3, 3.4.1 and 3.5.1. Upgrade to midPoint 3.1 first (refer to the midPoint 3.1 release notes). Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 then to 3.3, then to 3.4.1, 3.5.1 and finally to 3.6.

Upgrade from midPoint 3.5 and 3.5.1

MidPoint 3.6 data model is essentially backwards compatible with both midPoint 3.5 and midPoint 3.5.1. However as the data model was extended in 3.6 the database schema needs to be upgraded using the usual mechanism.

MidPoint 3.6 is a release that fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible.

  • Java 7 environment is no longer supported. Please upgrade to Java 8 before upgrading midPoint.
  • XPath2 scripting is no longer supported. Please migrate your XPath2 scripts to Groovy, JavaScript or Python.
  • Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
  • New 'schema" capability was introduced. This resource capability indicated the ability of a connector to provide a schema (this capability was implied in midPoint 3.5.x and earlier). Existing (pre-3.6) resource configurations do not have this capability in the resource configuration. And even if the new connector adaptation code presents this capability, the resource configuration will not be updated automatically. It needs to be manually refreshed. The solution is to delete resource native capabilities and refresh the resource (test connection). Then the resource should work as expected.

Upgrade from midPoint 3.6 and 3.6.1

  • Quartz database structure was changed, upgrade scripts are provided.
  • taskIdentifier has now a uniqueness constraint: it is possible that database migration script would fail when it tries to introduce the constraint. In such cases it is necessary to delete conflicting tasks and then continue with updating the database.
  • The assignment.trigger item (of EvaluatedPolicyRuleTriggerType) is now deprecated and partially replaced by assignment.triggeredPolicyRule. That item was automatically computed and took a considerable amount of storage space. So, in 3.7, after each model operation on a focal object, the assignment.trigger is automatically erased. Therefore these values will be gradually removed. If you want to remove them at once, you can either execute e.g. recomputation of all affected object or write a custom bulk action to do the task.

Changes in initial objects since 3.5 and 3.5.1

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role superuser and user administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis: 

  • TODO
  • TODO: system config: logging appender!!!
  • 015-security-policy.xml: switched password policy configuration from the deprecated way to a security policy method. File renamed from 120-security-policy.xml.
  • 020-system-configuration.xml: switched password policy configuration from the deprecated way to a security policy method. Default logging setting update.
  • 040-role-enduser.xml: task-related authorizations, persona read authorization, workflow-related authorizations.
  • 041-role-approver.xml: workflow-related authorizations.
  • 043-role-delegator.xml: delegator read authorization update.
  • 090-report-audit.xml: updated and fixed report.
  • 100-report-reconciliation.xml: updated and fixed report.
  • 140-report-certification-campaigns.xml: updated and fixed report.
  • 150-report-certification-cases.xml: updated and fixed report.
  • 160-report-certification-decisions.xml: fixed report.
  • 200-lookup-languages.xml: new supported languages
  • 210-lookup-locales.xml: new supported locales

Bundled connector changes since 3.6 and 3.6.1

  • The LDAP connector and AD Connector were upgraded to the latest available version. 

Behavior changes since 3.6 and 3.6.1

  • TODO: spring boot is now the default form
    • Default URL is changed from http://host:8080/midpoint/self to just  http://host:8080/self
  • TODO: Logging:
    • default to midpoint home now (do not forget to update appender in system config!)
    • Spring resource bundle logger logs unsuccessful attempt to locate a resource bundle on warning level. MidPoint tries to locate several resource bundles for extensibility and those bundles normally does not exist. Therefore there may be a lot of warnings in the logs. The workaround is to set the logger to error level. This solution has been applied to midPoint initial objects. However older midPoint deployment may need to set this logger manually.
  • TODO: Structure of the distribution package has changed
  • TODO: inbound mappings
  • There were subtle fixes in the way how outbound mappings are processed. Several issues that seem to be present in midPoint for quite some time were fixed. Those mostly affect seldom used and corner cases. For example if a value produced by mapping matched intolerant pattern such value was ignored in midPoint 3.6 and earlier. The values is not correctly set to target. Values dictated by removed assignment were removed, even if that assignment was invalid (e.g. disabled). Those issues were fixed in midPoint 3.7. However, the deployments that relied on incorrect behavior might be affected during upgrade.
  • MidPoint 3.7 improved behavior of inbound mappings. Inbound mappings can be used to map resource attributes directly to assignments. This change may influence some corner cases for inbound mappings, such as mapping tolerance. MidPoint 3.7 improvements tried to maintain the prior behavior of inbound mapping tolerance. However the behavior may be different is some corner cases. Careful testing of inbound mappings with non-default tolerance is recommended. Note: The schema documentation of midPoint 3.6.1 and earlier container wrong specification of mapping tolerance behavior. MidPoint 3.6.1 and earlier was behaving in a way that was not consistent with documentation. MidPoint 3.7 documentation was corrected to describe the implemented behavior. However, the behavior of was not changed to maintain compatibility.
  • In approval-related expressions (e.g. stage auto-completion conditions), do not use midpoint.getChannel() to obtain the channel for the original request. It is not present when evaluating approval process preview ( MID-4071 - Approval process preview Closed ). Use new channel variable instead.
  • Default for task/executionConstraints/groupTaskLimit was changed from "1" to "unlimited". Properties "allowedNode" and "disallowedNode" are now deprecated (and disabled). They are replaced by node/taskExecutionLimitations item.
  • If you want to use execution groups other than default (null), make sure their execution is allowed on individual nodes. Before this release, the default behavior was not limiting execution of these groups.
  • Default policy situation ...#assigned is no longer available. Replace by ...#modified + evaluationTarget=assignment. (TODO)
  • Policy situations and triggers are not stored by default. Use "record" action. Also, rules are stored as such, not as triggers. (TODO)
  • TODO: rawOperation and partialExecution authorizations
  • Change of LDAP auth module (spring boot). No CAS auth module (community)


Public interface changes since 3.6 and 3.6.1

  • thisObject is deprecated, use assignment path instead
  • TODO

Important internal changes since 3.6 and 3.6.1

These changes should not influence anyone using the midPoint. These changes should also not influence the XML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.

  • Security component structure has been redesigned.
  • Many internal components were refactored, restrucutured and cleaned up. This may have severe impact midPoint customizations that go beyond public interfaces, but it should not affect public interfaces. Therefore moderate customizations should be unaffected.
  • MappingType data type has been changed from property to container. Code that is changing mappings (e.g. deltas) needs to be updates.

Known Issues and Limitations

There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only on your own risk. It is not included in any midPoint support agreement.

Native attribute with the name of 'id' cannot be currently used in midPoint ( MID-3872 - Attribute 'id' Open ). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).

JavaDoc is temporarily not available due to the issue in Java platform. This issue is fixed in (unreleased) Java 9 platform, but backport of this fix to Java 8 is (quite surprisingly) not planned.

As all real-world software midPoint 3.6 has some known issues. Full list of the issues is maintained in jira. As far as we know at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 3.6 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is requested by midPoint subscriber. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 3.6 may or may not be fixed in midPoint 3.7. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint subscription. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

See Also

  • No labels