This page is work in progress. Some information presented on this page may not be correct or fully applicable yet.


| Feature | Sun IDM | midPoint |
|---|---|---|
| License | Proprietary | Apache License 2.0 |
| EOL Announced | Yes | No |
| Provisioning / synchronization Tool | Yes | Yes |
| SSO Tool | No | No |
| Software Dependencies | Lightweight | Lightweight |
| Provisioning Components | Java Connectors (ICF), Java Adapters | Java Connectors (ICF), Java Adapters (planned) |
| Invasive / Non-invasive | Non-invasive | Non-invasive |
| GUI | Web-based (JSP, JavaScript) | Web-based (Wicket, JavaScript, AJAX) |
| Data Interface | Web services | Web services |
| Data Representation | XML | Prism objects, XML, JSON (implementation in progress), (more formats planned) |
| Data Change Model | Absolute | Relative |
| Forms | Generated ("MissingFields"), Customizable | Generated (based on schema) (Customizable forms implementation in progress) |
| Roles | Static, Dynamic (rules), Hierarchical | Static, Dynamic (expressions), Hierarchical |
| Workflows / Approvals | Yes | Yes |
| Expression Language | XPRESS (Proprietary) | Groovy, JavaScript, XPath2 |
| Notifications | E-mail, File redirection | E-mail, SMS, File redirection (extensible for more transports) |
| Communication | Discussion forum (public and restricted to partners) | Mailing lists (public) |
| Documentation | Online (PDF) | Online (Wiki) |
| Product Trainings | Yes | Yes |
| Upgradable from Sun IDM | N/A | Yes (with limitations and concept issues) |

Implementation Tips

This section contains tips that help Sun IDM engineers use midPoint efficiently. In particular, it describes the "hacks" that were often used in Sun IDM and the correct equivalents for midPoint deployments.

Identity Template

MidPoint does not have a special identity template. The account identifier is treated much like an ordinary account attribute. Use an outbound mapping to set the value of the account identifier instead of an identity template.

Login Roles

Sun IDM deployments often used "login roles" or "default roles" to set resource-global policies. Such a role contained only one resource and used the ability of a Sun IDM role to set account attributes. Other roles then did not include the resource directly but included the "login role" instead.

Do not use this approach in midPoint. MidPoint has an elegant mechanism of outbound mappings that can be used to set resource-global attribute values. The ability of a login role to "hold" the account in a disabled state can be achieved much more easily with an activation existence mapping.
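
The Identity Template and Login Roles tips combined in one resource fragment, as an added example that is not from the original page or from the midPoint project's own samples. It assumes the schemaHandling syntax of midPoint 3.x or later (this page may describe an earlier release); the LDAP-style object class and attribute names, the DN suffix and the value "Example Corp" are constructed placeholders.

```xml
<!-- Fragment of a <resource> object; the common-3 default namespace is inherited from it. -->
<schemaHandling xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <objectType>
    <kind>account</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:inetOrgPerson</objectClass> <!-- assumed object class -->
    <!-- Replaces the identity template: the identifier is mapped like any other attribute -->
    <attribute>
      <ref>icfs:name</ref>
      <outbound>
        <source><path>$user/name</path></source>
        <expression>
          <script><code>'uid=' + name + ',ou=people,dc=example,dc=com'</code></script>
        </expression>
      </outbound>
    </attribute>
    <!-- Replaces a login role's attribute settings: one resource-global value for every account -->
    <attribute>
      <ref>ri:o</ref>
      <outbound>
        <strength>strong</strength>
        <expression><value>Example Corp</value></expression>
      </outbound>
    </attribute>
    <activation>
      <!-- Existence mapping: keep the account while the user exists, even when nothing assigns it -->
      <existence>
        <outbound>
          <expression><path>$focusExists</path></expression>
        </outbound>
      </existence>
      <!-- An account without a valid assignment is held disabled instead of staying active -->
      <administrativeStatus>
        <outbound>
          <expression>
            <script><code>
              import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
              (legal &amp;&amp; assigned) ? input : ActivationStatusType.DISABLED
            </code></script>
          </expression>
        </outbound>
      </administrativeStatus>
    </activation>
  </objectType>
</schemaHandling>
```

Because the mappings live on the resource, roles only need to include the resource itself, and an account that loses its last assignment ends up disabled rather than left active or deleted.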