This release is planned. Therefore the information presented here is incomplete and inaccurate.
Release 4.1 is a TODO midPoint release code-named TODO. The 4.1 release ... TODO
Johannes Gutenberg (c.1400 - 1468) was a German blacksmith, goldsmith, printer and publisher who introduced printing to Europe with the printing press. The information sharing that printing enabled caused a cultural and scientific revolution. The modern period of human history was born. The effect of Gutenberg's inventions can hardly be overstated. However, it was not just the printing press itself that made a difference. Gutenberg created an entire printing system: the press, adjustable molds, oil-based ink, mechanical movable type and the alloy for casting the type. Those simple elements combined to create an efficient and economically feasible system for producing books.
Similarly to Gutenberg's printing system, midPoint 4.0 is a revolutionary release. It brings a couple of long-awaited features. However, what really matters is a huge amount of improvements and smaller features. Those are designed to work together with existing midPoint features to create a comprehensive and consistent system for identity management and governance. There are also numerous internal improvements and cleanups that enable long-term maintenance of midPoint 4.0.
The majority of the work on the Watt release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people who contributed to the midPoint project, whether by providing financial support or their own time, or by maintaining a pleasant and creative environment for the midPoint team. However, the midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made the midPoint project possible.
There are too many features in midPoint 4.0 to list them in detail. The Features page lists the features of the most recent midPoint release.
Changes with respect to version 3.9
New Features and Improvements
- Major features
- User interface improvements
- Object Collections and Views
- Sections (virtual containers) in object details
- Dashboards and status reports (experimental)
- Shopping cart improvements
- Reworked "projections" tab
- Ability to set custom name for midPoint
- Case management improvements (experimental)
- Session management page
- Minor user experience improvements
- Support for PolyStrings all the way to the connector (experimental)
- Asynchronous (messaging) connector options (prototype)
- Improved shadow consistency with
- Support for search hierarchy scope
- Miscellaneous improvements
- Mapping range pre-defined sets
- Mapping state properties
- Support for populate expressions in autoassignments
- Task management in cluster is using REST
- Autogenerated node identifier in a cluster
- Support for attachments in mail notifications
- Whitelists for notifications
- Support for expression in mapping time constraints
- Partial support for polystring "lang" and translations (experimental)
- Miscellaneous clustering improvements
- Many improvements in reconciliation and synchronization tasks
- Improved Prism API and code structure
- Improved GUI interfaces and code structure
- Long-term support stabilization
- Java 11 support
- New internal engine for policy-based approvals (replaces Activiti BPM)
- Cluster management is using REST instead of JMX
- Numerous performance and scalability improvements
Deprecation, Feature Removal And Incompatible Changes
- Support for Java 8 is deprecated. Running midPoint on OpenJDK 8 is supported for midPoint 4.0 and the preliminary plan is to support it for the usual lifetime of ordinary support of the midPoint 4.0.x line (which means 3 years). But Java 8 support may be shortened, e.g. in case Oracle or the OpenJDK project stops providing updates to the Java 8 platform. It is strongly recommended to upgrade to Java 11 as soon as possible.
- Support for Oracle Java builds is limited (see below).
- Support for PostgreSQL 9.5 (9.5, 9.5.1) is deprecated.
- Support for Microsoft SQL Server 2014 is deprecated.
- SOAP-based IDM Model Web Service Interface is deprecated. It will no longer be maintained and it will be completely removed in future versions. Please use RESTful interface instead.
- As the SOAP interface is deprecated, the example SOAP client (model-client component) was removed from midPoint source code. It will no longer be maintained.
- There are many schema changes, including many incompatible schema changes. Please see the upgrade section below for the details.
- Activiti BPM that was used as "workflow engine" was removed from midPoint.
- Support for BEA/Oracle WebLogic (12c) is deprecated and it is no longer available as a public feature. Artifacts for WebLogic support will be removed as soon as such action is confirmed with the affected subscribers.
Releases Of Other Components
- New versions of LDAP Connector and Active Directory Connector were released during the course of midPoint 4.0 development. There were major improvements and fixes in those connectors. See the connector pages for the details. MidPoint 4.0 contains most recent versions of those connectors.
- New versions of CSV Connector and DatabaseTable Connector were released during the course of midPoint 4.0 development. There were minor improvements and fixes in those connectors. See the connector pages for the details. MidPoint 4.0 contains most recent versions of those connectors.
- MidPoint plug-in for Eclipse IDE was updated and released during the course of midPoint 4.0 development. The correct version of the plugin to use with midPoint 4.0 is 0.10.8.
- Official release of Java REST client is planned shortly after midPoint 4.0 release.
- Release of overlay projects and other associated artifacts is planned after 4.0 release.
Other Major Changes And Limitations
- There was a change in midPoint 4.0 licensing. MidPoint 4.0 is dual-licensed under the Apache License and EUPL, which means that users of midPoint may choose either of those licenses. Therefore there is almost no change for existing midPoint users that used midPoint under the terms of the Apache License. The only effect of this change is a change in the code contribution process, which now requires signing a CLA. Some parts of midPoint that receive more contributions, such as samples and localizations, are still single-licensed under the terms of the Apache License to simplify the contribution process. Those parts have been separated into their own projects.
- The structure of midPoint reporting service was changed during the course of midPoint 4.0 development. Those changes were motivated mostly by security concerns. There are incompatible changes, therefore existing versions of midPoint plugin for JasperSoft studio will not work with midPoint 4.0. The future of JasperSoft studio integration with midPoint is currently being debated internally in midPoint teams. Platform subscribers that currently use or plan to use JasperSoft studio are invited to provide their feedback and opinions. The result will be either new release of the integration component or deprecation of JasperSoft studio integration.
MidPoint 4.0 is a major release. There are changes that are not strictly compatible with midPoint 3.x. Those incompatible changes are mostly removals of schema elements that have been deprecated for a long time or elements that were never really used. Therefore the major release should not significantly affect midPoint deployments that are maintained properly. However, there are also some behavioral changes and changes in internal implementation. There are also changes in support routines, limitations and other non-technical aspects that can affect midPoint deployments.
It is strongly recommended to read these release notes very carefully.
Release 4.0 (Gutenberg) is intended for full production use in enterprise environments. All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.
Release 4.0 is also a long-term support (LTS) release that has a prolonged support lifetime. MidPoint 4.0 and subsequent maintenance updates are recommended as a base for deployments that prefer stability over new features.
- Functionality that is marked as EXPERIMENTAL is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of platform subscription or for those that explicitly negotiated such support in their support contracts.
- MidPoint comes with a bundled LDAP Connector. Support for the LDAP connector is included in the standard midPoint support service, but there are limitations. This "bundled" support only includes operations of the LDAP connector that are 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend explicitly negotiating support for a specific LDAP server in your midPoint support contract. Otherwise only standard LDAP functionality is covered by the support. See the LDAP Connector page for more details.
- MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
- MidPoint comes with a bundled Active Directory Connector (LDAP), which includes support for PowerShell scripting. This scripting is supposed to be used to supplement creation of Active Directory (Windows) accounts by using simple scripts. It is not supposed to be used to manage Microsoft Exchange accounts. Management of Exchange accounts can be quite a complex matter, requiring complicated PowerShell scripts. Support for the use of this connector to manage Exchange accounts has to be purchased separately.
- The PowerShell capability of Active Directory Connector (LDAP) will be migrated to a dedicated connector in midPoint 4.1 or later. Once this capability is migrated, PowerShell scripting will no longer be supported as part of bundled midPoint connectors. There will be special connector for that purpose and support for such connector will be sold separately. Therefore, if you need support for PowerShell scripting, we recommend explicitly negotiating such support in your midPoint support contract. MidPoint subscribers that purchased their full subscription before the release date of midPoint 4.0 should not be affected by this change. However we recommend to check status of your subscription coverage by contacting Evolveum.
- MidPoint comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
- There is an option to modify midPoint to support LDAP and CAS authentication by using Spring Security modules. This method is used in several midPoint deployments. However, such authentication modules are not officially supported as part of usual midPoint subscriptions. Only community-level support is provided for those modules. Commercial-grade support for this authentication method is available, but it has to be explicitly negotiated in a subscription contract.
- MidPoint user interface has a flexible (fluid) design and it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, the midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, while midPoint often works well on larger mobile devices (tablets), it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in the standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
- There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes the midPoint plug-in for Eclipse IDE, the extension of Jasper studio, the Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract. For other cases there is only community support available. For those that are interested in official support for IDE add-ons, there is a possibility to use a subscription to help us develop midPoint studio (MID-4701).
- The integration of Jaspersoft Studio for midPoint (a.k.a. "Jasper plugin") will not work with midPoint 4.0. The reporting web service was changed and the plugin was not yet adapted to that change. This work is planned for later. The priorities will be determined by platform subscribers.
- MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported part of this user interface is the part that is used to process requests and approvals. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.
MidPoint is known to work well in the following deployment environment. The following list is a list of tested platforms, i.e. platforms that the midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
Support for some platforms is marked as "deprecated". Support for such deprecated versions can be removed in any midPoint release. Please migrate from deprecated platforms as soon as possible.
- OpenJDK 11 (11.0.4). This is a recommended platform.
- OpenJDK 8 (1.8.0_221) DEPRECATED
Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds. The end of free updates for Oracle JDK 11 was planned for March 2019, and the current status is not known. This means that Oracle JDK 11 may not be supported at all for midPoint 4.0. MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platforms that do not have public updates, as we would not have access to those updates and therefore could not reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.
MidPoint is bundled with an embedded web container. This is the default and recommended deployment option. See Stand-Alone Deployment for more details.
Apache Tomcat 8.0.x is no longer supported as its support life is over (EOL).
MidPoint supports several databases. However, performance characteristics and even some implementation details can change from database to database. Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments.
Our strategy is to officially support the latest stable version of each database (to the practically possible extent). It may be possible to support also older database versions. But as that means additional testing and support effort, we provide such service only with special support contracts. Contact Evolveum sales for the details.
- Firefox (any recent version)
- Safari (any recent version)
- Chrome (any recent version)
- Opera (any recent version)
- Microsoft Internet Explorer (version 9 or later)
Microsoft Internet Explorer compatibility mode is not supported.
Important Bundled Components
| Component | Version | Description |
|---|---|---|
| ConnId | 220.127.116.11 | ConnId Connector Framework |
| LDAP connector bundle | 2.3 | LDAP, Active Directory and eDirectory connector |
| CSV connector | 2.3 | Connector for CSV files |
| DatabaseTable connector | 18.104.22.168 | Connector for simple database tables |
Download and Install
|Installing midPoint v4.0|
MidPoint is software that is designed for easy upgradeability. We do our best to maintain strong backward compatibility of the midPoint data model, configuration and system behavior. However, midPoint is also a very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore we can assure reliable midPoint upgrades only for midPoint subscribers. This section provides an overview of the changes and upgrade procedures. Although we try our best, it is not possible to foresee all possible uses of midPoint. Therefore the information provided in this section is for information purposes only, without any guarantees of completeness. In case of any doubts about upgrade or behavior changes, please use services associated with midPoint subscription or purchase professional services.
Major Release 4.0
Even though midPoint minor releases are managed with almost complete compatibility in mind, midPoint 4.0 is different. MidPoint 4.0 is a major release. This is a point in the midPoint development lifecycle when we remove obsolete functionality and when we make major updates to midPoint schema, database data structures and functionality. Every experienced software engineer knows that it is rarely feasible to make such changes while keeping compatibility at the same time. Therefore midPoint 4.0 is not backwards-compatible with midPoint 3.x. But the situation is not as bad as it might seem. We have tried to avoid changes that were not necessary. Therefore the vast majority of midPoint data schema is still compatible. It is just those little places where it is not. Those places are the reason that we cannot declare complete compatibility. And that is also the reason that there is no automatic upgrade path from midPoint 3.x that is 100% reliable.
The changes in midPoint schema and functionality are mostly limited to data items that were already deprecated for a long time, some of them going back even to midPoint 2.x. Those elements were removed or significantly changed. All such changes were marked as "planned removal in 4.0" in midPoint 3.9 schema. This plan was documented in midPoint 3.9 release notes, therefore the users had sufficient time to prepare. You should be able to upgrade without any major issues if you haven't used any deprecated properties or if you have avoided the use of removed elements at the very least. But even in that case there may be some updates that need to be done manually. Please refer to the section that deals with midPoint schema for details. Please be especially careful about the iterationSpecification element described below.
Upgrade from midPoint 3.x
Upgrade path from MidPoint 3.x goes through midPoint 3.9. Upgrade to midPoint 3.9 first by using the documented upgrade techniques. Then upgrade from midPoint 3.9 to 4.0.
Upgrade from midPoint 3.9
MidPoint 3.9 data model is not completely backwards compatible with previous midPoint versions. However, vast majority of data items is compatible. Therefore the usual upgrade mechanism can be used. The usual SQL scripts for database schema upgrade are provided. There are some important changes to keep in mind:
- There were numerous schema changes that are described below.
- Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
Schema changes since 3.9
MidPoint schema was significantly changed since midPoint 3.9. There are many elements that are removed. Those were marked "for removal" in midPoint 3.9. Our Ninja tool can be used to detect the use of those elements even in midPoint 3.9. The "ninja" should be used to audit your use of deprecated data items before attempting to upgrade to midPoint 4.0.
Even though this is midPoint 4.0, the numbers in the schema namespaces are still referring to version 3, e.g.
. This might seem strange and this decision was given a significant amount of consideration. The version number was introduced to the namespaces in the early days of midPoint when such a practice was quite common in the XML world. However, the current consensus of midPoint architects is that the schema versioning mechanism in the XML namespace is far from being ideal. A better versioning mechanism will be needed in the future. The preliminary design is to remove the version number from the namespace entirely and use explicit schema versioning that could reflect semantic versioning principles. The preliminary plan is to address this in midPoint 5.0. This would mean that the namespaces would need to change now and there would be another change in a few years when midPoint 5.0 is released. We have decided that the current change from "common-3" to "common-4" would not bring any significant advantage. However, it would significantly complicate the upgrade from midPoint 3.x to midPoint 4.0. Therefore the decision was to keep the "common-3" namespaces. Even though it might look strange, we are making a very pragmatic decision here that makes midPoint migration much easier for everybody.
The following steps are an outline of an upgrade process:
Those steps are just a rough outline. Actual steps needed to upgrade to midPoint 4.0 may be different as the upgrade procedure depends on midPoint customizations, environment and other deployment details.
Changes in initial objects since 3.9
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role superuser and user administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite, midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although problems caused by the change in initial objects are unlikely to occur, the implementors are advised to review the following list and assess the impact on a case-by-case basis:
- 000-system-configuration.xml: Case and workitem views, expression profile, misc logging/tracing changes
- 010-value-policy.xml, 015-security-policy.xml: Removing deprecated elements
- 040-role-enduser.xml, 041-role-approver.xml: updates required for new approval mechanisms
- 020-archetype-system-user.xml, 021-archetype-system-role.xml, 022-archetype-business-role.xml, 023-archetype-manual-provisioning-case.xml, 024-archetype-operation-request.xml, 025-archetype-approval-case.xml, 026-archetype-trace.xml: default archetype definitions
- 070-task-validity.xml: Update to current (non-deprecated) schema
- 090-report-audit.xml, 100-report-reconciliation.xml, 110-report-user-list.xml, 130-report-certification-definitions.xml, 140-report-certification-campaigns.xml, 150-report-certification-cases.xml, 160-report-certification-decisions.xml: Corrected encoding of Jasper report definition (it was base64-encoded twice), updating the definition to current schema (non-deprecated elements), updated report definition to reflect changes in Prism API
- 250-object-collection-resource-all.xml, 260-object-collection-task-all.xml, 270-object-collection-task-active.xml, 280-object-collection-resource-up.xml, 290-object-collection-audit-errors.xml, 300-object-collection-audit-modifications.xml, 330-object-collection-my-cases.xml: default object collections
- 310-dashboard-admin.xml: default system administration dashboard (experimental)
Bundled connector changes since 3.9
- All bundled connectors were upgraded to the latest available version.
- AD Connector was improved in several ways, including better support for userAccountControl attribute. It is recommended to refresh resource schema to take full advantage of those features.
Behavior changes since 3.9
- Following expression variables are deprecated: user, account, shadow
- Inbound mappings are evaluated together from all the resources, as they should. But do not rely on that (yet). Some resources may not be loaded.
- Default range for inbound mappings has changed. Default range for single value items is "all", default range for multivalue items is "none". See Inbound Mapping page for the details.
- Special authorization is needed to run reports (authorization-model-3#runReport). Access to report web service requires this authorization as well (e.g. needed for access by Jaspersoft Studio).
- Change of subtype is not supported in midPoint 4.0. This functionality was never fully supported in midPoint 3.x either, even though some use-cases worked. As subtype is now deprecated, this functionality will no longer be supported.
Public interface changes since 3.9
- There were numerous changes to the IDM Model Interface (Java). Please see source code history for details. As this is a major release, there might be incompatible changes.
- Prism interface was changed in many places. There is now a separate prism-api. However, this is not yet a stable public interface. Changes to this API are expected in future midPoint versions. Although we will try to keep the changes compatible at least until the next LTS release, incompatible changes may happen occasionally.
- IDM Model Web Service Interface (SOAP) is deprecated. The plan is to remove support for SOAP soon.
Important internal changes since 3.9
These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
- Report API is changed, including the remote reporting interface.
- Variable typing and stricter checks. This means that midPoint 4.0 is slightly less tolerant of configuration errors.
- There were numerous changes in internal code structure, most notably changes in Prism and GUI. Heavy customizations of midPoint 3.x are likely to break in midPoint 4.0.
Known Issues and Limitations
Like all real-world software, midPoint 4.0 has some known issues. The full list of the issues is maintained in Jira. As far as we know at the time of the release there was no known critical or security issue.
- There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.
- Native attribute with the name of 'id' cannot be currently used in midPoint (MID-3872). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).
Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.
We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is practical software, developed by living and breathing developers and deployed in the real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.