This feature is experimental. It means that it is not intended for production use. The feature is not finished. It is not stable. The implementation may contain bugs, the configuration may change at any moment without any warning and it may not work at all. Use at your own risk.

MidPoint 4.1 and later


WORK IN PROGRESS. This functionality is in development. This page can change any time during feature development.


  • Configuration schema for flexible authentication is designed to be mostly complete. However, not all configuration options are currently supported.
  • Flexible authentication is currently supported only for the midPoint administration GUI. Only internal password authentication and SAML2 are officially supported. The rest of the functionality is considered to be experimental.
  • OpenID Connect protocol is not supported yet.
  • Social login functionality is not supported yet.
  • It is unlikely that midPoint could be used as a member of an identity federation directly. An identity proxy or a similar technology may be needed.
  • Authentication configuration is global. Only global security policy can be used to configure the authentication (i.e. security policy referenced directly from system configuration object). Per-organization security policies or any other security policies cannot be used.
  • Support for authentication module necessity is limited. We support only SUFFICIENT modules in 4.1.
  • Authentication modules for SOAP web services are not supported because SOAP is deprecated and it will be removed soon.
  • The REST service supports HTTP basic authentication only. Distributed authentication protocols (OpenID Connect, SAML) are not supported yet. REST support for flexible authentication is experimental.
  • Even though the authentication configuration often suggests that there may be more than one instance of credentials (password, nonce), midPoint currently supports only a single password, a single nonce and a single set of security questions. Multiple credentials are not supported. Credential names are mentioned in the configuration schema so that midPoint functionality can be extended in the future.