midPoint is a tool that synchronizes several identity repositories, manages them and makes them available in a unified form. It belongs to the user provisioning category of the enterprise identity management field. The most important features of midPoint are:
- User provisioning and deprovisioning
- Identity synchronization and reconciliation
- Identity management process automation
- Role-based access control (RBAC)
- Management of identity-related parts of the enterprise security policy
- Identity life-cycle management including identity-related workflows
- Support for security auditing and reporting
The development of midPoint is not governed by the technology, but rather by a set of principles. These principles reflect our solution to the business needs in the identity management field. The technological implementation adapts to the real needs of IDM deployments. We know that any technology has its limits and we go only as far as the solution is efficiently applicable and practically usable. We are looking for a solution to existing problems, not for a problem that would fit existing solution. Following principles govern the development of midPoint:
Open system: midPoint is open in all aspects. It is completely developed in the public. The source code is publicly available (including the most recent development version) under the OSI-approved Apache 2.0 open-source license. The design is openly discussed with the community. The development team is open to contributions from the public. Only open protocols and platforms are used. System interfaces are well documented and open for reuse. But, most importantly, midPoint is open to use by anyone and for any purpose at no charge (as long as it complies with Apache license).
Efficient common case: midPoint supports common provisioning scenarios as efficiently as possible. For example setup of simple directory-to-directory replication should be a matter of minutes or hours. Most data transformations can be implemented using one-line expressions. Connecting a new system with all the common provisioning features should be a matter of few clicks. User interface dynamically adapts to the situation, therefore it automatically provides an auto-generated form for the end system. Common scenarios require just a configuration and simple expressions, not coding. This approach allows engineer to focus on specifics of a deployment instead of re-doing the same thing again and again for each deployment.
Extensible as needed: The less common scenarios can be supported by extending the system using a code. This may be a Java code, executing a process, calling external web services and so on. This is necessary to satisfy some of the customer requirements, but may be quite difficult to develop and maintain. We do not force engineers to a single programming language. Although Java is a natural choice and is naturally supported, there are plans for Groovy, BPEL or any other practical language that the engineers need.
Data unification: The most significant obstacle in enterprise identity management is integration. Each system has its own variant of identity data model, its own flavor of operations on identities, its own security model, data types, etc. midPoint is trying to reduce the integration overhead by providing and evolving a common data model for enterprise identity, the model that can be used as lingua franca to easily communicate common identity data across systems. Customizations and exceptions are still possible - and usually even necessary. But the overall integration process is much easier.
Focus on Identity Management: The time when a provisioning system has to come bundled with a kitchen sink and a lawn mower is getting to an end. It makes little sense for a customer to maintain one business process management suite for identity management, yet another for document lifecycle management, yet another for support processes, etc. Similar situation is also in the domains of issue tracking, auditing, data warehousing, reporting, and so on. The focus of midPoint is identity management technology, the technical problems of provisioning and identity data synchronization. We are aware that the business side of the IDM is as important as the technical side. We just expect that the business side will be managed by the generic business systems - a place where business tasks can be handled efficiently.
Business first: It is the same in all the enterprises, small or huge. Identity management solution must not interrupt the usual business. While some inconveniences cannot be avoided, the overall impact on normal operation of organization during IDM deployment must be very low. Therefore midPoint is designed with a final deployment in mind. The deployment is expected to happen in phases, small steps, while each step has to provide value. We understand the Pareto 80-20 principle. Each step of IDM deployment should provide 80% value with 20% of effort, executing the steps until they are still efficient. First step is usually short analysis and deployment of IDM as an admin tool. That speeds up processes, allow for easier auditing and provides data to plan further steps. midPoint is well suited for this purpose, as well as for the next steps in the IDM project.
midPoint is now in the state of stable product used in real-world deployments. Although the time of midPoint development may seem quite short is has quite a complex history. It is based on earlier projects, well-established frameworks and most importantly it is based on almost a decade of IDM solution experience.
The project follows open-source mantra release early, release often. There are two-to-three product releases each year. Each release brings a gradual improvement to existing features in a handful of new features. The development process is evolutionary rather than revolutionary. Product roadmap is mostly governed by demand and customer requirements. As the development process is significantly inspired by agile software development methodologies the product roadmap is quite easy to influence to suit the needs of midPoint users.
Common Data Model: Combining all user and account data into a unified (and extensible) model. Administrator can see and modify the users' data.
Provisioning: Managing accounts on many systems from a single point: midPoint. Provisioning simplifies account management by removing the tedious task of identity management from overloaded system administrators, moving the task to a dedicated staff and gradually automating it. Provisioning also means deprovisioning - the ability to deactivate all accounts of a particular user. This feature is one of the most important building blocks of enterprise security.
Connectors: Connecting to a set of commonly-used systems, such as LDAP or Active Directory. The connector interface is based on pluggable Identity Connector Framework. The connectors allow to automatic management of accounts on resources, fetching of up-to-data data for displaying it to system administrators, etc.
Advanced Role-Based Access Control (RBAC): Assign users to roles, which triggers trigger provisioning of accounts on resources. Ability to control organization-wide RBAC definition from IDM. The structure of the roles will be quite "technical" and dynamic, e.g. with an ability to define account attributes and to use dynamically evaluated expressions. There is also ability for parametric roles and multiple assignment of the same role wich makes the midPoint RBAC model very flexible and efficient.
Live Synchronization: Keeping data in several identity repositories continually consistent. This feature allows to manage users based on one or more authoritative sources such as human resources (HR) system or Active Directory. The Live Sync is an almost-real-time process, the delay between making a change in the source system and its propagation to the target system is usually just few seconds.
Reconciliation: Process to compare actual state of the identities with the desired state. Reconciliation detects inconsistencies such as illegal accounts, missing or excessive privileges, dormant accounts, etc.
Discovery: Opportunistically react to changes and inconsistencies discovered during normal operation. Examples of such situations are when data fetched during regular display of account data are found to be inconsistent with the policy, when creation of new account fails because an unknown account with the same name already exists, etc.
Reporting: Display reports based on current system state and audit records. The reporting ability in the midPoint "core" may seem quite minimal, limited to common cases. Our strategy is to reuse existing full-featured reporting packages rather than reinvent the wheel. Currently midPoint is integrated with Jasper reports. The "reporting" feature is focused on exposing the IDM and resource data in a form usable by reporting frameworks.
Repository: The identity data are stored in the relational database. All major database products are supported.
Extensibility: Introducing custom attributes to the data model, using them in expressions, pass them to and from resources, etc.
Auditing: Record a structured, machine processable audit trail for all important system activities. Current implementation is recording the data to files, relational auditing store is planned soon. The auditing subsystem is conceptually compatible with XDAS specification.
Segregation of Duties: Enforcement of security policies that prohibit cumulation of dangerous access rights to a single user. Currently midPoint support role exclusion and more sophisticated SoD policies are planned for the future.
Organizational Structure: Support for organizational structure as a part of the common identity data model. The organizational structure inside IDM brings an ability to bind roles (or role assignment) to organizational units, to evaluate organizational structure expressions (e.g. "who is his boss?") and so on. The ability to synchronize and reconcile organizational structure using mechanisms, which are similar to mechanisms used for processing identity data is further explored.
Administration GUI: midPoint contains integrated administration and configuration GUI. The GUI is rich web-based application that allows to manage identities, monitor them, configure and customize the system. The GUI is continually evolving to provide access to new midPoint features.
Web Service: The system may be used in non-interactive way as a "pure" integration component. MidPoint provides a web service that can be used to control almost all aspects and features that midPoint provides. Currently there is a SOAP/HTTP web service with full WSDL/XSD schemas. RESTful service is planned in a near future.
Lightweight Deployment: midPoint is a simple Java web application that can run in any reasonable Java web container (e.g. Apache Tomcat). The internal structure is "wired" using Spring framework.
Migration: Import initial data from files or target systems, transforming them as necessary.
Features Planned in a Near Future
Entitlements: Ability to detect and efficiently use resource entitlement in IDM. Entitlements are structured objects that can be assigned to accounts such as groups, privileges, access rights, access profiles, and so on.
More Connectors: New connectors will be added to a set of connectors, most likely as a result of community cooperation over Identity Connector Framework.
Business Processes: Ability to define, execute and control execution of simple identity-related business processes such as requesting and approving of access to a specific system. MidPoint is currently integrated with Activiti business process suite, yet it is still an experimental feature. MidPoint provides better integration with this engine as is usual in the IDM field. Note: Although we have quite a good workflow support, midPoint is not a full-featured workflow system. The use of a workflow is focused mostly to identity-related tasks. Even though we have integrated workflow engine, an integration with existing comprehensive business process suite is a preferred way of midPoint deployment (if such solution already exists within an organization).
midPoint is essentially a Java application. Its internal structure is "wired" together using a Spring framework. It is quite strictly divided into internal components separated by interfaces, which provides fair assurance of reusability and maintainability. The structure itself is lightweight. Heavyweight components such as Java Enterprise Java Beans (EJB) or Enterprise Sevice Bus (ESB) are not used (although integration with them is possible).
The system can adapt to several data store mechanisms. The only supported mechanism is relational database (supporting all major databases), however there was an experimental implementation of repository using a BaseX XML database as a proof of concept. Therefore we are confident that other storage schemes (such as LDAP) could be implemented in the future.
The system is using an Identity Connector Framework (ICF) as a mechanism to interact with other systems (resources). ICF is also used by other identity management systems and a community builds up around the current ICF code. Therefore ICF a good match for an initial connector framework used by midPoint. In the long run we plan to either radically extend the ICF or create an alternative framework that will improve the most severe problems of ICF and provide features required for practical IDM solution. However, the compatibility with ICF (and potentially with other legacy connector framework) will be maintained to protect investments in the legacy connectors.
The unique feature of midPoint is the method of dealing with data changes and consistency. Most identity management systems work with absolute state, e.g. the complete copy of new user or account data. Such approach is very problematic in case of concurrent changes that are much more common in the IDM field as one would expect. The midPoint solution is to use model based on relative changes instead of on absolute changes. Several concurrent changes can be executed in parallel without the need to lock the entire data record. This approach significantly improves usability of the system and also supports better data consistency.
midPoint is a next-generation tool. It is built using current technologies, as opposed to most existing provisioning tools that originated in early 2000s. The internal construction is lightweight and flexible. We focus on sustainable development, investing in code readability and understandability. We include technologies that bring real value and we try to avoid technology hypes and false promises of "the newest big thing" technologies.
The team developing midPoint has a long experience in delivering IDM solutions. Solutions that work when deployed. We know that, because we have been deploying them. Unlike other IDM product teams, our team has both software development skills and the IDM deployment experience. We have been facing the real problems that end customers had. We know where are the weak points of existing IDM solutions and we try hard to improve them.
midPoint must be a practical tool. Usability is the most important goal and pragmatism is our primary development approach. We try to prototype, test and validate the usability of any technology before we start using it. Our goal it to make a tool that works, not a tool that looks attractive and is polluted by buzzwords.
midPoint development is iterative and incremental. We go from a working code to a working code in cycles that take few months. The development itself is guided by the architecture, that is always at least one step ahead of the development. But we do not take the architecture as a dogma, as we know that even the best architecture does not survive a contact with reality without any change. Even though we are architecture-driven in design, the development itself is considerably agile.
See Also: Roadmap
It may be seen as a next-generation enterprise provisioning system, but in fact it is focused to do more than that. First few versions of the system focused on provisioning, as inconsistency of user management is one of the major pains for many enterprises (even SMEs). Now we are working on advanced identity management functionality. Yet, we plan to expand even beyond traditional enterprise identity management functionality. When the enterprise creates a unified view of its identity repository, the repository can be used to efficiently communicate with other enterprises, customers, partners and so on. We know quite well that it is not "identity management" that is the goal of this technology. It is cooperation of people, efficiency of processes, support for creativity and unforeseen business opportunities that is the ultimate goal.
If you are new to midPoint, there are two "tracks" to start exploring it:
- Features section will provide a detailed explanation of midPoint functionality.
- Architecture and Design will provide theoretical overview of what midPoint is and how it works.
- First Steps provides a guidance how to quickly install midPoint and configure it.
- Documentation section provides a lot of in-depth information about system configuration, customization and maintenance.
- What is midPoint Open Source Identity & Access Management
- Evolveum - Team of IAM professionals who developed midPoint