This release is planned. Therefore the information presented here is incomplete and inaccurate.
For information regarding the latest stable release please see Release 3.9
Release 4.0 is a twenty eight midPoint release code-named Gutenberg. The 4.0 release brings ....
Planned release date: June-July 2019
Majority of the work on the Watt release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.
midPoint 4.0 provides following features:
- Common identity management data model
- Extensible object types:
- Numerous built-in properties
- Extensibility by custom properties
- Completely schema-aware system
- Dynamic schema automatically retrieved from resource
- Support for primitive data types
- Native support of multi-value attributes
- Limited support for complex data types
- Processing and computation fully based on relative changes
- Off-the-shelf support for user password credentials
- Off-the-shelf support for activation (users, roles, orgs, services)
- Enabled/disabled states (extensible in the future)
- Support for user validity time constraints (valid from, valid to)
- Object template to define policies, default values, etc.
- Ability to use conditional mappings (e.g. to create RB-RBAC setup)
- Ability to include other object templates
- Global and resource-specific template setup
- Representation of all configuration and data objects in XML, JSON and YAML
- Annotation support (such as "experimental" and "deprecated" annotation to control data model evolution)
- Customizable PolyString normalization
- Extensible object types:
- Identity management
- Enabling and disabling accounts
- Support for mapping and expressions to determine account attributes
- Multi-layer attribute access limitations
- Provisioning dependencies
- Higher-order dependencies (enables partial support for circular provisioning dependencies)
- Provisioning robustness - ability to provision to non-accessible (offline) resources
- Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
- Provisioning Propagation
- Support for tolerant attributes
- Ability to select tolerant and non-tolerant values using a pattern (regexp)
- Support for volatile attributes (attributes changed by the resource)
- Matching Rules
- Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
- Automatic matching rule discovery
- Provisioning scripts
- Ability to execute scripts before/after provisioning operations
- Ad-hoc provisioning script execution
- Advanced support for account activation (enabled/disabled states)
- Standardized account activation that matches user activation schema for easy integration
- Ability to simulate activation capability if the connector does not provide it
- Support for account lock-out
- Support for account validity time constrains (valid from, valid to)
- Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
- Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
- Ability to specify set of protected accounts that will not be affected by IDM system
- Support for base context searches for connectors that support object hierarchies (such as LDAP)
- Bulk actions
- Passive Attribute Caching (EXPERIMENTAL)
- Partial multi-tenancy support
- Live synchronization
- Ability to execute scripts before/after reconciliation
- Correlation and confirmation expressions
- Conditional correlation expressions
- Concept of channel that can be used to adjust synchronization behaviour in some situations
- Generic Synchronization allows synchronization of roles to groups to organizational units to ... anything
- Self-healing consistency mechanism
- Advanced RBAC
- Expressions in the roles
- Hierarchical roles
- Conditional roles and assignments/inducements
- Parametric roles (including ability to assign the same role several times with different parameters)
- Temporal constraints (validity dates: valid from, valid to)
- Role catalog
- Role request based on shopping cart paradigm
- Several assignment enforcement modes
- Ability to specify global or resource-specific enforcement mode
- Ability to "legalize" assignment that violates the enforcement mode
- Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template and role autoassignment
- Entitlements and entitlement associations
- GUI support for entitlement listing, membership and editing
- Entitlement approval
- User-friendly entitlement association management
- Identity governance
- Powerful organizational structure management
- Workflow support (based on Activiti engine)
- Declarative policy-based multi-level approval process
- Visualization of approval process
- Object lifecycle property
- Object history (time machine)
- Policy Rules as a unified mechanism to define identity management, governance and compliance policies
- Segregation of Duties (SoD)
- Many options to define role exclusions
- SoD approvals
- SoD certification
- Assignment constraints for roles and organizational structure
- Access certification
- Ad-hoc recertificaiton
- Basic role lifecycle management (role approvals)
- User-friendly policy selection
- Deputy (ad-hoc privilege delegation)
- Escalation in approval and certification processes
- Rich assignment meta-data
- Expressions, mappings and other dynamic features
- Sequences for reliable allocation of unique identifiers
- Customization expressions
- PolyString support allows automatic conversion of strings in national alphabets
- Mechanism to iteratively determine unique usernames and other identifier
- Function libraries
- User profile page
- Password management page
- Role selection and request dialog
- Email-based password reset
- Flexible identity repository implementations and SQL repository implementation
- Fine-grained authorization model
- Organizational structure and RBAC integration
- Delegated administration
- Password management
- Password distribution
- Password policies
- Password retention policy
- Password metadata
- Self-service password management
- Password storage options (encryption, hashing)
- Mail-based initialization of passwords for new accounts
- CSRF protection
- Scheduled reports
- Lightweight reporting (CSV export) built into user interface
- Comprehensive reporting based on Jasper Reports
- Post report script
- Administration documentation publicly available in the wiki
- Architectural documentation publicly available in the wiki
- Schema documentation automatically generated from the definition (schemadoc)
Changes with respect to version 3.9
New Features and Improvements
- Major features
- User interface improvements
- Object Collections and Views
- Sections (virtual containers) in object details
- Status dashboards and reports (experimental)
- Shopping cart improvements
- Minor user experience improvements
- Ability to set custom name for midPoint
- Support for PolyStrings all the way to the connector (experimental)
- Asynchronous (messaging) connector options (prototype)
- Miscellaneous improvements
- Mapping range pre-defined sets
- Mapping state properties
- Support for populate expressions in autoassignments
- Task management in cluster is using REST
- Autogenerated node identifier in a cluster
- Support for attachments in mail notifications
- Improved Prism API and code structure
- Improved GUI interfaces and code structure
- Long-term support stabilization
- Java 11 support
- TODO: activiti
Deprecation, Feature Removal And Incompatible Changes
Support for PostgreSQL 9.5 (9.5, 9.5.1) is deprecated.
Support for Microsoft SQL Server 2014 is deprecated.
- SOAP-based IDM Model Web Service Interface is deprecated. It will no longer be maintained and it will be completely removed in future versions. Please use RESTful interface instead.
- TODO: incompatible schema changes (e.g. iterators)
- TODO: Activiti
Releases Of Other Components
- TODO: eclipse plugin
- TODO: LDAP/AD Connector
- TODO: Java REST client?
Other Major Changes And Limitations
- TODO: reporting service and Eclipse plugin
See upgrade instructions below for more details.
Next version: 4.0
Next planned midPoint version is version 4.0. This means that a major release is planned after the 3.9 release. Major release 4.0 is likely to introduce changes, that are not strictly compatible with midPoint 3.x. We mostly plan removal of schema elements that are deprecated for a long time or elements that were never really used. Therefore this move should not affect midPoint deployments that are maintained properly. MidPoint 3.9 includes a tool to check whether your deployment is likely to be affected by midPoint 4.0, which may give you sufficient time to prepare for 4.0 release. You can use new
verify command for Ninja command-line tool to check your deployment.
Release 4.0 (Gutenberg) is intended for full production use in enterprise environments. All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription and/or professional services contract.
- Functionality that is marked as EXPERIMENTAL is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of platform subscription or for those that explicitly negotiated such support in their support contracts.
- MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.
- MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
- MidPoint comes with bundled Active Directory Connector (LDAP), which includes support for PowerShell scripting. This scripting is supposed to be used to supplement creation of Active Directory (windows) accounts by using simple scripts. It is not supposed to be used to manage Microsoft Exchange accounts. Management of Exchange accounts can be quite a complex matter, requiring complicated PowerShell scripts. Support for the use of this connector to manage Exchange accounts has to be purchased separately.
- The PowerShell capability of Active Directory Connector (LDAP) will be migrated to a dedicated connector in midPoint 4.1 or later. Once this capability is migrated, PowerShell scripting will no longer be supported as part of bundled midPoint connectors. There will be special connector for that purpose and support for such connector will be sold separately. Therefore, if you need support for PowerShell scripting, we recommend explicitly negotiating such support in your midPoint support contract. MidPoint subscribers that purchased their full subscription before the release date of midPoint 4.0 should not be affected by this change. However we recommend to check status of your subscription coverage by contacting Evolveum.
- MidPoint comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
- There is an option to modify midPoint to support LDAP and CAS authentication by using Spring Security modules. This method is used in several midPoint deployments. However, such authentication modules are not officially supported as part of usual midPoint subscriptions. Only community-level support is provided for those modules. Commercial-grade support for this authentication method is available, but it has to be explicitly negotiated in a subscription contract.
- MidPoint user interface has flexible (fluid) design and it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
- There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes midPoint plug-in for Eclipse IDE, extension of Jasper studio, Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract. For other cases there is only community support available. For those that are interested in official support for IDE add-ons there is a possibility to use subscription to help us develop midPoint studio ( - MID-4701Getting issue details... STATUS ).
- The integration of Jaspersoft Studio for midPoint (a.k.a. "Jasper plugin") will not work with midPoint 4.0. The reporting web service was changed and the plugin was not yet adapted to that change. This work is planned for later. The priorities will be determined by platform subscribers.
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.
Support for some platforms is marked as "deprecated". Support for such deprecated versions can be removed in any midPoint release. Please migrate from deprecated platforms as soon as possible.
- OpenJDK 8 (1.8.0_91, 1.8.0_111, 1.8.0_151, 1.8.0_181)
- Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74, 1.8.0_131)
MidPoint is bundled with an embedded web container. This is the default and recommended deployment option. See Stand-Alone Deployment for more details.
In addition to that following we containers are supported:
- Apache Tomcat 8.5 (8.5.4). Tomcat 8.0.x is no longer supported as its support life is over (EOL).
- BEA/Oracle WebLogic (12c) - special subscription required
MidPoint supports several databases. However, performance characteristics and even some implementation details can change from database to database. Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments.
- H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.
- PostgreSQL 10. This is the recommended option. Support for PostgreSQL 9.5 (9.5, 9.5.1) is deprecated.
- MariaDB (10.0.28)
- MySQL 5.7 (5.7)
- Oracle 12c
- Microsoft SQL Server 2016 SP1. Support for SQL Server 2014 is deprecated.
Our strategy is to officially support the latest stable version of each database (to the practically possible extent). It may be possible to support also older database versions. But as that means additional testing and support effort, we provide such service only with special support contracts. Contact Evolveum sales for the details.
- Firefox (any recent version)
- Safari (any recent version)
- Chrome (any recent version)
- Opera (any recent version)
- Microsoft Internet Explorer (version 9 or later)
Recent version of browser as mentioned above means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.
Microsoft Internet Explorer compatibility mode is not supported.
Important Bundled Components
|ConnId||126.96.36.199||ConnId Connector Framework|
|LDAP connector bundle||2.0||LDAP, Active Directory and eDirectory connector|
|CSV connector||2.2||Connector for CSV files|
|DatabaseTable connector||188.8.131.52||Connector for simple database tables|
Download and Install
Stand-alone deployment model
MidPoint deployment method has changed in midPoint release 3.7. Stand-alone deployment is now the default deployment method. MidPoint default configuration, scripts and almost everything else was adapted for this method.
- New midPoint users and new deployments should simply follow the installation manual.
- Existing deployments prior to version 3.7 may keep using exactly the same configuration as before. Deployment of midPoint as Web Application is still supported as an alternative. However, stand-alone deployment is now the primary option. It is recommended to migrate the deployment based on application server to a stand-alone deployment in the future. See our brief migration guide.
|Installing midPoint 3.9|
MidPoint is software that is designed for easy upgradeability. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore we can assure reliable midPoint upgrades only for midPoint subscribers. This section provides overall overview of the changes and upgrade procedures. Although we try to our best it is not possible to foresee all possible uses of midPoint. Therefore the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription or purchase professional services.
Upgrade from midPoint 3.x
Upgrade path from MidPoint 3.x goes through midPoint 3.9. Upgrade to midPoint 3.9 first by using the documented upgrade techniques. Then upgrade from midPoint 3.9 to 4.0.
Upgrade from midPoint 3.9
MidPoint 3.9 data model is essentially backwards compatible with previous midPoint versions. However, there were changes that may affect some deployments:
- Consistency mechanism in midPoint was update and aligned with manual connectors, taking into account possible future extension for asynchronous provisioning operations. Old shadow "consistency" properties (
failedOperationType) are no longer used. Their content is ignored. All operations that are not completed immediately are now recorded in
- Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
- New resource capability (delta update) was introduced. Therefore please make sure that native resource capabilities are refreshed for resources that support delta update capability (most notably LDAP and AD connectors).
- TODO: primaryIdentifierValue
Changes in initial objects since 3.8
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role
superuser and user
administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the
config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:
- 000-system-configuration.xml: logging appender configuration updated
- 010-value-policy.xml: removed deprecated minOccurs
- 015-security-policy.xml: removed deprecated minOccurs
- 040-role-enduser.xml: reducing authorizations (get instead of read)
- 140-report-certification-campaigns.xml: report definition fixed
- 150-report-certification-cases.xml: report definition fixed
- 160-report-certification-decisions.xml: report definition fixed
- 200-lookup-languages.xml: new language: japanese, lithuanian
- 210-lookup-locales.xml: new language: japanese, lithuanian
Bundled connector changes since 3.8 and 3.8.1
- The LDAP connector and AD Connector were upgraded to the latest available version. This version brings major changes that take advantage of ConnId framework development. There is support for native timestamps. But there is one important internal change. LDAP and AD connectors now support "update delta" operation instead of legacy update operations. Delta-based updates are superior to legacy method and this change resolves a lot of subtle problems of complex changes on resources. However, the connector has to let midPoint know that it supports delta-based update operations. This is done by the means of resource capabilities. This happens automatically for new midPoint deployments. Older midPoint deployments simply need to refresh (native) resource capabilities.
Behavior changes since 3.9
- Following expression variables are deprecated: user, account, shadow
- Inbound mappings are evaluated together from all the resources, as they should. But do not rely on that (yet). Some resources may not be loaded.
- Default range for inbound mappings has changed. TODO: single vs multivalue. See Inbound Mapping page for the details.
- Special authorization is needed to run reports (authorization-model-3#runReport). Access to report web service requires this authorization as well (e.g. needed for access by Jaspersoft Studio).
Public interface changes since 3.8
- IDM Model Java API: TODO
Important internal changes since 3.8
These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
- Report API is changed, including the remote reporting inteface: TODO
- Variable typing and more strict checks. Which means that midPoint 4.0 is slightly less tolerant configuration errors.
Known Issues and Limitations
There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.
Native attribute with the name of 'id' cannot be currently used in midPoint ( - MID-3872Getting issue details... STATUS ). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).
JavaDoc is temporarily not available due to the issue in Java platform. This issue is fixed in Java 9 platform, but backport of this fix to Java 8 is (quite surprisingly) not planned. This should be fixed in midPoint 4.0 with Java 11 support.
As all real-world software midPoint 3.9 has some known issues. Full list of the issues is maintained in jira. As far as we know at the time of the release there was no known critical or security issue.
There is currently no plan to fix the known issues of midPoint 3.9 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is requested by midPoint subscriber. No other issues will be fixed - except for severe security issues that may be found in the future.
The known issues of midPoint 3.9 may or may not be fixed in midPoint 4.0. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint subscription. Or you can fix the bug yourself. MidPoint is always open to contributions.
This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.