midPoint is an identity management and governance system. It is a comprehensive system that synchronizes several identity repositories and databases, manages them, makes them available in a unified form, manages roles, authorizations and entitlements, and implements almost every aspect of identity management and governance. It belongs to the "management" part of the Identity and Access Management (IAM) field.

The most important features of midPoint are:

How Does It Work?

MidPoint is something like a sophisticated robot for identity data synchronization and maintenance. MidPoint continually watches information sources such as an HR system. If something changes in an information source, the provisioning system pulls the new information, recomputes it, applies policies and then pushes the result to other systems. Let's explain that using an example:

A new employee is hired. The HR staff enter the employee data into the HR system as they normally do. The HR system has a process that exports the list of all employees to a text file every day. MidPoint uses a connector to continually monitor the file for changes. Therefore it finds the new line describing the new employee and reads the data from the file. MidPoint can be configured with a set of rules and scripts that is used to process the data. E.g. the rules may take the field "organization unit" from the HR record and use it to determine which organizational unit the user belongs to and which business roles this user should have. This logic is different in each organization and midPoint is built to be easily customizable.

Once midPoint determines who the new user is and which roles they should have, the really interesting bit starts. MidPoint will compute which accounts the user should have. This is usually computed from the roles that the user has. Account attributes and entitlements are computed as well, e.g. the list of groups the user should belong to. Once midPoint knows how the accounts should look, it can use connectors to automatically create them. Connectors are simple pieces of code that communicate with the target systems. A connector knows how to read, create, modify and delete an account. Therefore midPoint can automatically create all the accounts that a user needs. Automatically. In a couple of seconds.

The connectors usually communicate using a protocol that is native to the target system. Therefore connectors talk to Active Directory using the LDAP interface, modify a database using SQL, or provision to a cloud service using RESTful services. This means that midPoint is non-intrusive: the target applications do not need to be modified. They stay exactly as they are. This is a crucial feature that makes midPoint such an efficient and practical tool. It is much easier to adapt a couple of simple connectors than to modify dozens of information systems (especially if too many of them still remember the 20th century).
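The HR-file-to-accounts flow described above, as an added example that is not midPoint's own code: the rules, resource names and HR export format are constructed here for illustration, and an unknown organizational unit deliberately yields no roles (and therefore no accounts) rather than a default set.

```python
# Added illustration of the flow: HR export -> new line detected -> rules map
# org unit to business roles -> roles determine accounts and group entitlements.
# All rules and sample data below are constructed, not midPoint configuration.

# Rule: which business roles an organizational unit implies (hypothetical).
ORG_UNIT_ROLES = {
    "engineering": {"employee", "developer"},
    "finance": {"employee", "accountant"},
}

# Each business role grants an account on a resource plus group memberships.
ROLE_ACCOUNTS = {
    "employee":   {"ad": {"all-staff"}, "mail": set()},
    "developer":  {"ad": {"vpn-users"}, "gitlab": {"developers"}},
    "accountant": {"ad": {"finance-share"}, "erp": {"ap-clerks"}},
}


def new_lines(previous_export: str, current_export: str) -> list:
    """What the file connector notices: lines in today's export missing yesterday."""
    seen = set(previous_export.splitlines())
    return [line for line in current_export.splitlines() if line not in seen]


def parse_hr_line(line: str) -> dict:
    """Parse one record of the constructed export: id;name;org_unit;status."""
    emp_id, name, org_unit, status = line.strip().split(";")
    return {"id": emp_id, "name": name, "org_unit": org_unit, "status": status}


def compute_roles(record: dict) -> set:
    """Business roles follow from the org unit; inactive or unknown -> no roles."""
    if record["status"] != "active":
        return set()
    return set(ORG_UNIT_ROLES.get(record["org_unit"], set()))


def compute_accounts(roles: set) -> dict:
    """Desired accounts: one per resource, groups are the union over all roles."""
    accounts = {}
    for role in sorted(roles):
        for resource, groups in ROLE_ACCOUNTS[role].items():
            accounts.setdefault(resource, set()).update(groups)
    return accounts


def provision_from_export(previous_export: str, current_export: str) -> dict:
    """Map every newly exported employee id to the accounts they should get."""
    return {rec["id"]: compute_accounts(compute_roles(rec))
            for rec in map(parse_hr_line, new_lines(previous_export, current_export))}
```

Each resource entry in the result is what a connector would then be asked to create on that target system.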

What Makes MidPoint Unique?

There is a long list of features that make midPoint a really unique system. But there are basically three aspects that are the most interesting:


Technology

midPoint is essentially a Java application. Its internal structure is "wired" together using the Spring framework. It is quite strictly divided into internal components separated by interfaces, which provides fair assurance of reusability and maintainability. The structure itself is lightweight. Heavyweight components such as Enterprise JavaBeans (EJB) or an Enterprise Service Bus (ESB) are not used (although integration with them is possible).

The system can adapt to several data store mechanisms. The only supported mechanism is a relational database (all major databases are supported); however, there was an experimental implementation of the repository using a NoSQL database as a proof of concept. Therefore we are confident that other storage schemes could be implemented in the future, as long as the underlying data store is powerful enough to support the midPoint data model.

The system uses the ConnId framework as the mechanism to interact with other systems (resources). ConnId is also used by other identity management systems, and we are working closely with other vendors to maintain and develop the ConnId framework.

The unique feature of midPoint is its method of dealing with data changes and consistency. Most identity management systems work with absolute state, e.g. a complete copy of the new user or account data. Such an approach is very problematic in the case of concurrent changes, which are much more common in the IDM field than one would expect. The midPoint solution is to use a model based on relative changes instead of absolute state. Several concurrent changes can be executed in parallel without the need to lock the entire data record. This approach significantly improves the usability of the system and also supports better data consistency.
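An added example (not midPoint code) of the point above: two actors changing the same account at the same time. With absolute state the last full write silently discards the other actor's change (a lost update, which for group memberships means an entitlement quietly vanishing or surviving when it should not); with relative changes both deltas apply, and a simple commutativity check shows which deltas need no lock at all. The Delta type and sample account are constructed for illustration.

```python
# Added illustration of absolute-state writes vs relative changes (deltas).
# The Delta type and the sample account below are constructed, not midPoint's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Delta:
    """Relative change to one multi-valued attribute: values to add/delete."""
    attribute: str
    add: frozenset = frozenset()
    delete: frozenset = frozenset()


def apply_delta(account: dict, delta: Delta) -> dict:
    """Apply one delta; only the touched attribute changes, the rest is kept."""
    values = set(account.get(delta.attribute, frozenset()))
    values |= delta.add
    values -= delta.delete
    return {**account, delta.attribute: frozenset(values)}


def conflicts(d1: Delta, d2: Delta) -> bool:
    """Deltas conflict only if one adds a value the other deletes; otherwise
    they commute, so they can be applied in any order without a record lock."""
    if d1.attribute != d2.attribute:
        return False
    return bool(d1.add & d2.delete) or bool(d1.delete & d2.add)


def concurrent_absolute(stored: dict, deltas: list) -> dict:
    """Absolute-state model: every actor reads the same old snapshot, builds the
    full new record locally and writes the whole record back. The last writer
    wins and every earlier actor's change is lost."""
    result = dict(stored)
    for delta in deltas:
        full_new_state = apply_delta(stored, delta)   # computed from the OLD snapshot
        result = dict(full_new_state)                 # whole record replaced
    return result


def concurrent_relative(stored: dict, deltas: list) -> dict:
    """Relative-change model: each actor submits only its delta and the store
    applies them as they arrive, so non-conflicting changes all survive."""
    result = dict(stored)
    for delta in deltas:
        result = apply_delta(result, delta)
    return result
```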

See Also: Architecture and Design, Unique Features

Quick Start

If you are new to midPoint, there are two "tracks" to start exploring it:
