Shadow

Last modified 02 Oct 2025 13:37 +02:00
Table of Contents

Discover what shadows in midPoint are, why they are important for seamless resource account provisioning and synchronization, what is their purpose and structure, and how they help keep the management of identities fast regardless their amount.

What is a shadow in midPoint

A shadow in midPoint is a repository object that represents an object on an external resource, such as an account on an LDAP server or a group of users in a cloud service. Resource object shadows are stored in the midPoint repository, meaning the information they contain is accessible without contacting the resource itself. They use fixed predetermined schema and usually contain only basic information about the resource object. Shadows serve as lightweight projections or pointers to their corresponding resource objects.

Diagram of relations between objects related to shadows
Figure 1. Simplified diagram of relations between objects related to shadows
Why call it a shadow

We chose the term shadow to make sure that the shadow objects are not confused with the real resource objects. At the same time, we wanted to avoid replica, copy, proxy or similar heavily-overloaded words to make the term easy to recognize in the context of midPoint.

Why midPoint needs shadows

Shadows exist to bridge midPoint’s internal identity model and external resource identifiers. They provide a stable repository representation that links subjects (for example, users) to their remote resource-side counterparts that use identifiers native to the particular resource (LDAP DNs, UUIDs, database keys). As such, shadows enable reliable correlation of identities across various resources.

By representing resource objects in the repository, shadows decouple internal processing from repeated reads of external systems. Changes discovered on resources are recorded in shadows and changes to shadows can be translated into provisioning operations.

What is the structure of shadows

Structurally, a shadow combines fixed schema fields, an extensible attributes element, linkage references, lifecycle classification data, and optional caching metadata.

  • Fixed elements include repository-managed identification and metadata.

  • The attributes element holds resource-specific attribute values when attribute caching is enabled.

  • Linkage information records owners and associations that connect shadows to subjects and related shadows (e.g., when one user has multiple accounts across various resources).

  • Lifecycle and classification fields record status markers (e.g., managed vs. unmanaged, production vs. simulated, dead flags) that affect synchronization and processing.

How caching in shadows improves performance

MidPoint usually works with fresh data it fetches from connected resources in an on-demand manner. This means that if it needs data from the resource, it connects to the resource and gets the data.

However, there may be cases when such an operation is too expensive to be performed too often. It may be that the resource is too slow, often down and impossible to reach, or rate-limited.

To reduce the traffic between midPoint and resources, midPoint can cache resource-side data in its internal repository database. The caching method is always passive; only the data needed for an activity are fetched and cached by midPoint.

MidPoint stores the data it uses in the shadow of the resource object the data relate to. When midPoint is to execute an activity that needs the same resource data, it uses the cached data instead of connecting to the resource.

The cache is built gradually as midPoint reads the resource objects. If you need to pre-populate the cache, use an operation that searches all the objects, such as reconciliation. See how to refresh the cache.

See also

Was this page helpful?
YES NO
Thanks for your feedback