MidPoint 2.0 "Rhea"

Last modified 26 Oct 2021 10:24 +02:00

Release 2.0 is a fifth midPoint release code-named Rhea.

Release date20 June 2012
Release type Production release


midPoint 2.0 provides following features:

  • Account provisioning (create, read, update, delete accounts)

    • Support for expressions to determine account attributes

    • Processing fully based on relative changes

  • Integration of Identity Connector Framework (OpenICF)

    • Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future

    • Automatic generation and caching of resource schema from the connector

    • Local connector discovery

    • Support for connector hosts and remote connectors

  • Improved administration GUI

  • Flexible identity repository implementations

    • Identity repository based on relational databases

    • Identity repository based on BaseX XML database (experimental)

  • Live synchronization

  • Reconciliation

  • Advanced RBAC support and flexible account assignments

    • Expressions in the roles

    • Hierarchical roles

    • Parametric roles (including ability to assign the same role several times with different parameters)

  • Customization expressions

    • XPath version 2

    • Groovy

    • JavaScript (ECMAScript)

  • PolyString support allows automatic conversion of strings in national alphabets

  • Custom schema extensibility

  • Enhanced logging and error reporting

  • Multi-node task manager component with HA support

  • Basic auditing

  • Lightweight deployment structure

  • Support for Apache Tomcat web container

  • Import from file and resource

    • Object schema validation during import (can be switched off)

    • Smart references between objects based on search filters

  • Provisioning robustness - ability to provision to non-accessible resources

  • Simple handling of provisioning errors

  • Protected accounts (accounts that will not be affected by midPoint)

  • Segregation of Duties (SoD)

    • Role exclusions

  • Enterprise class scalability (hundreds of thousands of users)


When compared to the previous version, Phoebe is introducing following changes:

  • Identity repository in the relational database

  • Improved administration GUI

  • Groovy expressions

  • ECMAScript (JavaScript) expressions

  • Protected accounts

  • Basic Segregation of Duties (SoD): Role exclusions

  • Underlying platform based entirely on Prism Objects

  • Schema stabilization, move to "version 2" schemas, backward compatibility of the schema

  • PolyString support allows automatic conversion of strings in national alphabets

  • Custom schema extensibility

  • API cleanup

  • Further testing and codebase stabilization

  • Provisioning robustness and simple provisioning failures handling

  • Enterprise class scalability (hundreds of thousands of users)


Release 2.0 (Rhea) is intended for full production use in enterprise environments. All features are stable and well tested.


midPoint is roughly based on OpenIDM version 1. When compared to OpenIDM v1, midPoint code was made significantly "lighter", removing some of the "dead meat" that accumulated over the year of hectic OpenIDM development. The code was also stabilized, the tests were fixed and the complete development process was brought back to a reasonable shape. The most significant changes are with regard to OpenIDM trunk in early 2011:

  • Removed OpenESB: OpenESB is a dead project and the hope of reviving it is very low. OpenESB was slowing down OpenIDM development from the very beginning. This does not mean that midPoint cannot be used in "ESB" environment. Just the approach was changed to decouple these technologies. midPoint is provided in a for of simple Java web application (WAR) based on Spring.

  • Removed Glassfish dependency: midPoint is no longer dependent on a specific application server. The primary development and testing platform is now Apache Tomcat.

  • Simplified build: The build system was completely revamped. The new build system is much simpler and based on a "pure" maven without any hacks.

  • Fixed unit tests: The unit tests were reviewed, deprecated unit tests were removed and the tests that are still needed were fixed. The tests would deserve better cleanup, but they are all passing now. And that’s how it shall remain from this point on.

  • Architecture update: New wiki was created with an up-to-date information on current midPoint implementation and also the design. The UML models were updated as well, removing unnecessary components exactly as it happened in the code.

  • Refactoring of vital components: IDM Model, provisioning and repository were significantly refactored for a better code structure and improved readability.

  • Improved GUI: The GUI has been improved for usability.

  • Error reporting: Errors are displayed more sophisticated composite result GUI.

  • Logging: Logging subsystem was switched to logback, has support for MDC-based subsystem marking, the log messages were cleaned up.

  • Resource Schema: Resource schema is automatically generated.

  • Connector and Connector Host: Connectors are described by repository objects, including generated connector schema. Connector hosts are supported.

  • Relative change model

  • Auditing

  • RBAC

  • RDB repository: Support for efficient identity repository based on relational database

  • Improved administration GUI

For the full project background see the midPoint History page.

Known Issues

  1. GUI does not support account assignments (https://jira.evolveum.com/browse/MID-736)

  2. Automatic re-creation of accidentally deleted account does not work yet (https://jira.evolveum.com/browse/MID-783)

  3. Combining direct account management with assignments may cause problems on resource that do not tolerate duplicate attribute values (https://jira.evolveum.com/browse/MID-784)

  4. Removing a role that is assigned multiple times does too much (https://jira.evolveum.com/browse/MID-785)

  5. Protected accounts seems not to work in reconciliation (https://jira.evolveum.com/browse/MID-786)

  6. "Name" field in user form is not shown as mandatory (https://jira.evolveum.com/browse/MID-789)

Change secret key in keystore

To generate new secret key (with different key size), you have to proceed through this steps:

  1. shudtown midpoint

  2. find JCEKS keystore in midpoint.home (by default it’s keystore.jceks, but file name can be different)

  3. generate new key
    keytool -genseckey -alias <SOME_ALIAS> -keystore <KEYSTORE_FILENAME> -storetype jceks -keyalg AES -keysize <KEY_SIZE>

Supported key sizes are: 128 (doesn’t require JCE), 192 and 256 (JCE required)

  1. change configuration in config.xml in midpoint.home
    <encryptionKeyAlias>default</encryptionKeyAlias> change 'default' to <SOME_ALIAS>

  2. add/edit <xmlCipher></xmlCipher> in <keystore> element. You can use smaller cipher key size for encryption. For:

AES_128 use "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

AES_256 use "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

AES_192 use "http://www.w3.org/2001/04/xmlenc#aes192-cbc"

without quotation. This element is optional, if it doesn’t exist AES_128 is used.

  1. From now every encryption operation uses new key, for decryption old key is used.