MidPoint 2.2 "Crius"
Release 2.2 is the eighth midPoint release, code-named Crius. The 2.2 release brings numerous new features and many improvements.

| Release date | 01 September 2013 |
|---|---|
| Release type | Production release |
Features
midPoint 2.2 provides the following features:
- Basic user data model suitable for easy integration
  - Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, …) and experience
  - Extensibility by custom properties
  - Off-the-shelf support for user password credentials
  - Off-the-shelf support for user activation
    - Enabled/disabled states (extensible in the future)
    - Support for user validity time constraints (valid from, valid to)
- Object template to define policies, default values, etc.
  - Ability to use conditional mappings (e.g. to create an RB-RBAC setup)
  - Ability to include other object templates
  - Global and resource-specific template setup
- Account provisioning (create, read, update, delete accounts)
  - Support for mappings and expressions to determine account attributes
  - Support for multi-value attributes
  - Processing and computation fully based on relative changes
  - Higher-order dependencies (enables partial support for circular provisioning dependencies)
  - Provisioning robustness - ability to provision to non-accessible (offline) resources
  - Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
  - Support for tolerant attributes
    - Ability to select tolerant and non-tolerant values using a pattern (regexp)
  - Matching rules to support case-insensitive attributes (extensible)
  - Ability to execute scripts before/after provisioning operations
  - Advanced support for account activation (enabled/disabled states)
    - Standardized account activation that matches the user activation schema for easy integration
    - Ability to simulate the activation capability if the connector does not provide it
    - Support for account validity time constraints (valid from, valid to)
    - Support for easy activation existence mappings (e.g. easy configuration of the "disable instead of delete" feature)
    - Support for time constraints in activation mappings, which allows configuring time-related provisioning features such as deferred account delete or pre-provisioning
  - Ability to specify a set of protected accounts that will not be affected by the IDM system
- Integration of the Identity Connector Framework (OpenICF)
  - Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
  - Automatic generation and caching of resource schema from the connector
  - Support for connector hosts and remote connectors (identity connector and connector host types)
  - Remote connector discovery
- Web-based administration GUI (AJAX)
  - Ability to execute basic identity management operations on users and accounts
  - Basic account-centered views (browse and search accounts directly)
  - Built-in XML editor for identity and configuration objects
- Flexible identity repository implementations and an SQL repository implementation
  - Keeping metadata for all objects (creation, modification, approvals)
  - Automatic repository cleanup to keep the data store size sustainable
- Synchronization
  - Ability to execute scripts before/after reconciliation
  - Correlation and confirmation expressions
    - Conditional correlation expressions
  - Concept of channel that can be used to adjust synchronization behaviour in some situations
- Advanced RBAC support and flexible account assignments
  - Hierarchical roles
  - Parametric roles (including the ability to assign the same role several times with different parameters)
  - Several assignment enforcement modes
    - Ability to specify a global or resource-specific enforcement mode
    - Ability to "legalize" an assignment that violates the enforcement mode
- Built-in libraries with a convenient set of functions
- PolyString support allows automatic conversion of strings in national alphabets
- Rule-based RBAC (RB-RBAC) ability by using conditional mappings in the user template
- Basic auditing
  - Auditing to file (logging)
  - Auditing to SQL table
- Lightweight deployment structure
- Support for the Apache Tomcat web container
- Import from file and resource
- Protected accounts (accounts that will not be affected by midPoint)
- Segregation of Duties (SoD)
- Export objects to XML
- Enterprise-class scalability (hundreds of thousands of users)
- API accessible using a web service and local Java calls
- Workflow support (based on Activiti)
Disabled Features
- Preview changes page
Changes With Respect to Version 2.1.x
- Change to Apache License version 2.0
- Production-quality workflow integration (using Activiti)
- Authorizations for GUI and web service integrated into the RBAC mechanism
- Support for rename operations
- Fetch strategy in schema handling to support attributes that are not returned from the connector by default
- Numerous activation enhancements
  - Redesigned activation support with a richer set of activation states and mappings
  - Support for user validity time constraints (valid from, valid to)
  - Support for account validity time constraints (valid from, valid to)
  - Support for easy activation existence mappings (e.g. easy configuration of the "disable instead of delete" feature)
  - Support for time constraints in activation mappings, which allows configuring time-related provisioning features such as deferred account delete or pre-provisioning
- Introducing the concept of inducement as a generalization of the user-account assignment concept
- Keeping metadata for all objects (creation, modification, approvals)
- More expression variables to support complex RBAC assignment/inducement structures and dynamic roles
- Improved internal resource caching
- Improved import overwrite operation
- Ability to use dynamic expressions in provisioning script arguments
- Reconciliation provisioning scripts
- Introducing matching rules, which means better support for case-insensitive resource attributes (especially identifiers)
- Option not to ignore the source attribute when using simulated activation
- Improved handling of protected accounts
- Improved handling of tolerant attribute values using patterns (regexp)
- Ability to limit inbound mappings to a specific channel
- XML-based synchronization context serialization to support seamless upgrades of running processes
- Built-in object migration capability for easier system upgrades and data model migrations
- Cleanup task to automatically clean up old data from the system and make the data store sustainable
- Numerous schema improvements and generalizations
- Auditing of login and logout events
- Improved internal consistency mechanism to handle more failure cases
- More built-in functions available to scripting expressions
- Resource-specific object templates
- Include mechanism for object templates
- Resource-specific assignment enforcement policies
- New relative
- Configurable legalization of accounts that are violating the assignment policy
- Improved correlation expression to support more cases
- Improved handling of task results and readability of the information
- Additional report types
- Ability to invoke reconciliation of a specific user from the GUI
- Higher-order dependencies (enables partial support for circular provisioning dependencies)
- Conditional correlation expressions
- Performance and scalability improvements
- Improved documentation
Quality
Release 2.2 (Crius) is intended for full production use in enterprise environments. All features are stable and well tested.
Platforms
MidPoint is known to work well in the following deployment environments. The list below is a list of tested platforms, i.e. platforms on which the midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However, it is very likely that midPoint will also work in similar environments. Also note that this list is not closed: midPoint can be supported on almost any reasonably recent platform (please contact Evolveum for more details).
Java
- Sun/Oracle Java SE Runtime Environment 7 (1.7.0_25)
Please note that the Java 6 environment is no longer supported (although it might work in some situations).
Web Containers
- Apache Tomcat 6 (6.0.32, 6.0.33)
- Apache Tomcat 7 (7.0.30, 7.0.32)
- Sun/Oracle GlassFish 3 (3.1)
Databases
- H2 (embedded, only recommended for demo deployments)
- PostgreSQL (8.4.14, 9.1, 9.2)
- MySQL
  The supported MySQL version is 5.6.10 and above (with MySQL JDBC Connector/J 5.1.23 and above). Previous MySQL versions did not support dates/timestamps with sub-second (fractional second) precision.
- Oracle 11g (11.2.0.2.0)
- Microsoft SQL Server (2008, 2008 R2, 2012)
Unsupported Platforms
The following list contains platforms on which midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal, we have no plans to support midPoint on them.
- Java 6
- Sun/Oracle GlassFish 2
Download and Install
| Release Form | Download | Install Instructions |
|---|---|---|
| Binary | https://evolveum.com/downloads/midpoint/2.2/midpoint-2.2-dist.zip | |
| Source | | |
| Java API JavaDoc | https://evolveum.com/downloads/midpoint/2.2/midpoint-api-2.2-javadoc/ | |
| SchemaDoc | https://evolveum.com/downloads/midpoint/2.2/midpoint-2.2-schemadoc/ | |
Background and History
midPoint is roughly based on OpenIDM version 1. Compared to OpenIDM v1, the midPoint code was made significantly "lighter" and provides much more sophisticated features. Although the architectural outline of OpenIDM v1 still guides the development of midPoint, almost all of the OpenIDM v1 code was rewritten. MidPoint is now based on relative changes and contains advanced identity management mechanisms such as advanced RBAC, provisioning consistency and other advanced IDM features. MidPoint development has been independent for more than two years. The development pace is very rapid. The development team is small, flexible and very efficient. Contributions are welcome.
For the full project background see the midPoint History page.
Known Issues
- Extra values in tolerant multi-value attributes with higher-order dependencies (MID-1561). Workaround: set the attribute to non-tolerant.
- The AD connector does not distinguish error types (MID-1562), therefore the applicability of the consistency mechanism on AD is limited (MID-1556). Workaround: use liveSync or frequent reconciliation.
- Slow shadow listing on the debug page from MySQL when there are >500k shadows in the database (MID-1586). MySQL does not choose the correct index during ordering.
- Under certain circumstances account links disappear (MID-1575).
- Search filters are not resolved when using Roles→Edit role, as well as in debug pages (MID-1571). Workaround: maintain role configurations in XML files outside midPoint. When you need to upload an updated version of a role to midPoint, use the "import from file" function.
- When importing a large number of accounts from an LDAP server (import from resource), be sure to suspend the LDAP live sync task, as it may cause severe performance problems (MID-1549). This is basically caused by the live sync task trying to process LDAP changelogs which have already been processed by the import itself. If you forgot to suspend the live sync task during the initial LDAP import, there is another workaround: suspend the LDAP live sync task, then edit this task on the debug pages and delete the <token> element in the <extension> element. Then resume the LDAP live sync task and the issue is fixed.
- The Linux/Solaris connector can't fetch users - account attributes have invalid names (MID-1547).
- midPoint incorrectly detects the Script capability for resources (MID-1511).