MidPoint 3.0 "Newton"
Release 3.0 is a tenth midPoint release code-named Newton. The 3.0 release brings new major features such as entitlements, delegated administration, generic synchronization and RESTful interface.
Release date | 01 June 2014 |
---|---|
Release type | Production release |
End of support | 01 June 2016 |
This release starts a new era of midPoint development. The Newton release is introducing features that are quite unique in the identity management field. It goes beyond traditional identity management. This midPoint version joins together provisioning-based identity management (IDM), privileged identity management (PIM) and organizational structure management into a single, unified model. The features can be combined into a powerful configurations that are still simple and easy to maintain. As usual we are following our development principles and we are reusing existing mechanisms, generalizing them and making the much more powerful.
Newton goes beyond traditional identity management. It is much more than just synchronization of accounts and users. The support for entitlements allows to extend the capabilities to groups, teams, privileges, resource-side roles and similar concepts which is moving midPoint in the direction of privileged identity management (PIM). MidPoint now allows seamless synchronization of these objects, therefore groups can be easily synchronized with midpoint roles which in turn can be synchronized with groups on other resources or even complex technical roles defined on the resource side. MidPoint goes beyond the tradition even in this aspect. As midPoint really understands the entitlements it can do very smart tricks. E.g. if a role is a representation of a group on resource and a user is assigned to that role user’s account can be automatically assigned to this group. All of that with just a handful of configuration statements. This is all considerably generic therefore similar principle can be applied to synchronization of organizational structure as well. And (as expected) all the midPoint principles can be applied to these new features. Therefore RBAC roles can be applied to simplify synchronization of organizational unit. Or even the roles itself. Which naturally creates the very powerful concept of meta-roles. And all of that is achieved mostly by reusing existing midPoint features. This is what we had in mind during last few midPoint releases. We have been slowly (you wound say "evolutionarily") introducing small changes to the code, one bit in each release. Now it all culminates with midPoint 3.0. We strongly believe that "Newton" is a very suitable name for this release.
Isaac Newton (1642-1727) was an English physicist and mathematician. He is widely regarded as one of the greatest scientists of all time. He is perhaps best known for his work on theories that revolutionized our understanding of gravity and motion of the planets. His other works also provided significant contributions to our knowledge of mechanics, nature of light, calculus and numerous other fields. Newton's contribution to science can hardly be exaggerated. However it has to be noted that many of his works were based on discoveries of his predecessors. Even though Newton's work was a turning point in science as we know it today it was also a culmination of numerous smaller discoveries, observations and theories. That's one the reasons why we have chosen the name of Sir Isaac Newton for this particular midPoint release. Version 3.0 is a major turning point in midPoint development. It brings models and features that have the potential to change the field of identity management forever. MidPoint 3.0 is a culmination of works done in previous midPoint versions. This slow and evolutionary footwork done over a couple of years finally appeared in a form of integral product features. As a powerful model, a unifying theory - but with a very practical implementation. |
MidPoint version 3.0 is named after one of the greatest English scientists. By doing so we would like to thank our English partner Salford Software for their contribution to the midPoint project.
Features
midPoint 3.0 provides following features:
-
Basic user data model suitable for easy integration
-
Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, …) and experience
-
Extensible by custom properties
-
Off-the-shelf support for user password credentials
-
Off-the-shelf support for user activation
-
Enabled/disabled states (extensible in the future)
-
Support for user validity time constraints (valid from, valid to)
-
-
Object template to define policies, default values, etc.
-
Ability to use conditional mappings (e.g. to create RB-RBAC setup)
-
Ability to include other object templates
-
Global and resource-specific template setup
-
-
-
Account provisioning (create, read, update, delete accounts)
-
Support for mapping and expressions to determine account attributes
-
Support of multi-value attributes
-
Processing and computation fully based on relative changes
-
-
Higher-order dependencies (enables partial support for circular provisioning dependencies)
-
-
Provisioning robustness - ability to provision to non-accessible (offline) resources
-
Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
-
Support for tolerant attributes
-
Ability to select tolerant and non-tolerant values using a pattern (regexp)
-
-
Matching rules to support case insensitive attributes (extensible)
-
Ability to execute scripts before/after provisioning operations
-
Advanced support for account activation (enabled/disabled states)
-
Standardized account activation that matches user activation schema for easy integration
-
Ability to simulate activation capability if the connector does not provide it
-
Support for account validity time constrains (valid from, valid to)
-
Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
-
Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
-
-
Ability to specify set of protected accounts that will not be affected by IDM system
-
Connectors
-
Integration of Identity Connector Framework (ConnId)
-
Support for Evolveum Polygon connectors
-
Support for ConnId connectors
-
Support for OpenICF connectors
-
Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
-
Automatic generation and caching of resource schema from the connector
-
Support for connector hosts and remote connectors, identity connector and connectors host type
-
Remote connector discovery
-
-
Web-based administration GUI (AJAX)
-
Ability to execute identity management operations on users and accounts
-
User-centric views
-
Account-centered views (browse and search accounts directly)
-
Layout automatically adapts to screen size (e.g. for mobile devices)
-
Easily customizable look & feel
-
Built-in XML editor for identity and configuration objects
-
-
Flexible identity repository implementations and SQL repository implementation
-
Keeping metadata for all objects (creation, modification, approvals)
-
Automatic repository cleanup to keep the data store size sustainable
-
Synchronization
-
-
Ability to execute scripts before/after reconciliation
-
-
Correlation and confirmation expressions
-
Conditional correlation expressions
-
-
Concept of channel that can be used to adjust synchronization behaviour in some situations
-
Generic Synchronization allows synchronization of roles to groups to organizational units to … anything
-
Advanced RBAC support and flexible account assignments
-
Hierarchical roles
-
Parametric roles (including ability to assign the same role several times with different parameters)
-
Temporal constraints (validity dates: valid from, valid to)
-
Higher-order inducements
-
Advanced internal security mechanisms
-
Fine-grained authorization model
-
Delegated administration
-
-
Several assignment enforcement modes
-
Ability to specify global or resource-specific enforcement mode
-
Ability to "legalize" assignment that violates the enforcement mode
-
-
-
Built-in libraries with a convenient set of functions
-
PolyString support allows automatic conversion of strings in national alphabets
-
Mechanism to iteratively determine unique usernames and other identifiers
-
Extensibility
-
Reporting based on Jasper Reports
-
Comprehensive logging designed to aid troubleshooting
-
Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template
-
-
Auditing to file (logging)
-
Auditing to SQL table
-
-
Partial multi-tenancy support
-
Lightweight deployment structure
-
Support for Apache Tomcat web container
-
Import from file and resource
-
Protected accounts (accounts that will not be affected by midPoint)
-
Segregation of Duties (SoD)
-
Export objects to XML
-
Enterprise class scalability (hundreds of thousands of users)
-
API accessible using a web service, REST and local JAVA calls
-
Workflow support (based on Activiti)
-
Documentation
-
Schema documentation automatically generated from the definition (schemadoc)
Changes With Respect to Version 2.2.x
-
Schema documentation automatically generated from the definition (schemadoc)
-
Java Interfaces cleaned up and made available for public use
-
Higher-order inducements
-
New expression evaluators for assignments and entitlement associations
-
Connector framework switched to common ConnId framework (v1.4)
-
Fine-grained authorization
-
Delegated administration
-
Flexible reporting
-
Improved reporting (based on Jasper Reports)
-
Database performance improvements
-
Iteration support for focal objects (e.g. users)
-
Administration GUI customization
-
New administration GUI pages
-
Partial multi-tenancy support
-
Support for resource read-only mode
-
Extended function libraries for expressions
-
Support for time-based mappings in object template
-
Improved synchronization reaction configuration options
-
Improved reconciliation and synchronization performance
-
Support for filters in protected accounts specification
-
Support for binary attribute values
-
Support for user photo
-
Schema improvements
-
Schema documentation
-
Improved logging messages
Quality
Release 3.0 (Newton) is intended for full production use in enterprise environments. All features are stable and well tested.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported in almost any reasonably recent platform (please contact Evolveum for more details).
Java
-
Sun/Oracle Java SE Runtime Environment 7 (1.7.0_09)
Please note that Java 6 environment is no longer supported (although it might work in some situations).
Web Containers
-
Apache Tomcat 6 (6.0.32, 6.0.33)
-
Apache Tomcat 7 (7.0.30, 7.0.32)
-
Sun/Oracle Glassfish 3 (3.1)
Databases
-
H2 (embedded, only recommended for demo deployments)
-
PostgreSQL (8.4.14, 9.1, 9.2)
-
MySQL
Supported MySQL version is 5.6.10 and above (with MySQL JDBC ConnectorJ 5.1.23 and above).
MySQL in previous versions didn’t support dates/timestamps with more accurate than second fraction precision. -
Oracle 11g (11.2.0.2.0)
-
Microsoft SQL Server (2008, 2008 R2, 2012)
Unsupported Platforms
Following list contains platforms that midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal we have no plans to support midPoint for these platforms.
-
Java 6
-
Sun/Oracle GlassFish 2
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/3.0/midpoint-3.0-dist.zip |
|
Source |
||
Java API JavaDoc |
https://evolveum.com/downloads/midpoint/3.0/midpoint-api-3.0-javadoc/ |
|
SchemaDoc |
https://evolveum.com/downloads/midpoint/3.0/midpoint-3.0-schemadoc/ |
Background and History
midPoint is roughly based on OpenIDM version 1. When compared to OpenIDM v1, midPoint code was made significantly "lighter" and provides much more sophisticated features. Although the architectural outline of OpenIDM v1 is still guiding the development of midPoint almost all the OpenIDM v1 code was rewritten. MidPoint is now based on relative changes and contains advanced identity management mechanisms such as advanced RBAC, provisioning consistency and other advanced IDM features. MidPoint development is independent for more than two years. The development pace is very rapid. Development team is small, flexible and very efficient. Contributions are welcome.
For the full project background see the midPoint History page.