MidPoint 3.2 "Tycho"
Release 3.2 is a thirteenth midPoint release code-named Tycho. The 3.2 release brings new advanced LDAP connector, internal improvements and governance technology preview.
Release date | 05 August 2015 |
---|---|
Release type | Production release |
End of support | 05 August 2017 |
Tycho Brahe (1546-1601) was a Danish astronomer. He was known for his exact astronomical observations that refuted the belief in an unchanging celestial realm. Tycho's observations were an essential contribution to the scientific revolution and influenced many scientists that came after Tycho's time. Similarly to Tycho's empirical data midPoint version 3.2 brings features that make it more anchored into reality. Governance features bring the ability to feed back reality into the policies and continually sustain IDM deployment. And very like Tycho's observations the midPoint 3.2 user experience exposes aspects of reality that might otherwise be missed. |
Credits
Majority of the work on the Tycho release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express a great gratitude to all the people that contributed to the midPoint project.
We would also like to thank:
-
Biznet for their continued support and contributions.
-
… and many others that we regrettably cannot mention yet.
Features
midPoint 3.2 provides following features:
-
Basic user data model suitable for easy integration
-
Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, …) and experience
-
Extensibility by custom properties
-
Off-the-shelf support for user password credentials
-
Off-the-shelf support for user activation
-
Enabled/disabled states (extensible in the future)
-
Support for user validity time constraints (valid from, valid to)
-
-
Object template to define policies, default values, etc.
-
Ability to use conditional mappings (e.g. to create RB-RBAC setup)
-
Ability to include other object templates
-
Global and resource-specific template setup
-
-
-
Account provisioning (create, read, update, delete accounts)
-
Support for mapping and expressions to determine account attributes
-
Support of multi-value attributes
-
Processing and computation fully based on relative changes
-
-
Higher-order dependencies (enables partial support for circular provisioning dependencies)
-
-
Provisioning robustness - ability to provision to non-accessible (offline) resources
-
Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
-
Support for tolerant attributes
-
Ability to select tolerant and non-tolerant values using a pattern (regexp)
-
-
Matching rules to support case insensitive attributes (extensible)
-
Ability to execute scripts before/after provisioning operations
-
Advanced support for account activation (enabled/disabled states)
-
Standardized account activation that matches user activation schema for easy integration
-
Ability to simulate activation capability if the connector does not provide it
-
Support for account lock-out
-
Support for account validity time constrains (valid from, valid to)
-
Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
-
Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
-
-
Ability to specify set of protected accounts that will not be affected by IDM system
-
Connectors
-
Integration of Identity Connector Framework (ConnId)
-
Support for Evolveum Polygon connectors
-
Support for ConnId connectors
-
Support for OpenICF connectors
-
Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
-
Automatic generation and caching of resource schema from the connector
-
Support for connector hosts and remote connectors, identity connector and connectors host type
-
Remote connector discovery
-
Support for native attribute names
-
Support for entitlement shortcut attributes (e.g.
memberOf
LDAP attribute) -
Support for auxiliary object classes
-
Support for synchronization of all object classes
-
-
Web-based administration GUI (AJAX)
-
Ability to execute identity management operations on users and accounts
-
User-centric views
-
Account-centric views (browse and search accounts directly)
-
Resource wizards
-
Layout automatically adapts to screen size (e.g. for mobile devices)
-
Easily customizable look & feel
-
Built-in XML editor for identity and configuration objects
-
-
Flexible identity repository implementations and SQL repository implementation
-
Keeping metadata for all objects (creation, modification, approvals)
-
Automatic repository cleanup to keep the data store size sustainable
-
Synchronization
-
-
Ability to execute scripts before/after reconciliation
-
-
Correlation and confirmation expressions
-
Conditional correlation expressions
-
-
Concept of channel that can be used to adjust synchronization behaviour in some situations
-
Generic Synchronization allows synchronization of roles to groups to organizational units to … anything
-
Advanced RBAC support and flexible account assignments
-
Hierarchical roles
-
Conditional roles and assignments/inducements
-
Parametric roles (including ability to assign the same role several times with different parameters)
-
Temporal constraints (validity dates: valid from, valid to)
-
Higher-order inducements
-
Advanced internal security mechanisms
-
Fine-grained authorization model
-
Delegated administration
-
-
Several assignment enforcement modes
-
Ability to specify global or resource-specific enforcement mode
-
Ability to "legalize" assignment that violates the enforcement mode
-
-
-
Built-in libraries with a convenient set of functions
-
PolyString support allows automatic conversion of strings in national alphabets
-
Mechanism to iteratively determine unique usernames and other identifiers
-
Extensibility
-
Reporting based on Jasper Reports
-
Comprehensive logging designed to aid troubleshooting
-
Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template
-
-
Auditing to file (logging)
-
Auditing to SQL table
-
-
Password recovery (security questions)
-
Partial multi-tenancy support
-
Access certification (technology preview)
-
Lightweight deployment structure
-
Support for Apache Tomcat web container
-
Import from file and resource
-
Protected accounts (accounts that will not be affected by midPoint)
-
Segregation of Duties (SoD)
-
Export objects to XML
-
Enterprise class scalability (hundreds of thousands of users)
-
API accessible using a web service, REST and local JAVA calls
-
Workflow support (based on Activiti)
-
Documentation
-
Schema documentation automatically generated from the definition (schemadoc)
Changes With Respect to Version 3.1.1
-
Password recovery (security questions)
-
Access certification (technology preview)
-
referenceSearch
expression to create a generic reference in expressions and mappings -
Reworked LDAP Connector
-
LifeRay Portal connector
-
Support for native attribute names
-
Support for entitlement shortcut attributes (e.g.
memberOf
LDAP attribute) -
Support for auxiliary object classes
-
Matching rule for LDAP distringuished name
-
Support for synchronization of all object classes
-
Asynchronous bulk delete task
-
Improved logging of authorization processing
-
Old values in audit deltas
-
Improved audit log report
-
Support "minimal" fetch strategy to avoid fetching of expensive attributes
-
Support for recomputation of other than user objects
-
GUI enhancements
-
Minor improvements for international environments
Quality
Release 3.2 (Tycho) is intended for full production use in enterprise environments. All features are stable and well tested except for access certification which is only provided as a preview of future functionality.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported in almost any reasonably recent platform (please contact Evolveum for more details).
Java
-
OpenJDK 7 (1.7.0_65, 1.7.0_79)
-
Sun/Oracle Java SE Runtime Environment 7 (1.7.0_45, 1.7.0_40, 1.7.0_67, 1.7.0_72)
Please note that Java 6 environment is no longer supported (although it might work in some situations).
Java 7 is supported for development, build and runtime. Java 8 is only supported for runtime.
Web Containers
-
Apache Tomcat 6 (6.0.32, 6.0.33, 6.0.36)
-
Apache Tomcat 7 (7.0.29, 7.0.30, 7.0.32, 7.0.47, 7.0.50)
-
Apache Tomcat 8 (8.0.14)
-
Sun/Oracle Glassfish 3 (3.1)
-
BEA/Oracle WebLogic (12c)
Databases
-
H2 (embedded, only recommended for demo deployments)
-
PostgreSQL (8.4.14, 9.1, 9.2)
-
MySQL
Supported MySQL version is 5.6.10 and above (with MySQL JDBC ConnectorJ 5.1.23 and above).
MySQL in previous versions didn’t support dates/timestamps with more accurate than second fraction precision. -
Oracle 11g (11.2.0.2.0)
-
Microsoft SQL Server (2008, 2008 R2, 2012)
Unsupported Platforms
Following list contains platforms that midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal we have no plans to support midPoint for these platforms.
-
Java 6
-
Sun/Oracle GlassFish 2
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/3.2/midpoint-3.2-dist.zip |
|
Source |
||
Java API JavaDoc |
https://www.evolveum.com/downloads/midpoint/3.2/midpoint-api-3.2-javadoc/ |
|
SchemaDoc |
https://www.evolveum.com/downloads/midpoint/3.2/midpoint-3.2-schemadoc/ |
Upgrade
Upgrade from midPoint 2.x
Upgrade from version 2.x is possible but it is not publicly supported. It requires several manual steps. Evolveum provides this upgrade as part of the subscription or professional services.
Upgrade from midPoint 3.0 and 3.1
Upgrade path from MidPoint 3.0 goes through midPoint 3.1 and 3.1.1. Upgrade to midPoint 3.1 first (refer to the midPoint 3.1 release notes). Then upgrade from midPoint 3.1 to 3.1.1 and then to 3.2.
Upgrade from midPoint 3.1.1
MidPoint 3.2 data model is essentially backwards compatible with midPoint 3.1.1. However as the data model was extended in 3.2 the database schema needs to be upgraded using the usual mechanism.
MidPoint 3.2 is a major release that fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible. There are two important upgrade tasks and a few additional concerns:
-
MidPoint 3.2 switched to a completely new LDAP Connector. This connector is expected to resolve many issues of the original Sun ICF framework that are still felt today. However this is a completely new connector and it is not backward compatible with the old connector. There is a separate page describing the migration: LDAP Connector Migration
-
New ConnId framework brings support for synchronization of all object classes. This lead to a change of default behavior of synchronization processes. If no objectclass, kind or intent were specified in the synchronization process old midPoint versions used default account definition. The new midPoint versions will try to synchronize all object classes in this case. However, this will fail for resources that do not support the option to synchronize all object classes (which is currently the majority of all resources). Therefore it is strongly recommended to explicitly configure objectclass or kind/intent in existing synchronization tasks.
-
User interface (UI) authorization URLs were using wrong URI prefixes in previous midPoint versions (MID-1965). MidPoint 3.2 fixed that issue. However, this means that UI authorizations configured for previous midPoint versions needs to be updated. UI authorization URI prefix changed from
http://midpoint.evolveum.com/xml/ns/public/security/authorization-3
tohttp://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3
.
Changes in initial objects since 3.1.1
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role superuser
and user administrator
). These objects may change in some midPoint releases.
But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
Therefore the following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:
-
040-role-enduser: corrected UI authorization URIs (MID-1965)
-
090-report-audit: significantly improved audit log report
Background and History
MidPoint is roughly based on OpenIDM version 1. Although the architectural outline of OpenIDM v1 is still guiding the development of midPoint almost all the OpenIDM v1 code was rewritten. MidPoint has evolved dramatically from these early times. It is now based on relative changes and contains advanced identity management mechanisms such as advanced RBAC, provisioning consistency and other advanced IDM features. Governance features are currently being developed and are already available in a form of technology preview. MidPoint development is independent for more than four years. MidPoint is currently several times bigger than other competing systems. The development pace is rapid but stable. Development team is small, flexible and very efficient. Contributions are welcome.
For the full project background see the midPoint History page.