MidPoint 3.4.1 "Heisenberg" Update 1
Release 3.4.1 is a seventeenth midPoint release. It is a first maintenance update for 3.4.x version family code-named Heisenberg. The 3.4.1 release brings identity governance features and significant user interface improvements. This maintenance update brings a number of fixes and minor improvements.
Release date | 13 September 2016 |
---|---|
Release type | Maintenance release |
End of support | 24 June 2018 |
Werner Heisenberg (1901-1976) was German theoretical physicist and one of the pioneers of quantum mechanics. He is best known for the formulation of the uncertainty principle. He also made important contributions to hydrodynamics, nuclear physics, ferromagnetism and several other fields of physics. In 1932 Werner Heisenberg was awarded the Nobel Prize in Physics. Heisenberg's uncertainty principle asserts that there is an inherent limit to the precision with which certain physical properties of a particle can be known. Similarly to Heisenberg's principle midPoint 3.4 accepts that there is some degree of uncertainty when it comes to processing of the identity data. It may not be practically possible to always base the decisions on authoritative data. Practical identity management system needs to accept that the identity data are always in a state of flux. New mechanisms are needed to efficiently handle and process such ever changing data and midPoint 3.4 brings such mechanisms. MidPoint 3.4 introduces the first in the series of governance and compliance mechanisms: access certification. This makes midPoint the first open source IDM system that entered the field of identity governance. Access certification campaigns can now be defined, executed and automatically remediated. MidPoint 3.4 also brings significantly improved and streamlined user interface. Similarly to the work of Werner Heisenberg that advanced the field of quantum mechanics, midPoint 3.4 has a good chance to cause a "quantum leap" in the field of identity management. |
Credits
Majority of the work on the Heisenberg release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express a great gratitude to all the people that contributed to the midPoint project.
We would also like to thank:
-
Biznet Bilisim for their continuous support to midPoint project and their suggestions and ideas.
-
AMI Praha for their ideas and numerous contributions to the midPoint project, especially their work on localization and translations.
-
Symas Corporation for their ideas, suggestions and inspirations, especially in the area of OpenLDAP integration and the use of RFC3207.
-
Union poisťovňa for their suggestions and contributions to the midPoint project.
-
Mirantis for their ideas and inspiration with OpenStack integration.
-
vnet-services for their support and contributions to the midPoint project.
We would also like to thank individually Michael Gruber, Martin Lzner, Petr Gašpark, Roman Pudil, Shawn McKinney, Tomas Corej, Florin Stingaciu, Felix Chelu and all the midPoint contributors and community members. MidPoint would not be such a great project without you. Thank you all!
Features
midPoint 3.4.1 provides following features:
-
Common user data model suitable for easy integration
-
Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, …) and experience
-
Extensibility by custom properties
-
Off-the-shelf support for user password credentials
-
Off-the-shelf support for user activation
-
Enabled/disabled states (extensible in the future)
-
Support for user validity time constraints (valid from, valid to)
-
-
Object template to define policies, default values, etc.
-
Ability to use conditional mappings (e.g. to create RB-RBAC setup)
-
Ability to include other object templates
-
Global and resource-specific template setup
-
-
Sequences for reliable allocation of unique identifiers
-
-
Identity provisioning (create, read, update, delete accounts)
-
Support for mapping and expressions to determine account attributes
-
Support of multi-value attributes
-
Processing and computation fully based on relative changes
-
-
Higher-order dependencies (enables partial support for circular provisioning dependencies)
-
-
Provisioning robustness - ability to provision to non-accessible (offline) resources
-
Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
-
Support for tolerant attributes
-
Ability to select tolerant and non-tolerant values using a pattern (regexp)
-
-
Support for volatile attributes (attributes changed by the resource)
-
-
Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
-
Automatic matching rule discovery
-
-
Ability to execute scripts before/after provisioning operations
-
Advanced support for account activation (enabled/disabled states)
-
Standardized account activation that matches user activation schema for easy integration
-
Ability to simulate activation capability if the connector does not provide it
-
Support for account lock-out
-
Support for account validity time constrains (valid from, valid to)
-
Support easy activation existence mappings (e.g. easy configuration of disables instead of delete feature)
-
Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
-
-
Ability to specify set of protected accounts that will not be affected by IDM system
-
Support for base context searches for connectors that support object hierarchies (such as LDAP)
-
Connectors
-
Integration of Identity Connector Framework (ConnId)
-
Support for Evolveum Polygon connectors
-
Support for ConnId connectors
-
Support for OpenICF connectors
-
-
Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
-
Automatic generation and caching of resource schema from the connector
-
Support for connector hosts and remote connectors, identity connector and connectors host type
-
Remote connector discovery
-
-
Web-based administration GUI
-
Ability to execute identity management operations on users and accounts
-
User-centric views
-
Account-centric views (browse and search accounts directly)
-
Resource wizard
-
Layout automatically adapts to screen size (e.g. for mobile devices)
-
Easily customizable look feel
-
Built-in XML editor for identity and configuration objects
-
-
Self-service
-
User profile page
-
Password management page
-
Role selection and request dialog
-
-
Flexible identity repository implementations and SQL repository implementation
-
Keeping metadata for all objects (creation, modification, approvals)
-
Automatic repository cleanup to keep the data store size sustainable
-
Synchronization
-
-
Ability to execute scripts before/after reconciliation
-
-
Correlation and confirmation expressions
-
Conditional correlation expressions
-
-
Concept of channel that can be used to adjust synchronization behaviour in some situations
-
Generic Synchronization allows synchronization of roles to groups to organizational units to … anything
-
Advanced RBAC support and flexible account assignments
-
Hierarchical roles
-
Conditional roles and assignments/inducements
-
Parametric roles (including ability to assign the same role several times with different parameters)
-
Temporal constraints (validity dates: valid from, valid to)
-
Higher-order inducements
-
Entitlements and entitlement associations
-
GUI support for entitlement listing, membership and editing
-
Entitlement approval
-
-
Advanced internal security mechanisms
-
Fine-grained authorization model
-
Delegated administration
-
-
Several assignment enforcement modes
-
Ability to specify global or resource-specific enforcement mode
-
Ability to legalize assignment that violates the enforcement mode
-
-
-
Python
-
XPath version 2 (deprecated)
-
Built-in libraries with a convenient set of functions
-
PolyString support allows automatic conversion of strings in national alphabets
-
Mechanism to iteratively determine unique usernames and other identifiers
-
Extensibility
-
Support for overlay projects and deep customization
-
Support for custom GUI forms (Apache Wicket components)
-
Reporting based on Jasper Reports
-
Comprehensive logging designed to aid troubleshooting
-
Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template
-
Governance, compliance and risk management (GRC)
-
Segregation of Duties (SoD)
-
Assignment constraints for roles and organizational structure
-
-
Auditing to file (logging)
-
Auditing to SQL table
-
-
Credential management
-
Password distribution
-
Password retention policy
-
-
Support for Service objects (ServiceType) to represent servers, network devices, mobile devices, network services, etc.
-
Partial multi-tenancy support
-
Deployment and customization
-
Lightweight deployment structure
-
Support for Apache Tomcat web container
-
-
Import from file and resource
-
Self-healing consistency mechanism
-
Export objects to XML
-
Enterprise class scalability (hundreds of thousands of users)
-
API accessible using a web service, REST and local JAVA calls
-
Workflow support (based on Activiti engine)
-
Documentation
-
Schema documentation automatically generated from the definition (schemadoc)
Changes With Respect to Version 3.4
-
LDAP-based AD connector support invocation of commands and powershell scripts by using the WinRM interface.
-
Object templates can be specified for user, role, org and service subtypes.
-
Dynamic resolution of targetRef in assignment/inducement
-
Password history
-
Support for expression tracing for any individual expression
-
Reindex task
-
Minor GUI improvements
-
Java 7 platform support is deprecated
-
.NET-based exchange connector is deprecated
Changes With Respect to Version 3.3
-
Access certification (production quality)
-
Entitlement approval support
-
Support for overlay projects and deep customization
-
Major GUI improvements
-
Role selection and request dialog
-
Significantly improved look and feel
-
Look and feel unification and streamlining
-
Loading of projections (accounts) on demand
-
Improved search dialogs
-
Significantly improved resource management pages
-
Improved approval pages
-
Improved dashboards
-
Improved organizational structure pages
-
Improved the display of operation results
-
Introduced breadcrumbs and improved behavior of 'back' buttons
-
Resource wizard fixes and improvements
-
Usability improvements
-
GUI language detection and management improvements
-
-
Support for custom GUI forms (Wicket components)
-
Support for Service objects (ServiceType) to represent servers, network devices, mobile devices, network services, etc.
-
Support for base context searches for connectors that support object hierarchies (such as LDAP)
-
Improved support for entitlement associations that use non-identifier values
-
Support for volatile attributes in provisioning objects (volatilityTrigger)
-
Matching rule for XML-formatted string attributes and UUIDs
-
Automatic determination of matching rules based on ConnId subtypes.
-
Password retention policy
-
Support for orgRelation authorization that allows dynamic delegated administration.
-
Support for role/org owners in authorizations and other authorization improvements
-
LDAP-based AD connector in full production quality
-
Support for Active Directory multi-domain environment in LDAP-based AD connector
-
Support for permissive modify control in LDAP connector
-
Organizational structure recursion for associationFromLink expressions
-
Emphasized properties that will be always displayed (even if they are empty)
-
Support for lockoutStatus activation mapping
-
Pre configured databases of locales and timezones
-
Full support for Java 8 environment (both build and runtime)
-
Diagnostics improvements (connector statistics, logging improvements)
-
Improved documentation
XPath2 scripting is deprecated and it is not supported in Java8 environment.
Quality
Release 3.4.1 (Heisenberg Update 1) is intended for full production use in enterprise environments. All features are stable and well tested.
Limitations
-
MidPoint 3.4.1 comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported in almost any reasonably recent platform (please contact Evolveum for more details).
Java
-
OpenJDK 8 (1.8.0_91)
-
Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74)
-
OpenJDK 7 (1.7.0_65, 1.7.0_75, 1.7.0_80, 1.7.0_95)
-
Sun/Oracle Java SE Runtime Environment 7u40 or later (1.7.0_67, 1.7.0_72, 1.7.0_75, 1.7.0_80)
Java 6 environment is no longer supported.
Web Containers
-
Apache Tomcat 8 (8.0.14, 8.0.20, 8.0.28, 8.0.30, 8.0.33)
-
Apache Tomcat 7 (7.0.29, 7.0.30, 7.0.32, 7.0.47, 7.0.50, 7.0.69)
-
Sun/Oracle Glassfish 3 (3.1)
-
BEA/Oracle WebLogic (12c)
Databases
-
H2 (embedded, only recommended for demo deployments)
-
PostgreSQL (8.4.14, 9.1, 9.2, 9.3, 9.4, 9.4.5, 9.5, 9.5.1)
-
MySQL (5.6.26, 5.7)
Supported MySQL version is 5.6.10 and above (with MySQL JDBC ConnectorJ 5.1.23 and above).
MySQL in previous versions didn’t support dates/timestamps with more accurate than second fraction precision. -
Oracle 11g (11.2.0.2.0)
-
Microsoft SQL Server (2008, 2008 R2, 2012, 2014)
Unsupported Platforms
Following list contains platforms that midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal we have no plans to support midPoint for these platforms.
-
Java 6
-
Sun/Oracle GlassFish 2
-
Apache Tomcat 6
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/3.4.1/midpoint-3.4.1-dist.zip |
|
Source |
||
Java API JavaDoc |
https://evolveum.com/downloads/midpoint/3.4.1/midpoint-api-3.4.1-javadoc/ |
|
SchemaDoc |
https://evolveum.com/downloads/midpoint/3.4.1/midpoint-3.4.1-schemadoc/ |
Upgrade
Upgrade from midPoint 2.x
Upgrade from version 2.x is possible but it is not publicly supported. It requires several manual steps. Evolveum provides this upgrade as part of the subscription or professional services.
Upgrade from midPoint 3.0, 3.1, 3.1.1 and 3.2
Upgrade path from MidPoint 3.0 goes through midPoint 3.1, 3.1.1 and 3.2. Upgrade to midPoint 3.1 first (refer to the midPoint 3.1 release notes). Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 then to 3.3 and finally to 3.4.
Upgrade from midPoint 3.3 and 3.3.1
MidPoint 3.4 data model is essentially backwards compatible with both midPoint 3.3 and midPoint 3.3.1. However as the data model was extended in 3.4 the database schema needs to be upgraded using the usual mechanism.
MidPoint 3.4 is a release that fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible.
-
Version numbers of the bundled connectors have changed (LDAP, CSVfile and DatabaseTable connectors). Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
-
The namespace of live sync tokes was changed from
http://midpoint.evolveum.com/xml/ns/public/provisioning/liveSync-1.xsd
tohttp://midpoint.evolveum.com/xml/ns/public/provisioning/liveSync-3
. This change should be harmless in most cases. However, during the upgrade some synchronization changes may go missing. This should be easy to fix by synchronizing the changes manually or by executing a reconciliation process. A completely safe migration procedure is to stop the live sync processes before upgrade, change the live synchronization token namespace in process extension (XML), upgrade midPoint and then re-start the processes again. -
Workflow configuration variables processCheckInterval and allowApproveOtherItems were moved from config.xml to system configuration object.
-
When upgrading from previous versions the application-level indexes that midPoint maintains need to be updated. This can be easily done by clicking on Reindex repository objects button in the Configuration About page in midPoint GUI.
-
A reminder: XPath2 scripting was deprecated in midPoint 3.3 and it is not supported in Java8 environment. XPath2 support will be removed soon. Please migrate your XPath2 scripts to Groovy, Python or JavaScript.
MidPoint configuration of approvers and approval schemas is fully backward compatible and does not need any upgrade. However the structure of Activity workflows was changed in midPoint 3.4. There is no universal migration path for running pre-3.4 workflows to 3.4 workflows. For deployments that are actively using workflows we recommend letting all running workflow processes finish before upgrading to midPoint 3.4. After finishing, manual deletion of those workflow processes is strongly recommended. For deployments that require migration of running workflow processes we recommend using midPoint subscription and ask for a migration path for that specific deployment.
The midPoint database schema was changed in midPoint 3.4 release.
The migration SQL scripts are provided at the usual place.
These scripts will update the database schema and they will also migrate existing data if that is possible to do on the SQL level.
However there are some properties where the SQL-based migration is not possible.
The migration/reindex task to handle complete data migration was not included in the midPoint 3.4 release by mistake.
However, the midPoint 3.4 is robust enough to still work with data that are not fully migrated.
Therefore for many deployments the data migration is usually not an immediate concern and it can be postponed to the planned 3.4.1 release which will include convenient migration/reindex task.
If the data are not fully migrated the only known limitation is the search by displayName
, identifier
, ownerRef
and riskLevel
properties of roles, orgs and services.
This search will not work properly (this affects only searches of identifier
and displayName
in org objects, other properties were not searchable in midPoint 3.3.1 and earlier, therefore that should no impact existing deployments upgrading to 3.4).
In case that full data migration is required even in midPoint 3.4 there is a work round to force data migration by exporting and re-importing all roles, orgs and services.
Changes in initial objects since 3.3 and 3.3.1
MidPoint has a built-in set of initial objects that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role superuser
and user administrator
). These objects may change in some midPoint releases.
But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
Therefore the following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:
-
020-system-configuration.xml: changed userDashboardLinks colors
-
040-role-enduser.xml: updated authorizations
-
041-role-approver.xml: new file
-
042-role-reviewer.xml: new file
-
090-report-audit.xml: minor fixes
-
110-report-user-list.xml: minor fixes
-
120-security-policy.xml: new file
-
130-report-certification-definitions.xml: new file
-
140-report-certification-campaigns.xml: new file
-
150-report-certification-cases.xml: new file
-
160-report-certification-decisions.xml: new file
-
200-lookup-languages.xml: new file
-
210-lookup-locales.xml: new file
Behavior changes since 3.3 and 3.3.1
-
Object template and assignment focus mappings with normal strength were fixed. Due to a bug in the code in previous midPoint versions these mappings behaved in a way which was very similar to strong mappings. In midPoint 3.4 these mappings behave as they should. However, this may break previous configurations that relied on the wrong behavior, especially when it comes to multi-value items such as assignments. The solution would be to change strength of these mappings to strong.
-
There were several changes to the behavior of inbound mappings, mostly focused on unifying the behavior and making inbound mappings more predictable. Firstly, inbound mappings now can target also containers and references. Secondly, inbound mappings are now made to behave in non-tolerant manner. I.e. the inbound mapping will remove any values that are not explicitly given by the mapping. This behavior can be changed by setting the tolerant flag of the mapping (not the attribute) to true. This is currently an experimental feature. Enable it if you have mappings that behave in relativistic way (i.e. correctly react to changes), and you wish that they do not remove values given by other means (e.g. by direct GUI edit). However, currently it is strongly advised to avoid that situation - i.e. it is not advised to have properties that have inbound mappings and which can also be modified by other means. In such cases it is better to create a new property that will be set exclusively by the means of inbound mapping and then use object template to derive the final target value.
Public interface changes since 3.3 and 3.3.1
-
MidPoint authentication process was re-implemented and the underlying libraries (Spring Security) were upgraded. This may bring slight changes in result and error codes for authentication and authorization failures. This may affect all remote interfaces.
Important internal changes since 3.3 and 3.3.1
These changes should not influence anyone using the midPoint. These changes should also not influence the XML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
-
The audit Java API was changed to allow passing
target
values for which we do not have full object (just OID). -
Numerous change in GUI classes and package names. See GUI Development Guide
Upgrade from midPoint 3.4
MidPoint 3.4.1 is a release that brings several improvements and fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible.
-
Version numbers of the bundled connectors have changed (LDAP and AD/LDAP). Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
-
When upgrading from previous versions the application-level indexes that midPoint maintains need to be updated. This can be easily done by clicking on Reindex repository objects button in the Configuration About page in midPoint GUI.
-
Java 7 platform is still supported, but the support for Java 7 is now deprecated. It is strongly recommended to upgrade to Java 8.
-
A reminder: XPath2 scripting was deprecated in midPoint 3.3 and it is not supported in Java8 environment. XPath2 support will be removed soon. Please migrate your XPath2 scripts to Groovy, Python or JavaScript.
Changes in initial objects since 3.4
MidPoint has a built-in set of initial objects that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role superuser
and user administrator
). These objects may change in some midPoint releases.
But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
Therefore the following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:
-
040-role-enduser.xml: updated authorizations
Known Issues
-
Error when object has extra extension attributes in repo MID-3249