MidPoint 3.5 "Einstein"
Release 3.5 is an eighteenth midPoint release code-named Einstein. The 3.5 release brings lots of features related to identity governance, self-registration and support for JSON/YAML.
Release date | 21 December 2016 |
---|---|
Release type | Production release |
End of support | 21 December 2018 |
Albert Einstein (1879 - 1955) was a German-born theoretical physicist. He developed the general theory of relativity, one of the most important theories of modern physics. Einstein's contributions revolutionized physics and also significantly influenced other fields of science. His revolutionary work changed our understanding of the universe. Einstein's theory of relativity was an inspiration for midPoint relativistic algorithms in the early days of the midPoint project. However even this recent midPoint version is related to Einstein's work. Einstein revolutionized the concept of time and introduced the principle of spacetime. MidPoint 3.5 includes a mechanism to reconstruct a state of objects as they were in the past. Einstein's theories provided a fundamental foundation for significant part of moder physics. Similarly the concept of policy rules introduced in midPoint 3.5 provides a fundamental foundations of more refined governance and compliance that will come in the future. Older midPoint concepts such as the concept of assignment get a stronger role in midPoint 3.5. The concepts and theories that midPoint is based on were refined and unified in midPoint 3.5. Although some of the fundamental work in midPoint 3.5 is still partially hidden and it may be slightly difficult to fully understand, we are persuaded that midPoint 3.5 is a major milestone in the midPoint history. |
Credits
Majority of the work on the Einstein release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express a great gratitude to all the people that contributed to the midPoint project.
We would also like to thank:
-
AMI Praha for feature funding and for their continuous support and contributions to the midPoint project.
-
Carlos Ferreira for a complete translation of midPoint to Portuguese language.
-
Symas Corporation for their contributions in the area of cloud identity management.
-
A scientific institution that chose to remain anonymous for funding new midPoint features.
Features
midPoint 3.5 provides following features:
-
Common user data model suitable for easy integration
-
Numerous built-in properties based on IDM de-facto standards (LDAP inetOrgPerson, FOAF, …) and experience
-
Extensibility by custom properties
-
Off-the-shelf support for user password credentials
-
Off-the-shelf support for user activation
-
Enabled/disabled states (extensible in the future)
-
Support for user validity time constraints (valid from, valid to)
-
-
Object template to define policies, default values, etc.
-
Ability to use conditional mappings (e.g. to create RB-RBAC setup)
-
Ability to include other object templates
-
Global and resource-specific template setup
-
-
Sequences for reliable allocation of unique identifiers
-
Object lifecycle property
-
Object history (time machine)
-
-
Identity provisioning (create, read, update, delete accounts)
-
Support for mapping and expressions to determine account attributes
-
Support of multi-value attributes
-
Processing and computation fully based on relative changes
-
-
Higher-order dependencies (enables partial support for circular provisioning dependencies)
-
-
Provisioning robustness - ability to provision to non-accessible (offline) resources
-
Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
-
Support for tolerant attributes
-
Ability to select tolerant and non-tolerant values using a pattern (regexp)
-
-
Support for volatile attributes (attributes changed by the resource)
-
-
Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
-
Automatic matching rule discovery
-
-
Ability to execute scripts before/after provisioning operations
-
Advanced support for account activation (enabled/disabled states)
-
Standardized account activation that matches user activation schema for easy integration
-
Ability to simulate activation capability if the connector does not provide it
-
Support for account lock-out
-
Support for account validity time constrains (valid from, valid to)
-
Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
-
Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
-
-
Ability to specify set of protected accounts that will not be affected by IDM system
-
Support for base context searches for connectors that support object hierarchies (such as LDAP)
-
Passive Attribute Caching (EXPERIMENTAL)
-
Connectors
-
Integration of Identity Connector Framework (ConnId)
-
Support for Evolveum Polygon connectors
-
Support for ConnId connectors
-
Support for OpenICF connectors
-
-
Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future
-
Automatic generation and caching of resource schema from the connector
-
Support for connector hosts and remote connectors, identity connector and connectors host type
-
Remote connector discovery
-
-
Web-based administration GUI
-
Ability to execute identity management operations on users and accounts
-
User-centric views
-
Account-centric views (browse and search accounts directly)
-
Resource wizard
-
Layout automatically adapts to screen size (e.g. for mobile devices)
-
Easily customizable look & feel
-
Built-in XML editor for identity and configuration objects
-
Identity merge
-
-
Self-service
-
User profile page
-
Password management page
-
Role selection and request dialog
-
Self-registration
-
Email-based password reset
-
-
Flexible identity repository implementations and SQL repository implementation
-
Keeping metadata for all objects (creation, modification, approvals)
-
Automatic repository cleanup to keep the data store size sustainable
-
Synchronization
-
-
Ability to execute scripts before/after reconciliation
-
-
Correlation and confirmation expressions
-
Conditional correlation expressions
-
-
Concept of channel that can be used to adjust synchronization behaviour in some situations
-
Generic Synchronization allows synchronization of roles to groups to organizational units to … anything
-
Advanced RBAC support and flexible account assignments
-
Hierarchical roles
-
Conditional roles and assignments/inducements
-
Parametric roles (including ability to assign the same role several times with different parameters)
-
Temporal constraints (validity dates: valid from, valid to)
-
Higher-order inducements
-
Role catalog
-
Role request based on shopping cart paradigm
-
Entitlements and entitlement associations
-
GUI support for entitlement listing, membership and editing
-
Entitlement approval
-
-
Advanced internal security mechanisms
-
Fine-grained authorization model
-
Delegated administration
-
-
Several assignment enforcement modes
-
Ability to specify global or resource-specific enforcement mode
-
Ability to "legalize" assignment that violates the enforcement mode
-
-
-
Python
-
XPath version 2 (deprecated)
-
Built-in libraries with a convenient set of functions
-
PolyString support allows automatic conversion of strings in national alphabets
-
Mechanism to iteratively determine unique usernames and other identifiers
-
Extensibility
-
Support for overlay projects and deep customization
-
Support for custom GUI forms (Apache Wicket components)
-
Reporting based on Jasper Reports
-
Comprehensive logging designed to aid troubleshooting
-
Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template
-
Governance, compliance and risk management (GRC)
-
Segregation of Duties (SoD)
-
Assignment constraints for roles and organizational structure
-
Basic role lifecycle management (role approvals)
-
Deputy (ad-hoc privilege delegation)
-
Experimental support for policy rules
-
-
Auditing to file (logging)
-
Auditing to SQL table
-
Interactive audit log viewer
-
-
Credential management
-
Password distribution
-
Password retention policy
-
-
Support for Service objects (ServiceType) to represent servers, network devices, mobile devices, network services, etc.
-
Partial multi-tenancy support
-
Deployment and customization
-
Lightweight deployment structure
-
Support for Apache Tomcat web container
-
-
Import from file and resource
-
Self-healing consistency mechanism
-
Representation of all configuration and data objects in XML, JSON and YAML
-
Enterprise class scalability (hundreds of thousands of users)
-
API accessible using a web service, REST and local JAVA calls
-
Workflow support (based on Activiti engine)
-
Pre-configured Approval processes
-
-
Documentation
-
Schema documentation automatically generated from the definition (schemadoc)
Changes With Respect to Version 3.4.1
-
Role catalog
-
Role request based on shopping cart paradigm
-
JSON/YAML support
-
Object lifecycle property
-
Passive Attribute Caching (EXPERIMENTAL)
-
Deputy (ad-hoc privilege delegation)
-
Object history (time machine)
-
Interactive audit log viewer
-
Audit log indexing improvements
-
Assignment metadata
-
Basic role lifecycle management (role approvals)
-
Improved approval processes
-
Self-registration
-
E-mail based password reset
-
Experimental support for policy rules
-
Weak construction
-
Improvements to AD connector in multi-domain environment
-
Identity merge
-
Better control over administration GUI forms
-
MariaDB support
-
Configurable limitations of parallel execution of tasks
-
Various user interface improvements
-
Internal code cleanup
-
Documentation improvements
Java 7 environment is no longer supported.
XPath2 scripting is no longer supported.
CSVFile Connector (legacy) is deprecated.
Quality
Release 3.5 (Einstein) is intended for full production use in enterprise environments. All features are stable and well tested.
Limitations
-
MidPoint 3.5 comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested this release. The version numbers in parentheses are the actual version numbers used for the tests. However it is very likely that midPoint will also work in similar environments. Also note that this list is not closed. MidPoint can be supported in almost any reasonably recent platform (please contact Evolveum for more details).
Java
-
OpenJDK 8 (1.8.0_91, 1.8.0_111)
-
Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74)
Java 8 only
MidPoint 3.5 is supported only on Java 8 platforms. MidPoint supported both Java 7 and Java 8 for several years. The support for Java 7 was deprecated in midPoint 3.4.1 and it was removed in midPoint 3.5. It is finally the time to abandon obsolete technology and to move on. |
Web Containers
-
Apache Tomcat 8 (8.0.14, 8.0.20, 8.0.28, 8.0.30, 8.0.33, 8.5.4)
-
Apache Tomcat 7 (7.0.29, 7.0.30, 7.0.32, 7.0.47, 7.0.50, 7.0.69)
-
Sun/Oracle Glassfish 3 (3.1)
-
BEA/Oracle WebLogic (12c)
Databases
-
H2 (embedded, only recommended for demo deployments)
-
PostgreSQL (8.4.14, 9.1, 9.2, 9.3, 9.4, 9.4.5, 9.5, 9.5.1)
-
MariaDB (10.0.28)
-
Percona Server (5.7.15)
-
MySQL (5.6.26, 5.7)
Supported MySQL version is 5.6.10 and above (with MySQL JDBC ConnectorJ 5.1.23 and above).
MySQL in previous versions didn’t support dates/timestamps with more accurate than second fraction precision. -
Oracle 11g (11.2.0.2.0)
-
Microsoft SQL Server (2008, 2008 R2, 2012, 2014)
Unsupported Platforms
Following list contains platforms that midPoint is known not to work due to various issues. As these platforms are obsolete and/or marginal we have no plans to support midPoint for these platforms.
-
Java 6
-
Java 7
-
Sun/Oracle GlassFish 2
-
Apache Tomcat 6
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/3.5/midpoint-3.5-dist.zip |
|
Source |
||
Java API JavaDoc |
https://evolveum.com/downloads/midpoint/3.5/midpoint-api-3.5-javadoc/ |
|
SchemaDoc |
https://evolveum.com/downloads/midpoint/3.5/midpoint-3.5-schemadoc/ |
Upgrade
Upgrade from midPoint 3.0, 3.1, 3.1.1, 3.2, 3.3, 3.3.1 and 3.4
Upgrade path from MidPoint 3.0 goes through midPoint 3.1, 3.1.1, 3.2, 3.3 and 3.4. Upgrade to midPoint 3.1 first (refer to the midPoint 3.1 release notes). Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 then to 3.3, then to 3.4.1 and finally to 3.5.
Upgrade from midPoint 3.4 and 3.4.1
MidPoint 3.5 data model is essentially backwards compatible with both midPoint 3.4 and midPoint 3.4.1. However as the data model was extended in 3.5 the database schema needs to be upgraded using the usual mechanism.
If you are using Quartz Scheduler JDBC job store (e.g. because of clustering), there is a minor thing to take care of: If possible, make sure that QRTZ_FIRED_TRIGGERS
table is empty before the upgrade.
(It is because a "not nullable" column was added to that table, so we have to make a little guess when filling-in values for it.) The table is actually empty most of the time; it supposedly contains records only during task starting and execution.
So, before upgrading, please make sure no task is executing.
-
The simplest way how to ensure emptiness of the table is correctly shutting down midPoint before upgrade.
-
If that would not help (and there are still some records in
QRTZ_FIRED_TRIGGERS
table), you might try to suspend tasks before shutting down midPoint. -
If even that would not help, you can probably ignore the fact, and run the upgrade script nevertheless.
Also it is recommended to close (i.e. accept or reject) all open approval work items.
MidPoint 3.5 is a release that fixes some issues of previous versions. Therefore there are some changes that are not strictly backward compatible.
-
Java 7 environment is no longer supported. Please upgrade to Java 8 before upgrading midPoint.
-
XPath2 scripting is no longer supported. Please migrate your XPath2 scripts to Groovy, JavaScript or Python.
-
Version numbers of the bundled connectors have changed (LDAP, AD and CSVfile connectors). Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
-
The
PolicyViolationException
was moved fromcom.evolveum.midpoint.model.api.PolicyViolationException
tocom.evolveum.midpoint.util.exception.PolicyViolationException
. MidPoint source code is, of course, updated. But if you use this exception in the customization scripts and expressions you have to update the package name during the upgrade process.
Changes in initial objects since 3.4 and 3.4.1
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role superuser
and user administrator
). These objects may change in some midPoint releases.
But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
Therefore the following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:
-
040-role-enduser.xml: fixed permissions
-
043-role-delegator.xml: new file, role for delegators (deputy support)
-
100-report-reconciliation.xml: fixed report
-
110-report-user-list.xml: report fix for CSV output
-
200-lookup-languages.xml: new supported languages
-
210-lookup-locales.xml: new supported locales
-
230-lookup-lifecycle-state.xml: new file, lookup for lifecycle states
Bundled connector changes since 3.4 and 3.4.1
-
The CSVFile Connector (legacy) is deprecated. It is still fully supported and it is still bundled with midPoint. However, it is technologically obsolete and it will be replaced by a new CSV Connector in midPoint 3.6. Therefore please consider using the new CSV Connector in new projects even with midPoint 3.5. The CSV Connector was not entirely finished at the time of midPoint 3.5 release - and that was the reason why midPoint 3.5 is still using the old connector. However it is expected that the new connector will be finished and stabilized in early 2017.
-
The LDAP connector was upgraded to the latest available version.
Behavior changes since 3.4 and 3.4.1
-
Attribute names are being escaped into XML element name form. All non-compliant characters are replaced by
_xN
sequence, whereN
is the hex representation of that particular character. E.g.a#
becomesa_x23
andParent Org Name
becomesParent_x20Org_x20Name
. Please review your configuration files. -
For repository searches, the only matching rule supported for plain string values is stringIgnoreCase. All the others will cause an exception to be thrown. (Previously they were silently ignored, which used to lead to hard-to-diagnose problems, e.g. if
polyStringNorm
was used instead.)
Public interface changes since 3.4 and 3.4.1
-
The
PolicyViolationException
was moved fromcom.evolveum.midpoint.model.api.PolicyViolationException
tocom.evolveum.midpoint.util.exception.PolicyViolationException
.
Important internal changes since 3.4 and 3.4.1
These changes should not influence anyone using the midPoint. These changes should also not influence the XML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
-
The Prism data representation layer has been significantly re-engineered. This should not influence any midPoint usage. It also should not influence common customizations. However deep customizations and customizations that go beyond public APIs may need to be updated.
Known Issues
As far as we know at the time of the release there was no known critical or security issue.
There is currently no plan to fix the known issues of midPoint 3.5 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is requested by midPoint subscriber. No other issues will be fixed - except for severe security issues that may be found in the future.
The known issues of midPoint 3.5 may or may not be fixed in midPoint 3.6. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint subscription. Or you can fix the bug yourself. MidPoint is always open to contributions.
This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.