MidPoint 3.9.1 "Galileo" Update 1

Last modified 01 Mar 2024 00:32 +01:00

Release 3.9.1 is a thirtieth midPoint release. It is the first maintenance update for 3.9.x version family code-named Galileo. The 3.9.1 release brings bugfixes and minor improvements.

Release date14 November 2019
Release type Maintenance release
End of support09 November 2020

Galileo Galilei (1564 - 1642) was Italian polymath. He was an astronomer, physicist and engineer. Galileo studied speed and velocity, gravity and free fall, the principle of relativity, inertia, motion, pendulums, inventing thermoscope, military compass, he is famous for using telescope for scientific observation of celestial bodies. Overall Galileo made significant achievements in many fields of human knowledge, science and technology.

Similarly to Galileo himself, the reach of midPoint 3.9 is surprisingly broad. There are significant user interface improvements, improvements to security (especially multi-tenant authorizations), major improvements to internal provisioning mechanism and a large selection of smaller improvements. There are several major improvements to the midPoint ecosystem: significant improvements to connector framework, major release of LDAP connector, new GUI testing framework, containerization improvements and so on. MidPoint 3.9 is yet another major milestone on a midPoint journey.


midPoint 3.9 provides following features:

Changes With Respect to Version 3.9

  • Performance improvements

  • Support for activation in assignmentTargetSearch expressions

  • Allow abstract types to be part of focus/target specification for global policy rules

  • Numerous bugfixes

Changes With Respect to Version 3.8

  • User interface improvements

    • Improved assignment/inducement target selection popup

    • Additional registration form based on object lifecycle

    • Form validation expressions

    • New system configuration page

    • Custom actions for object lists ("user" tasks that can be launched from GUI)

    • Custom pre-registration form

    • Shopping cart improvements

    • Organization tree page performance improvements

    • Miscellaneous user experience improvements

  • Governance improvements

    • Certification campaigns can be run only for non-decided cases

    • Improved certification and workitems reports

  • Customization Improvements

  • Security improvements

  • Provisioning

    • Full use of improved ConnId framework (

    • Minor improvements to connector paging support

    • Full support for capabilities per object type

    • Major update of consistency mechanism

  • Connectors

    • Support for native timestamps in ConnId framework, LDAP and Active Directory connectors.

    • Full support for ConnId updateDelta() operation in LDAP and AD connectors.

    • Additional search filter support in LDAP and AD connectors.

    • Active directory connector may use user’s own identity when changing password

    • Support for connector instance name (InstanceNameAware)

    • Minor improvements to CSV connector (contributed)

  • Miscellaneous improvements

    • Improved documentation

    • Error criticality handling improvement

    • Legacy support for XPath2 was removed, expression processing code was cleaned up.

    • Improved Maven overlay support

    • Run bulk action from policy rules.

    • Docker containerization improvements.

    • User interface testing framework (a.k.a. "Schroedinger")

    • Automatic detection of database schema version and compatibility

    • Support for listing of object items that are deprecated or planned for removal

    • Minor improvements to REST interface

PostgreSQL 9.4 and earlier is no longer supported.
Microsoft SQL Server 2012 is no longer supported.
Tomcat 8.0.x is no longer supported (Tomcat 8.0.x is EOL).
XPath2 is no longer supported. Please migrate your XPath2 scripts to Groovy, JavaScript or Python.

Next version: 4.0

Next planned midPoint version is version 4.0. This means that a major release is planned after the 3.9 release. Major release 4.0 is likely to introduce changes, that are not strictly compatible with midPoint 3.x. We mostly plan removal of schema elements that are deprecated for a long time or elements that were never really used. Therefore this move should not affect midPoint deployments that are maintained properly. MidPoint 3.9 includes a tool to check whether your deployment is likely to be affected by midPoint 4.0, which may give you sufficient time to prepare for 4.0 release. You can use new verify command for Ninja command-line tool to check your deployment.

Purpose and Quality

Release 3.9.1 (Galileo Update 1) is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.

All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.


  • MidPoint comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.

  • There is an option to modify midPoint to support LDAP and CAS authentication by using Spring Security modules. This method is used in several midPoint deployments. However, such authentication modules are not officially supported as part of usual midPoint subscriptions. Only community-level support is provided for those modules. Commercial-grade support for this authentication method is available, but it has to be explicitly negotiated in a subscription contract.

  • MidPoint user interface has flexible (fluid) design and it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes midPoint plug-in for Eclipse IDE, extension of Jasper studio, Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract. For other cases there is only community support available. For those that are interested in official support for IDE add-ons there is a possibility to use subscription to help us develop midPoint studio (MID-4701).


MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.

Support for some platforms is marked as "deprecated". Support for such deprecated versions can be removed in any midPoint release. Please migrate from deprecated platforms as soon as possible.


  • OpenJDK 8 (1.8.0_91, 1.8.0_111, 1.8.0_151, 1.8.0_181)

  • Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74, 1.8.0_131)

Web Containers

  • Apache Tomcat 8.5 (8.5.4). Tomcat 8.0.x is no longer supported as its support life is over (EOL).

Web container (application server) support

MidPoint 3.7 introduced Stand-alone deployment form that does not need an application server. This is the primary deployment model for midPoint. The deployment to web container is still supported. However the only supported web container is Apache Tomcat. Other web containers (application servers) may be supported if the support is explicitly negotiated in midPoint subscription. Except for those cases midPoint development team will not provide any support for other web containers.

Currently there are no plans to remove support for deployed midPoint installation using a WAR file. However, it is possible that this deployment form will get phased out eventually unless there are active subscribers preferring this deployment method. MidPoint subscription is strongly recommended if you plan to use this method in the future.


  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.

  • PostgreSQL 9.5 (9.5, 9.5.1).

  • MariaDB (10.0.28)

  • MySQL 5.7 (5.7)

  • Oracle 12c

  • Microsoft SQL Server 2014

Supported Browsers

  • Firefox (any recent version)

  • Safari (any recent version)

  • Chrome (any recent version)

  • Opera (any recent version)

  • Microsoft Internet Explorer (version 9 or later)

Recent version of browser as mentioned above means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.

Microsoft Internet Explorer compatibility mode is not supported.

Important Bundled Components

Component Version Description


ConnId Connector Framework

LDAP connector bundle


LDAP, Active Directory and eDirectory connector

CSV connector


Connector for CSV files

DatabaseTable connector

Connector for simple database tables

Stand-alone deployment model

MidPoint deployment method has changed in midPoint release 3.7. Stand-alone deployment is now the default deployment method. MidPoint default configuration, scripts and almost everything else was adapted for this method.


MidPoint is software that is designed for easy upgradeability. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore we can assure reliable midPoint upgrades only for midPoint subscribers. This section provides overall overview of the changes and upgrade procedures. Although we try to our best it is not possible to foresee all possible uses of midPoint. Therefore the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription or purchase professional services.

Upgrade from midPoint 3.0, 3.1, 3.1.1, 3.2, 3.3, 3.3.1, 3.4, 3.4.1, 3.5, 3.5.1, 3.6, 3.6.1, 3.7, 3.7.1 and 3.7.2

Upgrade path from MidPoint 3.0 goes through midPoint 3.1, 3.1.1, 3.2, 3.3, 3.4.1, 3.5.1, 3.6.1 and 3.7.2. Upgrade to midPoint 3.1 first. Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 then to 3.3, then to 3.4.1, 3.5.1, 3.6.1, 3.7.2, 3.8 and finally to 3.9.

Upgrade from midPoint 3.8

MidPoint 3.9 data model is essentially backwards compatible with previous midPoint versions. However as the data model was extended in 3.9 the database schema needs to be upgraded using the usual mechanism. There were also other changes that may affect some deployments:

  • Consistency mechanism in midPoint was update and aligned with manual connectors, taking into account possible future extension for asynchronous provisioning operations. Old shadow "consistency" properties (objectChange, result, attemptNumber, failedOperationType) are no longer used. Their content is ignored. All operations that are not completed immediately are now recorded in pendingOperation container.

  • Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.

  • New resource capability (delta update) was introduced. Therefore please make sure that native resource capabilities are refreshed for resources that support delta update capability (most notably LDAP and AD connectors).

Changes in initial objects since 3.8

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role superuser and user administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:* *

  • 000-system-configuration.xml: logging appender configuration updated

  • 010-value-policy.xml: removed deprecated minOccurs

  • 015-security-policy.xml: removed deprecated minOccurs

  • 040-role-enduser.xml: reducing authorizations (get instead of read)

  • 140-report-certification-campaigns.xml: report definition fixed

  • 150-report-certification-cases.xml: report definition fixed

  • 160-report-certification-decisions.xml: report definition fixed

  • 200-lookup-languages.xml: new language: japanese, lithuanian

  • 210-lookup-locales.xml: new language: japanese, lithuanian

Bundled connector changes since 3.8 and 3.8.1

  • The LDAP connector and AD Connector were upgraded to the latest available version. This version brings major changes that take advantage of ConnId framework development. There is support for native timestamps. But there is one important internal change. LDAP and AD connectors now support "update delta" operation instead of legacy update operations. Delta-based updates are superior to legacy method and this change resolves a lot of subtle problems of complex changes on resources. However, the connector has to let midPoint know that it supports delta-based update operations. This is done by the means of resource capabilities. This happens automatically for new midPoint deployments. Older midPoint deployments simply need to refresh (native) resource capabilities.

Behavior changes since 3.8 and 3.8.1

  • Shadow objects now use pendingOperations to record operation retries. Prior to 3.9 a different mechanism was used. The mechanism of operation retries and manual resources was unified in midPoint 3.9.

  • Dead shadows remain in midPoint repository for some time (7 days by default). The reason is to avoid some corner cases. But this also improves visibility, e.g. administrator can check operation result in the dead shadow.

  • Refresh operation on shadow cleans up dead shadows and expired pending operations. This normally happens during reconciliation. The same refresh tasks that are used for manual resources can be used as a lightweight replacement to clean up the shadows without reconciliation.

  • Error criticality handling definition was changed

    • Change of (experimental) criticality definition schema (boolean→fatal/partial). This is incompatible change in schema. However, this was justified in a minor release as this functionality is marked as experimental.

    • PolicyViolationException has partial criticality by default.

  • LDAP and AD connectors support only delta-based update operation now. Please refresh native resource capabilities for those connectors to work well after upgrade to 3.9.

  • Self-service password change is now using special self-service channel (http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#selfService)

  • XPath2 is no longer supported. Please migrate your XPath2 scripts to Groovy, JavaScript or Python.

  • Assembly of midPoint Maven artifacts and Maven overlay was fixed. This may affect existing midPoint overlay projects. Please have a look at the most recent midPoint overlay example and adjust your overlay projects accordingly.

  • Interpretation of shadow with no kind/intent has changed. Before 3.9 those shadows were interpreted as having default kind/intent. In 3.9 the meaning has changed. MidPoint 3.9 now interprets shadows with no kind/intent in such a way as the kind/intent is unknown (undetermined). This should not affect existing deployment with correct configuration in any significant way. However, deployments upgraded from 3.8 may experience a lot of updates to shadow kind/intent. This may cause problems if object synchronization part of resource definition is not configured correctly.

  • There were several improvements to "search iterative" functionality. This should not affect existing deployment - unless for a few special cases that (incorrectly) relied on older behavior. In case that your deployment is using search iterative method in a non-standard way additional testing is recommended after upgrade to 3.9.

  • Authorizations maintain their zone of control by default. In midPoint 3.9 the default authorizations allowed to change an object in such a way that it was no longer accessible to the user. This default behavior was changed in midPoint 3.9, which now does not allow such change by default. This is more intuitive and also more secure default behavior and it should affect only minimal number of existing deployments. Old behavior can still be enabled if needed.

Public interface changes since 3.8

  • There were several fixes and minor improvements to REST API. The interface should be completely backward compatible.

  • There were several fixes and minor improvements to IDM Model Java API. The interface should be completely backward compatible.

Important internal changes since 3.8

These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.

  • There was a major update to provisioning mechanism that handles provisioning errors and operation retries (a.k.a. "consistency mechanism"). It was aligned with mechanism that supports manual resources. Shadow objects now use pendingOperations to record operation retries. Most of the algorithms in this part of the system were improved.

Known Issues and Limitations

As all real-world software midPoint 3.9.1 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 3.9.1 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 3.9.1 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.

Native attribute with the name of 'id' cannot be currently used in midPoint (MID-3872). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).

JavaDoc is temporarily not available due to the issue in Java platform. This issue is fixed in Java 9 platform, but backport of this fix to Java 8 is (quite surprisingly) not planned. This should be fixed in midPoint 4.0 with Java 11 support.


Majority of the work on the Galileo release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.


Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.

Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.

We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.

Was this page helpful?
Thanks for your feedback