MidPoint 4.4 LTS "Tesla" Update 10
- Changes with Respect to Version 4.4.9
- Changes with Respect to Version 4.4.8
- Changes with Respect to Version 4.4.7
- Changes with Respect to Version 4.4.6
- Changes with Respect to Version 4.4.5
- Changes with Respect to Version 4.4.4
- Changes With Respect To Version 4.4.3
- Changes With Respect To Version 4.4.2
- Changes With Respect To Version 4.4.1
- Changes With Respect To Version 4.4
- Changes With Respect To Version 4.3
- Platforms
- Important Bundled Components
- Upgrade
- Upgrade From MidPoint 4.4
- Upgrade From MidPoint 4.3.x
- Upgrade From MidPoint 4.0
- Upgrade From MidPoint 4.1 And 4.2
- Upgrade From MidPoint 3.9 And Older
- Changes In Initial Objects Since 4.3
- Bundled Connector Changes Since 4.3
- Behavior Changes Since 4.4.7
- Behavior Changes Since 4.3
- Schema Changes Since 4.3
- Public Interface Changes Since 4.3
- Important Internal Changes Since 4.3
Release 4.4.10 is a sixty-second midPoint release. It is the ninth maintenance update for 4.4.x version family code-named Tesla. The 4.4.10 release brings mainly security bugfixes.
Release date | 21 November 2024 |
---|---|
Release type | Maintenance release (LTS) |
End of support | 26 November 2024 |
Nikola Tesla (1856-1943) was a Serbian-American inventor, electrical engineer, mechanical engineer, and futurist. He has experimented with high-voltage, high-frequency electricity, including the iconic Tesla coil. However, his work on alternating current (AC) electric motors and polyphase AC system were perhaps the most consequential. He has made crucial contributions to the design of the modern AC electricity supply system, a system that is a backbone of almost every electrical power supply network in the world. Our world would be a completely different place without the contributions of Nikola Tesla. As Nikola Tesla built on top of scientists and engineers who came before him, midPoint 4.4 builds on work done during the development of previous midPoint releases, culminating in a release that can be used to build a whole new world of identity management and governance. MidPoint 4.4 is focused on scalability, it is able to process millions of identities, providing unprecedented performance, flexibility and manageability in a seamless open source package. Brand-new repository implementation using native PostgreSQL capabilities provides the power, supported by many performance and diagnostic improvements in almost every part of the code. Overall, midPoint 4.4 is a release unlike any other, enabling deployments that were not possible before. |
Changes with Respect to Version 4.4.9
-
Fixed issue with task notifier not getting error message for composite task handlers (e.g. reconciliation). See MID-10026.
-
Fixed the issue with unassigning role members to produce the action only for the selected relation. See MID-9936.
-
Fixed the issue with assignment counter on the object details page. See MID-10099.
-
Fixed fetching accounts with different association definitions in different intents. See MID-9910.
-
Fixed closing multi-node tasks when some nodes are not available. See MID-10021.
-
Fixed updating invisible fields during validation of items. See MID-10091.
-
Fixed displaying error messages with technical details via new configuration options. See MID-9993.
To see full list of fixes see Evolveum Issue Tracker.
Changes with Respect to Version 4.4.8
-
Fixed updating of model before form validation by expression validator with dependency on another attribute. See MID-9688.
-
Added
verify-audit
action to Ninja which reports audits records with incorrect oids. See MID-9450. -
Fixed inappropriate applications of weak mappings when a resource is down. See MID-9861.
-
Fixed saving properties of additional connectors. See MID-7918.
-
Fixed associationFromLink and behavior regarding dead shadows. See MID-9468 and MID-9487.
-
Fixed showing Save button when #modify execution-phase item-limited authorization is present. See MID-9898.
-
Improved the optimizing triggers creator, so that it works also throughout the cluster. See MID-9368.
-
Fixed incorrect displaying owner/approver relations in All direct/indirect assignments panel. See MID-9467.
-
Added
midpoint.isFocusDeleted()
method to allow keeping projections' data when focus is being deleted. See MID-9669.
Changes with Respect to Version 4.4.7
-
Fixed the issue with authorizations being checked too late during the operation processing. In specific situations the user-supplied code could be executed before the authorization checks took place. See MID-9459 and Security Advisory 22.
-
Added missing authorizations checks for some less frequently used operations. See behavior changes since 4.4.7, MID-9460 and Security Advisory 23.
-
Introduced fine-grained authorizations that grant access at the level of a single REST operation. See Service Authorizations.
-
Showing of a 404 error page instead of a 500 error page when the focus object could not be found on the details page
To see full list of fixes see Evolveum Issue Tracker
Changes with Respect to Version 4.4.6
-
Fix in workflow when are combined autocomplete and approval.
-
Fixed necessity of "namingAttr" attribute for LDAP authentication module.
-
Fixes in GUI
-
Search refreshing after selecting object type in org tree
-
Showing all properties of audit delta
-
Deactivated save button for users with only browse permissions and allow it for users that can assign/unassign assignment.
-
Fix for load timeout for Cases page.
-
Ordering of task detail tabs.
-
Assignment Constraints in shopping card.
-
Trimming whitespace on start and end of password.
-
Content of 'Certification' → 'Certification scheduling'.
-
-
Ninja fixes: better UX, stuck of import,
To see full list of fixes see Evolveum Issue Tracker
Changes with Respect to Version 4.4.5
-
Security fixes
-
Fixed issue when less privileged user was able to execute custom Groovy scripts via Bulk Tasks. See Security Advisory: Less privileged user able to execute custom Groovy scripts via Bulk Tasks.
-
Fixed CSRF vulnerability if SAML2 or OIDC was used. See Security Advisory: CSRF protection was not working if user logged using SAML2 or OIDC.
-
-
CSV export
-
Various GUI fixes (shopping cart, certifications)
-
Ninja tool improved
-
Upgrade related features added, more commands available
-
Commands and options names realigned:
-
All command and option names are kebab cased
-
File output is now
-o, --output
-
-O, --overwrite
for all commands
-
-
Changes with Respect to Version 4.4.4
-
Fix for disabled users are able to log-in via LDAP authentication vulnerability. See Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled for details.
-
Fix for post-registration form vulnerability (disabled by default). See Self Registration feature allows to change password of other users for details.
-
New functionality for exporting anonymous role mining data. This functionality enables the export of relationships between roles, users, and organizations while ensuring the privacy and security of the exported data. The current version supports the export of anonymous role mining data using Ninja tool, see Ninja documentation. For more information, please refer to the Anonymous Export of Role Mining Data.
-
Updated initial objects with certification reports, see MID-8665 and commit 427a0cdf.
-
Documentation for
orgRef
authorization object selector was fixed, see MID-8445 and commit b23253fa. -
Post-registration form (invitation form) requires Nonce authorization, see Self Registration configuration before 4.6 for proper configuration and link generation.
Changes With Respect To Version 4.4.3
-
MID-8451: fixed form validation in GUI for invisible fields based ObjectTemplateType/ iteratorSpecification/maxIterations
-
MID-8112: fixed action to delete object on repository object page
-
Multiple fixes in request access wizard
-
MID-8348: Password panel "remove password" now visible when necessary
-
Fix of undesired matching rule (e.g. ignore-case) application in correlation queries.
-
Upgrade of AD/LDAP connectors.[1]
-
The whole list of fixed issues can be found here.
Changes With Respect To Version 4.4.2
-
Fixes around Cases/Work Items and Manual Resources.
-
GUI fixes around reports and shopping carts.
-
Fix of the authorization bug in REST Client.[2]
-
Fixed UTF-8 support (e.g. emojis, kanji and more), previously prohibited by obsolete Xalan.[3]
-
Dependency upgrades to Spring Boot 2.5.14 (Spring Framework 5.3.20, Spring Security 5.6.6) and many additional security upgrades.
-
…and many more fixes - the whole list can be found here.
Changes With Respect To Version 4.4.1
-
Classpath scan scope for UI panels. Narrowed to
com.evolveum.midpoint
by default. It can be changed via configuration property. See more here. -
The behaviour of
hasArchetype
method inMidpointFunctions
has been fixed (and therefore changed). Now it’s consistent with other archetype-related methods in that it takes archetype assignments into account.[4] -
Reporting on synchronization situation transitions during reconciliation tasks has been improved (changed).[5]
-
GUI performance was significantly improved.
-
New option for turning off serialization in GUI was introduced. See PR #167 for more details.
-
Fixed bug for Native repository removing shadow attributes and JPEG photo when reindex is used.[6]
-
Various fixes for Native repository, mostly around iterative search (skipped audit events and ordering fixes).[7]
Changes With Respect To Version 4.4
-
Improved migration to native PostgreSQL repository
-
Fixed extensions / attributes indexing
-
Audit migration using ninja
-
-
Updated initial objects - adding archetypes to propagation and system tasks
-
Updated bundled DatabaseTable connector
-
Improved error handling in ninja
-
Improved password quality meter
-
Miscellaneous style improvements and fixes in GUI
-
Web session size improvements (GUI)
-
Miscellaneous bugfixes
Changes With Respect To Version 4.3
New Features and Improvements
-
Major features
-
Overall performance and scalability improvements
-
Axiom query language (integration, documentation) (experimental)
-
User experience improvements
-
Major improvements to task management
-
Numerous visibility and diagnostics improvements
-
-
Introduced concept of "activity"
-
Cluster auto-scaling capabilities
-
Cluster-wide thresholds
-
Progress and statistics reporting improvements
-
-
Repository improvements
-
Native PostgreSQL database schema, focused on scalability
-
Production support for storing full objects in repository in JSON format
-
Miscellaneous improvements
-
Reports and dashboards were significantly improved, completely replacing Jasper functionality.
-
Archetyped personas
-
Ability to de-activate individual mappings
-
-
Provisioning and connector improvements
-
Connector auto-loading
-
Maximum idle lifetime of connector instance (ConnId)
-
-
Internals and Development
-
Java 17 support
-
Prism separated to a dedicated project
-
Schrodinger separated to a dedicated project
-
MidScale Project
Significant part of midPoint 4.4.x functionality was developed in the scope of midScale project, co-funded by NGI_TRUST and Evolveum. MidScale was focused on significant increase in midPoint scalability. The scalability issues were addressed from several angles at once: data storage, internal performance, task management, user interface, with many smaller improvements in almost every midPoint component. The result of midScale project is a major scalability improvement, enabling midPoint deployments that go well beyond millions of managed identities.
MidScale project introduced brand-new Native PostgreSQL repository implementation. This implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability. This is now the primary and recommended repository for midPoint deployments. Related to this is also new implementation of the SQL audit with (optionally) time-based partitioned tables allowing for very fast audit data removal.
Task management system was significantly updated during midScale project. The major improvements are related to the ease of complex task configuration, enhanced ability to distribute tasks across the cluster (this includes task auto-scaling and cluster-wide thresholds), and supporting large deployments by improving task progress and statistics reporting, error handling (including selective re-processing of failed items), diagnostics, and overall visibility. See the description of activities for more information.
Numerous performance improvements were made during midScale project. Almost every midPoint component was improved, from the low-level data representation (Prism), through the model components (Projector, Clockwork) all the way up to user interface. The performance improvements add up, increasing overall performance of midPoint 4.4.
Axiom Query Language was developed during midScale project, as a new, human-friendly query language. Axiom query language replaces old, XML-based query language that was used since the dawn of midPoint project. Albeit Axiom query language is still experimental, it is already a very useful tool.
MidPoint user interface was improved during midScale, both its functionality and usability. The were numerous smaller improvements and several bigger improvements to look and feel of the user interface.
For more details about midScale project please see midScale project home page.
Deprecation, Feature Removal And Incompatible Changes
-
Generic repository implementation (which was the only available repository implementation in midPoint 4.2 and earlier) is deprecated. It was replaced by native PostgreSQL repository, which is now strongly recommended for all production deployments of midPoint.
-
Use of HQL query language for audit log queries and dashboard widgets is no longer supported. Please use midPoint query languages instead.
-
OID in new repository must be in UUID format. This was always recommended and repository never created non-UUID OIDs, but it was possible (against all advices) to use any string as OID, typically for configuration objects. New repository will not work with these.
-
Support for
objectType
,employeeType
,roleType
,orgType
andserviceType
was removed, these deprecated items are no longer present in midPoint schema. Also, support for objectsubtype
is still deprecated. Please use archetypes instead. -
Jasper-based reports are no longer supported. Use of Jasper-based reports in midPoint is deprecated since midPoint 4.2 in favor of the new "native" reports. See Rewrite Jasper to Object Collection Report Guide for details.
-
Custom resource namespace (
namespace
item inResourceType
) is no longer supported. -
Production deployments of midPoint in Microsoft Windows environment are no longer supported. Microsoft Windows is still supported for evaluation, demo, development and similar non-production purposes.
-
JMX-based node-to-node communication in midPoint cluster is no longer supported. Please use the default REST communication method instead.
-
Explicit deployment to an external web container is deprecated since midPoint 4.1. It is strongly recommended using the default stand-alone deployment method instead.
-
MidPoint plug-in for Eclipse IDE was never officially supported and it will not be developed anymore. This plugin is abandoned in favor of IntelliJ IDEA environment (MidPoint Studio).
-
Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. This affects Oracle, Microsoft SQL and also PostgreSQL databases using the "old" generic database schema. MySQL and MariaDB are not supported since midPoint 4.3. Please use native PostgreSQL repository implementation instead. See Repository Database Support for more details.
-
Support for PostgreSQL 10 is deprecated, it is very likely it will be removed soon.
-
There are the following incompatible changes regarding tasks:
-
The pre-4.4 configuration style for partitioned tasks (partitioned reconciliation, partitioned focus validity scanning, or generic partitioned tasks) is not supported. Please use activity-based configuration instead to achieve that functionality.
-
The pre-4.4 configuration style for multi-node (coordinator/workers) tasks is no longer supported. Please use activity-based configuration instead to achieve that functionality.
-
The
finishOperationsOnly
extension property in reconciliation tasks is no longer supported. Please use activity-based configuration instead to achieve that functionality. -
Long-deprecated
http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/focus-validation-scanner/handler-3
task handler URI is no longer supported. -
The
extension/reporting/determineExpectedTotal
(an experimental configuration item) was changed toreporting/itemCounting/determineOverallSize
(still an experimental one).
-
-
Python expressions support is now optional and not part of the distribution.
-
Dependency for support of
saml2
authentication module was changed to Spring Security saml2-service-provider. Functionality of a new module is equivalent to the functionality of oldsaml2
module, however some configuration properties are not available in the new module. Such properties were tagged as deprecated in schema of saml2 authentication module. We need change attribute 'provider' to 'identityProvider' in 'serviceProvider'. When we use some keys of 'type' ENCRYPTION, we need remove it service provider obtain it from metadata for identity provider. You can see new configuration on Flexible Authentication Configuration. -
Schema items that were planned for removal in midPoint 4.4.10 were removed. Please see "Upgrade" section below for the details.
-
Support policy for systems connected to midPoint was clarified. Only integration to systems that are covered by regular support from their vendors will be supported by Evolveum. Please see Evolveum Support For Systems Connected to MidPoint for details. This also means that Active Directory 2012R2 is no longer supported.
-
GUI authorization for page 'My work item' in certification menu was change to 'http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myCertificationDecisions'. Old authorization 'http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#certificationDecisions' works for page 'All cases to decide' in certification menu.
-
There are the following incompatible changes regarding GUI configuration:
-
identifier
attribute for the GUI features is mandatory. Default features have system defined identifiers. -
To overwrite or customize default midPoint tables (e.g. All users, All roles,…)
identifier
attribute must be set correctly. E.g. for All Users identifierallUsers
must be used. -
Configuration for virtual containers was improved. Now it is possible to define virtual container on different panels, also custom ones. This required a changed in the configuration, where
container
definition was moved fromobjectDetailsPanel/container
toobjectDetailsPage/panel/container
. -
GUI was significantly changed in 4.4 - tabs on details pages were replaced with details navigation menu. Old configuration for tab customization won’t work with the new design. It has to be adapted to the new design and structures, look at the examples.
-
Default behavior for customizing visibility of different panels on details page was changed. Now, the configuration has additional meaning. E.g. if a user defines its custom panel for user’s details, all default (system-defined) panels will be visible by default. To show only custom panel, the default (system-defined) panels have to be hidden explicitly.
-
Releases Of Other Components
-
New version of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released and bundled with midPoint 4.4.10.
-
New version of DatabaseTable Connector was released and bundled with midPoint 4.4.10.
-
Docker images were released in Docker Hub: 4.4.4 and 4.4.4-alpine
-
Prism data representation library is separated from midPoint code into ist own project. It was released together with midPoint 4.4.10.
Purpose and Quality
Release 4.4.10 LTS (Tesla Update 10) is intended for full production use. It belongs to a long-term support (LTS) family, supported for a prolonged time period. Therefore it is intended for users that prefer long-term stability over new features.
All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.
Limitations
Following list provides summary of limitation of this midPoint release.
-
Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.
-
MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.
-
MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
-
MidPoint user interface has flexible (fluid) design and it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
-
There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.
-
MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported part of this user interface is the part that is used to process requests and approvals. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.
This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.
Operating System
MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:
-
Linux (x86_64)
We are positive that MidPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) script, low-administration and migration tools, backup and recovery support and so on.
Java
-
OpenJDK 11 (11.0.10).
-
OpenJDK 17. This is a recommended platform.
OpenJDK 17 is a recommended Java platform to run midPoint.
Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds. As far as we are aware, free updates for Oracle JDK 11 are no longer available. Which means that Oracle JDK 11 is not supported for MidPoint anymore. MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.
Web Containers
MidPoint is bundled with an embedded web container. This is the default and recommended deployment option. See Stand-Alone Deployment for more details.
Explicit deployment of war
file to web container is deprecated.
Following Apache Tomcat versions are supported:
-
Apache Tomcat 9.0 (9.0.65)
Apache Tomcat 8.0.x and 8.5.x are no longer supported. Support for explicit deployment to newer Tomcat versions is not planned. Please migrate to the default stand-alone deployment model as soon as possible.
Databases
Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.
See Repository Database Support for more details.
Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.
Native Database Support
Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.
This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:
-
PostgreSQL 15, 14 or 13
Native PostgreSQL repository implementation was developed during midPoint 4.3 and 4.4 in scope of midScale project. It is available for production use since midPoint 4.4.
Generic Database Support (deprecated)
Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:
-
H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported. -
PostgreSQL 15, 14, 13, 12, 11. Support for PostgreSQL 10 is deprecated, it is very likely it will be removed soon.
-
Oracle 19c, 21c
-
Microsoft SQL Server 2019, 2016 SP1
Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. Please use native PostgreSQL repository implementation instead. See Repository Database Support for more details.
Supported Browsers
-
Firefox
-
Safari
-
Chrome
-
Edge
-
Opera
Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.
Important Bundled Components
Component | Version | Description |
---|---|---|
Tomcat |
9.0.65 |
Web container |
ConnId |
1.5.1.10 |
ConnId Connector Framework |
3.5 |
LDAP and Active Directory |
|
2.4 |
Connector for CSV files |
|
1.5.0.0 |
Connector for simple database tables |
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/4.4.10/midpoint-4.4.10-dist.zip |
|
Source |
||
Java API JavaDoc |
https://evolveum.com/downloads/midpoint/4.4.10/midpoint-api-4.4.10-javadoc/ |
|
SchemaDoc |
https://evolveum.com/downloads/midpoint/4.4.10/midpoint-4.4.10-schemadoc/ |
Upgrade
MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.
This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.
Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.4.10.
Upgrade From MidPoint 4.4
MidPoint 4.4.10 data model is completely backwards compatible with midPoint 4.4.
The usual upgrade mechanism can be used for upgrades from midPoint 4.4 to 4.4.10. In addition to that, we recommend following actions:
-
Re-import of initial files:
042-role-reviewer.xml
,*-archetype-task-*.xml
,560-task-validity.xml
, and570-task-trigger.xml
. There were also changes in000-system-configuration.xml
(objectCollectionView
forpropagation-task-view
andmulti-propagation-task-view
) that may need to be incorporated into system configuration object. -
Minor changes for the Native repository require execution of
postgres-new-upgrade*.sql
scripts as described here. There are no table changes, but database procedures were improved (support for partition creation for the past) and missing org closure triggers added. (Generic repository does not require any upgrade.) -
Please check if there is a need to add authorizations to specific users due to behavior changes since 4.4.7.
Upgrade From MidPoint 4.3.x
MidPoint 4.4.10 data model is not completely backwards compatible with midPoint version earlier than 4.4. However, the vast majority of data items is compatible. Therefore the usual upgrade mechanism can be used. There are some important changes to keep in mind:
-
Database schema needs to be upgraded using the usual mechanism. Please see MidPoint Upgrade Guide for details.
-
Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.
-
Deprecated elements that were planned to be removed in midPoint 4.4.10 were removed. Please see detailed list below.
-
MidPoint 4.4.10 contains native PostgreSQL repository implementation, which is now recommended repository for all midPoint deployments. However, this new repository implementation is not directly compatible with generic repository implementation that was present in previous midPoint versions. It is strongly recommended migrating to the new native PostgreSQL repository implementation. However, it is not recommended upgrading the system and migrating the repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.
-
Jasper-based reports, deprecated since midPoint 4.2, are no longer supported. The functionality was replaced with native reporting capabilities of midPoint. Legacy Jasper reports have to be manually migrated. Please see Rewrite Jasper to Object Collection Report Guide for details.
-
Production deployments of midPoint in Microsoft Windows environment are no longer supported. Microsoft Windows is still supported for evaluation, demo, development and similar non-production purposes.
-
Tasks should be re-imported because their run-time data structures have been changed. Moreover, bucketed, multi-node and partitioned tasks have to be manually or semi-manually adapted to the new activity-based configuration language. "Change execution" task should be checked for changed default object type. Please see Migration of Tasks from 4.0/4.3 to 4.4 for details.
Upgrade From MidPoint 4.0
Both midPoint 4.0 and midPoint 4.4 are long-term support (LTS) releases. Therefore there is a direct upgrade path from midPoint 4.0 to midPoint 4.4. The usual upgrade mechanism can be used to upgrade midPoint 4.0 to midPoint 4.4. However, please make sure you are using correct upgrade scripts, as there are scripts to support upgrade from both version 4.0 and version 4.3.
Be sure to the latest maintenance version for 4.0 LTS, at least version 4.0.4, otherwise you will not be warned about all the necessary schema changes and other possible incompatiblities. |
Upgrade of midPoint 4.0 to midPoint 4.4 is effectively upgrade of four midPoint versions in one step. Although the upgrade scripts and instructions will do the "technical" part of the upgrade, updating the database schema and the software in a single step, there still may be functionality changes in all the intermediary midPoint releases. Therefore, it is strongly recommended reading all the release notes for all the intermediary releases (4.1, 4.2, 4.3 and 4.4), adjusting your configuration as necessary.
The most important changes are summarized below:
-
Java 8 platform is no longer supported. Please use Java 17 or Java 11.
-
MySQL and MariaDB are no longer supported.
-
SOAP-based interface is no longer supported. Please use RESTful interface instead.
-
Unofficial Eclipse plugin for midPoint is no longer supported. Please use MidPoint Studio instead.
-
Archetypes were applied to server tasks in midPoint 4.1. Server task definitions need to be re-imported or adjusted. Please see midPoint 4.1 release notes for the details.
-
.NET remote connector server is no longer supported.
-
Microsoft Internet Explorer is no longer supported.
-
Unofficial option to use Spring Security modules is no longer available. It was replaced by flexible authentication mechanisms.
-
Channel namespaces were changed in midPoint 4.2. Please see midPoint 4.2 release notes for the details.
-
Use of HQL query language for audit log queries and dashboard widgets is no longer supported. Please use midPoint query languages instead.
-
Production deployments of midPoint in Microsoft Windows environment are no longer supported. Microsoft Windows is still supported for evaluation, demo, development and similar non-production purposes.
-
Many deprecated elements were removed from midPoint schema.
-
MidPoint 4.4.10 contains native PostgreSQL repository implementation, which is now recommended repository for all midPoint deployments. However, this new repository implementation is not directly compatible with generic repository implementation that was present in previous midPoint versions. It is strongly recommended migrating to the new native PostgreSQL repository implementation. However, it is not recommended upgrading the system and migrating repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.
-
Jasper-based reports, deprecated since midPoint 4.2, are no longer supported (including support for JasperSoft Studio). The functionality was replaced with native reporting capabilities of midPoint. Legacy Jasper reports have to be manually migrated. Please see Rewrite Jasper to Object Collection Report Guide for details.
-
Tasks should be re-imported because their run-time data structures have been changed. Moreover, bucketed, multi-node and partitioned tasks have to be manually or semi-manually adapted to the new activity-based configuration language. "Change execution" task should be checked for changed default object type. Please see Migration of Tasks from 4.0/4.3 to 4.4 for details.
However, please keep in mind that every midPoint release introduced more changes than can fit into this list. Please see the release notes for the details.
Upgrade From MidPoint 4.1 And 4.2
Upgrade from the intermediary feature releases to midPoint 4.4.10 is not supported directly. Please upgrade to midPoint 4.2.x first, then upgrade to midPoint 4.3.x, then finally upgrade to midPoint 4.4.
Upgrade From MidPoint 3.9 And Older
Upgrade from midPoint 3.9.x or older to midPoint 4.4.10 is not supported directly. Please upgrade to midPoint 4.0.4 first, then upgrade to midPoint 4.4.
Changes In Initial Objects Since 4.3
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role Superuser
and user administrator
).
These objects may change in some midPoint releases.
However, midPoint is conservative and avoids overwrite of customized configuration objects.
Therefore midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
The following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the changes and assess the impact on case-by-case basis:
-
000-system-configuration.xml
: Updated task archetypes, removedorg.reflections
logger, updatedobjectCollectionViews
for report tasks, better icons for task details menu. -
023-archetype-manual-provisioning-case.xml
,024-archetype-operation-request.xml
,025-archetype-approval-case.xml
: Updated archetypes, removing deprecated items, switching to new panel and form configuration. -
059-archetype-report.xml
,060-archetype-report-dashboard.xml
,061-archetype-report-collection.xml
: adapted configuration to changes in GUI. -
*-report-*.xml
(all report definitions): Configuration changed from Jasper to collection-based reports. Changedtarget
variable totargetRef
,initiator
toinitiatorRef
and so on. Updating scripts to work with references rather than values. Column specification. Paging specification adjusted. -
270-object-collection-audit.xml
: Created new panel for parameter with date type. -
*-task-*-.xml
(all task definitions): Migrated from legacy to the new (activity-based) configuration. Updated task archetypes, migrated to activities configuration, removing deprecated items. Adjustements for task details page. -
507-archetype-task-report-export-classic.xml
renamed to507-archetype-task-report.xml
. -
Tasks (cleanup, validity, and trigger scanner):
Please review source code history for detailed list of changes.
Bundled Connector Changes Since 4.3
-
LDAP and AD connectors were upgraded to the latest available version 3.3. See LDAP connector page and Active Directory connector page for details.
-
DatabaseTable connector was upgraded to the latest available version 1.4.9.0. See DatabaseTable connector page for details.
Behavior Changes Since 4.4.7
-
The following authorizations were added into the
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3
namespace:-
test
: test resource, -
importFromResource
: importing a single shadow or the whole object class, -
recompute
recomputing a user or other object (with limited support for now), -
notifyChange
.
If there are users that need to execute these operations, make sure they get the appropriate authorization.
-
-
Invocation of "empty" modification operations, i.e. operations that make no change to the midPoint state, now require at least minimal authorizations. One of
add
,modify
,delete
,recompute
,assign
,unassign
,delegate
,changeCredentials
(all in thehttp://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3
namespace) suffices to start such "empty" modification operation.The rationale behind this change is that execution of even a seemingly "empty" operation is a complex process. In order to minimize the possibility of interfering with it, we restricted the set of users that are able to start such an operation. This change should not affect standard midPoint users, as usually they should have at least one of these authorizations to carry out any meaningful work in midPoint.
Behavior Changes Since 4.3
-
Customization of default midPoint tables (e.g. All users, All roles,…) works differently than in previous versions (see description of incompatible changes above).
-
There are some changes in the behavior of tasks:
-
When single-run task encounters a fatal error, it is no longer closed. It is suspended instead. This is to allow resuming and continuing with the activity that failed. (There can be more than single activity in a task.)
-
Default type of objects being processed by recomputation activity has been changed from
UserType
toFocusType
(but only when new activity-based configuration style is used). -
Default type of objects being processed by iterative change execution activity has been changed from
UserType
toObjectType
(regardless of whether activity-based or legacy configuration is used). -
The propagation activity now ignores search options configured by the user - they have no meaning for it anyway.
-
Schema Changes Since 4.3
-
Property
objectType
was removed fromFocusType
. The functionality was replaced by archetypes. -
Properties
employeeType
,roleType
,orgType
andserviceType
were removed. The functionality was replaced bysubtype
property, which was later replaced by archetypes. Thesubtype
property still remains, however it is deprecated. It is strongly recommended migrating all object subtyping functionality to archetypes. -
Property
namespace
was removed from resource definitions, without a replacement. The ability to explicitly specify custom resource namespace was considered redundant. -
Property
passwordPolicyRef
was removed fromschemaHandling
section of resource definitions. The ability to specify resource password policy still remains, however it was consolidated with security policy. Please specify resource security policy instead of password policy. -
Boolean property
minor
was removed from operation result data structure. It was replaced byimportance
enumeration property. -
Boolean property
ignore
was removed fromschemaHandling
section of resource definitions. It was replaced byprocessing
enumeration property. -
Property
subresultStripThreshold
was removed from internals configuration data structure. -
Element
reportOutput
was removed, together with associated report output object type. It was replaced byreportData
, and associated report data object type, which allows specification of both output and input data. -
Properties of admin GUI configuration
objectLists
andobjectList
were removed, replaced by view specification propertiesobjectCollectionViews
andobjectCollectionView
. -
Property
name
was removed from some admin GUI configuration data structures, replaced byidentifier
property. -
Reference
collectionRef
was removed from admin GUI view specification, replaced by more complexcollection
configuration. -
Property
visibility
was removed from dashboard configuration, replaced by equivalent mechanism in admin GUI configuration. -
Container
registration
was removed from security policy, replaced by self-registration flow specification. -
Specification of
jmxPort
was removed from node object, as JMX intra-node communication mechanism was replaced by RESTful interface. -
Property
running
was removed from node object. -
Property
operationalStatus
was renamed tooperationalState
in node object. -
Property
executionStatus
was renamed toexecutionState
in task object. -
Deprecated properties
canRunOnNode
andotherHandlersUriStack
were removed from the task object. -
A couple of run-time data structures related to task execution were significantly changed. The major difference is that various pieces of information were moved from the level of the task to so-called activity state (a container for all information related to the state of the specific activity):
-
OperationStatsType
:iterationInformation
,iterativeTaskInformation
,synchronizationInformation
,actionsExecutedInformation
,workBucketManagementPerformanceInformation
moved to an activity state, -
TaskActivityStateType
(wasTaskWorkStateType
): bucket-related items were moved to an activity state, -
WorkAllocationDefinitionType
) (wasWorkAllocationConfigurationType
): deleted obsolete configuration properties:allocateFirst
,workAllocationMaxRetries
,workAllocationRetryIntervalBase
,workAllocationRetryExponentialThreshold
,workAllocationRetryIntervalLimit
- they are no longer needed because of improvements in the bucket allocation algorithm, -
ProvisioningStatisticsType
was cleaned up from 21 deprecated properties.
-
Public Interface Changes Since 4.3
-
Prism component was separated into a dedicated project.
-
Prism API was changes in several places. However, this is not yet stable public interface therefore the changes are not tracked in details.
-
There were changes to the IDM Model Interface (Java). Please see source code history for details.
Important Internal Changes Since 4.3
These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
-
There were changes in internal code structure at numerous places do to refactoring and code cleanup. Most changes were related to the midScale effort. Heavy customizations of midPoint existing midPoint versions are likely to break in midPoint 4.4.
Known Issues and Limitations
As all real-world software midPoint 4.4.10 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.
There is currently no plan to fix the known issues of midPoint 4.4.10 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.
The known issues of midPoint 4.4.10 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.
This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.
Some known issues are listed below:
-
There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.
-
Native attribute with the name of 'id' cannot be currently used in midPoint (MID-3872). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).
-
We have seen issues upgrading H2 instances to a new version. Generally speaking H2 is not supported for any particular use. We try to make H2 work and we try to make it survive an upgrade, but there are occasional issues with H2 use and upgrade. Make sure that you back up your data in a generic format (XML/JSON/YAML) in regular intervals to avoid losing them. It is particularly important to back up your data before upgrades and when working with development version of midPoint.
Credits
Majority of the work on the Tesla release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.
Disclaimer
Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.
Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.
We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.