MidPoint 4.5 "Nightingale"

Last modified 11 Apr 2022 16:04 +02:00

Release 4.5 is a fortieth midPoint release code-named Nightingale. The 4.5 release brings identity matching capabilities, support for OpenID Connect, notification, user interface and other improvements.

Release date11 April 2022
Release type Feature release
End of support11 April 2023
nightingale.png

Florence Nightingale (1820 – 1910) was an English social reformer, statistician and the founder of modern nursing. She established the first secular school for nurses, laying the foundation for professional nursing. Florence Nightingale was also a pioneer in statistics and data visualization, using the methods to draw conclusions and actionables from medical data, saving numerous lives.

Similarly to statistics and visualization used by Florence Nightingale, midPoint 4.5 brings improvements to data analytic capabilities. New identity correlation mechanisms can be used to find meaning in the data, to quickly identify account owners. Improvements to Axiom query language are also contributing to analytic and reporting capabilities. This is supplemented with notification and user interface enhancements, improving presentation of the data.

Changes With Respect To Version 4.4

New Features and Improvements

  • Major features

  • User interface improvements

    • Improved system configuration pages

    • Miscellaneous GUI usability and user experience updates

    • User interface for editing notification message templates

  • Miscellaneous improvements

  • Internal improvements

    • New code generator, replacing legacy JAXB/JAXWS generator

Deprecation, Feature Removal And Incompatible Changes

Releases Of Other Components

  • New version of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released during the course of midPoint 4.5 development. New version of LDAP connector includes native fail-over functionality.

  • New version of DatabaseTable Connector was released and bundled with midPoint.

  • Docker images were released in Docker Hub: 4.5 and 4.5-alpine.

  • Overlay project examples will be released soon after released together with midPoint 4.5 release.

  • MidPoint Studio version 4.5 will be released soon after midPoint 4.5 release.

  • Prism data representation library was separated from midPoint code into ist own project. It was released together with midPoint 4.5.

  • Midpoint client Java library will be released soon after released together with midPoint 4.5 release.

Purpose and Quality

Release 4.5 (Nightingale) is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.

All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.

Limitations

Following list provides summary of limitation of this midPoint release.

  • Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

  • MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

  • MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

  • MidPoint user interface has flexible (fluid) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

  • MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported part of this user interface is the part that is used to process requests and approvals. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

  • Production deployments of midPoint in Microsoft Windows environment are not supported. Microsoft Windows is supported only for evaluation, demo, development and similar non-production purposes.

  • Identity matching developed in midPoint 4.5 is supported only for integration with ID Match API. Newly-developed internal correlators and all other correlation functionality developed in midPoint 4.5 is considered experimental. The correlation functionality present in midPoint 4.4 (and older) is still fully functional and supported.

This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.

Platforms

MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.

Operating System

MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:

  • Linux (x86_64)

We are positive that MidPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) script, low-administration and migration tools, backup and recovery support and so on.

Java

  • OpenJDK 11 (11.0.14).

  • OpenJDK 17. This is a recommended platform.

OpenJDK 17 is a recommended Java platform to run midPoint.

Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds. As far as we are aware, free updates for Oracle JDK 11 are no longer available. Which means that Oracle JDK 11 is not supported for MidPoint anymore. MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.

Databases

Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.

See Repository Database Support for more details.

Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.

Native Database Support

Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.

This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:

  • PostgreSQL 14 or 13

Generic Database Support (deprecated)

Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:

  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.

  • PostgreSQL 14, 13, 12, 11.

  • Oracle 12c

  • Microsoft SQL Server 2019, 2016 SP1

Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.

Supported Browsers

  • Firefox

  • Safari

  • Chrome

  • Edge

  • Opera

Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.

Important Bundled Components

Component Version Description

Tomcat

9.0.48

Web container

ConnId

1.5.0.18

ConnId Connector Framework

LDAP connector bundle

3.4

LDAP and Active Directory

CSV connector

2.4

Connector for CSV files

DatabaseTable connector

1.4.9.1

Connector for simple database tables

Upgrade

MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.

This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.

Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.5.

Upgrade From MidPoint 4.4.x

MidPoint 4.5 data model is backwards compatible with previous midPoint version. Therefore the usual upgrade mechanism can be used. There are some important changes to keep in mind:

Please see MidPoint Upgrade Guide for details.

  • Version numbers of some bundled connectors have changed. Therefore, connector references from the resource definitions that are using the bundled connectors need to be updated.

It is strongly recommended migrating to the new native PostgreSQL repository implementation for all deployments that have not migrated yet. However, it is not recommended upgrading the system and migrating the repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.

Upgrade From MidPoint Versions Older Than 4.4

Upgrade from midPoint versions older than 4.4 to midPoint 4.5 is not supported directly. Please upgrade to midPoint 4.4.x first.

Changes In Initial Objects Since 4.4

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role Superuser and user administrator). These objects may change in some midPoint releases. However, midPoint is conservative and avoids overwrite of customized configuration objects. Therefore midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. The following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the changes and assess the impact on case-by-case basis:

  • 000-system-configuration.xml: Added new archetypes for utility and system tasks, added archetypes for propagations tasks

  • 027-archetype-correlation-case.xml: New archetype for correlation cases

  • 042-role-reviewer.xml: Update authorization for page 'My work item' in role 'Reviewer'

  • 140-report-certification-campaigns.xml, 150-report-certification-cases.xml: Fixed parsing support for YAML-formatted expression in Axiom Query

  • 251-object-collection-resource-up.xml, 260-object-collection-task-all.xml, 261-object-collection-task-active.xml: Converted search filters to Axiom query

  • 262-object-collection-task-report.xml: Converted search filters to Axiom query, fixed incorrect namespace

  • 271-object-collection-audit-24h.xml, 272-object-collection-audit-errors-24h.xml, 273-object-collection-audit-modifications-24h.xml, 330-object-collection-my-cases.xml: Fixed parsing support for YAML-formatted expression in Axiom Query

  • 5*-archetype-task-*.xml: Cleanup of task archetypes (removed ownerRef, task name via focusMapping)

  • 513-archetype-task-shadow-integrity-check.xml, 514-archetype-task-shadows-refresh.xml, 515-archetype-task-objects-delete.xml, 516-archetype-task-shadows-delete-long-time-not-updated.xml, 517-archetype-task-execute-change.xml, 518-archetype-task-execute-deltas.xml, 519-archetype-task-reindex-repository.xml, 520-archetype-task-certification.xml, 521-archetype-task-approval.xml, 522-archetype-task-object-integrity-check.xml, 530-archetype-task-validity.xml, 531-archetype-task-trigger.xml, 560-task-validity.xml, 570-task-trigger.xml: Added new archetypes for utility and system tasks

  • 520-archetype-task-certification.xml, 521-archetype-task-approval.xml, 532-archetype-task-propagation.xml, 533-archetype-task-multi-propagation.xml: Added archetypes for propagations tasks

Please review source code history for detailed list of changes.

Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades. On-line version can be found in midPoint source code.

Bundled Connector Changes Since 4.4

Behavior Changes Since 4.4

  • Notifications

    • Previously, if no transport was specified for customNotifier, customTransport was quietly implied. This is no longer the case and the transport must be explicitly mentioned just like in any other notifier. Custom notifier is actually in no way tied to the custom transport only - any transport can be used.

    • Previously, schema allowed nesting notifiers, e.g. putting simpleFocalObjectNotifier inside timeValidityNotifier or any other notifier. This is no longer possible, if there is any nesting of concrete notifiers in your System configuration object it must be removed. Nesting inside handler element and inside chained/forked blocks is fine, although the latter is deprecated now. This nested notifiers didn’t do anything anyway, so it is unlikely anyone used them.

  • Mappings

    • Up to now, we have skipped association inbound mappings if there was no input value. This was not consistent with the handling of other mappings. This is now changed. So, please make sure your mappings correctly treat null input values. See resource-dummy-autogreen.xml for an example.

    • Names of classes and packages that are relevant for logging has been changed. To log the inbound processing in details, one should now use com.evolveum.midpoint.model.impl.lens.projector.focus.inbounds

  • Approvals

    • Deprecated isEnabled() method on workflow/case manager. Its value was driven by workflow/enabled config.xml property. Now it was removed, because the flag is common for all cases - and this functionality is now more deeply embedded in midPoint. The disabling of Cases GUI section should now be done using other means (e.g. authorizations).

    • Removed unused GeneralChangeProcessor from approvals (workflow-impl). This module was originally created when Activiti was used, but it was never really used. With Activiti removal in 4.0 it was practically dead. Now it’s finally removed.

Schema Changes Since 4.4

Important Internal Changes Since 4.4

These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.

  • Legacy JAXB/JAXWS code generator was replaced with a brand new code. Generated code is almost completely compatible with the previous code. Moreover, there are some new features (e.g. more convenient constructors/factories) that can be used in the new code.

  • For performance reasons, user interface code is scanning only com.evolveum packages on classpath. This can be changed using settings in application.yml file. This change may influence Maven overlay projects that include GUI customizations.

Known Issues and Limitations

As all real-world software midPoint 4.5 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 4.5 _en masse_. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 4.5 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

Some of the known issues are listed below:

  • There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.

  • Native attribute with the name of 'id' cannot be currently used in midPoint (MID-3872). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).

  • We have seen issues upgrading H2 instances to a new version. Generally speaking H2 is not supported for any particular use. We try to make H2 work and we try to make it survive an upgrade, but there are occasional issues with H2 use and upgrade. Make sure that you back up your data in a generic format (XML/JSON/YAML) in regular intervals to avoid losing them. It is particularly important to back up your data before upgrades and when working with development version of midPoint.

Credits

Majority of the work on the Nightingale release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.

Disclaimer

Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.

Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.

We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.