MidPoint 4.5 "Nightingale"
Release 4.5 is a fortieth midPoint release code-named Nightingale. The 4.5 release brings identity matching capabilities, support for OpenID Connect, notification, user interface and other improvements.
Release date | 11 April 2022 |
---|---|
Release type | Feature release |
End of support | 11 April 2023 |
Florence Nightingale (1820 – 1910) was an English social reformer, statistician and the founder of modern nursing. She established the first secular school for nurses, laying the foundation for professional nursing. Florence Nightingale was also a pioneer in statistics and data visualization, using the methods to draw conclusions and actionables from medical data, saving numerous lives. Similarly to statistics and visualization used by Florence Nightingale, midPoint 4.5 brings improvements to data analytic capabilities. New identity correlation mechanisms can be used to find meaning in the data, to quickly identify account owners. Improvements to Axiom query language are also contributing to analytic and reporting capabilities. This is supplemented with notification and user interface enhancements, improving presentation of the data. |
Changes With Respect To Version 4.4
New Features and Improvements
-
Major features
-
Identity matching, supporting InCommon ID Match integration
-
Notifications improvements
-
OpenID Connect support (section - Module oidc)
-
-
User interface improvements
-
Improved system configuration pages
-
Miscellaneous GUI usability and user experience updates
-
User interface for editing notification message templates
-
-
Miscellaneous improvements
-
Axiom query language expressions
-
New
focusBehaviorUpdate
option to avoid update of last login timestamp in user object. -
Native fail-over support in LDAP connector
-
Significantly improved reference documentation of mappings
-
-
Internal improvements
-
New code generator, replacing legacy JAXB/JAXWS generator
-
Deprecation, Feature Removal And Incompatible Changes
-
Explicit deployment of midPoint (in a form of WAR file) to Tomcat web container is no longer supported. This mechanism was deprecated since midPoint 4.1. Deploying midPoint as a stand-alone application is the only supported method now.
-
PostgreSQL 10 is no longer supported.
-
Generic repository implementation (which was the only available repository implementation in midPoint 4.2 and earlier) was deprecated in midPoint 4.4. It was replaced by native PostgreSQL repository. It is strongly recommended for all new deployments to use native PostgreSQL repository. Moreover, it is recommended that all existing deployments migrate to the native PostgreSQL repository as soon as possible.
Releases Of Other Components
-
New version of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released during the course of midPoint 4.5 development. New version of LDAP connector includes native fail-over functionality.
-
New version of DatabaseTable Connector was released and bundled with midPoint.
-
Docker images were released in Docker Hub: 4.5 and 4.5-alpine.
-
Overlay project examples will be released soon after released together with midPoint 4.5 release.
-
MidPoint Studio version 4.5 will be released soon after midPoint 4.5 release.
-
Prism data representation library was separated from midPoint code into ist own project. It was released together with midPoint 4.5.
-
Midpoint client Java library will be released soon after released together with midPoint 4.5 release.
Purpose and Quality
Release 4.5 (Nightingale) is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.
All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.
Limitations
Following list provides summary of limitation of this midPoint release.
-
Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.
-
MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.
-
MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
-
MidPoint user interface has flexible (fluid) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
-
There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.
-
MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported part of this user interface is the part that is used to process requests and approvals. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.
-
Production deployments of midPoint in Microsoft Windows environment are not supported. Microsoft Windows is supported only for evaluation, demo, development and similar non-production purposes.
-
Identity matching developed in midPoint 4.5 is supported only for integration with ID Match API. Newly-developed internal correlators and all other correlation functionality developed in midPoint 4.5 is considered experimental. The correlation functionality present in midPoint 4.4 (and older) is still fully functional and supported.
This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.
Operating System
MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:
-
Linux (x86_64)
We are positive that MidPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) script, low-administration and migration tools, backup and recovery support and so on.
Java
-
OpenJDK 11 (11.0.14).
-
OpenJDK 17. This is a recommended platform.
OpenJDK 17 is a recommended Java platform to run midPoint.
Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds. As far as we are aware, free updates for Oracle JDK 11 are no longer available. Which means that Oracle JDK 11 is not supported for MidPoint anymore. MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.
Databases
Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.
See Repository Database Support for more details.
Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.
Native Database Support
Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.
This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:
-
PostgreSQL 14 or 13
Generic Database Support (deprecated)
Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:
-
H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported. -
PostgreSQL 14, 13, 12, 11.
-
Oracle 12c
-
Microsoft SQL Server 2019, 2016 SP1
Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.
Supported Browsers
-
Firefox
-
Safari
-
Chrome
-
Edge
-
Opera
Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.
Important Bundled Components
Component | Version | Description |
---|---|---|
Tomcat |
9.0.48 |
Web container |
ConnId |
1.5.0.18 |
ConnId Connector Framework |
3.4 |
LDAP and Active Directory |
|
2.4 |
Connector for CSV files |
|
1.4.9.1 |
Connector for simple database tables |
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/4.5/midpoint-4.5-dist.zip |
|
Source |
||
Java API JavaDoc |
https://www.evolveum.com/downloads/midpoint/4.5/midpoint-api-4.5-javadoc/ |
|
SchemaDoc |
https://www.evolveum.com/downloads/midpoint/4.5/midpoint-4.5-schemadoc/ |
Upgrade
MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.
This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.
Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.5.
Upgrade From MidPoint 4.4.x
MidPoint 4.5 data model is backwards compatible with previous midPoint version. Therefore the usual upgrade mechanism can be used. There are some important changes to keep in mind:
-
Database schema needs to be upgraded using the usual mechanism.
Please see MidPoint Upgrade Guide for details.
-
Version numbers of some bundled connectors have changed. Therefore, connector references from the resource definitions that are using the bundled connectors need to be updated.
It is strongly recommended migrating to the new native PostgreSQL repository implementation for all deployments that have not migrated yet. However, it is not recommended upgrading the system and migrating the repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.
Upgrade From MidPoint Versions Older Than 4.4
Upgrade from midPoint versions older than 4.4 to midPoint 4.5 is not supported directly. Please upgrade to midPoint 4.4.x first.
Changes In Initial Objects Since 4.4
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g. role Superuser
and user administrator
).
These objects may change in some midPoint releases.
However, midPoint is conservative and avoids overwrite of customized configuration objects.
Therefore midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
The following list contains a summary of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the changes and assess the impact on case-by-case basis:
-
000-system-configuration.xml
: Added new archetypes for utility and system tasks, added archetypes for propagations tasks -
027-archetype-correlation-case.xml
: New archetype for correlation cases -
042-role-reviewer.xml
: Update authorization for page 'My work item' in role 'Reviewer' -
140-report-certification-campaigns.xml
,150-report-certification-cases.xml
: Fixed parsing support for YAML-formatted expression in Axiom Query -
251-object-collection-resource-up.xml
,260-object-collection-task-all.xml
,261-object-collection-task-active.xml
: Converted search filters to Axiom query -
262-object-collection-task-report.xml
: Converted search filters to Axiom query, fixed incorrect namespace -
271-object-collection-audit-24h.xml
,272-object-collection-audit-errors-24h.xml
,273-object-collection-audit-modifications-24h.xml
,330-object-collection-my-cases.xml
: Fixed parsing support for YAML-formatted expression in Axiom Query -
5*-archetype-task-*.xml
: Cleanup of task archetypes (removed ownerRef, task name via focusMapping) -
513-archetype-task-shadow-integrity-check.xml
,514-archetype-task-shadows-refresh.xml
,515-archetype-task-objects-delete.xml
,516-archetype-task-shadows-delete-long-time-not-updated.xml
,517-archetype-task-execute-change.xml
,518-archetype-task-execute-deltas.xml
,519-archetype-task-reindex-repository.xml
,520-archetype-task-certification.xml
,521-archetype-task-approval.xml
,522-archetype-task-object-integrity-check.xml
,530-archetype-task-validity.xml
,531-archetype-task-trigger.xml
,560-task-validity.xml
,570-task-trigger.xml
: Added new archetypes for utility and system tasks -
520-archetype-task-certification.xml
,521-archetype-task-approval.xml
,532-archetype-task-propagation.xml
,533-archetype-task-multi-propagation.xml
: Added archetypes for propagations tasks
Please review source code history for detailed list of changes.
Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades. On-line version can be found in midPoint source code.
|
Bundled Connector Changes Since 4.4
-
LDAP and AD connectors were upgraded to the latest available version 3.4. See LDAP connector page and Active Directory connector page for details.
-
DatabaseTable connector was upgraded to the latest available version 1.4.9.1. See DatabaseTable connector page for details.
Behavior Changes Since 4.4
-
Notifications
-
Previously, if no transport was specified for
customNotifier
,customTransport
was quietly implied. This is no longer the case and the transport must be explicitly mentioned just like in any other notifier. Custom notifier is actually in no way tied to the custom transport only - any transport can be used. -
Previously, schema allowed nesting notifiers, e.g. putting
simpleFocalObjectNotifier
insidetimeValidityNotifier
or any other notifier. This is no longer possible, if there is any nesting of concrete notifiers in your System configuration object it must be removed. Nesting insidehandler
element and insidechained
/forked
blocks is fine, although the latter is deprecated now. This nested notifiers didn’t do anything anyway, so it is unlikely anyone used them.
-
-
Mappings
-
Up to now, we have skipped association inbound mappings if there was no input value. This was not consistent with the handling of other mappings. This is now changed. So, please make sure your mappings correctly treat null input values. See resource-dummy-autogreen.xml for an example.
-
Names of classes and packages that are relevant for logging has been changed. To log the inbound processing in details, one should now use
com.evolveum.midpoint.model.impl.lens.projector.focus.inbounds
-
-
Approvals
-
Deprecated
isEnabled()
method on workflow/case manager. Its value was driven byworkflow/enabled
config.xml
property. Now it was removed, because the flag is common for all cases - and this functionality is now more deeply embedded in midPoint. The disabling of Cases GUI section should now be done using other means (e.g. authorizations). -
Removed unused
GeneralChangeProcessor
from approvals (workflow-impl
). This module was originally created when Activiti was used, but it was never really used. With Activiti removal in 4.0 it was practically dead. Now it’s finally removed.
-
Schema Changes Since 4.4
-
groupBy
in filters is no longer supported. -
Elements in SAML authentication configuration were changed, to match configuration of Spring Security SAML2 service provider library. There are some incompatible changes. Please see schema definition for details.
Important Internal Changes Since 4.4
These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
-
Legacy JAXB/JAXWS code generator was replaced with a brand new code. Generated code is almost completely compatible with the previous code. Moreover, there are some new features (e.g. more convenient constructors/factories) that can be used in the new code.
-
For performance reasons, user interface code is scanning only
com.evolveum
packages on classpath. This can be changed using settings inapplication.yml
file. This change may influence Maven overlay projects that include GUI customizations.
Known Issues and Limitations
As all real-world software midPoint 4.5 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.
There is currently no plan to fix the known issues of midPoint 4.5 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.
The known issues of midPoint 4.5 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.
This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.
Some of the known issues are listed below:
-
There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.
-
Native attribute with the name of 'id' cannot be currently used in midPoint (MID-3872). If the attribute name in the resource cannot be changed then the workaround is to force the use of legacy schema. In that case midPoint will use the legacy ConnId attribute names (icfs:name and icfs:uid).
-
We have seen issues upgrading H2 instances to a new version. Generally speaking H2 is not supported for any particular use. We try to make H2 work and we try to make it survive an upgrade, but there are occasional issues with H2 use and upgrade. Make sure that you back up your data in a generic format (XML/JSON/YAML) in regular intervals to avoid losing them. It is particularly important to back up your data before upgrades and when working with development version of midPoint.
Credits
Majority of the work on the Nightingale release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.
Disclaimer
Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.
Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.
We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.