MidPoint 4.7 "Johnson" Update 2

Last modified 02 Jul 2024 17:36 +02:00

Release 4.7.2 is a fiftieth midPoint release. It is the second maintenance update for 4.7.x version family code-named Johnson. The 4.7.2 release brings Ninja tool improvements, security and miscleanous bugfixes.

Release date20 September 2023
Release type Maintenance release
End of support14 April 2024
johnson.png

Katherine Johnson (1918-2020) was an American mathematician whose calculations of orbital mechanics were critical to the success of many crewed spaceflights. She mastered complex manual calculations, earning a reputation as "human computer" for calculating trajectories of spacecrafts with a very limited technology. She helped pioneer the use of electronic computers to perform complex calculations at NASA, making spaceflight easier and safer.

Similarly to Katherine Johnson, midPoint 4.7 brings an ability to reliably project trajectories. Simulation feature in midPoint 4.7 can predict results of future operations before they are applied. Improved identity governance reports provide insights into identity data. Object marks, improved password reset, and numerous user experience improvements of midPoint 4.7 make identity management easier and safer.

Changes With Respect To Version 4.7.1

Changes With Respect To Version 4.7

Changes With Respect To Version 4.6

New Features and Improvements

  • Simulations. They cover various mechanisms of "what-if" analysis in midPoint. Now we can see expected effects of actions without the risk of damaging the system state. We can separate production-ready parts of the configuration from those being developed, and choose what configuration should be engaged during specific simulation. We can define binary "event marks" tagging individual objects being processed during simulation, as well as quantitative metrics for these objects and their changes. All these metrics can be aggregated, analyzed, and reported on, along with details of individual changes.

  • Extending password reset functionality with the multiple verifications. Within this improvement the logic of the security policies usage was reworked in such way that user currently can have multiple security policies referenced (e.g. one can be referenced from the organization structure, second - from the archetype). Therefore, an algorithm of the security policies merging was realised: the security policy referenced from the organization structure overrides the global security policy configuration, the security policy referenced from the archetype overrides the security policy referenced from the organization structure.

  • Simplification of application and business role creation using the role wizard. The business role wizard contains simple configuration steps for creating a role, assigning application roles and assigning members. The wizard for application roles contains similar steps, a step for creating a role, steps for assigning an application and a step for assigning members. See Wizard panel configuration for more details.

  • MidPoint now stores additional IGA-related value metadata for role membership references. The missing data will be populated automatically after the object is recomputed or changed. Utilizing these metadata, Indirect accesses report was added as an initial object (see this report example).

  • Initial implementation of Reference search.

  • Import preview for one shadow.

  • Delta viewer updated on several pages (focus save preview, audit event details, simulations, …​). See Delta visualization for more details.

  • Object Marks and Object Operation Policies. Added new mechanism for lightweight administrative / policy marking of objects (supported only with native repository, in this release marks are only supported for shadows). The functionality of protected shadows was reworked in favor of object marks and object operation policies, which allows for shadows to be explicitly marked as protected or excluded from synchronization.

Miscellaneous Improvements

  • ConnId handlers are disabled by default, there is no need to disable them explicitly.

Releases Of Other Components

  • New version (2.6) of CSV Connector was released and bundled with midPoint. The connector supports internal filtering of search results, it does not need ConnId result handlers any more.

  • New version (3.6.1) of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released and bundled with midPoint. This version fixes a bug with large integer numbers (MID-4424). Resource schema of LDAP and AD resources need to be refreshed (deleted and re-fetched) for the connector to operate correctly. Please see Upgrade section below for details.

  • Docker images will be released in Docker Hub soon after midPoint 4.7.2 release.

  • Overlay project examples will be released soon after midPoint 4.7.2 release.

  • MidPoint Studio version 4.7.2 will be released soon after midPoint 4.7.2 release.

  • Prism data representation library 4.7.2 was released together with midPoint 4.7.2.

  • Midpoint client Java library will be released soon after midPoint 4.7.2 release.

Purpose and Quality

Release 4.7.2 (Johnson Update 2) is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.

All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.

Limitations

Following list provides summary of limitation of this midPoint release.

  • Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

  • MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

  • MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

  • MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

  • MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

  • Production deployments of midPoint 4.7.2 in Microsoft Windows environment are not supported, as midPoint 4.7.2 is a feature release. Production deployments in Windows environments are supported only for LTS releases. For midPoint 4.7.2, Microsoft Windows is supported only for evaluation, demo, development and similar non-production purposes. Please see Supported Platforms for MidPoint Deployment for details.

This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.

Platforms

MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.

Operating System

MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:

  • Linux (x86_64)

We are positive that midPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) scripts, low-level administration and migration tools, backup and recovery support and so on. Please see Supported Platforms for MidPoint Deployment for details.

Production deployments in Windows environments are supported only for LTS releases. As midPoint 4.7.2 is a feature release, Windows environment is not supported for production use.

Java

  • OpenJDK 11 (11.0.16).

  • OpenJDK 17. This is a recommended platform.

OpenJDK 17 is the recommended Java platform to run midPoint.

Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds. As far as we are aware, free updates for Oracle JDK 11 are no longer available. Which means that Oracle JDK 11 is not supported for MidPoint anymore. MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.

Databases

Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.

See Repository Database Support for more details.

Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.

Native Database Support

Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.

This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:

  • PostgreSQL 15, 14, and 13

Generic Database Support (deprecated)

Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:

  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.

  • PostgreSQL 15, 14, 13, 12, and 11

  • Oracle 21c

  • Microsoft SQL Server 2019

Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.

Supported Browsers

  • Firefox

  • Safari

  • Chrome

  • Edge

  • Opera

Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.

Important Bundled Components

Component Version Description

Tomcat

9.0.65

Web container

ConnId

1.5.1.10

ConnId Connector Framework

LDAP connector bundle

3.6.1

LDAP and Active Directory

CSV connector

2.6

Connector for CSV files

DatabaseTable connector

1.5.0.0

Connector for simple database tables

Upgrade

MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.

This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.

Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.7.2.

Upgrade From MidPoint 4.6.x

MidPoint 4.7.2 data model is backwards compatible with previous midPoint version. Please follow our Upgrade guide carefully.

Note that:

  • There are database schema changes (see Database schema upgrade).

  • Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.

  • See also the Actions required information below.

It is strongly recommended migrating to the new native PostgreSQL repository implementation for all deployments that have not migrated yet. However, it is not recommended upgrading the system and migrating the repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.

Upgrade From MidPoint Versions Older Than 4.6

Upgrade from midPoint versions older than 4.6 to midPoint 4.7.2 is not supported directly. Please upgrade to midPoint 4.6.x first.

Deprecation, Feature Removal And Major Incompatible Changes Since 4.6

This section is relevant to the majority of midPoint deployments. It refers to the most significant functionality removals and changes in this version.
  • ConnId result handlers are disabled by default. Result handlers were enabled by default in previous midPoint versions as this was default set by ConnId framework. However, most connectors do not need result handlers, and the result handlers may even be harmful when used with some connector, the default setting was changed in midPoint 4.7.

    Actions required:

    • Explicitly enable ConnId result handlers for the connectors that need them. Vast majority of connectors do not need result handlers, no action is required for such connectors. CSV connector 2.5 and older required result handlers. However, the connector was updated and version 2.6 of CSV connector does not require result handlers. As CSV connector is bundled with midPoint, no special action is required even in this case, except for the usual connector upgrade procedure.

  • New version (3.6.1) of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released and bundled with midPoint 4.7. This version fixes a bug with large integer numbers (MID-4424).

    Actions required:

    • Resource schema of LDAP and AD resources need to be refreshed for the connector to operate correctly. The schema section of the resource definition object should be deleted. Subsequent test operation on the resource will re-fetch the schema, correctly setting data types for large integer attributes.

  • Scripts using objectVariableMode set to prismReference should, by default, be provided with the real value of the reference, however in some cases they were provided PrismReferenceValue instead. This is now fixed and real value of type Referencable is provided.

    Actions required:

    • Review your custom scripts for occurence of <objectVariableMode>prismReference</objectVariableMode>. If found, review the script code if it conforms to the Referencable interface.

    • If PrismReferenceValue value should be provided instead, add to your script element the following sub-element: <valueVariableMode>prismValue</valueVariableMode>

    • If Referencable is fine but for whatever reason PrismReferenceValue is needed as well, it can be easily obtained by def prismRefValue = object?.asReferenceValue() (assuming the input Referencable variable is called object).

Changes In Initial Objects Since 4.6

This section is relevant to the majority of midPoint deployments.

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g., the role Superuser and the user administrator). These objects may change in some midPoint releases. However, midPoint is conservative and avoids overwriting customized configuration objects. Therefore, midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.

The following list contains a description of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions.

Actions required: Please review the changes and apply them appropriately to your configuration. More details are provided along with individual changes below.

  • 000-system-configuration.xml:

    • Minor changes in home page widgets in adminGuiConfiguration/homePage/widget container values related to the fix for MID-8294.

      Action suggested: Apply these changes to your configuration.

    • Added object collection views for:

      • correlation cases (correlation-case-view),

      • application roles (application-role),

      • business roles (business-role),

      • applications (application),

      • event marks (event-mark),

      • object marks (object-mark).

        Action suggested: Copy these new views into your configuration, unless you are sure you don’t need them.

    • Added user details panel applications.

      Action suggested: Add it to your configuration.

    • Resource wizard panel rw-connectorConfiguration-partial was updated for LDAP and AD connectors (bindDn and bindPassword properties were made visible) and for the DB Table connector (host and database properties were made visible).

      Action suggested: Update your configuration accordingly.

  • 015-security-policy.xml: name attribute was replaced with identifier within authentication modules and sequences definition.

    Action suggested: Update your configuration accordingly.

  • 130-report-certification-definitions.xml, 140-report-certification-campaigns.xml, 150-report-certification-cases.xml, 160-report-certification-work-items.xml (previously 160-report-certification-decisions.xml) were fixed. Please see MID-8665 and commit 0d552a71.

    Action suggested: Use these files to replace your existing ones.

  • 310-dashboard-admin.xml was fixed. Please see MID-8362, MID-8084, and commit d774ddea.

    Action suggested: Update your configuration accordingly.

  • A number of initial objects were added: object and event marks, four new object archetypes, two object collections, and six new reports.

    Action suggested: None. These new objects will be imported automatically.

Please review source code history for detailed list of changes.

Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades. On-line version can be found in midPoint source code.

Schema Changes Since 4.6

This section is relevant to the majority of midPoint deployments. It mostly describes what data items were marked as deprecated, or removed altogether from the schema. (Additions are not described here.) You should at least scan through it - or use the ninja tool to check the deprecations for you.
  • name attribute is deprecated for AuthenticationSequenceType, identifier is added to be used instead of name as a unique sequence identifier.

  • name attribute is deprecated for AuthenticationSequenceModuleType, identifier is added to be used instead of name as a unique sequence module identifier.

  • name attribute is deprecated for CredentialsResetPolicyType, identifier is added to be used instead of name as a unique credentials reset identifier.

  • name attribute is deprecated for AbstractAuthenticationModuleType, identifier is added to be used instead of name as a unique authentication module identifier.

  • securityPolicyRef attribute is added to ArchetypeType. For now only structural archetypes can have a reference to a security policy.

  • Several authentication modules were added in order to be used for user identification or user authentication. For now the modules are used within password reset process. Following attributes are added to AuthenticationModulesType type: attributeVerification (used to verify user’s attributes values), focusIdentification (used to identify the user comparing their identifier(s) value), hint (used to give the user a possibility to remember their password). The related to flexible authentication functionality types were also extended to make the new modules work properly. So, CredentialsPolicyType type was extended with attributeVerification elements, each of them services the corresponding module.

  • Necessity of the authentication modules was extended with more values, therefore required, requisite and optional values can be used for AuthenticationSequenceModuleNecessityType type.

  • AuthenticationSequenceModuleType type was extended with acceptEmpty element, so that module can be skipped in case of empty credentials with acceptEmpty=true.

Actions required:

  • Inspect your configuration for deprecated items, and replace them by their suggested equivalents. You can use ninja tool for this.

Behavior Changes Since 4.6

This section describes changes in the behavior that existed before this release. New behavior is not mentioned here. Plain bugfixes (correcting incorrect behavior) are skipped too. Only things that cannot be described as simple "fixing" something are described here.

The changes since 4.5 are of interest probably for "advanced" midPoint deployments only. You should at least scan through them, though.

  • The behavior of synchronization reaction to deleted situation was changed. Now it checks the existence of (other) accounts of given type, and invokes the actions only if there is none. See commit 89e139da.

  • The behavior of "Shadows cleanup" activity was changed. Now it checks for real existence of abandoned shadows, assuming that the resource in question has the read capability. See also MID-8350 and commit 9402fd3b.

  • Safe operations during preview changes

    • Create on demand feature used in assignment target search now doesn’t create objects in internal midpoint repository nor on resources. Operations rather fails if necessary.

    • Sequence numbers aren’t used during preview. Sequence number doesn’t advance, nor is returned to list of returned values.

  • Create on demand is now safe to use in multithreaded tasks.

  • Users that run distributed report exports now need also the #modify authorization for ReportDataType objects instead of simple #add. It is because of the fix in the process of aggregation of these reports. See also commit 60f52da3.

  • User authentication while password reset procedure was improved with new authentication modules. For more information, please see Password Reset Configuration page for details.

  • Selection of resource objects for Live synchronization tasks was implemented (see MID-8537 and commit d929179c). Some configuration that are not 100% correct and rely e.g. on setting kind to account in a live sync task that returns unqualified objects (i.e. objects without kind and intent), would break down. Please check your settings. If your task expects that some objects may not be qualified, do not use kind and intent for specification of synchronized resource objects set.

  • Legalization of projections now creates constructions with specific object kind and intent. As an additional safety check, for unclassified projections (i.e. those with unknown kind or intent), we do not create legalization assignments. See MID-8562 and commit e57142b9.

  • When an assignment target (pointed to by targetRef) cannot be found during assignment deletion, the error is no longer logged. (Only at DEBUG level.) See MID-8366 and commit 75c10795.

  • The handling of authorizations of so-called elaborate items (e.g. task activity and activityState) was fixed. These are no longer ignored during authorization processing. If your authorizations relied on the original (faulty) behavior, please adapt them. See MID-8635 and commit 131cb46d.

Java and REST API Changes Since 4.6

As for the Java API, this section describes changes in midpoint and basic function libraries. (MidPoint does not have explicitly defined Java API, yet. But these two objects are something that can be unofficially considered to be the API of midPoint, usable e.g. from scripts.)
  • There were only minor API changes in this release

Internal Changes Since 4.6

These changes should not influence people that use midPoint "as is". They should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
  • Some now-obsolete methods in OperationResult were removed (see commit c90e5ee1).

  • Code in the provisioning-impl module was streamlined, so check any potential dependencies on it.

  • So-called proposed shadows are no longer marked using lifecycleState property. See MID-4833, commit b7d9c550, and the docs.

Known Issues and Limitations

As all real-world software midPoint 4.7.2 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 4.7.2 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 4.7.2 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

Credits

Majority of the work on the Johnson release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.

Disclaimer

Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.

Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.

We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.

Was this page helpful?
YES NO
Thanks for your feedback