MidPoint 4.8 "Curie" - Update 3

Release 4.8.3 is the fifty-seventh midPoint release, code-named Curie. The 4.8.3 release brings security, stability and miscellaneous bugfixes.

Release date 10 May 2024
Release type Maintenance release (LTS)
End of support 17 October 2028

Marie Salomea Skłodowska–Curie (1867-1934) was a Polish-French physicist and chemist who conducted pioneering research on radioactivity. She invented a technique for isolating radioactive isotopes, leading to the discovery of two new elements: polonium and radium. She was the first woman to win a Nobel Prize, the first person to win a Nobel Prize twice, and the only person to win a Nobel Prize in two scientific fields.

Discoveries of Marie Curie echoed through several fields of science and technology. In a similar way, midPoint 4.8 brings improvements in numerous areas. Similarly to the techniques developed by Marie Curie, midPoint 4.8 introduces mechanisms to isolate roles from permission data. Upgrade, security and stability improvements support long-term sustainability. Overall, midPoint 4.8 is a culmination of work spread through several previous releases, bringing substantial value to the users for many years to come.

Changes with Respect To Version 4.8.2

  • Tomcat container work directory size growing issue fixed. See MID-9430.

  • GUI header layout improvements. See MID-9579.

  • Missing localization keys fixed in GUI. See MID-9589, MID-9610

  • Request access wizard

  • New implementation and look of date time picker.

  • Fixed issue with Asynchronous Messaging Connector not working. See MID-9512.

  • Fixed issue with reporting of errors during search objects in table by axiom query. See MID-9499 and MID-9400.

  • Fixed icon of case outcome in column of table. See MID-9533.

  • Fixed associationTargetSearch evaluator for associations with multiple intents. See MID-9561 and MID-9565.

  • Fixed associationFromLink evaluator for dead shadows. See MID-9468 and MID-9487.

  • Fixed handling of related object types that differ in associations. See MID-9591 and this commit.

  • Fixed editing of configuration properties with const feature (via XML). See MID-7918.

  • Added basic.setExtensionPropertyValues method. See MID-9554.

  • Fixed and improved search behaviour for request access role catalog (role tree). Now scope and object type can be used to search. See MID-9598.

  • Fixed closing approval case with 'skip' outcome for last stage. See MID-9533.

  • Fixed showing of hiding errors for query in search. See MID-9499 and MID-9400.

  • Removing dependency on raw authorization for visualisation of delta for reference item. See MID-9631.

  • Adding info about activation on delegation panel. See MID-9644.

  • Adding check option for removing resource data on confirm popup of shadow removing. See MID-9661.

  • Hide full text search if it isn’t allowed. See MID-9457.

  • Display all shadows in the table for projections when value for 'dead' search item is 'undefined'. See MID-9659

  • Resolving the issue with creating a new member object with options predefined by archetype on the members panel.

  • Resolving several issues for Self Credentials page. Now password propagation to resource takes into account the script, defined in resource for credentials, in case of the appropriate configuration.

  • Notification sending strategy was added to the general notifier configuration. It is possible to configure now if the notification message should be generated once and sent to all recipients in the same form or if the message should be generated for each recipient separately. More details can be found in the Basic structure of the notification definition.

  • Fixed edit of resource not working when using Query Language in particular filters. See MID-9532.

  • Fixed error when displaying particular deltas in history view and audit. See MID-9547.

  • Fixed error in Groovy scripts when role.requestable caused compilation error. See MID-9658.

  • Fixed incorrect conversion of XML PolyString filters in Query Playground to Query Language. See MID-9413.

  • Fixed search on Resource Object page - query language now supports attributes, basic search box is updated after switching Object Class. See MID-9593, MID-9548.

  • Fixed incorrect execution of Ref Filter with Target eg. assignment/targetRef matches (relation = manager and @ ( …​ )) in generic repository. See MID-9592.

  • Fixed Reindex tasks breaking Simulation Results. See MID-9435.

  • Changes in initial objects:

    • 250-object-collection-resource.xml: All resources object collection was updated with a filter to exclude resource templates.

    • 251-object-collection-resource-up.xml: Resources up object collection was updated with a filter to exclude resource templates.

To see full list of fixes see Evolveum Issue Tracker

Changes With Respect To Version 4.8.1

  • Fixed the issue with authorizations being checked too late during the operation processing. In specific situations the user-supplied code could be executed before the authorization checks took place. See MID-9459.

  • Added missing authorizations checks for some less frequently used operations. See behavior changes since 4.8.1 and MID-9460.

  • Introduced fine-grained authorizations that grant access at the level of a single REST operation. See Service Authorizations.

  • Fixed necessity of "namingAttr" attribute for LDAP authentication module.

  • Upgraded version of ConnId to

  • Bugfixes in request access wizard. Starting with this version wizard honours global boolean flag systemConfiguration/roleManagement/defaultExecuteAfterAllApprovals to decide when to execute changes. Also, handling icons in tables/tiles was improved.

  • Fixed displaying of the configured label and help for object type search item.

  • Fix for hidden details panel accessible by URL. See MID-9492.

  • Showing of a 404 error page instead of a 500 error page when the focus object could not be found on the details page.

To see full list of fixes see Evolveum Issue Tracker

Changes With Respect To Version 4.8

  • Updated default Security Policy to be stricter and compatible out of the box with default Active Directory policy

  • Administrator initial password is configurable / generated. See Administrator Initial Password for details.

  • The indication of official vs. unofficial build was added to the About page. See MidPoint JAR Signature Status for details.

  • We have added a new algorithm to detect which users are in the production-like environment. It would have the following impact, depending on your subscription status.

    • active subscribers: none

    • subscribers who are in the renewal period: none during the grace period of 90 days

    • non-subscribers: disabled cluster communication; if a non-H2 generic repository is used, the GUI would be disabled and the only option would be to set a subscription ID

Please contact our official partners or sales@evolveum.com to inquire about your subscription options.

  • Role Mining Analysis Optimization:

    • Improved efficiency and stability in Role Mining analysis.

    • Added progress status tracer for enhanced visibility.

    • Improved work with Role Mining analysis results.

  • Various fixes and improvements in Self Registration feature - UI fixes of confirmation screens, escaping of special characters in nonces, approval support for activating registered users, security fixes.

  • Bugfixes in Request Access functionality - fixes in search, add all functionality, teammate display, collection filters

  • Various fixes in Self Service - Credentials

    • Removed trimming of whitespaces in passwords.

    • Fixed incorrect forced password change on all resources.

    • Adding new configuration attribute passwordHintConfigurability, which affects password hint configurability, can be found on the Credentials Page.

  • Docker Image updated to JDK 21

  • Fixed various authorization issues, fixed authorization for users certification work items.

  • Improvements and fixes in Resource Wizard - fixes in credential mapping wizard, object type issues when changing lifecycle state, editing outbound mappings, fixed correlation items configuration page.

  • Fixes in documentation for workflow authorization

  • Fixes in provisioning and resources - fixed delayed delete configuration sometimes not setting trigger, global timeout setting of the AD/LDAP connector.

  • Various fixes in correlation functionality

  • Various fixes in search functionality

    • Fixed search by properties of referenced objects not working on some objects in generic repository

    • Fixed date filter user interface to allow entering a date range

  • Fixed upgrade plan for Generic repository from 4.4.x to 4.8

  • Fixes & Improvements in user experience and GUI

    • small fixes of errors in GUI behaviour

    • Fixed inconsistent localization and its selection

    • Improved messages and error reporting in self registration feature, search functionality, correlation functionality

  • Also, please have a look at changes mentioned in Changes With Respect To Version 4.8.x.

To see full list of fixes see Evolveum Issue Tracker

Changes With Respect To Version 4.7

New Features and Major Improvements

  • Role Mining. Introduction of role mining functionality. A tool to simplify access management that uses artificial intelligence (AI) algorithms and analytical techniques to sift through the complex network of user and access mappings and group them into cohesive business roles based on access patterns.

  • Anonymous Data Export. Introduction of anonymous role mining data export. This feature allows users to export relationships between roles, users, and organizations while ensuring the privacy and security of exported data. The following options are available for exporting anonymized role mining data:

  • Identity Recovery feature brings a possibility to recover forgotten user’s data.

  • Auditing of resource-related operations. Shadow changes are now being audited with the new auditing stage RESOURCE.

  • Ninja tool was greatly improved. It now facilitates midPoint upgrade process significantly.

  • Predefined activation mappings. Built-in support for configuring advanced activation mappings, such as disable instead of delete, delayed delete and pre-provision was added.

  • DUO 2FA authentication. New authentication module for DUO was implemented.

  • GUI was significantly improved in various areas. Details are described below.

  • Also, please have a look at changes mentioned in Changes With Respect To Version 4.8 and Changes With Respect To Version 4.8.x.

Other Improvements

Data Model

The support in the generic repository is limited, as this repository is deprecated now: the personalNumber is not searchable there.
  • Shadow creation and modification timestamps are now being consistently added for all shadows at all times. This may change the behavior related to dead shadows retention, as described here.

  • Audit records are now searchable by the following automatically determined delta properties: delta/objectOid, delta/objectName, delta/resourceRef, delta/shadowKind, delta/shadowIntent. This applies to native repository only.

  • Tasks are searchable by the characteristics of affected objects: archetype, resource, object class, kind, intent, execution mode, and predefined configuration used. For relevant task types, these values are automatically maintained in affectedObjects item. This item can then be used to search for tasks in the native repository.


  • The Resource wizard was improved:

    • Configuration of activation mappings (such as delayed delete, pre-create or disable instead of delete) using resource wizard was simplified.

    • Configuration of password mappings using resource wizard was simplified.

    • Two-steps wizard for attribute mappings configuration was introduced. For now, attributes shown in the first and the second step are hardcoded and can only be hidden by the configuration.

      • Main configuration contains attributes name, source, target, ref (resource attribute), strength, expression and condition.

      • Optional configuration contains attributes description, exclusive, authoritative, channel and except channel.

    • Identifiers arw-construction-mapping, rw-attribute-inbound and rw-attribute-outbound of old wizard panels are ignored, so they can be removed from the configuration.

  • The GUI for resource details was reworked. It is now much simpler and easier to use.

  • Query playground was reworked. Now it expects the midPoint (Axiom) query language. Also, possibility to convert filter defined in XML to the one in midPoint (Axiom) query language was added.

  • There are smaller improvements in Request Access feature usability (e.g., MID-8907, MID-8317).

  • It is now possible to use a collection view for the All Accesses panel (MID-8880).

  • Multi-tab use of midPoint was improved (MID-6342), although the solution is still not complete.

  • Resource templates can now be configured through the object collection view in the Admin GUI configuration.

    • Archetype Resource template object can be associated with resource (ResourceType) objects that either represent or serve as templates, facilitating the customization of guide views for template objects.

    • Object Collection All resource templates for the purpose of displaying all resource templates within the system.

Security and Performance

  • The performance of security-related post-processing of objects retrieved was improved.

  • Faster and more flexible privilege elevation feature is now available, including more precise auditing.

  • The expression profiles feature was improved in 4.8. In particular, trusted bulk actions can now be run by unprivileged users. Assigning expression profiles to arbitrary expressions is a limited, experimental feature. See Expression Profiles Coverage.

  • Selected items smaller than an object (e.g. case work items, certification cases, certification cases work items, operation execution records, partially also assignments and simulation-related processed objects records) can be authorized regarding getting, searching, and completion (for work items). This improves flexibility when defining authorizations for them. See also Type and Parent Clauses. Various legacy authorizations like #readOwnCertificationDecisions are now deprecated, as they can be written in the new, flexible, style.

  • The new fine-grained bulk-3# authorizations were introduced, replacing now-deprecated #executeScript one.

  • New model-3#use authorization was created. Currently, it covers submitting tasks from templates. Later, its use will be extended to other scenarios. See also Behavior Changes Since 4.7.

  • OIDC authentication module was improved. See the documentation for more configuration details.

  • The owasp-dependency check scanning was added to Jenkins.


MidPoint Studio

  • The midPoint query language is now much better supported in the Studio, regarding syntax highlighting, code completion, and error reporting. This support will be further improved in the future.

Deployment Methodology


  • Support for loading connectors from connid-connectors directory was added. The use of original icf-connectors directory is deprecated.

  • Groovy scripting language was updated to version 4.0. See Groovy 4.0 Release Notes for more details.

    • If using ScriptedSQL connector, it needs to be updated to latest version (2.3), which uses Groovy 4.

    • Other third-party Groovy-based connectors need to be updated to a version that uses Groovy 4.

  • Selected third-party dependencies underwent major updates - to Spring Framework 6, Hibernate 6, and Wicket 10. Note that this resulted in migration from Java EE javax package names to jakarta package names.

  • Documentation improvements: for example, a list of searchable items.

Releases Of Other Components

  • New version ( of DatabaseTable Connector was released and bundled with midPoint. The connector suggests all column names for configuration properties related to the name of a column.

  • New version (2.7) of CSV Connector was released and bundled with midPoint. The connector suggests all column names for configuration properties related to the name of a column.

  • New version (3.7) of LDAP connector bundle (including LDAP Connector and Active Directory Connector) was released and bundled with midPoint.

    • This version improves processing of fetching existing entry when updating it in AD connector. (MID-8929).

    • Adding configuration option for suppression of user parameter exceptions and log only a warning message.

  • Docker images will be released in Docker Hub soon after midPoint 4.8.3 release.

  • Overlay project examples will be released soon after midPoint 4.8.3 release.

  • MidPoint Studio version 4.8.3 will be released soon after midPoint 4.8.3 release.

  • Prism data representation library 4.8.3 was released together with midPoint 4.8.3.

  • Midpoint client Java library will be released soon after midPoint 4.8.3 release.

Changes With Respect To Version 4.4 LTS

  • Simulations. They cover various mechanisms of "what-if" analysis in midPoint. Now we can see expected effects of actions without the risk of damaging the system state. We can separate production-ready parts of the configuration from those being developed, and choose what configuration should be engaged during specific simulation. We can define binary "event marks" tagging individual objects being processed during simulation, as well as quantitative metrics for these objects and their changes. All these metrics can be aggregated, analyzed, and reported on, along with details of individual changes.

  • Object Marks and Object Operation Policies. Added new mechanism for lightweight administrative / policy marking of objects (for now only shadows are supported).

  • Significantly improved IGA reporting, such as report answering the question Who has access to what and why.

  • The whole look-and-feel was greatly improved along with upgrading AdminLTE from 2.4 to 3.2, Bootstrap from 3.4 to 4.6, Font-Awesome from 5.15 to 6.1.

  • New request access wizard was implemented with the emphasis of better UX. Also, more configuration options were added.

  • Smart correlation. MidPoint now supports very flexible correlation of resource objects (accounts, groups, and so on) to respective focus objects (users, roles, orgs, …​). Multiple weighted correlation rules can be used. Matching based on fuzzy logic (Levenshtein distance, trigram similarity) is supported. As experimental features, custom normalization and matching data from multiple sources are available.

  • Resource templates. No more copying-and-pasting of resource configuration fragments! MidPoint now supports the inheritance between resources and resource object types. This means the administrator can define features common to multiple resources, and put them in the "super-resource" (or resource template) definition. The same is true at the level of resource object types.

  • Generic Repository with PostgreSQL is not supported, if you are using PostgreSQL with generic repository, please migrate to PostgreSQL native repository.

  • Full support for midPoint query language. Since 4.8 it is possible to use expressions in filters when using midPoint (Axiom) query language. In addition to this, new helper functions were added to simplify usage of filters in script expressions. Those helper functions might be considered as public API for writing filters in scripts.

  • Native fail-over support in LDAP connector

  • Many GUI and UX improvements focusing on easier first steps with midPoint.

  • Java 11 platform is no longer supported. Please use Java 17 or Java 21.

  • PostgreSQL 13 is no longer supported. Please upgrade to PostgreSQL 14 or 15 before upgrading to midPoint 4.8.

For more detailed list of changes please consult release notes of:

Purpose and Quality

Release 4.8.3 LTS (Curie Update 3) is intended for full production use. It belongs to a long-term support (LTS) family, supported for a prolonged time period. Therefore it is intended for users that prefer long-term stability over new features.

All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.


The following list provides a summary of the limitations of this midPoint release.

  • Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

  • MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that are 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend explicitly negotiating support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

  • MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

  • MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

  • MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.


MidPoint is known to work well in the following deployment environment. The following list is a list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.

Operating System

MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:

  • Linux (x86_64)

  • Windows Server (2022)

We are positive that midPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) scripts, low-level administration and migration tools, backup and recovery support and so on. Please see for details.

Note that production deployments in Windows environments are supported only for LTS releases.


The following Java platform versions are supported:

  • Java 21. This is a recommended platform.

  • Java 17.

OpenJDK 21 is the recommended Java platform to run midPoint.

Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds.

MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platforms that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.


Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.

See Repository Database Support for more details.

Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.

Native Database Support

Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.

This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:

  • PostgreSQL 16, 15, 14

PostgreSQL 16 is recommended.

Generic Database Support (deprecated)

Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:

  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database is not supported.

  • Oracle 21c

  • Microsoft SQL Server 2019

Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.

Supported Browsers

  • Firefox

  • Safari

  • Chrome

  • Edge

  • Opera

Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. In our experience, most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you choose to use extensions or customize the browser in any non-standard way, you are doing that at your own risk. We reserve the right not to support customized web browsers.

Important Bundled Components

Table 1. Important bundled components
Component Version Description



Web container


ConnId Connector Framework

LDAP connector bundle


LDAP and Active Directory

CSV connector


Connector for CSV files

DatabaseTable connector

Connector for simple database tables


MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.

This section provides an overview of the changes and upgrade procedures. Although we try our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section is for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.

Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.8.3.

Upgrade From MidPoint 4.8.x

Please check if there is a need to add authorizations to specific users due to behavior changes since 4.8.1.

Upgrade From MidPoint 4.7.x

MidPoint 4.8.3 data model is backwards compatible with previous midPoint version. Please follow our Upgrade guide carefully.

Be sure to be on the latest maintenance version for 4.7, at least version 4.7.2, otherwise you will not be warned about all the necessary schema changes and other possible incompatibilities.

Note that:

  • There are database schema changes (see Database schema upgrade).

  • Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.

  • See also the Actions required information below.

It is strongly recommended migrating to the new native PostgreSQL repository implementation for all deployments that have not migrated yet. However, it is not recommended upgrading the system and migrating the repositories in one step. It is recommended doing it in two separate steps. Please see Migration to Native PostgreSQL Repository for the details.

Upgrade From MidPoint 4.4.x LTS

Both midPoint 4.4 and midPoint 4.8 are long-term support (LTS) releases. Therefore, there is a direct upgrade path from midPoint 4.4 to midPoint 4.8. Please follow our upgrade guide carefully.

Be sure to be on the latest maintenance version for 4.4 LTS, at least version 4.4.6, otherwise you will not be warned about all the necessary schema changes and other possible incompatibilities.

An upgrade of midPoint 4.4 to midPoint 4.8 is effectively an upgrade across four midPoint versions in one step. Although the upgrade scripts and instructions will do the "technical" part of the upgrade, updating the database schema and the software in a single step, there still may be functionality changes in all the intermediary midPoint releases. Therefore, reading the release notes for all the intermediary releases (4.5, 4.6, 4.7 and 4.8) and adjusting your configuration as necessary is strongly recommended.

The most important changes are summarized in the Changes With Respect to Version 4.4 section.

Upgrade From Other MidPoint Versions

Upgrade from midPoint versions other than 4.4.x or 4.7.x to midPoint 4.8.3 is not supported directly. Please upgrade to one of these versions (at least 4.4.6 or 4.7.2) first.

Deprecation, Feature Removal And Major Incompatible Changes Since 4.7

This section is relevant to the majority of midPoint deployments. It refers to the most significant functionality removals and changes in this version.
  • The mailNonce and securityQuestionsForm authentication modules were reworked. Since 4.8, authentication sequences that define only the mailNonce module or only the securityQuestionsForm module for the password reset flow are not supported. These modules have to be used together with the focusIdentification module, so that by the time the mailNonce or securityQuestionsForm module is executed, midPoint already has information about the user who is trying to perform the action (password reset, login, or anything else using a flexible authentication sequence, except the registration/invitation flows). These modules cannot be first in the sequence and cannot be alone. Support for automatically removing the nonce after successful authentication was also added.

  • Another change concerns the reset password functionality. Since 4.8, the user should be granted the http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#resetPassword authorization to be able to use the Reset password feature.

  • The support for XML filters was removed from the GUI. Since 4.8 we recommend using the midPoint (axiom) query language instead. The query converter was improved so that it can convert XML filters to the midPoint query language.

  • Ninja command line options were consolidated, some options were renamed. More info here and in MID-7483.
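
The mailNonce/securityQuestionsForm rule from the first item above, as an added example that is not part of midPoint or of these release notes: a check of an exported security policy that flags sequences where one of these modules is alone, first, or not preceded by focusIdentification. The sample policy, its identifiers, and the two exempt channel fragments are constructed assumptions.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
CH = "http://midpoint.evolveum.com/xml/ns/public/common/channels-3#"
GUARDED = {"mailNonce", "securityQuestionsForm"}
# Assumption: channel URI fragments of the exempt registration/invitation flows.
EXEMPT = {"selfRegistration", "invitation"}

# Constructed sample policy; all identifiers are hypothetical.
SAMPLE = f"""
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 <authentication>
  <modules>
   <focusIdentification><identifier>whoAreYou</identifier></focusIdentification>
   <mailNonce><identifier>mailLink</identifier></mailNonce>
   <securityQuestionsForm><identifier>questions</identifier></securityQuestionsForm>
  </modules>
  <sequence>
   <identifier>reset-ok</identifier>
   <channel><channelId>{CH}resetPassword</channelId></channel>
   <module><identifier>whoAreYou</identifier><order>10</order></module>
   <module><identifier>mailLink</identifier><order>20</order></module>
  </sequence>
  <sequence>
   <identifier>reset-legacy</identifier>
   <channel><channelId>{CH}resetPassword</channelId></channel>
   <module><identifier>mailLink</identifier><order>10</order></module>
  </sequence>
  <sequence>
   <identifier>reset-misordered</identifier>
   <channel><channelId>{CH}resetPassword</channelId></channel>
   <module><identifier>questions</identifier><order>10</order></module>
   <module><identifier>whoAreYou</identifier><order>20</order></module>
  </sequence>
  <sequence>
   <identifier>registration</identifier>
   <channel><channelId>{CH}selfRegistration</channelId></channel>
   <module><identifier>mailLink</identifier><order>10</order></module>
  </sequence>
 </authentication>
</securityPolicy>
"""


def check_sequences(xml_text):
    """Return {sequence identifier: [problems]} for every non-exempt sequence."""
    auth = ET.fromstring(xml_text).find(".//" + C + "authentication")
    if auth is None:
        raise ValueError("no <authentication> element found")
    # Module identifier -> module type (the element name under <modules>).
    types = {m.findtext(C + "identifier"): m.tag.rsplit("}", 1)[-1]
             for m in auth.find(C + "modules")}
    findings = {}
    for seq in auth.findall(C + "sequence"):
        channel = seq.findtext(C + "channel/" + C + "channelId") or ""
        if channel.rsplit("#", 1)[-1] in EXEMPT:
            continue
        refs = sorted(seq.findall(C + "module"),
                      key=lambda m: int(m.findtext(C + "order") or 0))
        chain = [types.get(r.findtext(C + "identifier"), "unknown") for r in refs]
        problems = []
        for pos, kind in enumerate(chain):
            if kind not in GUARDED:
                continue
            if len(chain) == 1:
                problems.append(f"{kind} is the only module")
            elif pos == 0:
                problems.append(f"{kind} is first in the sequence")
            if "focusIdentification" not in chain[:pos]:
                problems.append(f"{kind} has no focusIdentification before it")
        findings[seq.findtext(C + "identifier")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in check_sequences(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```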

Changes In Initial Objects Since 4.7

This section is relevant to the majority of midPoint deployments.

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g., the role Superuser and the user administrator). These objects may change in some midPoint releases. However, midPoint is conservative and avoids overwriting customized configuration objects. Therefore, midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.

The following list contains a description of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions.

Actions required: Please review the changes and apply them appropriately to your configuration. Ninja can help with updating existing initial objects during the upgrade procedure using the initial-objects command. For more information see here.

  • References to removed category, handlerUri, and reportOutputOid properties of tasks were deleted: from task archetypes and from GUI configurations. See 1fe4b6, b5a331, and 6887e9.

  • 230-lookup-lifecycle-state.xml: The suspended lifecycle state was added.

  • Container IDs and configuration items identifiers were added to multiple objects, see 6887e9 and 092db5 (the last commit also adds missing handlerUri mapping to 520-archetype-task-certification.xml).

  • 270-object-collection-audit.xml was adapted to internal API change in 400d78.

Please review the source code history for a detailed list of changes.

Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades. On-line version can be found in midPoint source code.

Schema Changes Since 4.7

This section is relevant to the majority of midPoint deployments. It describes what data items were marked as deprecated, or removed altogether from the schema. You should at least scan through it - or use the ninja tool to check the deprecations for you.
Table 2. Items being deprecated
Type Item or value Note



Use personalNumber instead.



The "archival" state is to be managed through the object lifecycle state instead. Since 4.8, this value will not be put into "effectiveStatus" property anymore.



Use value draft for lifecycleState property instead to disable the mapping.

ExpressionType, ScriptExecutionPolicyActionType


Use privileges/runAsRef instead.

LegacyCorrelationDefinitionType, CorrelationCasesDefinitionType

(the whole type)

Use the new correlation definition in schemaHandling container.


searchFilterTemplate, userDisplayName, autocompleteMinChars

Use autocompleteConfiguration instead.



Use rolesOfTeammate instead.


realm, issuerUri, jwkSetUri, nameOfUsernameClaim, singleSymmetricKey, trustedAlgorithm, trustingAsymmetricCertificate, keyStoreTrustingAsymmetricKey

Old configuration for resource oidc was moved to jwt.


name, displayName

Use UserInterfaceFeatureType.identifier and UserInterfaceFeatureType.display.label instead.



Use beforeItemCondition instead. (Experimental functionality.)

task extension


Use controlFlow/errorHandling with the reaction of ignore instead.



Experimental feature.

Table 3. Removed items
Type Item or value








roleCatalogRef, roleCatalogCollections, defaultCollection








objectForms, userDashboard


forms, container




defaultScope, defaultObjectType






(the whole type)


accountPasswordPolicy, accountPasswordPolicyRef




category, recurrence, modelOperationContext, policyRule, errorHandlingStrategy



Actions required:

  • Inspect your configuration for deprecated items, and replace them with their suggested equivalents. Make sure you don’t use any removed items. You can use the ninja tool for this.

Behavior Changes Since 4.8.1

  • The following authorizations were added into the http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3 namespace:

    • test: test resource,

    • importFromResource: importing a single shadow or the whole object class,

    • recompute: recomputing a user or other object (with limited support for now),

    • notifyChange.

    If there are users that need to execute these operations, make sure they get the appropriate authorization.

  • Invocation of "empty" modification operations, i.e. operations that make no change to the midPoint state, now requires at least minimal authorizations. One of add, modify, delete, recompute, assign, unassign, delegate, changeCredentials (all in the http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3 namespace) suffices to start such an "empty" modification operation.

    The rationale behind this change is that execution of even a seemingly "empty" operation is a complex process. In order to minimize the possibility of interfering with it, we restricted the set of users that are able to start such an operation. This change should not affect standard midPoint users, as usually they should have at least one of these authorizations to carry out any meaningful work in midPoint.
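
An added example (not part of midPoint or of these release notes): a static audit of exported role XML that reports which roles directly grant the four new model-3 actions and which hold at least one action that permits an "empty" modification. The role names and sample XML are constructed, the #all action URI is an assumption based on the built-in Superuser role, and authorizations inherited through inducements are not followed.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
# Assumption: the "all actions" URI, as used by the built-in Superuser role.
ALL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all"

# Operations that now need their own authorization.
NEW_ACTIONS = ("test", "importFromResource", "recompute", "notifyChange")
# Holding any one of these is enough to start an "empty" modification.
MINIMAL = ("add", "modify", "delete", "recompute", "assign", "unassign",
           "delegate", "changeCredentials")

# Constructed sample export; the role names are hypothetical.
SAMPLE = f"""
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <role>
    <name>Resource Operator</name>
    <authorization>
      <action>{MODEL}read</action>
      <action>{MODEL}test</action>
      <action>{MODEL}importFromResource</action>
    </authorization>
  </role>
  <role>
    <name>Auditor</name>
    <authorization>
      <action>{MODEL}read</action>
      <action>{MODEL}modify</action>
    </authorization>
    <authorization>
      <decision>deny</decision>
      <action>{MODEL}modify</action>
    </authorization>
  </role>
  <role>
    <name>Help Desk</name>
    <authorization>
      <action>{MODEL}read</action>
      <action>{MODEL}recompute</action>
    </authorization>
  </role>
</objects>
"""


def effective_actions(role):
    """Actions a role grants directly: allowed ones minus any that are denied.

    Scoping clauses (object, item) are ignored, so a scoped deny counts as a
    blanket deny; the result errs on the side of reporting a gap.
    """
    allowed, denied = set(), set()
    for autz in role.findall(C + "authorization"):
        deny = (autz.findtext(C + "decision") or "allow").strip() == "deny"
        for action in autz.findall(C + "action"):
            (denied if deny else allowed).add((action.text or "").strip())
    return allowed - denied


def audit_roles(xml_text):
    """Map role name -> new actions granted and ability to start empty modifications."""
    report = {}
    for role in ET.fromstring(xml_text).iter(C + "role"):
        actions = effective_actions(role)
        everything = ALL in actions
        report[role.findtext(C + "name")] = {
            "new_actions": [n for n in NEW_ACTIONS
                            if everything or MODEL + n in actions],
            "can_start_empty_modification":
                everything or any(MODEL + m in actions for m in MINIMAL),
        }
    return report


if __name__ == "__main__":
    for name, row in audit_roles(SAMPLE).items():
        print(name, row)
```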

Behavior Changes Since 4.8

  • The behavior of disableTimestamp and disableReason in the shadow activation container was changed. Before 4.8.1, these properties were updated only if there was an actual change in the administrative status from something to DISABLED. Since 4.8.1, both of these properties are updated even if the administrative status is already DISABLED: the disableReason is determined anew, and the disableTimestamp is updated if the status and/or the reason are modified. See MID-9220 and commit c2dbfa.

Behavior Changes Since 4.7

This section describes changes in the behavior that existed before this release. New behavior is not mentioned here. Plain bugfixes (correcting incorrect behavior) are skipped too. Only things that cannot be described as simple "fixing" something are described here.

The changes since 4.7 are of interest probably for "advanced" midPoint deployments only. You should at least scan through them, though.

  • Mappings created by resource and role wizards are now by default strong (MID-8756).

  • The resolution of a function library object in a <function> expression is now handled by a lower-level component (FunctionLibraryManager) without checking for authorizations. If needed, the access to the functionality provided by these libraries can be restricted by expression profiles. (Note that the calls to functions from within scripts ignored authorizations from the beginning.) See commit c9b1ce.

  • Using a task template (e.g., to implement custom GUI actions) no longer requires #read authorization for the task template object. Instead, a new model-3#use authorization was created to cover this use case. See also MidPoint Authorization Configuration and commit 58096e.

  • The new bulk-3# authorizations replace the #executeScript authorization, which is now deprecated and has long been confusing. See also commits 291313 and 3c50c9.

  • Some authorizations were deprecated and removed, please see here.

  • The assignee authorization clause now covers all assignees, not only assignees of open work items (commit c97e31dc).

  • The simulation results are created for simulation (preview) activities by default (commit da2312).

  • The archived activation status value is no longer propagated to effectiveStatus and onto resources. The default "magic" computed status in projection administrative status outbound mapping no longer contains this value. See MID-9026 and commit 0a384b.

  • Before 4.8, when assignments were inactivated because of focus lifecycle state change (e.g. active → archived), related projections were not removed under the default enforcement policy. This is now changed - when the focus lifecycle state causes the inactivation of assignments, related projections are removed.

    Also, archetype assignments were "always enabled". This behavior changed: only the part of the assignments that sets the archetype is permanently enabled. Other functionalities, like induced mappings, authorizations, constructions, providing values to roleMembershipRef now behave for archetypes in the same way as for roles, i.e., they are inactive for inactive archetype assignments.

    See MID-9061 and commit a97e08.

  • When report tasks are started from the GUI, they are created through full clockwork processing. This means that e.g. focus mappings defined in the "Report task" archetype are applied. Also, the default names for these tasks were changed. See MID-8364 and commit 576675.

  • Incomplete accounts are now marked by purpose = incomplete, instead of lifecycle = proposed. Deployments using the account activation feature should activate all pending shadows before doing the upgrade, or migrate the data manually by setting the purpose property for those pending shadows appropriately. If custom lifecycle state mappings are used, they need to be adapted. Please see commit b2d334.

  • Shadow metadata/createTimestamp and metadata/modifyTimestamp are now added for all shadow objects at all times. This changes the behaviour for resources that have a non-zero deadShadowRetentionPeriod defined in consistency. Previously, shadows without such timestamps were removed right away if there were no pending operations, since midPoint couldn’t compute the last activity timestamp.

Java and REST API Changes Since 4.7

As for the Java API, this section describes changes in midpoint and basic function libraries. (MidPoint does not have explicitly defined Java API, yet. But these two objects are something that can be unofficially considered to be the API of midPoint, usable e.g. from scripts.)
  • Some javax namespaces were migrated to jakarta namespaces, due to the upgrade of Spring and Groovy 4. This may affect your scripts / overlays if you were using them. The most notable is javax.xml.bind, which was migrated to jakarta.xml.bind.

    • Most notable rename for Groovy scripts is javax.xml.bind.JAXBElement to jakarta.xml.bind.JAXBElement.

  • Groovy was updated to version 4, which changed some of the exposed Java package names. See Groovy 4.0 Release Notes for more details.

  • The following methods were not checking authorizations of the currently logged-in user, and were fixed to do so: midpoint.countAccounts, midpoint.getObjectsInConflictOnPropertyValue, midpoint.isUniquePropertyValue. See MID-6241 and commit 1471bb.

Internal Changes Since 4.7

These changes should not influence people that use midPoint "as is". They should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.
  • The post-processing of retrieved objects in the IDM Model subsystem (sometimes called "apply schemas and security") was simplified.

  • Internal SearchBasedActivityRunSpecifics interface was changed. This may affect those deployments that provide their own activity handlers. See 12f6f66d.

Notes for Upgraders

Update from midPoint 4.4 LTS to midPoint 4.8 LTS is not only about upgrading the software and data. It is also about upgrading the deployment mindset. Many things that needed to be done as workaround during midPoint deployment are now integral parts of midPoint. You should consider them when deploying new projects with midPoint.

Simulations Instead of Custom Data Comparison Tools

Customers and partners deploying midPoint in the past have struggled with the data in the existing target systems being integrated with midPoint. As midPoint’s policy attempts to set things right, especially with the usage of strong mappings and non-tolerant attribute configurations, there was always a chance of overwriting data in target systems that had not previously been set according to the policies that midPoint applies to data. To avoid this, customers and partners created their own methodology, using copies of target systems to which midPoint would provision, and then comparing the copy with the real target system data. This works (it has to, as there were previously no alternatives), but it takes time to prepare the environment and the comparison tools.

One of the biggest challenges when preparing midPoint 4.8 was this: prepare midPoint in a way that such tools will not be necessary. This required not just midPoint development, but also creation of the new deployment methodology which we named Methodology: First Steps With MidPoint. Using the new midPoint features such as Simulations and Object Marks, you can now deploy midPoint safely even if the target system data quality is low. midPoint allows you to see "what would happen if you turn this configuration on" and avoid any unexpected data modification or even deletion.

Custom data comparison tools should no longer be needed.

You should familiarize yourselves with the concept of simulations to simplify the integration of your new resources from now on.

Resource Wizard

In previous versions of midPoint, administrators needed to define the resource configuration in midPoint XML language. Even though there were numerous samples for many resources, creating the first resources was definitely not an easy process.

Starting with midPoint 4.8, the Resource wizard is here to help. It allows creation and subsequent editing of midPoint resource configuration using only the GUI and no XML language. This is especially helpful when you are starting with midPoint or just want to try whether midPoint would fit in your environment.

You should familiarize yourselves with the resource wizard and try its features in order to simplify your resource creation and configuration.

The XML language can still be used for midPoint configuration. The Resource wizard should not remove any configuration which is not supported in the wizard yet.

Object Marks

In previous versions of midPoint, it was possible to define Protected accounts that midPoint should never update or delete and that should be ignored during synchronization. The definition of protected accounts was in the resource, which required knowledge of midPoint XML language and proper midPoint authorizations for anyone who would like to add new protected account definitions.

This changes with midPoint 4.8. The protected accounts can now be defined in the GUI: either in the list of resource objects or in the simulation results. And that’s not all: midPoint now supports much more than "just" Protected accounts. Object marks can be used to configure any of midPoint built-in marks, e.g. "Protected", "Do not touch", "Correlate later". Custom object marks can be added as well. This is how midPoint allows definition of exceptions for existing resource data that should be processed only partially or not at all, just like the original Protected accounts.

The object marks references are stored in midPoint Shadow objects in addition to the protected accounts policy defined in the resource.

You should familiarize yourselves with the concept of object marks to significantly simplify definition of the provisioning exceptions for your resource objects.

Object Lifecycle Status

In previous versions of midPoint, multiple properties were used to activate/deactivate users or other parts of configuration. For example, activation/administrativeStatus was used to enable/disable users; resource mappings had enabled property etc. Starting with midPoint 4.8, object lifecycle state becomes more prominent as it is used in simulations. The same lifecycle state is used to enable/disable mappings (lifecycleState=draft). It is also used for activation and deactivation of users in the Methodology: First Steps With MidPoint, perhaps even more concrete for Automation.

We plan to extend the usage of lifecycle state even more in the upcoming versions of midPoint.

You should familiarize yourselves with the concept of object lifecycle if you have not yet used it and also with its usage in the Methodology: First Steps With MidPoint.

Archetypes vs Object Templates for Birthright Provisioning

Starting with midPoint 4.8, we emphasize the usage of archetypes for birthright provisioning over object templates. Using archetypes is simpler from GUI perspective: archetype can be assigned to users automatically during synchronization from source system without mappings (refer to Resource wizard - part Basic Configuration for more information).

midPoint 4.8 contains a new built-in Person archetype which you can use, customize, or use as the basis for a new archetype.

As the archetypes behave as roles, editing archetype to specify the birthrights is similar to editing of a role inducement(s); actually part of the role wizard is used for access specification.

Object templates currently lack a wizard to create new mappings with assignments. Of course, they can still be used. They are suitable for mappings which generate username (with iteration) or other properties. But please consider using inducements in archetypes instead of assignments in object templates for your new deployments to specify the birthrights.

Also, if you plan to use object templates, consider using object templates references from the archetypes instead of global object templates references from System Configuration object. In midPoint 4.8, Person object template built-in object is referenced from Person archetype.

Emphasis on Iterative Approach

We have always recommended the iterative approach to identity projects with midPoint. With the First Steps Methodology this is now much more than just a recommendation. The new midPoint features such as simulations, object marks and resource wizard encourage you to work in iterations and update your configurations based on results of simulations.

Known Issues and Limitations

Like all real-world software, midPoint 4.8.3 has some known issues. The full list of the issues is maintained in the bug tracking system. As far as we know, at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 4.8.3 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 4.8.3 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.


The majority of the work on the Curie release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.


Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.

Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.

We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.
