MidPoint 4.9 "TODO"
Last modified 23 Apr 2024 17:09 +02:00
Table of Contents
This is a planned release. It is not complete yet. Therefore the information presented here is likely to be incomplete and inaccurate. For information regarding the latest stable release please see MidPoint 4.8.2 LTS (Curie Update 2) .

Release 4.9 is a fifty-TODO midPoint release, code-named TODO. The 4.9 release brings TODO.

Planned releaseOctober 2024
Release type Feature release

TODO

TODO

Changes With Respect To Version 4.8

New Features and Major Improvements

  • Shadow caching

  • Native Repository Support for searchContainersIteratively for all container types

    • Removed upper record limit for reports for Assignments, Certfication Cases, Certification Work items and others.

    • Changed transaction isolation from READ_COMMITED to REPEATABLE_READ.

    • Changed storage strategy for complex container types - actual data stored inside their own table istead of parent object JSON.

  • Added support for external data in protected strings, that can be resolved via secrets providers. This allows to store secrets in external systems, such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc. For more information see .

    • Adding support for GUI of passwords in connector configuration and password of focus (visible only when it is configured in xml)

  • Improvements regard shadow associations (work in progress)

    • Draft of the native associations support in ConnId (1.5.3.0-M1).

    • Draft of the new style of configuring simulated associations (via capabilities).

    • Draft of the new style of configuring associations handling: mapping from associations to assignments using specific correlation and synchronization rules.

  • Query Support for searching in value metadata of objects

    • Native Repository: Object metadata stored in metadata property of MetadataType are also indexed and searchable as value metadata. Eg. original metadata/creatorRef is @metadata/storage/creatorRef as value metadata path.

    • Value metadata storage and process are indexed for assignments and available for search using assignment/@metadata/storage.

  • Ninja

    • Added support for new verification categories: MULTI_VALUE_REF_WITHOUT_OID, MISSING_NATURAL_KEY, MULTIVALUE_BYTE_ARRAY, PROTECTED_DATA_NOT_EXTERNAL. For more information see Verify.

  • Role mining

    • Attribute Clustering Support:

      • Enabled attribute clustering with customizable conditions, providing flexibility in defining attribute rules for clustering procedures. Available in advanced mode.

    • Attribute Analysis Functionality:

      • Attribute analysis capabilities allowing the definition of attributes used for cluster and detected pattern analysis. Available in advanced mode.

    • Indirect Access Right Clustering:

      • Added support for clustering over indirect access rights.

    • Detected Pattern Migration Improvements:

      • Streamlined detected pattern migration process, enabling the creation of candidates from detected patterns. This allows the role definition to be refined.

    • User Permission Table Enhancements:

      • Expanded user permission table settings, providing administrators with additional control and customization options.

    • Performance and GUI Enhancements:

      • Performance optimizations and user interface enhancements to improve overall user experience and efficiency.

Other Improvements

TODO

  • The indication of official vs. unofficial build was added to the About page. See MidPoint JAR Signature Status for details.

  • We have added a new algorithm to detect which users are in the production-like environment. It would have the following impact, depending on your subscription status.

    • active subscribers: none

    • subscribers who are in the renewal period: none during the grace period of 90 days

    • non-subscribers: disabled cluster communication; if a non-H2 generic repository is used, the GUI would be disabled and the only option would be to set a subscription ID

    • For more information, feel free to read this blog post.

  • Duplication function of object or container showed in table.

  • Adding panel in gui, that support of creating new archetype for reference in resource object type.

  • Changing of input field for documentation element to multi-line text field.

  • Adding possibility for use 'Preview' button with development configuration on page details.

  • Adding 'Shadow reclassification' task as a new separate activity of the task type.

    • Adding button for creating simulated/production 'Reclassification' task on unrecognized resource objects panel.

  • New implementation and look of date time picker.

  • Support for item deltas targeting value metadata only (without need to replace whole container value)

  • Resolving the issue for creating a new member object with predefined by archetype options on members panel.

  • Resolving several issues for Self Service → Credentials page.

Releases Of Other Components

Purpose and Quality

Release 4.9 is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.

All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.

Limitations

Following list provides summary of limitation of this midPoint release.

  • Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

  • MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

  • MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

  • MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

  • MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.

Platforms

MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.

Operating System

MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:

  • Linux (x86_64)

  • Windows Server (2022)

We are positive that midPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) scripts, low-level administration and migration tools, backup and recovery support and so on. Please see for details.

Note that production deployments in Windows environments are supported only for LTS releases.

Java

Following Java platform versions are supported:

  • Java 21. This is a recommended platform.

  • Java 17.

OpenJDK 21 is the recommended Java platform to run midPoint.

Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds.

MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.

Databases

Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.

See Repository Database Support for more details.

Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.

Native Database Support

Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.

This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:

  • PostgreSQL 16, 15, 14

PostgreSQL 16 is recommended.

Generic Database Support (deprecated)

Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:

  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.

  • Oracle 21c

  • Microsoft SQL Server 2019

Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.

Supported Browsers

  • Firefox

  • Safari

  • Chrome

  • Edge

  • Opera

Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.

Important Bundled Components

Table 1. Important bundled components
Component Version Description

Tomcat

10.1.12

Web container

ConnId

1.5.1.10

ConnId Connector Framework

LDAP connector bundle

3.7

LDAP and Active Directory

CSV connector

2.7

Connector for CSV files

DatabaseTable connector

1.5.1.0

Connector for simple database tables

Download and Install

Release Form Download Install Instructions

Binary

https://evolveum.com/downloads/midpoint/4.9/midpoint-4.9-dist.zip

Installing MidPoint 4.9

Source

Evolveum/midpoint repository at github, tag v4.9

Building MidPoint From Source Code

Java API JavaDoc

https://www.evolveum.com/downloads/midpoint/4.9/midpoint-api-4.9-javadoc/

JAR

SchemaDoc

https://www.evolveum.com/downloads/midpoint/4.9/midpoint-4.9-schemadoc/

ZIP

Upgrade

MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.

This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.

Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.9.

Upgrade From MidPoint 4.8

MidPoint 4.9 data model is backwards compatible with previous midPoint version. Please follow our Upgrade guide carefully.

Be sure to be on the latest maintenance version for 4.8, otherwise you will not be warned about all the necessary schema changes and other possible incompatibilities.

Upgrade From Other MidPoint Versions

Upgrade from midPoint versions other than 4.8.x to midPoint 4.9 is not supported directly. Please upgrade to one of these versions (at least TODO) first.

Deprecation, Feature Removal And Major Incompatible Changes Since 4.8

This section is relevant to the majority of midPoint deployments. It refers to the most significant functionality removals and changes in this version.

Changes In Initial Objects Since 4.8

This section is relevant to the majority of midPoint deployments.

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g., the role Superuser and the user administrator). These objects may change in some midPoint releases. However, midPoint is conservative and avoids overwriting customized configuration objects. Therefore, midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.

The following list contains a description of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions.

Actions required: Please review the changes and apply them appropriately to your configuration. Ninja can help with updating existing initial objects during upgrade procedure using initial-objects command. For more information see here.

Please review source code history for detailed list of changes.

Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades. On-line version can be found in midPoint source code.

Schema Changes Since 4.8

This section is relevant to the majority of midPoint deployments. It describes what data items were marked as deprecated, or removed altogether from the schema. You should at least scan through it - or use the ninja tool to check the deprecations for you.
Table 2. Items being deprecated
Type Item or value Note
Table 3. Removed items
Type Item or value

Actions required:

  • Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use ninja tool for this.

Behavior Changes Since 4.8

This section describes changes in the behavior that existed before this release. New behavior is not mentioned here. Plain bugfixes (correcting incorrect behavior) are skipped too. Only things that cannot be described as simple "fixing" something are described here.

The changes since 4.8 are of interest probably for "advanced" midPoint deployments only. You should at least scan through them, though.

  • The default configuration for caching was changed. Currently, only mapped attributes are cached by default. (Except for the situation when the caching is enabled by cachingOnly property in the read capability.) See commits [4775c1](https://github.com/Evolveum/midpoint/commit/4775c14884d42aa758c19b5693ec07dcacdeb147) and the following one - TODO.

  • When processing live sync and asynchronous update changes that contain only the object identifiers, a more aggressive approach to fetching actual objects was adopted: We now always fetch the actual object, if possible. The reason is that the cached version may be incomplete or outdated. (This may still change before 4.9 the release, though.) See commits [4775c1](https://github.com/Evolveum/midpoint/commit/4775c14884d42aa758c19b5693ec07dcacdeb147) and the following one - TODO.

  • The behavior of disableTimestamp and disableReason in the shadow activation container was changed. Before 4.9/4.8.1, these properties were updated only if there was an actual change in the administrative status from something to DISABLED. Since 4.9/4.8.1, both of these properties are updated even if the administrative status is already DISABLED: the disableReason is determined anew, and the disableTimestamp is updated if the status and/or the reason are modified. See MID-9220.

  • Automatic caching of association binding attributes (the "value" side, i.e. valueAttribute in the association definition) is no longer provided. It is recommended to mark them as secondary identifiers.

  • The filtering of associations was changed slightly. In particular, even if the required auxiliary object class is not present for the subject, the association values are still shown - if they exist on the resource. (They were hidden before.) TODO reconsider this

  • "<a:indexed/>" and "<a:indexOnly/>" annotations - when present but without any value - was interpreted as "false". This was now changed to a more intuitive interpretation (similar to a:object, a:container, etc), where annotation present but without value means "true". Also, "a:container" and other markers were interpreted as "true", even if the value was actually "false". This is now fixed as well.

  • Years-old ref-style schema annotations like <r:identifier ref="icfs:uid"/> are no longer supported. They are not used since midPoint 2.0. If you happen to use them in your manually configured resource XSD schemas, please replace them with the supported <r:identifier>icfs:uid</r:identifier> style.

  • Support for getting/setting objects embedded in references marked as a:objectReference directly, like LensElementContext.getObjectOld(). This feature was used only internally by midPoint.

  • TODO Either bring back the support of <xsd:documentation> in resource schemas (not used by ConnId, but may be used for manually entered schemas), or document the feature drop here. === Java and REST API Changes Since 4.8

As for the Java API, this section describes changes in midpoint and basic function libraries. (MidPoint does not have explicitly defined Java API, yet. But these two objects are something that can be unofficially considered to be the API of midPoint, usable e.g. from scripts.)

Internal Changes Since 4.8

These changes should not influence people that use midPoint "as is". They should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.

  • Internal APIs were massively changed with regard to passing prismContext object between methods. This object has been statically available for quite a long time. Now it was definitely removed from methods' signatures.

    The official APIs (like midpoint and basic objects) were not touched by this change. However, if you use some of the unofficial or undocumented APIs, please make sure you migrate your code appropriately.

    The change itself is very simple: basically, the PrismContext parameter was removed from methods' signatures.

  • Likewise, the internals of prism definitions were changed in 12808d. You should not be affected by this; however, if you use some of the unofficial/undocumented APIs, please check your code.

Known Issues and Limitations

As all real-world software midPoint 4.9 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.

There is currently no plan to fix the known issues of midPoint 4.9 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.

The known issues of midPoint 4.9 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

Credits

Majority of the work on the release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.

Disclaimer

Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.

Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.

We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.

Was this page helpful?
YES NO
Thanks for your feedback