MidPoint 4.10

The self-service user interface is now very close to WCAG 2.2 AA compliance.

The experience around background tasks has been improved in various aspects:

Added compliance dashboard.

You can now tighten security guardrails around expressions:

Improved displaying changes (deltas) in both the audit GUI and reports.

Improved indexing these deltas, especially when objects are added. See MID-10413 Improved indexing of audit records with "add object" deltas. See MID-10413.

Added lastLoginTimestamp capability. See MID-10147.

Implemented default list view panel configuration which brings a possibility to set the common pagination options for list panels. See MID-10414.

Summary panel for roles now uses display name and identifier (same as for organizations and services). See MID-10270.

Task execution constraints added to the "advanced options" tab. See MID-10218.

Removed maximum password length constraint from the default password policy. See MID-10305.

Added support for metadata exclusion in get/search rest API operations. See MID-10216.

Implemented shadow password caching, with the possibility of storing them in reversible encrypted form.

Improved handling of volatile shadow attributes.

Update GUI views after changing the archetype used in the particular view. See MID-9776.

Added support for PKCE (Proof Key for Code Exchange) as an additional security measure for the OIDC authentication module. See MID-10155.

Added a new configuration attribute for OIDC authentication module that is used for the ID Token signing algorithm. See Oidc Module.

Used 'honeypot' instead of captcha on self-registration and post-authentication pages to protect against spam bots.

Improved the documentation of resource configuration. See MID-10176.

Allowed volatility configuration per mapping through the Resource Wizard. See MID-10170.

Changed the CSS style of sub-containers in the vertical form panel to create a new object for reference. See MID-10030.

Documented shadow purpose. See MID-10419.

Some policy rule constraints allow to the targetArchetypeRef to specify objects by archetype. See MID-10647.

StartupConfiguration incorporates midpoint. properties from Spring environment sources.

Assignment modification constraint of policy rules allows scope specification. This can be used for approval of indirect role assignments and similar cases. See MID-10663.

There are two new functions in midPoint function library for access to "governance" users (approvers/owners): getRoleMemberUsers, getServiceMemberUsers.

Improved notifications in various aspects, such as by enabling you to use the GUI delta visualizer in notification. See MID-6112, MID-10633, MID-10632, MID-10635, MID-10372, MID-10634, MID-10636.

Built-in archetypes for organizational structures and locations.

Compliance-related marks (no classification, unowned, privileged access), object collections and policies.

Privileged access classification automatically sets Privileged access mark for directly affected roles and users.

Updated various libraries, such as Spring Boot, Tomcat, PostgresSQL JDBC driver.

Added OAuth 2 credential flow to mail server notification configuration

Added languages, specifically Korean, Dutch, and Ukrainian.

Removed support for deprecated generic repository implementation (Oracle, SQL Server). See MID-10866.

The date & time picker now can use adminGuiConfiguration/displayFormats/longDateTimeFormat setting if available.

Using private schema in PostgresSQL instead of the public schema. See MID-9300.

MID-10213 Fixed synchronization of large number of tasks (>10 000).

MID-10204 Fixed error during preview of changes.

MID-10319 Fixed incorrect error message displayed when performing "Unlock" action on the user list page.

MID-10317 Fixed missing message when user disable fails.

MID-10320 Fixed ninja zip option used during export/import.

MID-10048 Fixed ClassCastException when creating duplicates of object types with new archetype

MID-10278 Fixed non-clickable part of a button in the Edit Schema popup modal.

MID-10513 Fixed CSS issues with popup modal background in Safari.

MID-10496 Fixed issue of tasks not starting at next scheduled time.

Fixed boolean column values for Quartz tables in Oracle 23 - "Quartz broken after DB upgrade". See MID-10715.

Fixed "Couldn’t get assignments conflicts" error occurring during Request access. See MID-10124.

Fixed "No definition for item …​ in outbound mapping for association" error. See MID-10214.

Fixed the issue with policy rules minAssignees/maxAssignees not being triggered. See MID-9869.

Fixed retrieving referenced objects with their own references when caching is enabled. See MID-10271.

Fixed inconsistent behaviour for deleted situation in combination with deleteFocus reaction. See MID-10195.

Fixed midPoint freezing when shadow partitioning, referenced objects, and shadow caching was used. See MID-10231.

Added support for removing "dangling" non-tolerant reference attribute values (i.e., those that do not match any association). See MID-10285.

Changes in default shadow caching policy are now correctly applied, without requiring any action on the user side. See MID-10126.

Fixed NullPointerException occurring in mappings when the source reference value pointed to non-existing object. See MID-10162.

"Native references" capability is now correctly shown in GUI. See MID-10194.

Fixed handling of multi-valued resource configuration properties defined using const expression. See the last comment in MID-7918.

Fixed repeated modifications of objects when manually attached object marks were used. See MID-10121.

Fixed preview changes when auto-assigned roles with approvals were used. See MID-10345.

Stopped generating passwords with "problematic" characters, like comma, apostrophe, ampersand, and so on. Now it’s possible to define characters that are accepted in the password, but not used when generating a new password value. The default password policy was updated in this regard. See MID-9541 and the docs.

Stopped displaying some shadow operational properties (like the synchronization timestamp, iteration, and so on) among changes in simulation results. See MID-9737 and MID-9986.

Midpoint Query Language Fixed inconsistent whitespace behavior when using not filter, modified grammar of query language. See MID-9351.

Fixed code completions & validation for @metadata language concept in Midpoint Query language. See MID-10324.

Fixed problem with handling syntax error in Midpoint Query Language. See MID-8196 and MID-9585.

Fixed removal of the shadow transition mark in the mark table panel. See MID-10228.

Fixed refresh names, help texts and search items for all saved search configurations. See MID-10321.

Fixed phantom changes when displaying an existing object type in the resource wizard. See MID-10284.

Added a popup to create a new item for the Schema Extension panel. See MID-10283.

Harmonize the design of the mapping table panel for object template and resource object type mapping. See MID-10291.

Removed the use of page parameters for view collection in popup tables. See MID-10254.

Fixed display of row without object name for Task Errors panel. See MID-10354.

Fixed the display of the 'User Dashboard Links' panel in the System Configuration panel. See MID-10133.

Fixed the object class name column in the Resource Details panel. See MID-10005.

Fixed saving of audit record with malformed username as parameter during login (User-Enumeration attack). See MID-10383.

Add a save button to the wizard’s table of object and association types. See MID-10046.

Add an error message when the 'securityQuestionsForm' authentication module is the first in the authentication sequence. See MID-10149.

MID-10225 Fix issue where opening of certification campaign stage hangs indefinitely.

Fixed "preview changes" and "access request" functionality when some projections are hidden by authorizations. See MID-10397.

MID-10739 Use SecureRandom instead of Random.

Fixed different certification bugs. See MID-10208, MID-10190, MID-10134, MID-10262, MID-10261, MID-10373, MID-10376, MID-10469, MID-10520 and others.

Fixed organizations list display bug. See MID-10150.

Fixed the icon for Case type objects that was not displayed. See MID-10164.

Fixed the issue with date field update. See MID-10107.

Fixed the issue with wrong redirection after unassigning the object. See MID-10151.

Fixed the issue with displaying Service type objects in the role catalog. See MID-10206.

Password policy checks are being applied to an extension attribute of the ProtectedStringType. See MID-10129.

Fixed empty required fields validation in UI in case the parent container is empty. See MID-10210.

Fixed the issue with password policy check popover. See MID-10128.

Fixed the sorting of the organisation tree in the Role catalog (from now, sorted by display name). See MID-10246.

Fixed filtering of the work items in UI. See MID-10167.

Fixed input string validation in the Flexible Authentication module. See MID-10123.

Fixed the displaying of the historical user data. See MID-10153.

Fixed error in logs during the work in the resource wizard. See MID-10233.

Hided password strength bar for the protected string panel. See MID-10129.

Fixed the error while creating new application service object with manager. See MID-10277.

Fixed the error during self password update. See MID-10316.

Fixed the usage of the MidpointFormValidator during object updates. See MID-10127.

Fixed authorization check in GUI by using EndPointsUrlMapping actions check. See MID-10336.

Fixed the displaying of the Policy rule panel. See MID-10343.

Fixed the issue with duplicated error message displaying on the Repository objects page. See MID-10344.

Made authorization error message more user-friendly. See MID-10206.

Fixed default panels configuration of the details pages for start campaign and reiterate campaign tasks. See MID-10205.

Fixed error on the Task Internal performance panel. See MID-10445.

Fixed error on the task details page. See MID-10395.

Fixed defaultAssignmentConstraints configuration usage during Request Access. See MID-10425.

Fixed Person of interests step in Access Request to take into account objects filter and to analyze more carefully changing the persons of interest. See MID-10398.

Fixed changing the mark for user object. See MID-10423.

Fixed session storage for Cases table. See MID-10473.

Fixed the issue with the displaying the value of the work item Name column. See MID-10427.

Fixed the issue with dashboard resource widget. See MID-10497.

Fixed the sorting of the first column in the collection view table. See MID-10486.

Removed the button for credentials change on the Password panel of the object details page to be hidden without proper authorization. See MID-10507.

Fixed error when setting read permission with filter on ReportDataType. See MID-10498.

Fixed localization error while changing the password. See MID-10471.

Fixed the accumulation of the authentication attempts. See MID-10502.

Fixed loading the fresh user object on the Self Service Credentials page. See MID-10544.

Fixed saving schema extension. See MID-10437.

Fixed creation of the new generic PolicyType. See MID-10463.

Fixed Access Request checkout step when validity is set to mandatory. See MID-10459.

Fixed import object with ObjectReferenceType extension attribute. See MID-10503.

Fixed deny rule for task delete operation. See MID-10625.

Fixed setting of the assignment subtype. See MID-10624.

Fixed sorting in the All Tasks table. See MID-10640.

Fixed incorrect message while approving a work item. See MID-10629.

Fixed Reconciliation report running. See MID-10436.

Fixed displaying the list of the application classifications. See MID-10638.

Fixed Object collection search item visibility on object list pages. See MID-10648.

Fixed mark (*) visibility on the custom forms. See MID-10656.

Fixed manual unlock of the user. See MID-9856.

Improved the message on the mail nonce module panel during Reset password flow. See MID-10679.

Fixed case details page displaying. See MID-10690.

Fixed schema fetch error. See MID-10665.

Connid version was upgraded to 1.6.0.0. See MID-10552.

Fixed the error during saving the extension schema if there is ObjectReferenceType item. See MID-10693.

Fixed the search with upper case letters on the Projections panel. See MID-10713.

Fixed the initialization process of resource connector capabilities. See MID-10644, MID-10676.

Fixed the usage and application of the archetype filter within authentication definition. See MID-10683.

Fixed the reflexion of the custom system name on different pages. See MID-10696.

Fixed the query for the certification items while loading self dashboard page. See MID-10753.

Refactored container properties panel (e.g. object details page) not to wrap each property value field into a form. This reduced the number of the csrf fields which is sent by request after the form submitting. Also, increased the size of the http request header size to cope with big headers. Important: be aware of overriding total request size (e.g. header size or multipart parts) in your environment in case of using custom settings (e.g. in custom application.yml or through JVM arguments). The recommended values are: max-part-header-size: 768; max-part-count: 100. See MID-10748.

Extended multi-parts request configuration for AJP server. It is possible to set custom max-part-header-size and max-part-count properties to AJP connector in application.yml. If no multi-parts request configuration is set for AJP server, these properties will be taken from Tomcat server configuration. See MID-10824.

Fixed "Select all" functionality in the assignment restriction popup while creating a delegation. See MID-10757.

Fixed loading and displaying the data on the Errors panel of the Task page. See MID-10682.

Fixed NPE on the Internals configuration page. See MID-10749.

Fixed "Matching rule" dropdown in Attribute override settings. See MID-10710.

Fixed 500 error while creating an application role with a lack of permission. See MID-10778.

Fixed intent dropdown on Accounts/Entitlements page to persist after navigation . See MID-10697.

Fixed default sort property for "My requests" widget on Self Dashboard page. See MID-10772.

Fixed authorization re-initialization during CompiledGuiProfile refresh functionality. Authorizations list is wrapped into atomic reference in order to avoid calls to cleaned up authorizations list while refreshing the principal. See MID-10781.

Fixed inconsistent type of input variable after passing ObjectTemplate validation. See MID-10773.

Fixed the possibility to modify the filter in the marking rule. See MID-10405.

Fixed the title for the edit button on the reference autocomplete panel. See MID-10807.

Fixed filter configuration panel on the Object collection details page. The behavior of the filter configuration panel was changed to switch automatically to midPoint query (from xml query if was defined before) after filter configuration popup was used and configuration changes were confirmed there. See MID-10800.

Fixed the icon and missing description for object mark icons assignments. See MID-10255.

Fixed resolving of the object reference while report preview. See MID-9632.

Improved displaying of the container header while delta visualization. See MID-10630.

Fixed mouse hover tooltip in object reference selection menu. See MID-10807.

Fixed authorization check for the objects displayed in GUI during approval process. See MID-10232.

Removed unnecessary blank row from Certification items export dialog. See MID-10809.

Fixed name and display name columns' values on the Certification items page. See MID-10806.

Fixed full-text search in the role catalog. See MID-10819.

Fixed case-insensitive search for shadow association definitions. See MID-10477.

Improved the time of the certification items list processing (e.g. during cert. items report creating or during displaying in the GUI). See MID-10811, MID-10812.

Fixed some bugs in the Role mining GUI. See MID-10842.

Fixed the error while creating a new resource as a copy of the template resource. See MID-10476.

Fixed the relation dependent behavior while adding an item into shopping cart. See MID-10851.

Fixed the extension attribute update behavior within Shopping cart step in the Request access wizard. See MID-10861.

Fixed allowToConfigureSearchItems configuration usage on the search panel. See MID-10883.

Fixed style issue on the task summary panel. See MID-10884.

Fixed reloading of the certification (responses) statistics model. See MID-10882.

Fixed Back button behavior from the Certification items page. See MID-10879.

Improved exception handling while parsing incorrect filter on the search panel. From now, if the user selects the filter saved for Advanced mode, and this filter has xml query configured instead of midPoint query, midPoint will parse such a (correct xml) query and apply it to the search. Warning message that the filter should be reconfigured with a midPoint (Advanced) query will be displayed on the panel. If the xml query cannot be parsed, the error message will be shown on the page. See MID-10876.

Fixed creating an object with <dummy> tag. See MID-10853.

Fixed visibility of the Certification items table in case there is only one row on the Self Dashboard page. Previously, the implementation didn’t show table’s row in case there was only one active campaign. It was decided that even one row can be informative for the user so that the user sees the name of the campaign from the Dashboard page, also sees its deadline and progress. Therefore, the visibility for the Certification items table was changed from false to true in case of just one row in the table. See MID-10889.

Fixed runPrivileged configuration usage for scripting policy actions. See MID-10820.

Upgraded chartjs version to 0.6.

Fixed slow authentication issue. See MID-10885.

Fixed global policy rules not being triggered under some circumstances, see MID-10779.

Updated dependencies, mainly spring boot (3.5.6), removed wss4j.

Improved pre upgrade check for node version in ninja, MID-10829.

Fixed projection not deleted when lifecycleState is set to archived. See MID-10813.

Optimized repeated logins for policy scripting rules, MID-10864.

Fixed missing messages for "More…​" items in Access Certification search boxes. See MID-10898.

Improved campaign operation button behavior not to start campaign action while running previous action task. See MID-10897.

Fixed startTimestamp filter on campaign list page. See MID-10900.

Fixed campaigns filtering by created timestamp. Create metadata were added to campaign object while its creation. See MID-10901.

Fixed datetime filter clear function in search box. See MID-10899.

Fixed pie chart style on the Certification items page. See MID-10916.

Current reviewers now displayed even for closed case items. See MID-10935.

Unable to display report preview fixed. See MID-10929.

Fixed shopping cart icon number does not decrease when resolving conflicts. See MID-10925.

Fixed first and last links enable behavior on paging panel. See MID-10945.

Fixed creating a duplicated container value while adding new value. See MID-10926.

Fixed saving and displaying of the policy actions empty containers. See MID-10928.

Fixed displaying of the certification campaign deadline value for Reviewer role. See MID-10931.

Fixed displaying of the warning messages on the Shopping cart page. See MID-10924.

Fixed behavior of Comment column in the Certification items table. See MID-10912.

Improved loading time for Certification items and Campaigns tables. See MID-10887.

Fixed "all tasks running" message. See MID-10958.

Fixed displaying some approved and executed changes as "Waiting to be applied". See MID-10828.

No longer evaluating timed actions on cancelled cases. See MID-10934.

New version (1.5.2.0) of DatabaseTable Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (2.8) of CSV Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (3.8) of AD/LDAP Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

Linux (x86_64)

Windows Server (2022)

Java 21. This is a recommended platform.

Java 17.

PostgreSQL 17, 16, 15, 14

Firefox

Safari

Chrome

Edge

Opera

There are database schema changes (see Database schema upgrade).

Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.

See also the Actions required information below.

000-system-configuration.xml: improved safe expression profile, added permissive and prohobitive profiles, renamed script-safe to script-limited permission profile, added possibility for configuration of volatility of attribute in resource wizard, added task execution constraints to advanced options tab, updated default paging options, made operation execution recording a regular feature, extended with compliance dashboard, improving help attribute values.

010-value-policy.xml: improved localization for name attributes, removed max password length constraint, added ignoreWhenGenerating value policy feature.

020-archetype-system-user.xml: fixed the color of the icon.

021-archetype-system-role.xml: fixed the color of the icon.

023-archetype-manual-provisioning-case.xml: added the color for the icon.

024-archetype-operation-request.xml: added the color for the icon.

025-archetype-approval-case.xml: added the color for the icon.

028-archetype-application-role.xml: fixed the plural label.

029-archetype-application.xml: fixed the displaying of the application classifications and governance panels.

040-role-enduser.xml: extended assignment panels configuration.

041-role-approver.xml: added manualProvisioningContext item to read authorization of the CaseType object in order to correctly display case details page; fixed authorizations.

042-role-reviewer.xml: extended certification campaign read authorization.

062-archetype-classification.xml: extended with documentation attribute.

063-archetype-clearance.xml: extended with documentation attribute.

090-report-audit.xml: queries are updated to use MidPoint Query language.

100-report-reconciliation.xml: queries are updated to use MidPoint Query language.

110-report-user-list.xml: queries are updated to use MidPoint Query language.

140-report-certification-campaigns.xml: queries are updated to use MidPoint Query language.

150-archetype-location.xml: a new one.

150-archetype-organization.xml: a new one.

150-archetype-organizational-unit.xml: a new one.

150-archetype-project.xml: a new one.

150-archetype-team.xml: a new one.

150-report-certification-cases.xml: fixed campaign name column value, queries are updated to use MidPoint Query language.

160-report-certification-work-items.xml: queries are updated to use MidPoint Query language.

200-lookup-languages.xml: extended with new languages.

210-lookup-locales.xml: extended with new locales.

200-report-indirect-assignments.xml: queries are updated to use MidPoint Query language.

250-mark-no-classification.xml: a new one.

250-mark-privileged-access.xml: a new one.

250-mark-unowned.xml: a new one.

253-object-collection-application-active.xml: a new one.

300-classification-privileged-access.xml: extended with documentation, assignment and inducement.

300-policy-require-classification.xml: a new one.

300-policy-require-owner.xml: a new one.

350-object-collection-application-suspicious.xml: a new one.

350-object-collection-application-unowned.xml: a new one.

350-object-collection-application-without-classification.xml: a new one.

350-object-collection-privileged-users.xml: a new one.

350-object-collection-role-active.xml: a new one.

350-object-collection-role-all.xml: a new one.

350-object-collection-role-unowned.xml: a new one.

350-object-collection-user-active.xml: a new one.

353-users-with-sod-violations.xml: added documentation attribute, added configuration of the default view.

354-roles-privileged.xml: added documentation attribute, added configuration of the default view.

357-suspicious-roles.xml: added documentation attribute, added configuration of the default view.

358-suspicious-users.xml: added documentation attribute, added configuration of the default view.

390-org-projects.xml: a new one.

390-org-teams.xml: a new one.

390-org-world.xml: a new one.

536-archetype-task-certification-start-campaign.xml: task activity panel was fixed to display the data from the certificationStartCampaign container.

538-archetype-task-certification-reiterate-campaign.xml: task activity panel was fixed to display the data from the certificationReiterateCampaign container.

811-exclusion-violation.xml: extended with documentation attribute.

830-suspicious.xml: extended with documentation attribute.

899-dashboard-compliance.xml: a new one.

910-task-recompute-all-users.xml: a new one.

Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use ninja tool for this.

Be sure to apply the changes to initial objects 800-804 (object marks), as well as to your custom object marks to handle the membership in the expected way.

The contract for ModificationsSupplier in dynamic object modifications (repo API) was changed.

Projections with denied access no longer cause "preview changes" operation to fail.

Expression profile changes: