MidPoint 4.10

MID-10147 Added support for new capability lastLoginTimestamp.

MID-10213 Fix synchronization of large number of tasks (>10 000).

MID-10270 Summary panel for roles now uses display name and identifier (same as for organizations and services).

MID-10204 Fix error during preview of changes.

MID-10319 Fixed incorrect error message displayed when performing "Unlock" action on user list page.

MID-10317 Fixed missing message when user disable fails.

MID-10320 Fixed ninja zip option used during export/import.

MID-10218 Task execution constraints added to advanced options tab.

MID-10216 Support exclusion of metadata in get/search rest APIs.

MID-10305 Remove max password length constraint.

MID-10048 Fix ClassCastException when creating duplicates of object types with new archetype

MID-9300 Secure schema usage in PostgresSQL (not using public schema).

MID-10278 Fix non-clickable part of a button in Edit Schema popup panel.

MID-10513 Fixed css issues with popup modal background in Safari.

MID-10410 Better indication for failed tasks and their subtasks.

MID-10412 Implemented configurable thresholds for task activities.

MID-10496 Task doesn’t start at next scheduled time.

MID-10414 Page size global configuration for object collection views.

MID-10411 Improved task run history errors search.

Compliance dashboard

StartupConfiguration incorporates 'midpoint.' properties from Spring environment sources.

Implemented shadow password caching, with the possibility of storing them in reversible encrypted form.

Improved handling of volatile shadow attributes.

Update GUI views after changing of the archetype, that is used in the view. See MID-9776.

Adding support for PKCE (Proof Key for Code Exchange) as additional security for OIDC authentication module. See MID-10155.

Adding new configuration attribute for OIDC authentication module, that is used for ID Token signing algorithm. See Oidc Module.

Apply the Web Content Accessibility Guidelines (WCAG) to all login pages and self-service pages. See MID-9847.

Improved the documentation on the resource configuration. See MID-10176.

Allow volatility configuration per mapping through the Resource Wizard. See MID-10170.

Change the CSS style of sub-containers in the vertical form panel to create a new object for reference. See MID-10030.

Documentation of shadow purpose was added. See MID-10419.

Some policy rule constraints allow to the targetArchetypeRef to specify objects by archetype. See MID-10647.

Assignment modification constraint of policy rules allows specification of scope. This can be used for approval of indirect role assignments and similar cases. See MID-10663.

There are two new functions in midPoint function library for access to "governance" users (approvers/owners): getRoleMemberUsers, getServiceMemberUsers.

Use delta’s "visualizer" used by GUI also in notifications and other improvements in notifications. See MID-6112, MID-10633, MID-10632, MID-10635, MID-10372, MID-10634, MID-10636.

Built-in archetypes for organizational structures and locations.

Compliance-related marks (no classification, unowned, privileged access), object collections and policies.

Privileged access classification automatically sets Privileged access mark for directly affected roles and users.

Updated various libraries, mainly: Spring Boot, Tomcat, Hibernate, PostgresSQL JDBC driver.

Add OAuth 2 credential flow to mail servers notification configuration

Fixed boolean column values for Quartz tables in Oracle 23 - "Quartz broken after DB upgrade". See MID-10715.

Fixed "Couldn’t get assignments conflicts" error occurring during Request access. See MID-10124.

Fixed "No definition for item …​ in outbound mapping for association" error. See MID-10214.

Fixed the issue with policy rules minAssignees/maxAssignees not being triggered. See MID-9869.

Fixed retrieving referenced objects with their own references when caching is enabled. See MID-10271.

Fixed inconsistent behaviour for deleted situation in combination with deleteFocus reaction. See MID-10195.

Fixed midPoint freezing when shadow partitioning, referenced objects, and shadow caching was used. See MID-10231.

Added support for removing "dangling" non-tolerant reference attribute values (i.e., those that do not match any association). See MID-10285.

Changes in default shadow caching policy are now correctly applied, without requiring any action on the user side. See MID-10126.

Fixed NullPointerException occurring in mappings when the source reference value pointed to non-existing object. See MID-10162.

"Native references" capability is now correctly shown in GUI. See MID-10194.

Fixed handling of multi-valued resource configuration properties defined using const expression. See the last comment in MID-7918.

Fixed repeated modifications of objects when manually attached object marks were used. See MID-10121.

Fixed preview changes when auto-assigned roles with approvals were used. See MID-10345.

Stopped generating passwords with "problematic" characters, like comma, apostrophe, ampersand, and so on. Now it’s possible to define characters that are accepted in the password, but not used when generating a new password value. The default password policy was updated in this regard. See MID-9541 and the docs.

Stopped displaying some shadow operational properties (like the synchronization timestamp, iteration, and so on) among changes in simulation results. See MID-9737 and MID-9986.

Midpoint Query Language Fixed inconsistent whitespace behavior when using not filter, modified grammar of query language. See MID-9351.

Fixed code completions & validation for @metadata language concept in Midpoint Query language. See MID-10324.

Fixed problem with handling syntax error in Midpoint Query Language. See MID-8196 and MID-9585.

Fixed removal of the shadow transition mark in the mark table panel. See MID-10228.

Fixed refresh names, help texts and search items for all saved search configurations. See MID-10321.

Fixed phantom changes when displaying an existing object type in the resource wizard. See MID-10284.

Added a popup to create a new item for the Schema Extension panel. See MID-10283.

Harmonize the design of the mapping table panel for object template and resource object type mapping. See MID-10291.

Removed the use of page parameters for view collection in popup tables. See MID-10254.

Fixed display of row without object name for Task Errors panel. See MID-10354.

Fixed the display of the 'User Dashboard Links' panel in the System Configuration panel. See MID-10133.

Fixed the object class name column in the Resource Details panel. See MID-10005.

Fixed saving of audit record with malformed username as parameter during login (User-Enumeration attack). See MID-10383.

Add a save button to the wizard’s table of object and association types. See MID-10046.

Add an error message when the 'securityQuestionsForm' authentication module is the first in the authentication sequence. See MID-10149.

MID-10225 Fix issue where opening of certification campaign stage hangs indefinitely.

Fixed "preview changes" and "access request" functionality when some projections are hidden by authorizations. See MID-10397.

MID-10739 Use SecureRandom instead of Random.

Fixed different certification bugs. See MID-10208, MID-10190, MID-10134, MID-10262, MID-10261, MID-10373, MID-10376, MID-10469, MID-10520 and others.

Fixed organizations list display bug. See MID-10150.

Fixed the icon for Case type objects that was not displayed. See MID-10164.

Fixed the issue with date field update. See MID-10107.

Fixed the issue with wrong redirection after unassigning the object. See MID-10151.

Fixed the issue with displaying Service type objects in the role catalog. See MID-10206.

Password policy checks are being applied to an extension attribute of the ProtectedStringType. See MID-10129.

Fixed empty required fields validation in UI in case the parent container is empty. See MID-10210.

Fixed the issue with password policy check popover. See MID-10128.

Fixed the sorting of the organisation tree in the Role catalog (from now, sorted by display name). See MID-10246.

Fixed filtering of the work items in UI. See MID-10167.

Fixed input string validation in the Flexible Authentication module. See MID-10123.

Fixed the displaying of the historical user data. See MID-10153.

Fixed error in logs during the work in the resource wizard. See MID-10233.

Hided password strength bar for the protected string panel. See MID-10129.

Fixed the error while creating new application service object with manager. See MID-10277.

Fixed the error during self password update. See MID-10316.

Fixed the usage of the MidpointFormValidator during object updates. See MID-10127.

Fixed authorization check in GUI by using EndPointsUrlMapping actions check. See MID-10336.

Fixed the displaying of the Policy rule panel. See MID-10343.

Fixed the issue with duplicated error message displaying on the Repository objects page. See MID-10344.

Made authorization error message more user-friendly. See MID-10206.

Fixed default panels configuration of the details pages for start campaign and reiterate campaign tasks. See MID-10205.

Fixed error on the Task Internal performance panel. See MID-10445.

Fixed error on the task details page. See MID-10395.

Fixed defaultAssignmentConstraints configuration usage during Request Access. See MID-10425.

Fixed Person of interests step in Access Request to take into account objects filter and to analyze more carefully changing the persons of interest. See MID-10398.

Fixed changing the mark for user object. See MID-10423.

Fixed session storage for Cases table. See MID-10473.

Fixed the issue with the displaying the value of the work item Name column. See MID-10427.

Fixed the issue with dashboard resource widget. See MID-10497.

Fixed the sorting of the first column in the collection view table. See MID-10486.

Removed the button for credentials change on the Password panel of the object details page to be hidden without proper authorization. See MID-10507.

Fixed error when setting read permission with filter on ReportDataType. See MID-10498.

Fixed localization error while changing the password. See MID-10471.

Fixed the accumulation of the authentication attempts. See MID-10502.

Fixed loading the fresh user object on the Self Service Credentials page. See MID-10544.

Fixed saving schema extension. See MID-10437.

Fixed creation of the new generic PolicyType. See MID-10463.

Fixed Access Request checkout step when validity is set to mandatory. See MID-10459.

Fixed import object with ObjectReferenceType extension attribute. See MID-10503.

Fixed deny rule for task delete operation. See MID-10625.

Fixed setting of the assignment subtype. See MID-10624.

Fixed sorting in the All Tasks table. See MID-10640.

Fixed incorrect message while approving a work item. See MID-10629.

Fixed Reconciliation report running. See MID-10436.

Fixed displaying the list of the application classifications. See MID-10638.

Fixed Object collection search item visibility on object list pages. See MID-10648.

Fixed mark (*) visibility on the custom forms. See MID-10656.

Fixed manual unlock of the user. See MID-9856.

Improved the message on the mail nonce module panel during Reset password flow. See MID-10679.

Fixed case details page displaying. See MID-10690.

Fixed schema fetch error. See MID-10665.

Connid version was upgraded to 1.6.0.0. See MID-10552.

Fixed the error during saving the extension schema if there is ObjectReferenceType item. See MID-10693.

Fixed the search with upper case letters on the Projections panel. See MID-10713.

Fixed the initialization process of resource connector capabilities. See MID-10644, MID-10676.

Fixed the usage and application of the archetype filter within authentication definition. See MID-10683.

Fixed the reflexion of the custom system name on different pages. See MID-10696.

Fixed the query for the certification items while loading self dashboard page. See MID-10753.

Refactored container properties panel (e.g. object details page) not to wrap each property value field into a form. This reduced the number of the csrf fields which is sent by request after the form submitting. Also, increased the size of the http request header size to cope with big headers. Important: be aware of overriding total request size (e.g. header size or multipart parts) in your environment in case of using custom settings (e.g. in custom application.yml or through JVM arguments). The recommended values are: max-part-header-size: 768; max-part-count: 100. See MID-10748.

Extended multi-parts request configuration for AJP server. It is possible to set custom max-part-header-size and max-part-count properties to AJP connector in application.yml. If no multi-parts request configuration is set for AJP server, these properties will be taken from Tomcat server configuration. See MID-10824.

Fixed "Select all" functionality in the assignment restriction popup while creating a delegation. See MID-10757.

Fixed loading and displaying the data on the Errors panel of the Task page. See MID-10682.

Fixed NPE on the Internals configuration page. See MID-10749.

Fixed "Matching rule" dropdown in Attribute override settings. See MID-10710.

Fixed 500 error while creating an application role with a lack of permission. See MID-10778.

Fixed intent dropdown on Accounts/Entitlements page to persist after navigation . See MID-10697.

Fixed default sort property for "My requests" widget on Self Dashboard page. See MID-10772.

Fixed authorization re-initialization during CompiledGuiProfile refresh functionality. Made a restructuring of the code. The goal is to decrease the time period between clearing the authorizations (and other privileges limitations) and filling them in. See MID-10781.

Fixed inconsistent type of input variable after passing ObjectTemplate validation. See MID-10773.

Fixed the possibility to modify the filter in the marking rule. See MID-10405.

Fixed the title for the edit button on the reference autocomplete panel. See MID-10807.

Fixed filter configuration panel on the Object collection details page. The behavior of the filter configuration panel was changed to switch automatically to midPoint query (from xml query if was defined before) after filter configuration popup was used and configuration changes were confirmed there. See MID-10800.

Fixed the icon and missing description for object mark icons assignments. See MID-10255.

Fixed resolving of the object reference while report preview. See MID-9632.

Improved displaying of the container header while delta visualization. See MID-10630.

Fixed mouse hover tooltip in object reference selection menu. See MID-10807.

Fixed authorization check for the objects displayed in GUI during approval process. See MID-10232.

Removed unnecessary blank row from Certification items export dialog. See MID-10809.

Fixed name and display name columns' values on the Certification items page. See MID-10806.

Fixed full-text search in the role catalog. See MID-10819.

Fixed case-insensitive search for shadow association definitions. See MID-10477.

New version (1.5.2.0) of DatabaseTable Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (2.8) of CSV Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (3.8) of AD/LDAP Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

Linux (x86_64)

Windows Server (2022)

Java 21. This is a recommended platform.

Java 17.

Firefox

Safari

Chrome

Edge

Opera

There are database schema changes (see Database schema upgrade).

Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.

See also the Actions required information below.

536-archetype-task-certification-start-campaign.xml: task activity panel was fixed to display the data from the certificationStartCampaign container.

538-archetype-task-certification-reiterate-campaign.xml: task activity panel was fixed to display the data from the certificationReiterateCampaign container.

029-archetype-application.xml: fixed the displaying of the application classifications.

028-archetype-application-role.xml: fixed the plural label.

041-role-approver.xml: added manualProvisioningContext item to read authorization of the CaseType object in order to correctly display case details page.

010-value-policy.xml: improved localization

Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use ninja tool for this.

Be sure to apply the changes to initial objects 800-804 (object marks), as well as to your custom object marks to handle the membership in the expected way.

The contract for ModificationsSupplier in dynamic object modifications (repo API) was changed.

Projections with denied access no longer cause "preview changes" operation to fail.

Checking for conflicts for single-valued items was fixed (strengthened). In 4.8.3 and before, there were situations that two strong mappings produced different values for a given single-valued item, yet no error was produced. (If the item contained the same value that was produced by one of these mappings.) Such configurations are in principle unstable, so this kind of errors should be identified and fixed. Please see MID-9621 and this commit.

The default configuration for caching was changed. Currently, only the attributes defined in schemaHandling are cached by default. (Except for the situation when the caching is enabled by cachingOnly property in the read capability.)

When processing live sync changes that contain only the object identifiers, a more aggressive approach to fetching actual objects was adopted: We now always fetch the actual object, if possible. The reason is that the cached version may be incomplete or outdated.

The behavior of disableTimestamp and disableReason in the shadow activation container was changed. Before 4.9/4.8.1, these properties were updated only if there was an actual change in the administrative status from something to DISABLED. Since 4.9/4.8.1, both of these properties are updated even if the administrative status is already DISABLED: the disableReason is determined anew, and the disableTimestamp is updated if the status and/or the reason are modified. See MID-9220.

Automatic caching of association binding attributes (the "value" side, i.e. valueAttribute in the association definition) is no longer provided. It is recommended to mark them as secondary identifiers.

The filtering of associations was changed slightly. In particular, even if the required auxiliary object class is not present for the subject, the association values are still shown - if they exist on the resource. (They were hidden before.)

To address MID-9638 and MID-9670 (leaking data via searching objects by filters), the handling of items allowed for search operations was changed.

The effectiveMarkRef item now has value metadata to determine the values' origin. See commit 351d7e.

The mapping specification in provenance metadata now contains also object type name, association type name, and the shadow tag. See Mapping Maintenance Tasks, commit 0dd1c0, and commit 8557f5.

"<a:indexed/>" and "<a:indexOnly/>" annotations - when present but without any value - was interpreted as "false". This was now changed to a more intuitive interpretation (similar to a:object, a:container, etc), where annotation present but without value means "true". Also, "a:container" and other markers were interpreted as "true", even if the value was actually "false". This is now fixed as well.

Years-old ref-style schema annotations like <r:identifier ref="icfs:uid"/> are no longer supported. They are not used since midPoint 2.0. If you happen to use them in your manually configured resource XSD schemas, please replace them with the supported <r:identifier>icfs:uid</r:identifier> style.

Support for getting/setting objects embedded in references marked as a:objectReference directly, like LensElementContext.getObjectOld(). This feature was used only internally by midPoint.

The <xsd:documentation> element in resource schemas is now ignored. It was never used by ConnId connectors, but, in theory, it might be used for manually entered schemas.

Default target set for mappings emitting multivalue properties is based on provenance metadata, mapping can only remove values, it added.

Internal APIs were massively changed with regard to passing prismContext object between methods. This object has been statically available for quite a long time. Now it was definitely removed from methods' signatures.

Likewise, the internals of prism definitions were changed in 12808d. You should not be affected by this; however, if you use some of the unofficial/undocumented APIs, please check your code.