| layout | release |
|---|---|
| release-version | 4.11 |
| visibility | hidden |
Release 4.11 is a seventy-second midPoint release, code-named Braille. The 4.11 release brings accessibility improvements, compliance features as well as many incremental improvements and bugfixes.
Louis Braille (1809-1852) was a French educator. He invented a reading and writing system named after him, intended for use by visually impaired people. Braille invented the system at an early age, and dedicated most of his life to improve his system. The system invented by Braille opened up the world of knowledge and learning to the visually impaired people.
Similarly to Braille's system, midPoint 4.10 brings major improvements in accessibility. Self-service part of midPoint user interface was meticulously reviewed and improved to correctly support tools used by the visually impaired people. Moreover, midPoint 4.10 brings many incremental improvements and new features in various areas, reminiscent of Braille's relentless improvements of his system through his life. Overall, midPoint 4.10 opens up the world of identity management and governance to everybody.
{% endcapture %} {% include release-dedication.html content=dedicationContent %}-
xrefv:/midpoint/reference/master/expressions/expressions/script/mel/[MidPoint expression language]: secure expression language for use in mappings and customization.
-
bug:MID-10965[] Fast correlators simulation.
TODO
-
Added support for Slovenian (sl), Latvian (lv) language.
-
Multiple libraries updated, including spring boot.
-
Many improvements in accessibility of the self-service, approval process and identity recovery user interface (WCAG 2.2 compliance).
-
bug:MID-10997[] Added support for additional footer.
-
bug:MID-11036[] Implemented export to XLSX.
-
bug:MID-10918[] Improved audit record for skipped approval stage.
-
Fixed unassignment with relation specification from Governance members. See bug:MID-10955[].
-
Fixed object types configuration usage on the members panel. See bug:MID-10896[].
-
Fixed Comment column behavior on the certification work items panel. See bug:MID-10912[].
-
Fixed session storage for Task Errors panel. See bug:MID-10975[].
-
Fixed expression filter usage for configured search items. See bug:MID-10977[].
-
Fixed 'Duplicate' action for certification definition. See bug:MID-10456[].
-
Fixed exporting of the 'Display name' columns on the certification items page. See bug:MID-10873[].
-
Fixed required comment validation while approving certification item. See bug:MID-10974[].
-
Fixed translation of the left menu items for collection views. See bug:MID-10998[].
-
Fixed polystring translation. From now, orig value of the polystring is never translated. See bug:MID-10996[].
-
Fixed attempt to modify immutable definition. See bug:MID-11001[].
-
Fixed schema type object updates and prism context schema registry reload. See bug:MID-10983[].
-
Fixed ConcurrentModificationException in RelationUtil. See bug:MID-10940[]
-
Fixed the execution of the 'Delete all closed tasks' action. See bug:MID-11069[]
-
Fixed the usage of the multiple ProtectedStringType fields in the same panel. See bug:MID-11072[]
-
Fixed misleading information in audit log during password reset. See bug:MID-11077[]
-
Fixed authentication exception handling while user login. See bug:MID-10953[]
-
Fixed progress bar colors in the Certification items dashboard panel. See bug:MID-10930[]
-
Extended the list of the searchable items for UserType. See bug:MID-11012[]
-
Fixed report data type name and exported file name to be unique. See bug:MID-10978[]
-
Fixed the mapping for stage deadline column in certification cases table. See bug:MID-11023[]
-
Fixed the path traversal vulnerability in the report import. See bug:MID-11014[]
-
Fixed certification case stage outcome information. See bug:MID-11026[]
-
Fixed admin gui configuration merging. See bug:MID-11045[]
-
Fixed correlation work item panel. See bug:MID-10993[]
-
Fixed NPE in general notifier. See bug:MID-11038[]
-
Fixed page storage for dashboard widget collection. See bug:MID-11055[]
TODO UDPATE
-
New version (1.5.2.0) of DatabaseTable Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
New version (2.8) of CSV Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
Fixed NPE with multivalue attributes when delimiter is not defined. (bug:MID-8609[]).
-
Fix UTF-8 BOM character in csv file during of discovery functions. (bug:MID-9497[] and bug:MID-9498[]).
-
-
New version (3.8) of AD/LDAP Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
Native association support.
-
Possibility to choose attributes that should not be returned by default.
-
Possibility to choose to encode string values in case of the presence of non standard ASCII characters.
-
Workaround for open-ldap mandatory member attribute.
-
Possibility to specify used auxiliary object classes in connector configuration.
-
Allow to send the LDAP_DIRSYNC_OBJECT_SECURITY flag in Active Directory sync request control.
-
Following list provides summary of limitation of this midPoint release.
-
Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.
-
MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.
-
MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
-
MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
-
There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes xrefv:/midpoint/reference/support-4.9/interfaces/midpoint-client-java/[Java client library], various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.
-
MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.
This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.
MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:
-
Linux (x86_64)
-
Windows Server (2022)
We are positive that midPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) scripts, low-level administration and migration tools, backup and recovery support and so on. Please see [/midpoint/install/bare-installation/platform-support/] for details.
Note that production deployments in Windows environments are supported only for LTS releases.
Following Java platform versions are supported:
-
Java 21. This is a recommended platform.
-
Java 17.
OpenJDK 21 is the recommended Java platform to run midPoint.
Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds.
MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.
PostgreSQL is the only supported database for midPoint deployments since 4.10.
Although in previous versions of midPoint other databases were supported using object-relational mapping abstraction (Hibernate), it is no longer the case now. xrefv:/midpoint/reference/support-4.9/repository/native-postgresql/[Native PostgreSQL repository implementation] was developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability. It is currently the only option.
Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). We make no commitments for future support of any other database engines. See xrefv:/midpoint/reference/support-4.9/repository/repository-database-support/[] page for the details.
Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.
Following database engines are supported:
-
PostgreSQL 17, 16, 15, 14
PostgreSQL 17 is recommended.
-
Firefox
-
Safari
-
Chrome
-
Edge
-
Opera
Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.
| Component | Version | Description |
|---|---|---|
Tomcat |
10.1.48 |
Web container |
ConnId |
1.6.0.0 |
ConnId Connector Framework |
3.9.2 |
LDAP and Active Directory |
|
2.9 |
Connector for CSV files |
|
1.5.3.0 |
Connector for simple database tables |
MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.
This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.
Please refer to the xrefv:/midpoint/reference/support-4.9/upgrade/upgrade-guide/[] for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.11.
MidPoint 4.11 data model is backwards compatible with previous midPoint version. Please follow our xrefv:/midpoint/reference/support-4.9/upgrade/upgrade-guide/[Upgrade guide] carefully.
|
Important
|
Be sure to be on the latest maintenance version for 4.9, otherwise you will not be warned about all the necessary schema changes and other possible incompatibilities. |
Note that:
-
There are database schema changes (see xrefv:/midpoint/reference/support-4.9/upgrade/database-schema-upgrade/[Database schema upgrade]).
-
Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.
-
See also the Actions required information below.
Upgrade from midPoint versions other than 4.9.x to midPoint 4.11 is not supported directly. Please upgrade to 4.9.5 first.
|
Note
|
This section is relevant to the majority of midPoint deployments. It refers to the most significant functionality removals and changes in this version. |
-
The PolyStringType.orig value is no longer treated as a translation key. Previously, due to the old PolyStringType structure, there were situations where the orig value of a polystring was interpreted as a translation key. For example, this occurred when a polystring was defined within a DisplayType object as a label for an object collection view. In such cases, if no explicit translation key was provided, midPoint attempted to translate the orig value. Starting from 4.11 version, the orig value will never be translated. Please ensure that all PolyStringType values in your environment are defined correctly. If localization is required, explicitly define translation keys or language-specific values within the polystring.
|
Note
|
This section is relevant to the majority of midPoint deployments. |
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g., the role Superuser and the user administrator).
These objects may change in some midPoint releases.
However, midPoint is conservative and avoids overwriting customized configuration objects.
Therefore, midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
The following list contains a description of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions.
Actions required: Please review the changes and apply them appropriately to your configuration. Ninja can help with updating existing initial objects during upgrade procedure using initial-objects command.
For more information see xrefv:/midpoint/reference/support-4.10/deployment/ninja/use-case/upgrade-with-ninja/#_initial_objects[here].
Please review source code history for detailed list of changes.
|
Tip
|
Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades.
On-line version can be found in midPoint source code.
|
|
Note
|
This section is relevant to the majority of midPoint deployments.
It describes what data items were marked as deprecated, or removed altogether from the schema.
You should at least scan through it - or use the ninja tool to check the deprecations for you.
|
Type |
Item or value |
Note |
|
|
Configure actions in the cert. items collection view instead. |
|
|
Use |
|
|
Use association types (in schemaHandling) instead. |
|
|
Use "marking" instead. |
|
|
Legacy associations of this shadow. Not used anymore. |
|
|
Use |
The synchronize/membership container was added to the object operation policy object, present in xrefv:/midpoint/reference/support-4.9/concepts/mark/[object marks] (like the Protected one).
It controls the handling of the membership of entitlements possessing given object mark.
Actions required:
-
Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use
ninjatool for this. -
Be sure to apply the changes to initial objects 800-804 (object marks), as well as to your custom object marks to handle the membership in the expected way.
-
The contract for
ModificationsSupplierin dynamic object modifications (repo API) was changed.The original approach was that the caller, i.e., repository, cloned the existing object before handling it to the callback (modifications supplier). Now, the implementor of the callback is responsible for not modifying the provided object in any way.
-
Projections with denied access no longer cause "preview changes" operation to fail.
If a user has no authorization to see particular projection (shadow), the "preview changes" operation used to finish with "Access denied" fatal error even if there were parts of the result visible to the user. This is now changed (fixed): only the relevant projections are hidden now. All the remaining data are displayed to the user. See also bug:MID-10397[].
-
Expression profile changes:
-
Script expression evaluator was removed from
safeexpression profile, as it is not considered to be safe. -
Two new expression profiles were added:
permissive(allowing all expressions) andprohibitive(allowing no expressions). -
Permission profile
script-safewas renamed toscript-limited, as the existing mechanism for script permission checks is not considered to provide complete safety and security. This profile is not considered to provide strict security, therefore the name was changed to avoid mis-interpretation. Corresponding description was added to the profile. -
See Expression Security page for a description of recommended use of expression profiles.
-