
Evolveum midPoint

18 February 2020
TL;DR. Give me just a very short summary.

All that is gold does not glitter.

MidPoint is a pragmatic provisioning system. Today midPoint is a complete identity management system that matches or exceeds many commercial IDM offerings. It is a comprehensive provisioning solution with many unique features, and a truly universal system that can be deployed in almost any environment.

The fundamental principle of midPoint is efficient deployment of IDM solutions. Everything in midPoint is designed to support that goal. MidPoint supports many common-case scenarios directly in the product, with no need to re-develop the solution for each deployment. A deployment engineer therefore only needs to configure and customize the product and does not have to invest time in writing, testing and debugging code for features that are needed in almost every IDM deployment. In this respect midPoint is by far the most complete product of all the evaluated projects.

MidPoint has excellent support for role-based access control (RBAC). It supports very rich and flexible provisioning roles. Roles can be composed into a hierarchy, and they can be conditional and parametric. The RBAC system can easily be combined with the fine-grained authorization system and with workflows. Roles can be assigned for a limited time only, the same role can be assigned several times (with different parameters), an assignment can contain exceptions from the policy, etc. Roles can contain very flexible mappings. A unique feature of midPoint is that mappings are executed only when needed. This is a consequence of midPoint's relative change model, which is unique among all the evaluated systems: midPoint works with deltas (what has changed) rather than recomputing and re-pushing the full state of every account. The RBAC mechanism used in midPoint is a long way ahead of all the other evaluated systems and, as far as we know, it is also unique among commercial IDM systems.

Organizational structure support in midPoint is very flexible. Almost any kind of organizational structure can be modeled in midPoint: simple trees, trees with multiple membership, flat structures, matrix structures, etc. Strictly speaking, any directed acyclic graph can be used in midPoint. The organizational structure is also well integrated with RBAC, workflows and especially with the authorization mechanism.

MidPoint has an excellent fine-grained authorization mechanism. It can be used to control access to data at the attribute level. When it is combined with the organizational structure it creates an extremely powerful delegated administration mechanism: an authorization can be scoped to the org units the subject belongs to or manages, rather than to the whole deployment. This mechanism is also used to implement the partial multi-tenancy support in midPoint.
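The three preceding paragraphs (role hierarchy and mappings, organizational structure, org-scoped authorization) describe configuration rather than code. The following role definition is an added illustration written for this page, not an object from the evaluation or from the midPoint project. It follows the midPoint 3.x `common-3` schema as we understand it; the OIDs, the resource and attribute name `ri:title`, and the induced IT role are placeholders. The role (a) induces another role, forming a hierarchy, (b) carries an outbound mapping whose value is computed from the user's full name and which is conditional on the user not being disabled, and (c) grants the holder read access to three attributes of users, but only in org units where the holder holds the `org:manager` relation.

```xml
<!-- Constructed example role; OIDs and names are placeholders, not real objects. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="00000000-0000-0000-0000-000000001001">
    <name>Department Manager</name>

    <!-- (a) Role hierarchy: whatever the induced IT role grants is also granted
         to every holder of this business role. -->
    <inducement>
        <targetRef oid="00000000-0000-0000-0000-000000001002" type="RoleType"/>
    </inducement>

    <!-- (b) Mapping to an account attribute on a (placeholder) LDAP resource.
         The mapping has two sources; midPoint re-evaluates it only when one of
         them changes (relative change model). The condition uses the second
         source so that disabled users do not get the title pushed out. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000002001" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <ref>ri:title</ref>
                <outbound>
                    <strength>strong</strength>
                    <source>
                        <path>$user/fullName</path>
                    </source>
                    <source>
                        <path>$user/activation/effectiveStatus</path>
                    </source>
                    <expression>
                        <script>
                            <code>'Manager: ' + fullName</code>
                        </script>
                    </expression>
                    <condition>
                        <script>
                            <!-- effectiveStatus is the JAXB enum; value() is its XML form -->
                            <code>effectiveStatus?.value() != 'disabled'</code>
                        </script>
                    </condition>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- (c) Attribute-level authorization scoped by the org structure: the role
         holder may read only name, fullName and emailAddress, and only of users
         in org units where the holder has the org:manager relation. Anything not
         listed in <item> stays invisible; any user outside those units stays
         invisible as well. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
            </orgRelation>
        </object>
        <item>name</item>
        <item>fullName</item>
        <item>emailAddress</item>
    </authorization>
</role>
```

The practical check when writing such a role is to confirm the deny-by-default behaviour: log in as a user holding only this role and verify that users outside the managed org units do not appear at all and that attributes not listed in `<item>` are absent from the objects that do appear. A role that lists `<item>` elements but omits the `<object>` scope grants the same attributes across the whole deployment, which is usually not what a delegated administration design intends.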

MidPoint has a very good administration interface. It has a modern look and feel and it is reasonably easy to use. The team obviously pays attention to usability and ergonomics. The user interface is designed to be self-adjusting: it automatically adapts to schema changes, configuration changes, the security policy, etc. Therefore the user interface usually does not need to be customized. But it definitely is customizable; e.g. the look and feel can easily be changed using a very advanced templating system. The user interface is mostly feature-complete. However, midPoint is a very feature-rich system and it is understandable that GUI support for some recent features is not entirely smooth.

Similarly to most other systems, midPoint has an integrated workflow engine (Activiti). What is unique about midPoint workflow is that the workflow usually does not need to be customized. The usual approval workflow is available out of the box and can be activated simply by turning on the workflow engine and configuring the approvers. MidPoint logic automatically computes the approval schemes before handing the request to the workflow. Because midPoint does the most demanding computation as part of the product functionality, workflow development can be much easier, faster and cheaper. MidPoint also allows each part of a request to be approved individually. E.g. if only three out of five requested roles are approved, the process goes on and provisions the three approved roles. As far as we know no other evaluated system has this ability. The other systems have all-or-nothing mechanisms which stop the process completely even if some parts of the request are approved.

MidPoint uses the ConnId 1.4 provisioning framework, which is a continuation of the Sun Identity Connector Framework. MidPoint supports all connectors compatible with the ConnId framework, which means that midPoint can use connectors from three projects: ConnId, OpenICF (maintained by ForgeRock) and the Polygon project maintained by the Evolveum team. The midPoint team also contributes to both the ConnId and OpenICF projects. Evolveum provides support for all the available connectors from all three projects as long as they are used with midPoint. This gives midPoint the best connector support among all the evaluated products.

MidPoint 3.0 has introduced a new and very exciting feature: generic synchronization. MidPoint synchronization is not limited to users, accounts and groups. MidPoint can synchronize any kind of object with almost any other kind of object. This can be used to synchronize roles, groups, organizational units, projects, workgroups, ACLs, etc. Of all the evaluated systems only OpenIDM has this ability. The difference is that OpenIDM is too generic and does not understand how the objects relate to each other, whereas midPoint knows it very well. Therefore if midPoint creates a new group that represents a role, it can also easily and automatically add the appropriate members to the group. This is all available out of the box. No coding is required.

This goes very well with the overall goal of midPoint: reducing deployment cost. MidPoint provides a huge number of features out of the box. They only need to be turned on or configured. Most midPoint customizations are simple one-line scripts. MidPoint was designed from day one to work like this. E.g. it pre-computes workflow approvals, the GUI automatically adapts to schema changes, provisioning conflicts are automatically resolved, policies are reused (e.g. the same policy serves synchronization and reconciliation), etc. Simply speaking, midPoint does everything to support lean and cost-efficient identity management deployments.

Clean concepts

One very interesting aspect of midPoint is how it all fits together. Individual midPoint features play together to create very complex (but still flexible) configurations. E.g. roles contain authorizations. But as they are roles they can also be approved using a workflow, and this creates "entitlement lifecycle" support. Authorizations can refer to the organizational structure, which creates delegated administration. Roles are not limited to users; they can apply to any kind of business object. Therefore roles can also be applied to organizational units, and even to roles themselves, which creates support for meta-roles that are extremely useful in generic synchronization scenarios. Organizational units can also contain any kind of object, not just users. And because organizational units also behave as roles, this can be used to create a role typing mechanism (e.g. business roles, IT roles, ...). This can of course be part of the delegated administration, as authorizations are a natural part of roles and can be scoped to organizational units. And as all objects pass through a workflow, it is not difficult to implement a lifecycle for roles, meta-roles and other such advanced concepts. You see? All of this is created by several simple mechanisms that are carefully designed to work together and support each other.

It takes some time to adjust your thinking, to sweep all the non-systemic hacks used in other IDM systems out of your head and to start thinking in clean architectural concepts. But it is more than worth it. Once you pass the (not very big) entry barrier a completely new world opens. Everything is possible in this world. And even better: almost everything can be implemented quickly and cleanly.

MidPoint is truly unique. Some of the evaluated systems have features similar to midPoint's. E.g. Syncope has parametric user-role membership. OpenIDM has the ability to synchronize any object type. OpenIAM has flexible organizational structure support. But no other product has it all together in one system. Only midPoint does.

The midPoint development team is of medium size. The team is reasonably stable. Although the midPoint team is not the largest among all the evaluated projects, it is undoubtedly the most productive. The midPoint code base is several times bigger than any of the competing products. MidPoint development has so far been driven mostly by the core team. However, the midPoint project is open to contributions and some contributions have already found their way into the midPoint code base. MidPoint has an emerging user community. The community is supported by active mailing lists and a very rich wiki. Complete architectural documentation is also available, which perhaps makes midPoint the best documented system among all the evaluated systems.

When to use midPoint
  • Projects that require deployment efficiency and ROI.
  • Projects that require scalability (1M+ identities).
  • Projects that require good RBAC and organizational structure.
  • Projects that require integration using SOAP and REST.
  • Cloud-based deployments.

When not to use midPoint
  • Projects that require extreme customization.
  • Projects that require strong GRC features.

What Radovan has to say ...

The origins of midPoint were laid a long time ago. But they were not developed immediately. It was the Sun-Oracle acquisition that really made us do something real. We saw the acquisition as a disaster but in fact it was a new beginning. The ideas that make up midPoint were revived at that time. But it was a completely different matter to forge the ideas into reality. It took many years, numerous turns, turbulences, some dead ends, a huge amount of energy and effort, a bit of luck and an enormous dedication. But we have done it.

Now midPoint is undoubtedly a technological leader in its segment. And for me it has been a great honor and privilege to be part of this success. But it would not be possible without the great team that we have in Evolveum. And this is by no means an exaggeration. The team is really great! I have to thank each and every developer who contributed to midPoint. And I also have to thank every member of the midPoint community who helped by sharing their ideas and feedback. Thank you all! MidPoint would not be what it is now without you.