Developing Newton

MidPoint has reached the state of a sophisticated open-source identity provisioning system. It has gone through many releases, and its provisioning and synchronization capabilities have been gradually refined. MidPoint is currently the largest and most sophisticated open source identity provisioning system available on the market. It is as big as its two other competitors combined. And we have achieved this with a relatively small development team. This is what a combination of development skill, efficiency and a good architecture can do. Looking back at all those years I must say that what we have created is a real technological marvel.

Up until now midPoint was trying to match the features of commercial IDM systems. Don’t get me wrong: we have not blindly copied the features of other products. We have always done things with a twist: our roles are so advanced that they are in fact closer to ABAC than RBAC, the synchronization goes a lot beyond the norm and makes midPoint a self-healing system, and so on. MidPoint can do everything that a traditional provisioning system can do. But it does it better and in a more efficient way. But even that is not enough for us …

MidPoint version 2.3 starts a new era. This version delivers the last missing pieces to make midPoint provisioning capabilities complete. But it does even more. Much more. It goes beyond traditional identity management and it delivers functionality that has always been missing in IDM solutions.

MidPoint 2.3 brings management of groups, privileges, ACLs and other entitlements. These can be easily associated with accounts, take part in role definitions and so on. The emphasis is on the word “easily”: define it once, reuse it all the time. How can any IDM solution be complete without this? How could “the industry” live all these long years without this feature? And this is only a beginning. What makes this a real game-changer is the combination with other new midPoint features.

The real power of midPoint 2.3 is a feature that we call generic synchronization. This is a very simple yet incredibly powerful idea. But as with all simple and powerful ideas, it took a lot of effort to do properly. The story goes like this: From the very beginning midPoint was built to synchronize users and accounts. That’s what IDM was all about in the 2010s. We have spent an incredible amount of effort to do this well. But still quite early in midPoint development we figured out that there is nothing fundamentally different between synchronizing accounts and organizational units. Or groups, roles … or almost anything. So we have made gradual changes in midPoint to allow this kind of “genericality” into midPoint. It happened slowly over several midPoint releases and it is culminating in midPoint 2.3.

Oh, I can almost hear you: “This is no big deal, product XYZ has had this feature for years!” Yes, that’s technically correct. But the difference between “product XYZ” and midPoint is that midPoint really understands what it does. MidPoint knows that group “PX” is a projection of “Project X”, which is a midPoint organizational unit, and that all users who belong to this unit and also have an account on the same system that hosts the “PX” group should have that account added to this group. And all that is needed to make this work is just a handful of configuration lines.

This is the power of good abstractions and models in practice: combine simple mechanisms to get very powerful results. We have been working on this for years. And it all fits together in midPoint version 2.3. I guess that “Newton” is a more than suitable name for this version. It brings the power of theory and models into practice. It has a good potential to change the IDM world.
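To make the projection rule from the “Project X” / “PX” example concrete, here is a small added model of it in Python (constructed for this post, not midPoint’s own code or configuration). It treats the rule as a reconciliation: given the org unit’s members, the accounts that exist on each system, and the group’s current membership, it computes which accounts must be added to the group and which must be removed, which is how the “self-healing” property can be checked against drift. All names, systems and accounts below are constructed sample data.

```python
"""Toy model of the org-unit -> group projection rule.

Added illustration, not midPoint code: the data model and the rule
logic are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    user: str    # owning midPoint user
    system: str  # resource the account lives on
    uid: str     # account identifier on that resource


@dataclass
class Group:
    system: str          # resource the group lives on
    name: str
    projected_org: str   # org unit this group is a projection of
    members: set = field(default_factory=set)  # account uids


def reconcile_group(group, org_members, accounts):
    """Return (to_add, to_remove) for `group`.

    Desired membership = every account on group.system whose owner is a
    member of the projected org unit. Anything else in the group is drift
    (e.g. a manually added account) and is reported for removal.
    """
    desired = {a.uid for a in accounts
               if a.system == group.system and a.user in org_members}
    return sorted(desired - group.members), sorted(group.members - desired)


# Constructed sample data: "Project X" members, their accounts, and a
# "PX" group on the ldap system that has drifted from the desired state.
PROJECT_X_MEMBERS = {"alice", "bob"}
ACCOUNTS = [
    Account("alice", "ldap", "alice"),
    Account("bob", "ldap", "bob"),
    Account("bob", "ad", "bob"),        # different system, irrelevant to PX
    Account("carol", "ldap", "carol"),  # not in Project X
]
PX = Group("ldap", "PX", "Project X", members={"alice", "carol"})


def run_example():
    # Expected: bob is missing from PX, carol should not be there.
    return reconcile_group(PX, PROJECT_X_MEMBERS, ACCOUNTS)


if __name__ == "__main__":
    print(run_example())
```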
