midPoint

midPoint is a tool that synchronizes several identity repositories, manages them and makes them available in unified form. It belongs to the user provisioning category of the enterprise identity management field. The basic features include:

  • User provisioning and deprovisioning
  • Identity synchronization
  • Identity management process automation
  • Management of identity-related parts of the enterprise security policy
  • Support for security auditing and reporting

The development of midPoint is not governed by the technology, but rather by a set of principles. These principles reflect our solution to the business needs in the identity management field. The technological implementation adapts to the real needs of IDM deployments. We know that any technology has its limits, and we go only as far as the solution is efficiently applicable and practically usable. We are looking for a solution to existing problems, not for a problem that would fit an existing solution. The following principles govern the development of midPoint:

Open system: midPoint is open in all aspects. It is developed completely in the public. The source code is publicly available (including the most recent development version) under the OSI-approved CDDL open-source license. The design is openly discussed with the community. The development team is open to contributions from the public. Only open protocols and platforms are used. System interfaces are well documented and open for reuse. But, most importantly, midPoint is open for use by anyone and for any purpose at no charge (as long as the use complies with the CDDL).

Efficient common case: midPoint supports common provisioning scenarios as efficiently as possible. For example, setting up a simple directory-to-directory replication should be a matter of minutes or hours. Most data transformations can be implemented using one-line expressions. Connecting a new system with all the common provisioning features should be a matter of a few clicks. The user interface adapts dynamically to the situation, so it automatically provides an auto-generated form for the end system. Common scenarios require just configuration and simple expressions, not coding. This approach allows an engineer to focus on the specifics of a deployment instead of re-doing the same thing again and again for each deployment.

Extensible as needed: Less common scenarios can be supported by extending the system with code. This may be Java code, executing a process, calling external web services and so on. This is necessary to satisfy some customer requirements, but such extensions may be quite difficult to develop and maintain. We do not force engineers into a single programming language. Java is a natural choice and is naturally supported, but there are plans for Groovy, BPEL or any other practical language that engineers need.

Data unification: The most significant obstacle in enterprise identity management is integration. Each system has its own variant of the identity data model, its own flavor of operations on identities, its own security model, data types, etc. midPoint tries to reduce the integration overhead by providing and evolving a common data model for enterprise identity: a model that can be used as a lingua franca to easily communicate common identity data across systems. Customizations and exceptions are still possible - and usually even necessary. But the overall integration process is much easier.

Focus on Identity Management: The time when a provisioning system had to come bundled with a kitchen sink and a lawn mower is coming to an end. It makes little sense for a customer to maintain one business process management suite for identity management, yet another for document lifecycle management, yet another for support processes, etc. A similar situation exists in the domains of issue tracking, auditing, data warehousing, reporting, and so on. The focus of midPoint is identity management technology: the technical problems of provisioning and identity data synchronization. We are aware that the business side of IDM is as important as the technical side. We just expect that the business side will be managed by the generic business systems - a place where business tasks can be handled efficiently.

Business first: It is the same in all enterprises, small or huge: an identity management solution must not interrupt usual business. While some inconveniences cannot be avoided, the overall impact on the normal operation of the organization during an IDM deployment must be very low. Therefore midPoint is designed with the final deployment in mind. The deployment is expected to happen in phases, in small steps, where each step has to provide value. We understand the Pareto 80-20 principle: each step of an IDM deployment should provide 80% of the value with 20% of the effort, and steps are executed as long as they remain efficient. The first step is usually a short analysis and the deployment of IDM as an admin tool. That speeds up processes, allows for easier auditing and provides data to plan further steps. midPoint is well suited for this purpose, as well as for the next steps in the IDM project.