How to override administrative status

In my previous post, I wrote how to override full name if you don’t have actual data from HR in all cases. We can have a similar problem with a special property like Administrative status (user is enabled/disabled/archived). In most cases you already have done the mapping from HR. If the employee is active (or Read more about How to override administrative status[…]

Evolveum - How to override full name

How to override full name

You know, at the beginning every IDM project is clear and ideal. Everything seems to work well in the test environment, but as time goes by, the deadline is close and your customer finds more and more special cases. These cases have to be part of the solution “somehow” and “quickly” and of course they are found Read more about How to override full name[…]

Real life story of SCIMv1 and ConnId, Part 2

When our interconnection of various services by using midPoint, SCIMv1 protocol and Connid framework was ready, we proceeded to testing. While looking around for services supporting the SCIM protocol we stumbled upon two quite popular ones. Salesforce and Slack which both support the SCIM 1.1 specification but both on their own way with a couple of Read more about Real life story of SCIMv1 and ConnId, Part 2[…]

Real life story of SCIMv1 and ConnId, Part 1

When implementing a connector for the Midpoint identity management solution, there is a potential to interconnect a broad spectrum of services. Using the System for Cross-domain Identity Management (SCIM) protocol seems as a road to take. We are also working with the connId framework. It provides a means for building identity connectors in a more Read more about Real life story of SCIMv1 and ConnId, Part 1[…]

Simplifying LDAP Group Management Using MidPoint: Part II – Posix Groups

Unix/Linux servers can be configured to authenticate and authorize against LDAP server, by using LDAP accounts and groups. With some Identity Management solutions you can put users to these groups, but you need to manage the groups by the native LDAP tools. This is not the case with midPoint! MidPoint allows you to create not only LDAP accounts, but also the groups so it can become the ultimate tool for IT administrators or even for users with limited IT skills, really simplifying the LDAP group management. […]

Sun IDM Migration Architecture

Sun Identity Manager a.k.a. Oracle Waveset is a software product at the end of its lifecycle. Yet many organizations still operate Sun IDM solution because they haven’t found any reasonable migration path. But now there is a migration path that leads to the most comprehensive open source IDM solution: Evolveum midPoint. In the previous two posts I have described the obstacles and motivation of Sun IDM migration. It is quite clear that major migration obstacles are the cost and the risk. However, we have successfully addressed both of these obstacles. The cost is addressed by the unprecedented deployment efficiency of Evolveum midPoint. Yet it is the risk that is usually the worst issue for any migration of any software system. But due to the flexibility of Evolveum midPoint we have managed to keep migration risk at a very acceptable level. And this post describes the details of our solution. […]

Simplifying LDAP Group Management Using MidPoint

Many applications connected to LDAP use LDAP groups for authorization. With some Identity Management solutions you can put users to these groups, but you need to manage the groups by the native LDAP tools. This is not the case with midPoint! MidPoint allows you to create not only LDAP accounts, but also the groups so it can become the ultimate tool for IT administrators or even for users with limited IT skills, really simplifying the LDAP group management. […]

From Waveset to midPoint, Part 2

Sun Identity Manager is a king that has fallen. It is now called Oracle Waveset and it is as good as dead. Yet there are still many Sun IDM installations that hesitate with the migration. One of the major concern is the cost of the migration project. But as I have written in the first Read more about From Waveset to midPoint, Part 2[…]

Query playground

At many places in midPoint we can (and sometimes have to) specify queries in order to find one or more objects in the system. We do this e.g. when we want to restrict objects (like users, roles, resources or services) shown on the screen, when selecting objects that are to be included within a report, when specifying objects that are to be processed by a background task, when account owner is to be determined, or when assignment target is to be found. All of this is done via midPoint query language – abstract XML-based language that is designed to specify constraints on objects, and optionally paging and sorting instructions. This language is very powerful. The negative side of that power is complexity: it is quite hard to write (correct) queries by hand. Because of this, we’ve recently added a simple, yet helpful feature to midPoint: query playground.

[…]

From Waveset to midPoint, Part 1

Back in 2000s the Sun Identity Manager was the king. It was the best IDM product pursuant to Gartner. It had a good market share. And according to my experience it was actually the only practical IDM system on the market. Sun Identity Manager is now dead. It died in 2010 when Sun Microsystems was acquired by Oracle. Sun IDM was renamed to Oracle Waveset and the development of the product has been immediately stopped. But Sun IDM is a tough one. Even though it was killed 6 years ago it still survives in a creepy half-life form to this day. Oracle obviously tried to migrate all the Sun IDM installations to Oracle Identity Manager. But many customers refused to migrate. We can only speculate about the reasons, although anyone that had any hands-on experience with Oracle IDM will certainly have an opinion about that. Anyway, the future was not entirely bright for those who still maintain Sun IDM installation. But now there is a new hope. […]