chap-whats-new.xml revision 7b85693a3ced68e4f3697280b999a5a710b7a17d
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2014 ForgeRock AS
!
-->
<chapter xml:id='chap-whats-new'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook
xmlns:xlink='http://www.w3.org/1999/xlink'>
<title>What's New in OpenIDM ${docTargetVersion}</title>
<para>
OpenIDM ${docTargetVersion} provides many new features and product
enhancements. The following list describes the main new features affecting an
end user.
</para>
<variablelist>
<varlistentry>
<term>Role-based Provisioning</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} provides the ability to create and
manage roles that can be assigned to users. Roles provides an abstraction
layer in the way entitlements and attributes are set on target resources.
The roles functionality makes the assignment and removal of entitlements
and resources more consistent and easier to manage.
</para>
<para>
assignment of roles to user objects, implicitly, via business logic, or
explicitly, over the REST interface.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>High Availability Support</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} supports cluster configuration and high
availability "out of the box".
</para>
<para>
Specific nodes can be configured to deal only with certain types of tasks,
for example, reconciliations. Nodes can also be configured to share load
and to act as a backup in the event of another node becoming unavailable.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#chap-cluster"
OpenIDM to Work in a Cluster</citetitle></link> in the
<citetitle>Integrator's Guide</citetitle>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Scripting Enhancements</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} supports product-wide scripting in
Groovy.
</para>
<para>
Previous releases supported only JavaScript, with the exception of
Workflow definitions and certain generic scripted connectors. With
product-wide Groovy scripting, the language can now be used throughout
to define business logic and customizations.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Commons REST</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} implements the ForgeRock Commons REST
API. This RESTful API is unique to ForgeRock and includes a set of
easy-to-remember REST calls: create, read, update, delete, patch, action,
and query (CRUDPAQ). For more information, see <link
xlink:show="new" xlink:href="release-notes#major-changes"
To Existing Functionality</citetitle></link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>New OpenICF 1.4.0.0 Connectors</term>
<listitem>
<para>
OpenICF connectors support interfaces between OpenIDM and a variety of
external databases. For more information, see <link xlink:show="new"
xlink:href="release-notes#major-changes"
To Existing Functionality</citetitle></link>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PowerShell Capabilities</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} supports PowerShell scripts.
</para>
<para>
The PowerShell connector is a generic scripted connector to address the
Microsoft Windows ecosystem. You can use this connector to provision any
Microsoft system, including, but not limited to, Active Directory, MS
SQL, MS Exchange, Sharepoint, Office365, and Azure. Essentially, any task
that can be performed with PowerShell can be executed through this
connector.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Synchronization Delivery Guarantees</term>
<listitem>
<para>
OpenIDM ${docTargetVersion} provides a new <literal>onSync</literal>
hook that enables clients to assess whether an overall synchronization
operation was successful on all remote systems, with the ability to roll
back synchronized changes in the event of one or more remote systems being
unavailable.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#sync-types-automatic"
Automatic Sync works with onSync </citetitle></link> in the
<citetitle>Integrator's Guide</citetitle>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>User Interface Improvements</term>
<listitem>
<itemizedlist>
<listitem>
<para>
Expanded folder structure
</para>
<para>
Previously, the static files making up the UI were packaged into a jar,
which made customization of the UI difficult. In this version, UI files
are expanded into the directory
be edited in this location. Changes made to files in this directory will
take effect after a browser refresh.
</para>
</listitem>
<listitem>
<para>
Project-specific UI customization
</para>
<para>
A new mechanism in the servlet that hosts the UI searches for
installation-specific overrides for many of the default UI files.
Customized files can be placed in the corresponding location in the
the files placed here have the same name as the default UI files, the
UI displays the customized files instead of the defaults. This facility
allows you to customize the UI without having to make changes to any
default files, which in turn makes upgrading easier.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#ui-customizing"
the UI Theme</citetitle></link> in the <citetitle>Integrator's
Guide</citetitle>.
</para>
</listitem>
<listitem>
<para>
Configuration-based customization
</para>
<para>
A new UI theme configuration file
detailed color values, background image paths, and a number of other
common styling options. Because the UI theme configuration file is part
of the configuration store, it is shared by all nodes in a cluster.
Changes made to this file do therefore not have to be replicated
manually across nodes.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#ui-customizing"
the UI Theme</citetitle></link> in the <citetitle>Integrator's
Guide</citetitle>.
</para>
</listitem>
<listitem>
<para>
Sample OpenIDM configurations that work with the UI
</para>
<para>
All the documented sample configurations now work with the UI. For more
information, see <link xlink:show="new"
xlink:href="install-guide/#chap-samples"
Samples</citetitle></link> in the <citetitle>Installation Guide</citetitle>.
</para>
</listitem>
<listitem>
<para>
Pass-Through Authentication
</para>
<para>
In previous OpenIDM releases, the only way in which an end user could
log into the UI for self-service requests was when a password had been
situation presented problems for organizations in which user records
originated in an external resource (such as an LDAP directory). In this
case, OpenIDM would generally be unable to read the clear text password
from the system resource (because such passwords are usually stored in
encrypted form).
</para>
<para>
OpenIDM ${docTargetVersion} supports delegated authentication
to most external data sources. This means that users are able to log
into the UI based on, for example, their LDAP credentials. After they
have logged in, they are able to perform the full range of
end-user-oriented tasks.
</para>
<para>
The <literal>DELEGATED</literal> module can now authenticate against
multiple targets, using either a named <literal>queryId</literal> or an
<literal>authenticate</literal> action, as appropriate. These targets
are described by the <literal>queryOnResource</literal> property.
</para>
<para>
Furthermore, to describe the authentication target, you may see
<literal>MANAGED_USER</literal>, <literal>INTERNAL_USER</literal>, or
<literal>PASSTHROUGH</literal> used as aliases for
<literal>DELEGATED</literal>.
</para>
<para>
If <literal>queryId</literal> is not defined, the
<literal>DelegatedAuthModule</literal> proceeds with an authentication
action, requiring username and password parameters.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#passthrough-auth"
Delegated Authentication</citetitle></link> in the
<citetitle>Integrator's Guide</citetitle>.
</para>
</listitem>
<listitem>
<para>
JWT Sessions
</para>
<para>
In previous releases, user sessions existed in the memory of the
OpenIDM server that performed the initial authentication. This was
acceptable in single-node environments, but in a clustered environment,
this meant that the user had to remain on the node they first
encountered. The solution provided no high-availability or failover.
</para>
<para>
In OpenIDM ${docTargetVersion}, user sessions are created as
encrypted Java Web Token (JWT) cookies. All the details of the user are
stored on the client, rather than on the server. Requests can therefore
be sent to any node in a cluster, enabling high-availability and
failover server configurations.
</para>
</listitem>
<listitem>
<para>
</para>
<para>
OpenIDM ${docTargetVersion} supports server-side paging, searching
with little noticeable performance degradation, assuming correct database
tuning.
</para>
</listitem>
<listitem>
<para>
External website integration
</para>
<para>
In previous releases, it was particularly complex to use any of the
end-user oriented REST endpoints provided by OpenIDM from another
website within the organization.
</para>
<para>
OpenIDM ${docTargetVersion} supports Cross Origin Resource
Sharing (CORS), which allows a "white list" of domains to make REST
calls to OpenIDM directly from within their own webpage context.
Authenticated users are now able to interact with OpenIDM services
(workflows, profile management, custom endpoints, and so forth) from
within their existing applications.
</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>Workflow improvements</term>
<listitem>
<itemizedlist>
<listitem>
<para>
External Activiti workflow templates
</para>
<para>
In previous OpenIDM releases, if you needed to define a custom template
for a workflow, you had to embed the HTML template within the workflow
definition. This was often cumbersome and difficult to maintain.
</para>
<para>
In this release, you can define an external HTML template and refer to
that template from within the workflow definition.
</para>
<para>
For more information, see <link xlink:show="new"
xlink:href="integrators-guide#activiti-custom-templates"
Templates for Activiti Workflows</citetitle></link> in the
<citetitle>Integrator's Guide</citetitle>.
</para>
</listitem>
<listitem>
<para>
Documented workflow use cases
</para>
<para>
OpenIDM ${docTargetVersion} provides a number of sample workflows,
that demonstrate typical use cases for OpenIDM. Each of these sample
workflows is integrated with the default UI. For more information see
<link xlink:show="new" xlink:href="integrators-guide#workflow-use-cases"
Cases</citetitle></link> in the <citetitle>Integrator's Guide</citetitle>.
</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
<para>
For installation instructions and several samples to familiarize you with the
OpenIDM features, see the <link xlink:href="install-guide#chap-install"
Guide</citetitle></link>.
</para>
<para>
For an architectural overview and high-level presentation of OpenIDM, see the
<link xlink:href="integrators-guide#chap-overview"
Overview</citetitle></link> chapter in the <citetitle>Integrator's
Guide</citetitle>.
</para>
</chapter>