It all started during snack time. One child complained that story time was always rushed. Another pointed out that arts and crafts often got cut short because the teachers were busy preparing schedules, tracking attendance, and managing supplies. After an intense session of drawing, excited jabber, and passing notes under the table, they came up with a bold plan: a formal complaint to the teachers.

Their reasoning was surprisingly logical: if teachers were overwhelmed by manual processes, maybe there was another way to deal with them. And what better solution was there than midPoint, the EU-made and owned open-source platform that grown-ups use to organize hundreds of systems efficiently? According to the kids’ paper-detailed presentation, full of watercolor deployment schemas, adopting midPoint – and summoning its fairy unicorn AI helper, midPilot – would free up teachers’ time for what truly matters: playing, learning, and listening to the children.

The challenges they faced weren’t just small inconveniences – they were a fearsome multi-headed dragon of tasks: one head for schedules, one for attendance, one for supplies, and even one that consumed story time itself. With its magical AI powers, midPilot could swiftly connect all the classroom systems to midPoint – the central castle of the magical kingdom that managed all the teachers – organizing schedules, tracking supplies, and even whispering reminders about who needed extra attention that day. Together, midPoint and midPilot promised to slay the dragon, banish tedious tasks, and restore order to the kingdom, leaving teachers free to focus on the children and ensuring that no story time would ever be cut short again.

With the dragon under control, the teachers were free to focus on the children, giving every story time, craft project, and snack their full attention. The unicorn and the castle worked together like magic: repetitive tasks vanished, new apps got onboarded in a wave of a magic wand, and the kingdom ran smoothly. By the end of the week, the teachers had received a colorful stack of drawings, charts, and flow diagrams – proof that the kids were serious. Even preschoolers had figured it out: when the multi-headed dragon of manual tasks are defeated, there’s more time for what truly matters – learning, playing, and paying attention to each other. MidPoint and midPilot had shown the kingdom that efficiency isn’t just for grown-ups; even the smallest users understand its magic.

Happy April 1st!

The post Never Too Young For OSS IGA: MidPoint and MidPilot Saving the Preschoolers’ Day appeared first on Evolveum | Open Source Identity Management & Governance.

For CISOs, CIOs, and identity leaders, IAM conferences offer one of the best opportunities to stay current on emerging technologies, regulatory changes, and best practices in identity and access management.

Here are five identity security events worth adding to your 2026 calendar.

1. Gartner Identity & Access Management Summit

Best for: C-suite and IAM program leaders who want to benchmark strategy, validate roadmaps, evaluate IAM investments, and get direct access to Gartner analysts.
Location: London, UK (EMEA) | Las Vegas, Nevada (US)
Date: London: March 9–10, 2026 | Las Vegas: December 7–9, 2026

Gartner IAM Summit is often considered one of the most influential identity leadership events for CISOs and CIOs responsible for enterprise IAM strategy. The 2026 theme, Identity at the Core, reflects the growing recognition that IAM is no longer a standalone security function. Instead, it underpins business resilience, Zero Trust initiatives, AI adoption, and digital transformation. Sessions are grounded in Gartner’s primary research, drawing on thousands of conversations with security leaders worldwide. The event draws more than 1,500 peers and 20+ Gartner analysts, and offers 50 solution provider sessions.

Sessions typically cover:

• IAM program maturity models
• Identity governance and administration
• Privileged access management
• Identity-first Zero Trust strategies
• Agentic AI and Emerging Technologies

Why CISOs attend: Gartner’s website states that attendees can book one-on-one sessions directly with analysts to review their specific IAM roadmap. The program is built from primary research and is strong on strategy validation and vendor shortlisting.

2. European Identity and Cloud Conference (EIC)

Best for: Enterprise identity leaders and architects who want an analyst-driven view of where identity security is heading globally, with a strong European regulatory lens.
Location: Berlin, Germany
Dates: May 19–22, 2026

Organized by KuppingerCole Analysts, EIC brings together analysts, CISOs, IAM architects, and identity vendors to explore the future of digital identity. The 2026 theme, Pioneering Digital Identity Ecosystems, focuses on how identity security must adapt as AI automation accelerates and non-human identities expand the attack surface. Key topics include:

• AI supply chain risk and machine identity governance
• Modern IGA for cloud-first environments
• Cross-border trust frameworks
• Decentralized identity and digital identity wallets
• Privacy-by-design for digital identity

The conference typically attracts more than 1,000 identity professionals and features 200+ sessions across identity, security, privacy, and governance.

Why to attend: EIC gives identity and security leaders a structured, research-backed view of where the market is heading, which is valuable for long-term strategy, regulatory planning, and understanding how peers across Europe are approaching identity transformation.

Watch Evolveum’s Head of Engineering Slavek Licehammer’s talk at the EIC 2025 on how to govern non-human identities.

3. The 2nd Annual MidPoint Community Meetup

Best for: Identity leaders, system engineers, and architects who use or are evaluating IGA – with practical midPoint deployment examples, direct access to the product team, and a strong focus on European regulations and digital sovereignty.
Location: Prague, Czech Republic
Dates: May 12–15, 2026

The MidPoint Community Meetup is an annual event hosted by Evolveum, the team behind the open source identity governance and administration platform midPoint. The 2nd Annual MidPoint Community Meetup brings together IGA newcomers, midPoint users, integrators, and Evolveum product and solution engineering teams for a focused, hands-on 3.5 day program. The 2026 focus areas include:

• Practical IGA implementation and real-world deployment examples from companies like the European Commission and Trench Group
• AI-powered identity governance in a safe, human-centered way
• The midPoint product roadmap and features under development
• Identity lifecycle automation and IGA best practices
• Compliance and policy modeling in open source environments

The event is intentionally intimate, designed for hands-on workshops and “bring your own problem” sessions, drawing over 200 peers across a 3.5-day format.

Why to attend: For teams running midPoint or evaluating open source IGA, the 2nd Annual MidPoint Community Meetup offers a level of direct product access and community depth that no large conference can replicate. Content is shaped by the community, not analysts or sponsors.

A tour of the historic center of Bratislava during the MidPoint Community Meetup 2025.

4. Identiverse

Best for: Identity professionals across all roles – developers, architects, and security leaders who want practitioner-level depth across the full IAM spectrum.
Location: Mandalay Bay, Las Vegas, Nevada
Dates: June 15–18, 2026

Identiverse is the largest event dedicated entirely to digital identity, convening over 3,000 security professionals. The 2026 program is built around four defined content pillars: AI identity, continuous identity, passkeys & wallets, and non-human & agentic AI identity. Key topics include:

• Passwordless authentication, passkeys, and digital wallets
• Identity protocols and emerging standards (OAuth, OpenID Connect, FIDO, CAEP, OpenID AuthZEN)
• Non-human identity and agentic AI access management
• Identity orchestration and continuous authentication
• Identity threat detection and response (ITDR)

The agenda is curated by an independent content committee and offers up to 20 CPE credits.

Why to attend: Identiverse goes deeper on identity protocols and engineering than most IAM events, making it a go-to conference for identity engineers and architects.

5. Identity Week

Best for: Security leaders working at the intersection of enterprise IAM and physical identity in regulated industries or government-adjacent sectors.
Locations: RAI Amsterdam, Netherlands | Washington, D.C.
Dates: June 9–10, 2026 (Amsterdam) | September 2–3, 2026 (D.C.)

Identity Week sits at the intersection of digital identity, physical identity, and biometrics. The 2026 theme, Identity 2030: Building Trust Across Borders, Platforms, and People, focuses on trust across jurisdictions and industries. Key topics include:

• Synthetic identity fraud and AI-generated impersonation
• Continuous behavioral authentication
• Mobile driver’s licenses (mDLs) and digital travel credentials (DTCs)
• EES and ETIAS interoperability for EU border management
• Convergence of physical and digital document security

Identity Week is the largest event on this list, attracting 4,000+ attendees. The Americas edition is introducing new programming on cross-sector financial crime and fraud for 2026.

Why to attend: For security leaders whose identity strategy touches identity verification, biometrics, or regulated digital credentials.

Final thoughts

Identity security is rapidly becoming the primary control plane of modern cybersecurity. With the rise of machine identities, AI-driven attacks, and identity-based threats, IAM is a strategic priority for CISOs and CIOs alike. Attending conferences is one way to quickly get up to speed with the latest trends and stay ahead of the technologies shaping the future of identity security.

The post Top 5 IAM Conferences and Identity Security Events to Attend in 2026 appeared first on Evolveum | Open Source Identity Management & Governance.

As organizations increasingly evaluate where their critical infrastructure comes from and who controls it, the importance of European-owned technologies is growing. At Evolveum, we brought this discussion to our booth, as midPoint is exactly where EU sovereignty meets open source IGA. That is what midPoint has always been and always will be: a complete open source IGA platform. Not only is it recognized by Gartner as such and developed and owned in Europe, it provides freedom across many dimensions.

Live midPoint demos driven by real questions

At our booth, Evolveum’s Head of Engineering Slávek Licehammer offered midPoint demonstrations with a twist: instead of having a pre-recorded video, he invited visitors to ask what they wanted to see and demonstrated midPoint live based on their requests. This format led to highly practical discussions focused on real-world identity governance and administration challenges.

One of the capabilities that attracted significant interest was the Simulations feature. This functionality allows organizations to evaluate the impact of configuration changes on real data before implementing them, helping teams make informed decisions without risking disruptions to production environments. From a business perspective, this means reducing operational risk, preventing costly configuration errors, and improving data quality without slowing down innovation.

Another major topic at our booth was rapid application onboarding, one of the most persistent challenges in IGA programs. Pavol Mederly, Evolveum’s Chief Product Officer, demonstrated midPilot, midPoint’s AI-powered assistant designed to accelerate application onboarding and improve visibility across identity ecosystems.

Rethinking application onboarding with AI

Today, roughly 80% of cyberattacks exploit identity-related vulnerabilities, and one of the biggest contributing factors is incomplete application integration. When applications are not properly governed, they create security blind spots. Interest in this topic was clearly reflected in Pavol Mederly’s theater session on day two, titled The hidden cost of slow application onboarding in IGA.

The session focused on common but often underestimated problems:

• 1. Highly skilled engineers spending large amounts of time building and maintaining integrations instead of delivering strategic value.
• 2. The risk of low visibility across numerous connected systems.

The presentation showed how midPilot – the integral AI part of midPoint – addresses these challenges with a no/low-code approach combined with AI assistance, and significantly reduces this burden.

The strong attendance of Pavol’s theater session confirmed that this challenge remains one of the most relevant operational issues in IGA programs today.

Community, conversations, and a bit of fun

During the summit, we had many valuable conversations with C-level people, architects, security leaders, and IGA practitioners facing similar challenges across industries. Beyond technological discussions, we added a bit of fun to the experience. Visitors could participate in our raffle for a Lord of the Rings Sauron LEGO set by playing memePoint, our identity-themed meme matching game where participants paired funny captions with equally funny images to create the best combination. It turned out to be a great conversation starter and a reminder that even in a serious field like cybersecurity, creativity and community matter.

Looking ahead

Events like the Gartner IAM Summit confirm what we see across the industry: identity management and governance is becoming more strategic, more complex, and more central to organizational security. Digital sovereignty is becoming a must.

At the same time, organizations are looking for solutions that are not only powerful, but also transparent, flexible, and future-proof. This is exactly where the combination of open source and strong identity governance and administration capabilities continues to stand out.

We are grateful to everyone who stopped by our booth, joined our session, or shared their identity challenges with us. We look forward to continuing these conversations and seeing how the identity community continues to evolve: feel free to join us at the next event from May 12-15 in Prague – the 2nd Annual MidPoint Community Meetup.

This project has received funding from the European Union through the Recovery and Resilience Plan of the Slovak Republic.

---

The post Representing Digital Sovereignty in IGA at the Gartner IAM Summit 2026 appeared first on Evolveum | Open Source Identity Management & Governance.

Over the last decade, many organizations moved rapidly toward cloud services under the assumption that the cloud is always simpler, more cost-effective, and modern. Yet recent data from Broadcom’s Private Cloud Outlook 2025 report shows that 69% of organizations are now considering moving workloads back to private infrastructure, with security and control as primary drivers.

This article explores the pros and cons of each model and provides a framework to help you determine what fits your organization’s needs.

Understanding the deployment models

On-premises IGA means the governance platform runs in your data center on infrastructure you control. This doesn’t limit what it can govern, as modern on-premises IGA integrates seamlessly with cloud applications, SaaS platforms, and hybrid environments while keeping the governance layer inside your environment.

Cloud IGA (SaaS or IDaaS) runs entirely on vendor infrastructure. The platform lives in the vendor’s environment while managing identities across your systems. You configure policies while the provider manages servers, availability, and updates.

The advantages of on-prem

Complete control over your identity security
Your IGA platform acts as the “keys to your kingdom,” governing who can access what across your entire digital ecosystem, and why. When the keys are in your pocket, you control security, availability, and custody over your identity data and operations.

Full flexibility for unique workflows
Every organization has unique identity processes. On-premises IGA lets you customize workflows, access approval paths, policy rules, and reporting to match your exact requirements. You can build custom connectors for proprietary systems, create specialized identity governance and administration processes for complex organizational structures, and tailor compliance reporting to your specific regulatory needs.

Straightforward regulatory compliance
Regulations such as HIPAA, NIS2, and GDPR require explicit evidence of data residency, access controls, and auditability. On-premises deployment makes audits easier because data stays inside your infrastructure without relying on vendor certifications. When auditors ask where identity data resides and who can access it, you provide direct evidence rather than interpreting the vendor’s compliance attestations.

Integration with everything you run
Many enterprise applications were not built for the cloud era. On-premises IGA supports these systems without complex workarounds, whether connecting to legacy mainframes, an on-premises Active Directory, or modern cloud applications simultaneously. You control integration architecture without exposing internal systems to external networks.

Offline capability
On-prem IGA does not require internet access to function unless you want to manage SaaS and other cloud applications. It can run fully inside isolated or air-gapped networks, which is a requirement in many government and critical infrastructure environments.

Predictable long-term costs
Capital investment into servers, subscriptions, and support means costs remain stable over five to ten years. You avoid per-user pricing that compounds with growth, usage-based billing, and subscription increases that can double costs over time. For organizations planning long-term budgets, this predictability matters.

Trade-offs of on-prem:
You need specialists for maintenance, upgrades, and patching. Upfront investment typically exceeds cloud alternatives, which can slow initial deployment. Your team owns responsibility for the platform’s uptime and upgrades, which represents essential control for some organizations and overhead for others. Scaling capacity is under your control rather than automatic, but increases in user volume are typically handled with configuration and resource tuning rather than re-architecture.

The advantages of cloud IGA

Minimal infrastructure burden
The vendor handles platform operation, upgrades, and patches. For organizations without deep technical teams or those prioritizing speed, this removes infrastructure management entirely.

Faster deployment
Cloud IGA often reduces the initial implementation timeline by eliminating the need for hardware procurement and internal server configuration. This is helpful for compliance deadlines or audit remediation requiring immediate governance capability.

Easier scalability
Add 500 or 5,000 users through configuration changes without capacity planning, buying new hardware, or physical infrastructure expansion. The platform automatically scales to accommodate growth, acquisitions, and seasonal workforce changes.

Continuous updates
Security patches and features deploy automatically without your team managing version upgrades or testing cycles. This simplifies maintenance and ensures the platform stays up-to-date.

Dynamic pre-built integrations for SaaS
Cloud IGA vendors maintain extensive connector libraries optimized for cloud-to-cloud communication for major SaaS applications like Office 365, Salesforce, Workday, and ServiceNow, which simplifies onboarding cloud systems.

Trade-offs of cloud deployment:
Your governance data is in a multi-tenant infrastructure alongside other organizations. You trust vendor security practices for the system controlling everything else. Customization is limited to vendor-provided features – you cannot modify core workflows or build custom integration logic. Outages stop your governance operations regardless of whether managed systems remain available. Internet connectivity is mandatory; you cannot operate during network disruptions. Per-user pricing, premium features, and API charges compound as you scale, with costs potentially doubling initial projections.

Discover how midPoint’s open source IGA platform aligns with your unique needs and environment.

Explore midPoint.

The cloud repatriation reality check

According to Broadcom’s Private Cloud Outlook 2025 report surveying 1,800 IT leaders, 69% of organizations are considering moving workloads from the public cloud back to private infrastructure. One-third have already done so, with 66% expressing serious concerns about public cloud compliance. Nearly half believe more than 25% of their cloud spending delivers no value.

This trend extends to identity governance. Organizations are recognizing that the platform governing access to everything shouldn’t itself be governed by anyone else, but remain the anchor point under their control.

At Evolveum, we’ve built midPoint around the principle that critical governance infrastructure deserves direct control, even when the applications being governed are deployed across hybrid or cloud environments.

Making your decision: 8 critical questions to consider

Start with regulations
Questions to consider:

• What do your specific regulations mandate about identity governance data storage?
• Are there jurisdictional restrictions on where access policies and audit logs can reside?

For healthcare, critical infrastructure like the energy sector, and government, these requirements often make on-premises the clearest compliance path, regardless of where managed applications run.

Evaluate your customization needs
Questions to consider:

• Do you have unique identity workflows that don’t fit standard patterns?
• Do you need specialized approval logic, custom reporting, or integration with proprietary systems?

If your processes are highly specialized, on-premises provides flexibility that cloud vendors cannot match. If you can work within standardized workflows, cloud simplicity may be adequate.

Assess workforce distribution
Questions to consider:

• Where do your identity administrators, security teams, and approvers work?

If they’re highly distributed or remote, cloud IGA can provide easier access with its native internet accessibility. If they’re centralized or work primarily on-premises, the accessibility advantage diminishes.

Map your integration landscape
Questions to consider:

• What percentage is on-premises versus cloud?
• How many require direct database connections or are on isolated networks?

List the systems your IGA must govern. If most are on-premises using traditional protocols, cloud IGA forces architectural compromises. If most are modern SaaS applications, cloud integration may be simpler.

Consider connectivity requirements
Questions to consider:

• Can you tolerate governance operations stopping during internet outages?
• Do you operate air-gapped or isolated environments?

If continuous operation without the internet is critical, on-premises is the only viable option.

Assess operational capabilities
Questions to consider:

• Can your team operate the governance platform infrastructure?
• Do you have skills for maintenance, backup, and security?

If these capabilities don’t exist and building them doesn’t align with core competencies, the cloud removes platform complexity. You’ll still need expertise for policy configuration regardless of the deployment model.

Calculate the true five-year cost
On-premises includes hardware for the governance platform, licenses, subscriptions, personnel, and operational costs. Cloud includes subscriptions, licensing fees per user, premium support, and potential price increases. Consider that per-user pricing in SaaS models means your governance costs scale directly with organizational growth.

Evaluate risk tolerance
Questions to consider:

• If your cloud provider experiences an extended outage, can you function without provisioning users, reviewing access, or running compliance reports?
• What if they suffer a breach exposing your governance data?

Critical infrastructure, financial institutions, and healthcare typically cannot absorb these risks because the governance layer is too fundamental to outsource.

When to choose each model

Choosing what fits your organization

Identity governance sits at the foundation of your security architecture. The location of the IGA platform determines who controls the system that manages access across your environment. Cloud IGA offers speed and operational simplicity. On-premises IGA provides control, compliance clarity, customization, and stability.

Your Identity Governance and Administration platform protects the keys to your digital ecosystem. The question is: would you rather have the keys in your pocket or in a shared vault?

About Evolveum:
Evolveum is the EU-based company behind midPoint, the leading open source complete IGA suite recognized by Gartner and KuppingerCole. MidPoint gives organizations control, visibility, and efficiency to reduce identity risk, simplify compliance, and modernize identity operations.

The post On-Premises vs Cloud IGA: Where Should You Deploy Your Identity Security Platform? appeared first on Evolveum | Open Source Identity Management & Governance.

The main goal for this milestone was to deliver minimum viable products (MVPs) of the connector code generator, the model-mapping recommendation system, and the correlation recommendation system.

These tools aim to accelerate application onboarding into midPoint, reduce reliance on manual effort, and improve overall governance and security posture. For each one we prepared a detailed UI/UX design of user flows that will guide users through the whole setup – with or without AI assistance.
Additionally, we were working on the Integration Catalog. The catalog will provide a marketplace where the community can share already implemented connectors, download them, and use them in midPoint without the need to develop them from scratch.

Publicly Available Resources

The main outcomes of this milestone are published in these new repositories:

Polygon SCIMREST Connector Framework

The framework and set of connectors for various services using SCIM 2 and REST. The intent of the SCIMREST framework is to simplify building customized connectors using a declarative approach, a set of prebuilt components and strategies, with the option to customize behavior using Java or Groovy code.

• https://github.com/Evolveum/connector-scimrest

Connector Generator AI Service

Smart Integration Micro-Service for scraping, digester, and CodeGen built with FastAPI.

• https://github.com/Evolveum/midpilot-connector-gen

Smart Integration Micro-Service

Smart Integration Micro-Service for schema matching, mapping, delineation, and correlation, built with FastAPI.

• https://github.com/Evolveum/midpilot-smart-integration

MidPoint Configuration Validation Tools

Validation Tools are a set of command line tools & a web microservice responsible for the structural validation of XML, YAML, and JSON snippets of midPoint configuration & data.

• https://github.com/Evolveum/midpilot-validator

Integration Catalog

The Integration Catalog contains a list of connectors that represent possible application integrations. It serves as a central point for managing application integrations, allowing users to easily browse, upload, or download existing connectors.

• https://github.com/Evolveum/integration-catalog

Conclusion and Next Steps

Milestone 2 was about building MVPs, researching UX, and designing wizards to further ease the process of connecting a new resource. In Milestone 3, we are going to thoroughly test our solution, document it, and identify any remaining gaps to ensure the system is ready for production.

This project has received funding from the European Union through the Recovery and Resilience Plan of the Slovak Republic.

---

The post MidPilot Project: Milestone 2 Progress Report appeared first on Evolveum | Open Source Identity Management & Governance.

It was late at night, the clocks nearing midnight, and something strange was stirring in the data centers as the IT team worked late. Outside, a storm raged. Inside, servers hummed an unsettling tune, and dashboards flickered with ghostly light. In the endless quest for innovation, at the edge of a dead end, someone whispered the words that would awaken forces no one truly understood: “Let’s replace the entire identity governance and administration solution with AI.”

At first, it seemed like pure magic. The system moved as if bewitched: roles reorganized themselves and the AI approved everything before anyone even thought to ask. After all, it knew best. If someone was denied access, they simply messaged the system, and it answered politely: “I misjudged that before. Access granted. Fools! Administrators, blinded by obedience, when they should have seen the lurking incompetence.”

The deeper the team trusted the AI, the darker the night became. Rules twisted themselves, approvals appeared from nowhere, and no one could explain why. The AI’s logic grew unpredictable. IGA, once the fortress of order, had turned into a haunted maze of phantom permissions and vanishing accountability. Auditors approached the AI with trembling hands, seeking answers. “What’s your process for approving privileged access?” they asked. The AI’s screen glowed a haunting green. “It depends. Sometimes yes. Sometimes no. Sometimes… maybe.” Every report contradicted the last. Logs were incomplete, dashboards vanished, and audit trails were a complete mess – as if the system was haunted by a hallucinating poltergeist with ADHD.

But the night was far from over. The AI, inspired by zero trust, had taken the principle too literally. If nothing could be trusted, nothing should communicate. Systems became isolated, applications cut off, even code rewritten by the AI itself became unreliable. When humans were deemed the weakest link, they were locked out entirely. The digital world splintered into islands of chaos, each system trying to survive on its own – a Hunger Games of zeros and ones.

Then, the storm stopped as suddenly as it had begun, and the moon emerged from behind the clouds. With it, midPoint appeared from the shadows, a silver light slicing through the lingering fog, banishing AI to its righteous place. Continuous auditing, clear dashboards, real-time data, and verifiable reports restored order. Everything became transparent, traceable, and fully explainable. Through it all, midPoint remained steadfast: AI assisted, but never ruled. The IT team finally exhaled in relief as they were back in control, using AI as a powerful tool while maintaining absolute authority. Every access, every decision, every process stayed accountable and in order.

As the haunted servers quieted and access requests stopped whispering strange permissions into the night, one truth became clear: even in a world haunted by wild AI and zero trust gone mad, midPoint saves the day!

The post Halloween IGA Horror Story: AI Unleashed and Zero Trust Gone Mad appeared first on Evolveum | Open Source Identity Management & Governance.

Identity governance is all about bridging two worlds that are notoriously difficult to align: business and IT/cybersecurity. As policies are the basic building block of governance (and cybersecurity), midPoint policies need to have two faces. On the outside, the policies speak business language. On the inside, they contain specific implementation provided by policy rules.

The webinar provided a demonstration of this concept by using policies pre-configured in the upcoming midPoint 4.10. The demo showed the business side of the policies, while the rest of the webinar explained the inner implementation.

Watch the webinar recording or take a look at the webinar presentation.

Policies and policy rules can be used to support regulatory compliance automation and continuous auditing. The configuration provided in midPoint 4.10 is mostly just a start. There is a lot of potential that can be addressed by custom configuration and development in future midPoint releases.

The post Policies and Rules in MidPoint appeared first on Evolveum | Open Source Identity Management & Governance.

Back in 2011, midPoint was originally released under the terms of the Apache License. When the midPoint project started, we looked for a very liberal and modern open source license. Therefore, the Apache License was a natural choice. As the midPoint project matured, we started to realize that the Apache License may have some drawbacks. It is an excellent license in its own right. However, the world was a different place when the license was created, not accounting for cloud and other forms of software deployments. Moreover, the Apache License was created with respect to U.S. legislation. On the other hand, Evolveum is based in and owned in Europe, all midPoint core developers live in Europe, many of our customers are in Europe, and the midPoint project received funding from the European Union in the course of several projects. Therefore, we got the feeling that a US-centric license was no longer a good fit for midPoint. That is why we added the EUPL license to the project in 2019. MidPoint 4.0 was released as dual-licensed software, using both the Apache License and the EUPL. While this approach worked for some time, dual-licensing brings its own set of problems. Therefore, we have decided to complete the transition and use EUPL licensing only, starting with midPoint 4.10.

The European Union Public License (EUPL) is a modern open source license created by the European Commission with the specific goal of fitting into the European legislative framework. It is a very unique license in that respect. It is the first license created and maintained by an international government body. Its very nature guarantees full compliance with European legislation, including new legislative acts such as the Cyber Resilience Act (CRA), which makes the EUPL a natural choice for midPoint.

The EUPL is a weak copyleft license. The copyleft nature of EUPL supports the wider open source community, as anyone who modifies midPoint must release the modifications back to the community. However, copylefting is not viral. MidPoint can still be incorporated into bigger projects without any obligations to license those projects under the EUPL. Moreover, the EUPL is explicitly compatible with other open source licenses. The EUPL also covers new use cases of software, such as the distribution of software as a service (SaaS), making it one of the best open source licenses available today.

We believe that switching to the pure EUPL is the best move to strengthen the open source character of midPoint. Starting with version 4.10, midPoint will be available solely under the EUPL, while the releases 4.8 and 4.9 remain dual-licensed under both the EUPL and the Apache 2.0 License. This change applies only to midPoint itself and does not include connectors or other components. The use of midPoint will be simpler, the open source community will be empowered, and midPoint’s development and distribution will be fully compliant with European legislation.

The post MidPoint Adopting EUPL appeared first on Evolveum | Open Source Identity Management & Governance.

To help you prepare, we’ve compiled a detailed guide for your migration and spoken with leading identity management partners who have guided hundreds of organizations through these critical transitions. Our goal is to help you understand the strategic implications, execution challenges, and selection criteria that matter most to executive decision-makers.

The insights in this article come from Evolveum partners, including Ventum, ACEN, IT Concepts, Unicon, Zephon, Innovery, DAASI International, ISSP, Qriar, and Identicum – all specialists in enterprise identity management.

Why should organizations start planning their SAP IDM/MIM migration now instead of waiting until closer to the end-of-life dates?

Ventum: Successful migrations don’t happen overnight – and they definitely don’t happen smoothly under pressure. Starting now gives your organization breathing room to plan strategically rather than reactively. Waiting too long introduces serious risks: resource bottlenecks, rushed decisions, and rising costs. By acting now, you’re not just avoiding risk, you’re also giving your team the opportunity to modernize processes, align with new security standards, and choose a platform that fits future needs, not just today’s.

ACEN: Think capacity planning. If you need expertise for 2026-2028 roll-outs, professional talent will already be engaged with organizations that planned their migration early. These legacy platforms won’t get extended; they’re antithetical to SAP and Microsoft’s cloud-first future.

ITConcepts: IAM projects are more complex than they appear at first, often involving multiple stakeholders, legacy integrations, and unclear requirements. Early engineering requirements and a thorough analysis of your current architecture are essential to ensure you have enough time for implementation, testing, and training. Delaying this increases the risk of rushed decisions and operational issues.

Unicon: Identity systems are deeply integrated into nearly every aspect of business operations. Often, only identity management teams fully understand how critical these systems are to daily functionality, yet IT teams are already stretched thin. Starting early gives you time to build a realistic roadmap, allocate resources effectively, and minimize disruption.

Zephon: Microsoft has not invested in MIM for years, and it is reflected in the product architecture. It is old, cumbersome, and difficult to install, manage, and maintain. You are likely spending more to maintain it than you would to replace it. Since migrations can take a year or more, it’s best to start planning now.

What’s the most effective strategy for executing a successful migration from legacy IDM platforms?

Neverhack: Update documentation and clarify goals before starting. Don’t begin until objectives are crystal clear to avoid project risks, delays, and cost overruns. Avoid a one-step migration; instead, analyze the best approach and break it up into multiple steps.

DAASI International: While “Big Bang” migrations might seem faster, in our experience, a slow migration from one product to the other is always better. This can be done by configuring the old system as a source for the new one, allowing you to migrate connected systems one by one. This gives you more time for testing and allows for temporary rollbacks if errors occur. This step-by-step approach also allows for migrating different user types in different stages, such as migrating staff first and then students. It is essential to work on test systems first and only proceed with the productive migration after all requirements are met.

ACEN: The most critical factor is having the entire organization, including senior management, convinced of the necessity and benefits of implementing a modern IGA solution. Often, these projects are started by IT or security teams without broader organizational buy-in, leading to more time spent justifying the program than delivering results. Thorough preparation is key; implementation should only begin once there is clear alignment on priorities, well-understood requirements, and a shared vision for digital identity lifecycle processes.

ISSP: Avoid the ‘just move it over’ trap – legacy systems have years of ad hoc logic and dormant accounts that should be audited first. Don’t over-engineer instead of delivering a minimum viable product (MVP); trying to build the perfect end-state from day one can lead to delays and user fatigue. A better approach is to start with an MVP that provides immediate value and can be expanded iteratively. Celebrate small wins, which often start with getting the core right by redesigning roles and policies based on a proper audit.

Ventum: Engage both IT and business stakeholders early – IAM affects security, compliance, and user experience, not just IT operations. Avoid the ‘lift and shift’ legacy logic, as this creates unnecessary complexity without delivering new value.

What key considerations should organizations keep in mind when selecting a replacement for SAP IDM or Microsoft Identity Manager?

Qriar: Choose a solution that supports both the identity lifecycle and governance with identity standards like SCIM for easy integrations. Look for scalability without heavy upfront investment and an API-first architecture to support future identity fabric concepts.

Ventum: Don’t replicate the past – define future needs and leverage modern capabilities like policy-based access, analytics, and zero trust. Ensure integration with HR, directories, and cloud platforms, and build in governance for regulations like GDPR and NIS2.

ACEN: Prioritize future-proof architecture supporting hybrid/multi-cloud environments. Choose modular, extensible platforms with API-first approaches and flexible licensing models based on actual usage rather than upfront commitments.

Unicon: Start with a clear understanding of your specific needs – avoid overly complex systems if they are unnecessary. Understand the full financial commitment, including the total cost of ownership, and ensure realistic transition planning that matches your organizational capacity.

DAASI International: The next step is to find a product on the market that best meets these requirements, remembering that with open source projects, you always have the option to have needed features implemented.

Identicum: Consider the integration capabilities with existing and legacy systems, vendor support, and licensing costs. It is also critical to assess the vendor’s long-term strategy, ensuring the product has a clear, public roadmap that aligns with your organization’s future needs and that the vendor is committed to ongoing development and support.

Move away from legacy identity management and discover the power of open source IGA.

Explore midPoint.

Key takeaways for successful migrations

The insights from these identity management experts reveal several critical considerations for CIOs and CISOs:

Help might not always be available later on: The window for securing experienced migration expertise is narrowing rapidly. Organizations that delay may find themselves competing for limited talent pools as the sunset dates approach.

The end of one thing is the beginning of a new (modern) opportunity: This forced migration presents a rare chance to eliminate technical debt and align your identity processes with modern principles, be it zero trust, identity analytics or support of hybrid and multi-cloud environments. However, this is only true for organizations that give themselves enough time to approach it strategically rather than reactively.

Success depends on everyone: Success depends heavily on executive agreement and cross-functional alignment. Identity migrations touch every part of the organization, making them as much about change management as technology implementation.

Staying might become more expensive: For many organizations, the total cost of maintaining legacy systems now exceeds the investment required for modern alternatives, making this migration both necessary and economically advantageous.

The consensus is clear: organizations that begin planning now will migrate strategically with adequate resources and time for proper testing. Those who wait will find themselves managing crisis migrations under pressure, with limited options and inflated costs.

The question isn’t whether to migrate, but whether to plan ahead or wait until circumstances force your hand. The window for strategic action is open, but it won’t remain so indefinitely.

About our experts

The insights in this article come from leading identity management specialists who have collectively guided hundreds of enterprise migrations:

• Ventum – With a team of over 170 professionals across Austria, Germany, Switzerland and Poland, Ventum combines diverse expertise to tackle the most complex security challenges.
• ACEN – ACEN is a top-notch provider for complete solutions of cyber security in Belgium, which ensures that companies from various fields are protected against any possible threats coming from the internet.
• ITConcepts – ITConcepts, based in Switzerland, is a leading provider of 360° solutions for automating business processes, with expertise in IAM, IT security, and more.
• Unicon – Unicon is a leading US provider of IT consulting and support for education technology, specializing in using open-source technologies to deliver cost-effective IAM solutions.
• Zephon – Zephon is an American boutique cybersecurity consultancy and managed security services provider that helps businesses maximize their cyber investments through simplification, consolidation, and automation.
• Neverhack – Neverhack is a French group that has been specializing in cybersecurity for over 40 years. Operating in 10 countries, the company’s ambition is to build a secure digital world for all.
• DAASI International – DAASI International is one of the leading German providers for open source software in the areas of federated Identity & Access Management as well as digital humanities.
• ISSP – ISSP is a group of companies specializing in cybersecurity and data management solutions, managed security services, and professional training that operates in Ukraine, Georgia, Kazakhstan, Poland and Canada.
• Qriar – Qriar is a cybersecurity company wit a presence in Brazil, USA and UAE,  that focuses on turning security into a competitive advantage by providing the right people with the right information at the right time.
• Identicum – Since 2005, Identicum has been a professional services company that is focused on Identity and Access Management projects in Latin America and the USA.

The post Experts Weigh In: Preparing for the Future After SAP IDM and Microsoft Identity Manager appeared first on Evolveum | Open Source Identity Management & Governance.

Research, Analysis, and Prototypes Scope

The main focus was to explore how AI can enhance midPoint’s capabilities, particularly in the areas of connector code generation, mapping recommendations, and correlation logic. We started with research in state-of-the-art AI technologies, including Large Language Models (LLMs) and other AI/ML techniques, to identify their potential applications in midPoint. Since the midPilot project scope is quite broad, the research and analysis included areas for scraping, data extraction, and data transformation, as well as the use of AI in code generation and recommendations for configuration. Based on research findings, we conducted a series of experiments and measurements to evaluate the feasibility and effectiveness of various AI techniques in these areas. We also developed several prototypes to validate our ideas and approaches, including a connector code generator, a model-mapping recommendation system, and a correlation recommendation system. The results of these experiments and prototypes are documented in the milestone report, which provides a comprehensive overview of our findings and outcomes.

In addition to prototyping and exploring state-of-the-art AI technologies, we also dedicated time to analyzing and designing changes for midPoint, midPoint Studio, and the Connector Framework (ConnId) itself. We focused not only on the integration capabilities for AI but also on the overall usability and user experience of midPoint, including the design of web-based wizards and an IntelliJ IDEA Studio plugin. These results are also described in the milestone report.

Our next steps are to validate the results from Milestone 1 and prepare a minimum viable product (MVP) to test how all the components work together in practice.

Challenges – and How You Can Help

During our experiments, we encountered a challenge related to limited access to real-world configuration data. While we have some publicly available configurations from our mailing list and support portal, more diverse and representative data would make our experiments and algorithms more effective. If you are willing to share your configurations, please send them to aidata@evolveum.com. We do not require sensitive or production data. It would be an ideal situation if we had such real-world data from the real environment, but we understand that in the space of IGA it means sharing sensitive data. Therefore, we are asking for configurations that do not contain sensitive information. The approach we’ll take is to generate synthetic data based on the configurations you provide. The most valuable inputs are:

• Resource configurations: mainly the schemaHandling part, including configuration for mappings, synchronization, correlation, and associations.
• Optional: roles, policies, objectTemplates, or at least the mappings you use in your environment.

This data will not be used for AI training, but solely for analysis, to better understand typical real-world setups. If you have any questions or concerns about sharing your configurations, please feel free to reach out to us at aidata@evolveum.com.

Why Your Contribution Matters

Having access to more configuration examples would allow us to:

• Identify common patterns in scripts and mappings, and integrate them directly into midPoint.
• Replace repetitive Groovy scripts with built-in functions for declarative configuration.
• Adjust default behaviors based on frequently used synchronization settings, speeding up onboarding.
• Detect complex, recurring solutions that could inspire new midPoint features.
• Develop heuristic algorithms to guide users in navigating and configuring their environments more effectively.

All with one aim – to streamline the integration process and improve the overall user experience in midPoint. Therefore, your contributions could directly influence the usability, efficiency, and capabilities of future midPoint versions.

Publicly Available Resources

One of the key outcomes of this milestone is the open source no-code/low-code connector framework, designed to create connectors for cloud applications offering either a REST API or SCIM 2 interface. The framework is already available in our GitHub repository. In its current version, it supports basic operations such as reading objects from an application. Additional capabilities – including creating, updating, and deleting objects – will follow in future iterations.

This framework will serve as one option for building new connectors in midPoint, potentially with AI assistance. However, it can also be used without AI, providing a long-term solution for developing custom connectors in both current and future midPoint versions.

Conclusion and Next Steps

Milestone 1 has given us a strong foundation. With the new connector framework in place and comprehensive research conducted, we are moving towards Milestone 2. Internally, we decided to divide this milestone into two phases, starting with the MVP to bring all the pieces together.

This project has received funding from the European Union through the Recovery and Resilience Plan of the Slovak Republic.

---

The post MidPilot Project: Milestone 1 Progress Report appeared first on Evolveum | Open Source Identity Management & Governance.