Frequently Asked Questions
What is Evolveum midPoint?
Evolveum midPoint is an open-source Identity Governance and Administration (IGA) platform. It handles identity lifecycle management, access provisioning, role-based access control, and compliance reporting for organizations of any size. Unlike commercial IAM platforms, midPoint has no per-user licensing fees and no vendor lock-in.
Is midPoint really free? What are the costs?
midPoint itself is open-source and free to download and use. The costs come from implementation, customization, and ongoing support. You pay for consulting services to deploy and configure midPoint, build custom connectors, and train your team. There are no per-user or per-identity licensing fees, making midPoint significantly cheaper than commercial alternatives at scale.
How does midPoint compare to SailPoint, One Identity, or Saviynt?
midPoint offers comparable functionality including full lifecycle management, access certification, role mining, and compliance reporting. Key differences: midPoint is open-source with no per-user licensing, supports Kubernetes-native deployment, and provides full source code access. Commercial platforms offer more out-of-the-box connectors but at significantly higher total cost of ownership.
What size organization is midPoint suitable for?
midPoint scales from small organizations with a few hundred identities to large enterprises managing over 1,000,000 identities. WeKnowIdentity has delivered implementations across this full range, from mid-size companies with 400 identities to major telecom operators with hundreds of thousands of users.
Can midPoint run in the cloud or only on-premises?
midPoint supports both cloud and on-premises deployment. It runs natively on Kubernetes (AWS, Azure, GCP) with Helm charts and GitOps configuration. It also runs on traditional infrastructure with Docker or bare-metal installation.
Why should I hire a midPoint consultant instead of doing it in-house?
midPoint is powerful but complex. A certified consultant brings proven deployment patterns, avoids common pitfalls, and delivers production-ready implementations in weeks rather than months. WeKnowIdentity holds 4 Evolveum midPoint certifications and has completed 10+ enterprise deployments.
What certifications does WeKnowIdentity hold?
Founder Jan Minarciny holds 4 Evolveum midPoint certifications: Professional, Advanced, Deployment Specialist, and Group Synchronization Specialist. He also holds Identity Management (IDPro BoK), GitOps (CGOA from The Linux Foundation), and Kubernetes certifications.
How long does a typical midPoint implementation take?
Basic deployment: 4 to 8 weeks. Complex implementations with multiple systems and compliance workflows: 3 to 6 months. Migration projects from legacy IAM platforms: 6 to 12 months depending on complexity.
Do you offer a free initial consultation?
Yes. Contact us for a free initial consultation where we assess your current IAM landscape and recommend the right midPoint approach for your organization.
What industries have you delivered midPoint projects in?
Telecom, government, finance, healthcare, education, media, and technology sectors across Slovakia, Switzerland, Germany, Austria, and Poland.
Why should I migrate from SAP IDM or Microsoft MIM to midPoint?
SAP IDM end of maintenance: December 2027. Microsoft MIM extended support end: January 2029. midPoint offers a modern alternative with full lifecycle management, ConnId connector framework, Kubernetes-native deployment, and no per-user licensing.
What systems can midPoint connect to?
Active Directory, LDAP, REST APIs, SOAP services, SCIM, SQL/NoSQL databases, CSV feeds, HR systems, and proprietary platforms. We build custom connectors for any target system.
Can you migrate from SailPoint or One Identity to midPoint?
Yes. We help organizations migrate from SailPoint IdentityIQ, One Identity Manager, and other commercial IAM platforms, including data migration, connector mapping, and phased cutover.
Is there downtime during migration to midPoint?
No. We deliver zero-downtime migrations using parallel operation. Your existing platform continues running while midPoint is deployed alongside it, with controlled cutover only after full verification.
How many identities can midPoint handle?
From hundreds to over 1,000,000 identities. Performance depends on infrastructure sizing, which we optimize during the architecture phase.
Does midPoint support Kubernetes deployment?
Yes, midPoint runs natively on Kubernetes. We specialize in Kubernetes-native deployments with Helm charts, GitOps configuration, and CI/CD pipelines for reproducible, scalable environments.
What compliance frameworks does midPoint support?
GDPR, NIS2, ISO 27001, SOX, and industry-specific frameworks. Built-in features include access certification, segregation of duties (SoD), role mining, audit logging, and automated compliance reporting.
Does WeKnowIdentity provide midPoint training?
Yes. Hands-on training covering administration, configuration, connector development, and troubleshooting. From half-day executive overviews to multi-day workshops. Knowledge transfer is included in every implementation project.
Is midPoint really free? Do I need a subscription from Evolveum?
midPoint is open source and free to download and use. However, we recommend purchasing a subscription from Evolveum for two reasons: it funds the continued development of the platform, and it gives you access to Level 4 (L4) support, which includes bug fixes in the midPoint core and the ability to request new features. WeKnowIdentity covers the first three levels of support (L1, L2, L3): configuration, deployment, troubleshooting, and optimization of your midPoint environment. Together, you get complete coverage from operational support all the way to platform development.
What is the business case and ROI for implementing midPoint?
Organizations typically achieve ROI on their midPoint investment within 12 to 18 months. Key benefits: elimination of per-user license fees (60 to 80% savings over commercial platforms on a 5-year horizon), 70 to 90% reduction in manual identity administration through automation, onboarding shortened from days to hours, minimized security risk from excessive access, and regulatory compliance (GDPR, NIS2) achieved without additional tools.
What happens if we stay on our current legacy IAM system?
If your IAM system (SAP IDM, Microsoft MIM) is reaching end of life, you will lose security patches, bug fixes, and vendor support. This means growing security vulnerabilities, compliance problems during audits (GDPR, NIS2), and increasing maintenance costs for aging infrastructure. The longer you delay migration, the more expensive and risky it becomes. Organizations that plan early can execute phased migrations with zero downtime.
What is the total cost of ownership (TCO) of midPoint compared to commercial platforms?
For an organization with 50,000 identities: commercial platforms (SailPoint, One Identity, Saviynt) typically cost EUR 300,000 to 600,000 per year in licensing alone, plus implementation costs. midPoint has zero license fees. Total costs include implementation (one-time), optional annual Evolveum subscription for L4 support, and internal operational costs. Over a 5-year horizon, organizations commonly save 50 to 75% in total costs compared to commercial alternatives.
What are the ongoing annual costs after midPoint implementation?
After implementation, annual costs consist of: Evolveum subscription for L4 support and platform updates (optional but recommended), internal team operational time for midPoint administration (typically 0.5 to 1 FTE for mid-size deployments), and optional L1 to L3 support from WeKnowIdentity. There are no per-user license fees, no mandatory upgrades, and no overage charges for exceeding identity limits.
How does midPoint integrate with Active Directory, Azure AD, and LDAP?
midPoint has native connectors for Active Directory and LDAP directories, which are the most commonly used target systems. For Microsoft Entra ID (Azure AD), midPoint integrates via the Microsoft Graph API. These connectors support full synchronization: account creation, updates, deletion, group management, password synchronization, and change detection via delta imports. Most organizations keep their existing AD/LDAP infrastructure and add midPoint as the governance layer on top.
How does midPoint handle high availability and disaster recovery?
midPoint supports high-availability deployment through multiple application replicas behind a load balancer, PostgreSQL database with replication and automatic failover, shared storage for the midPoint home directory, and Kubernetes-native features like self-healing pods and rolling updates. For disaster recovery: regular database backups, GitOps configuration (entire config in Git enables rapid restoration), and multi-region deployment for mission-critical environments.
How much internal staff do we need to operate midPoint day-to-day?
For a mid-size deployment (5,000 to 50,000 identities): typically 0.5 to 1 FTE midPoint administrator for daily operations, monitoring, and minor configuration changes. For larger deployments or environments with frequent changes: 1 to 2 FTE. WeKnowIdentity provides training to make your team self-sufficient, and we offer ongoing L1 to L3 support for organizations that prefer an external operational model.
How are midPoint upgrades and patches handled?
Evolveum releases regular midPoint versions (major releases annually, minor updates and patches on an ongoing basis). Upgrades typically involve: database backup, deploying the new version (on Kubernetes, a simple image tag change), running database migrations (automatic), and verification. With GitOps deployment, upgrading is as simple as changing the version number in your Helm values and committing to Git. WeKnowIdentity assists clients with upgrade planning and execution.
Does midPoint support zero trust architecture principles?
Yes. midPoint supports key zero trust principles: least privilege (automatic access assignment and revocation based on roles), continuous verification (periodic access certification campaigns), micro-segmentation of access (granular roles and policies), automatic anomaly detection (SoD violations, non-standard access patterns), and complete audit trail of all access changes. midPoint does not replace your authentication solutions (SSO, MFA) but complements them with a governance layer that ensures the right people have the right access at the right time.
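The SoD violation detection mentioned here and in the compliance answer above, as an added illustration that is not midPoint's own policy engine (midPoint expresses exclusions in its own policy rules). It assumes a simplified model: a user holds directly assigned roles, a role may induce further roles (a role hierarchy), and an SoD policy is a list of mutually exclusive role pairs; the point it shows is that a violation can arise through inherited roles, not only through direct assignments.

```python
"""Illustrative segregation-of-duties (SoD) check over role assignments.

Added example, not midPoint code. Simplified model: roles may induce other
roles; an SoD policy is a list of role pairs one person must not hold together.
"""
from collections import deque

# Constructed sample role hierarchy: role -> roles it induces.
ROLE_INDUCEMENTS = {
    "finance-manager": {"approve-payments", "view-ledger"},
    "accounts-payable-clerk": {"create-payments", "view-ledger"},
    "auditor": {"view-ledger"},
}

# Constructed sample SoD policy: mutually exclusive role pairs.
SOD_EXCLUSIONS = [
    ("create-payments", "approve-payments"),
    ("auditor", "finance-manager"),
]


def effective_roles(assigned, inducements=ROLE_INDUCEMENTS):
    """Expand directly assigned roles through the inducement graph.

    Breadth-first traversal with a visited set, so cycles in the
    hierarchy cannot loop forever.
    """
    seen = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(inducements.get(role, ()))
    return seen


def sod_violations(assigned, exclusions=SOD_EXCLUSIONS, inducements=ROLE_INDUCEMENTS):
    """Return the excluded pairs present in the user's effective roles, sorted."""
    roles = effective_roles(assigned, inducements)
    return sorted((a, b) for a, b in exclusions if a in roles and b in roles)


if __name__ == "__main__":
    # Constructed users: alice violates only through roles inherited via inducement.
    users = {"alice": {"accounts-payable-clerk", "finance-manager"}, "bob": {"auditor"}}
    for user, roles in users.items():
        print(user, sod_violations(roles))
```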
How does midPoint integrate with MFA and SSO solutions?
midPoint integrates with MFA and SSO solutions through provisioning: it manages user accounts and group memberships in identity providers such as Keycloak, Okta, Microsoft Entra ID, or ForgeRock. midPoint ensures users are automatically enrolled for MFA, assigned to the correct SSO groups, and de-provisioned upon departure. The midPoint admin interface itself supports delegated authentication via SAML or OIDC.
How does midPoint handle complex organizational structures and multi-tenancy?
midPoint excels at modeling complex organizational structures: multi-level hierarchies (divisions, departments, teams, projects), matrix organizations with multiple reporting lines, multi-tenant environments with data isolation between tenants, delegated administration (each tenant or division manages its own identities), and organizational units as the source for automatic role assignment. This is an area where midPoint significantly outperforms many commercial platforms.