modify release notes and add notes for predefined mappings
skublik committed Oct 3, 2023
1 parent 2ee908f commit 11e9ec2
Showing 2 changed files with 29 additions and 2 deletions.
Expand Up @@ -252,6 +252,30 @@ Predefined activation mapping are available from midpoint 4.8. We can use simple

If an account is unassigned and there is no other existing assignment for an account midPoint will de-provisioning that account. Which means that the account will be deleted. This is the default behavior. But it can be changed by predefined mappings configuration.

All predefined mapping work only for one purpose. When we want mapping for administrative status, then we need add inbound or outbound mapping configuration.

[source,xml]
----
<resource>
<schemaHandling>
<objectType>
...
<activation>
<administrativeStatus>
<outbound>
<strength>strong</strength>
<expression>
<asIs/>
</expression>
</outbound>
</administrativeStatus>
</activation>
...
</objectType>
</schemaHandling>
</resource>
----

Now we can use three predefined configurations.

=== Disable instead of delete
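Review bot: the sentence that opens this hunk, "All predefined mapping work only for one purpose", never says what that purpose is, so the reader cannot tell why a separate administrativeStatus mapping is still required. Suggest stating it directly, e.g. "The predefined mappings only control what happens to the account itself (disable instead of delete, delayed delete, pre-provision); they do not map administrative status, so an inbound or outbound administrativeStatus mapping must still be configured." The new prose also needs a grammar pass: "midPoint will de-provisioning that account. Which means that the account will be deleted" -> "midPoint will deprovision that account, which means the account is deleted", and "we need add" -> "we need to add". Since the example deliberately uses `<strength>strong</strength>` with `<asIs/>`, one sentence on why strong strength is chosen here rather than the default would save readers from copying it blindly.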
Expand All @@ -264,6 +288,7 @@ This configuration change default behavior and account will be disabled instead
<objectType>
...
<activation>
<administrativeStatus>...</administrativeStatus>
<disableInsteadOfDelete/>
</activation>
...
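Review bot: the added `<administrativeStatus>...</administrativeStatus>` line introduces a literal `...` placeholder with no text saying what it stands for; someone copying the snippet gets either unparseable XML or an empty element. Either inline the outbound mapping from the section above or add a sentence before the listing such as "the administrativeStatus element holds the mapping shown above". The same placeholder is added to the delayedDelete and preProvision examples below and needs the same treatment.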
Expand All @@ -275,7 +300,7 @@ This configuration change default behavior and account will be disabled instead
=== Delayed delete
This configuration change default behavior and account will delete with delay and meanwhile account will be disabled.

We use activation/disableTimestamp from shadow object as reference attribute for time when was account disabled. As disable reason we use de-provision or mapped.
We use activation/disableTimestamp from shadow object as reference attribute for time when was account disabled. As disable reason we use de-provision, so it mean that focus lost assignment for resource.

[source,xml]
----
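Review bot: dropping "or mapped" narrows the rule, but the rewritten sentence does not tell the reader what the narrower rule means in practice. It should state explicitly that delayed delete only fires for accounts whose disable reason is deprovision (the focus lost its assignment to the resource), and say what happens to an account that was disabled for any other reason, e.g. by a mapping: is it left disabled, or still deleted after `deleteAfter`? The grammar also needs fixing: "so it mean that focus lost assignment for resource" -> "which means that the focus lost its assignment to the resource", and "reference attribute for time when was account disabled" -> "reference attribute for the time when the account was disabled". Consider marking `activation/disableTimestamp` as a literal, as elsewhere in the page.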
Expand All @@ -284,6 +309,7 @@ We use activation/disableTimestamp from shadow object as reference attribute for
<objectType>
...
<activation>
<administrativeStatus>...</administrativeStatus>
<delayedDelete>
<deleteAfter>P1M</deleteAfter>
<delayedDelete/>
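Review bot: the listing this hunk edits closes the element with `<delayedDelete/>` (a self-closing empty tag) instead of `</delayedDelete>`, so the XML as shown does not parse; since the example is being touched anyway, fix the closing tag in the same change. A short note that `P1M` is an ISO 8601 duration (one month), counted from the `disableTimestamp` the text above calls the "reference attribute", would also help readers pick a sensible value.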
Expand All @@ -305,6 +331,7 @@ This configuration will pre-provision a disabled account defined by time before
<objectType>
...
<activation>
<administrativeStatus>...</administrativeStatus>
<preProvision>
<createBefore>-P5D</createBefore>
<preProvision/>
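Review bot: same malformed close as in the delayedDelete example: `<preProvision/>` should be `</preProvision>`. The value `-P5D` also deserves a sentence of its own: the text says the account is created "by time before" activation, but does not say whether the leading minus sign is required or whether `P5D` would be read the same way; spell out the sign convention so readers do not have to guess.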
Expand Up @@ -1003,7 +1003,7 @@ Required attribute is only `issuerUri`, because midPoint gets configuration for
</securityPolicy>
----

For the identification of the user, midPoint uses the claim value with the name from _nameOfUsernameAttribute_. The claim is primarily obtained from the ID token. When a claim is missing in the ID token, midPoint looks for it in the access token. Finally, if the claim is missing in the access token, midPoint uses the user info endpoint to retrieve the claim.
WARNING: Since version 4.8, the flow for identifying a user logged in via the GUI has been changed. MidPoint uses the claim value with the name from the _nameOfUsernameAttribute_. The claim is primarily obtained from the ID token. When a claim is missing in the ID token, midPoint looks for it in the access token. Finally, if the claim is missing in the access token, midPoint uses the user info endpoint to retrieve the claim. Only the last step applies to Midpoint 4.7

If Midpoint is located behind a reverse proxy it may be useful to set the _publicHttpUrlPattern_ setting to the right value in order for the OIDC Redirect URI to point to a valid public URL (see below).

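Review bot: the last sentence of the new WARNING, "Only the last step applies to Midpoint 4.7", is easy to misread; state the old behaviour directly, e.g. "In midPoint 4.7 and earlier the claim is obtained only from the user info endpoint." This matters because the change moves the primary source of the username from the user info endpoint to the ID token, so an upgrade can change which value identifies a user if the ID token and the user info endpoint disagree for the configured claim; say so, and tell administrators to check that the claim named in `nameOfUsernameAttribute` is actually present in the ID token their provider issues. Also state what the access-token step does when the access token is opaque rather than a JWT, and use "midPoint" consistently (the new text has both "MidPoint" and "Midpoint").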