MendixSSO

Content Type: Module

Categories: Authentication

Overview

Add Single Sign-On functionality to all your apps for any user with a Mendix platform account. Authenticate users with either the Mendix Identity Provider (IDP) or enable BYOIDP to delegate the authentication to your own OpenID Connect Identity Provider (via the Mendix IDP).

[Warning: Vulnerable Library Dependency]

MendixSSO is based on the oauth2-oidc-sdk and nimbus-jose-jwt libraries. By releasing new versions of the MendixSSO module, we also keep these libraries up to date. Unfortunately, a vulnerability was found in an older version of the nimbus-jose-jwt library.

We have released new versions of the MendixSSO module and updated the vulnerable libraries. We strongly advise all our consumers to update their applications to the most recent version of the MendixSSO module. If this is not possible, manually update the libraries used by the MendixSSO module.

[Version compatibility ]

Mendix 10: MendixSSO 10.x.x
Mendix 9: MendixSSO 9.x.x
Mendix 8: MendixSSO 3.x.x

[Warning: EOL notice v3.1.1 and lower]

We have marked all MendixSSO module versions v3.1.1 and lower as 'no longer supported', to emphasize the module versions containing the vulnerable nimbus-jose-jwt library version, as well as being released on a Mendix version that is no longer supported.

Documentation

Please see Mendix SSO in the Mendix documentation for details.

Need SSO?
Add Single Sign-On functionality to your app for any user with a Mendix account. Authenticate users with either the Mendix Identity Provider (IDP) or your own IDP if you have BYOIDP enabled.

With this module you can add Single Sign-On functionality to your app for any user with a Mendix account. When your app uses the Mendix SSO module, it will delegate authentication of your end-users to the Mendix Identity Provider (IDP). The Mendix platform will authenticate users either with their Mendix credentials on https://login.mendix.com, or it can delegate the authentication to your own IDP if you have BYOIDP enabled. End-users will only get access to a protected user role in your app when you assign a user role to the end-user via Mendix’ Developer portal.

The MendixSSO implementation is based on the well known framework OpenID Connect.

Note: The MendixSSO module has always been completely flexible towards the Mendix developer in which user entity specialization you choose to use in your app, to suit your app’s specific needs.

For instructions how to setup BYOIDP, please you can read the BYOIDP documentation here: setup-byoidp

For an extensive overview of all the possibilities this module offers and instructions how to add this module to your application, see this Developer Portal Guide on Mendix Single Sign-On

Releases

Version: 10.3.0

Framework Version: 10.21.0

Release Notes: - Mendix runtime is upgraded to 10.21.0 for Mendix 11 support - Apache commons-text library is upgraded to version 1.13.1 - Netty codec-http library is upgraded to version 4.2.0.Final

Version: 10.2.0

Framework Version: 10.6.15

Release Notes: - Improved implementation of nonce, state and PKCE features. - Nimbus oauth2-oidc-sdk library is upgraded to version 11.23.1

Version: 10.1.0

Framework Version: 10.6.15

Release Notes: - Added support for configuring JWKS endpoint timeouts. Custom values can be set using custom environment variables "MendixSSO_RemoteJWKSHttpConnectTimeout", and "MendixSSO_RemoteJWKSHttpReadTime". Timeouts are in milliseconds, and must not be negative. - Localization support has been added and enabled by default. It can be disabled by setting the custom environment variable "MendixSSO_LocalizationEnabled" to "false". - Page URLs support has been added as the DeepLink module has been deprecated and replaced with page URLs. In order to leverage this functionality the file "login.html" needs to be replaced with the file "resources/mendixsso/templates/login-with-mendixsso-automatically.html" - Nimbus oauth2-oidc-sdk library is upgraded to version 11.21 - Nimbus nimbus-jose-jwt library is upgraded to version 10.0.1 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v10.2.0 or higher, or update the library version

Version: 10.0.0

Framework Version: 10.6.15

Release Notes: Stale data cleanup logic refactored and fixed based on Mendix 10 behavioral/structural changes. This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v10.2.0 or higher, or update the library version

Version: 9.2.0

Framework Version: 9.24.0

Release Notes: - Improved implementation of nonce, state and PKCE features. - Nimbus oauth2-oidc-sdk library is upgraded to version 11.23.1

Version: 9.1.0

Framework Version: 9.24.0

Release Notes: - Added support for configuring JWKS endpoint timeouts. Custom values can be set using custom environment variables "MendixSSO_RemoteJWKSHttpConnectTimeout", and "MendixSSO_RemoteJWKSHttpReadTime". Timeouts are in milliseconds, and must not be negative. - Localization support has been added and enabled by default. It can be disabled by setting the custom environment variable "MendixSSO_LocalizationEnabled" to "false". - Nimbus oauth2-oidc-sdk library is upgraded to version 11.21 - Nimbus nimbus-jose-jwt library is upgraded to version 10.0.1 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v 9.2.0 or higher, or update the library version

Version: 9.0.0

Framework Version: 9.24.0

Release Notes: - Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1 - Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3 - The cipher algorithm has been changed to use "AES/GCM/NoPadding" to support Mendix 10.6.0 or newer versions This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v 9.2.0 or higher, or update the library version

Version: 4.2.0

Framework Version: 9.24.0

Release Notes: (edit: updated on Feb 22 2024) - Added ContinuationURL validation (see Breaking change 1) - Updated the internal parsing method for getting the user UUID and Email (see Breaking change 2) - Added migration file for easy migration to the module dependency management in Studio Pro 10.3 and above. Internal Technical Changes: - Renamed internal getConfig microflow GetSignupHint to GetDefaultSignupHint - Optional custom MendixSSO_ParseSignupHint microflow is now supported - Stopped parsing the user UUID from the OpenID value from the user's Mendix profile claim ("mx:user:profile:v1") - Started parsing the user UUID from the ID token subject claim ("sub") - Stopped parsing the user EmailAddress from the user 's Mendix profile claim ("mx:user:profile:v1") - Started parsing the user EmailAddress from the ID token email claim ("email") - Non-persistent entity UserProfile attributes - EmailAddress and OpenID have been removed, EmailAddress is now available with the extra parameter $EmailAddress. This affects customized versions of MendixSSO_CreateUser and MendixSSO_UpdateUser [BREAKING CHANGE 1] The ContinuationURL parameter is now validated before redirecting. The allowed URLs list only contains default application URL. Custom domains need to be added by using the custom environment variable MendixSSO_AllowedContinuationURLs. See MendixSSO documentation section 5.4.1 for details: https://docs.mendix.com/appstore/modules/mendix-sso/#supplements [BREAKING CHANGE 2] As the EmailAddress and OpenID values are no longer parsed from the Mendix profile claim, these attributes are no longer part of the internal non-persistent entity UserProfile. The EmailAddress is now available as microflow parameter $EmailAddress, the example microflows (MendixSSO_CreateUser and MendixSSO_UpdateUser) have been updated to reflect this change. If you made customizations to these microflows in your project, you could add the $EmailAddress parameter to your customized microflows as well. For the OpenID, you can call the helper microflow GetLegacyOpenIDForSSOUser, which constructs the OpenID by combining the user's UUID from the Identity Provider and the OpenID-prefix. Note: User UUID, ForeignIdentity UUID, and the UUID part of the OpenID are intended to be identical. This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version

Version: 4.1.0

Framework Version: 9.24.0

Release Notes: - Solved deprecations to make the module Mendix 10 compatible - Updated Nimbus oauth2-oidc-sdk library to 10.7.1 (which now includes json-smart 2.4.10) - Updated pom.xml dependency manager file - Updated the module version to 4.1.0 - Updated the Mendix version to 9.24.0 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version

Version: 4.0.2

Framework Version: 9.20.0

Release Notes: - Solved a security concern, where the regular user role had access to their own decrypted access tokens via XAS request access rules - Nimbus oauth2-oidc-sdk library is upgraded 10.7 - Its sub-dependency json-smart library is upgraded to 2.4.10 - This resolves High security issue https://nvd.nist.gov/vuln/detail/CVE-2023-1370 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version