MendixSSO

Content Type: Module
Categories: Authentication

Overview

Add Single Sign-On functionality to all your apps for any user with a Mendix platform account. Authenticate users with either the Mendix Identity Provider (IDP) or enable BYOIDP to delegate the authentication to your own OpenID Connect Identity Provider (via the Mendix IDP).


[Warning: Vulnerable Library Dependency]

MendixSSO is based on the oauth2-oidc-sdk and nimbus-jose-jwt libraries. By releasing new versions of the MendixSSO module, we also keep these libraries up to date. Unfortunately, a vulnerability was found in an older version of the nimbus-jose-jwt library.


We have released new versions of the MendixSSO module and updated the vulnerable libraries. We strongly advise all our consumers to update their applications to the most recent version of the MendixSSO module. If this is not possible, manually update the libraries used by the MendixSSO module.


For our consumers on Mendix 9 and 10, we have patched MendixSSO module v4.2.0 and are making it available as module v9.0.0. To support our consumers still on Mendix 8, we have patched MendixSSO module v3.1.1 and made it available as module v3.2.0.


[Warning: EOL notice v3.1.1 and lower]

We have marked all MendixSSO module versions v3.1.1 and lower as 'no longer supported', because these versions contain the vulnerable nimbus-jose-jwt library version and were released for a Mendix version that is itself no longer supported. We have marked all MendixSSO module versions v4.0.0 - v4.2.0 as 'contains vulnerability', because these versions contain the vulnerable nimbus-jose-jwt library version.

Documentation

Please see Mendix SSO in the Mendix documentation for details.

Need SSO?
Add Single Sign-On functionality to your app for any user with a Mendix account. Authenticate users with either the Mendix Identity Provider (IDP) or your own IDP if you have BYOIDP enabled.

With this module you can add Single Sign-On functionality to your app for any user with a Mendix account. When your app uses the Mendix SSO module, it will delegate authentication of your end-users to the Mendix Identity Provider (IDP). The Mendix platform will authenticate users either with their Mendix credentials on https://login.mendix.com, or it can delegate the authentication to your own IDP if you have BYOIDP enabled. End-users will only get access to a protected user role in your app when you assign a user role to the end-user via Mendix’ Developer portal.

The MendixSSO implementation is based on the well-known OpenID Connect standard.

Note: The MendixSSO module has always left the choice of user entity specialization entirely to the Mendix developer, so you can use whichever specialization suits your app's specific needs.

For instructions on how to set up BYOIDP, see the BYOIDP documentation: setup-byoidp

For an extensive overview of all the possibilities this module offers and instructions on how to add this module to your application, see the Developer Portal guide on Mendix Single Sign-On.

Releases

Version: 9.0.0
Framework Version: 9.24.0
Release Notes:
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1
- Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3
- The cipher algorithm has been changed to "AES/GCM/NoPadding" to support Mendix 10.6.0 or newer versions
Version: 4.2.0
Framework Version: 9.24.0
Release Notes: (edit: updated on Feb 22 2024)
- Added ContinuationURL validation (see Breaking change 1)
- Updated the internal parsing method for getting the user UUID and Email (see Breaking change 2)
- Added a migration file for easy migration to the module dependency management in Studio Pro 10.3 and above

Internal Technical Changes:
- Renamed internal getConfig microflow GetSignupHint to GetDefaultSignupHint
- Optional custom MendixSSO_ParseSignupHint microflow is now supported
- Stopped parsing the user UUID from the OpenID value in the user's Mendix profile claim ("mx:user:profile:v1")
- Started parsing the user UUID from the ID token subject claim ("sub")
- Stopped parsing the user EmailAddress from the user's Mendix profile claim ("mx:user:profile:v1")
- Started parsing the user EmailAddress from the ID token email claim ("email")
- The non-persistent entity UserProfile attributes EmailAddress and OpenID have been removed; EmailAddress is now available via the extra parameter $EmailAddress. This affects customized versions of MendixSSO_CreateUser and MendixSSO_UpdateUser

[BREAKING CHANGE 1] The ContinuationURL parameter is now validated before redirecting. The allowed URLs list only contains the default application URL. Custom domains need to be added using the custom environment variable MendixSSO_AllowedContinuationURLs. See MendixSSO documentation section 5.4.1 for details: https://docs.mendix.com/appstore/modules/mendix-sso/#supplements

[BREAKING CHANGE 2] As the EmailAddress and OpenID values are no longer parsed from the Mendix profile claim, these attributes are no longer part of the internal non-persistent entity UserProfile. The EmailAddress is now available as the microflow parameter $EmailAddress; the example microflows (MendixSSO_CreateUser and MendixSSO_UpdateUser) have been updated to reflect this change. If you made customizations to these microflows in your project, you can add the $EmailAddress parameter to your customized microflows as well. For the OpenID, you can call the helper microflow GetLegacyOpenIDForSSOUser, which constructs the OpenID by combining the user's UUID from the Identity Provider with the OpenID prefix. Note: the User UUID, the ForeignIdentity UUID, and the UUID part of the OpenID are intended to be identical.

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version manually.
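As an added illustration (not the module's own code), the following Python mirrors the allow-list rule described in Breaking change 1: a ContinuationURL redirect is only permitted to the default application URL or to an origin configured in MendixSSO_AllowedContinuationURLs. The sample values, the comma-separated format of the variable, and the acceptance of path-only relative URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values: the app's default URL and the contents of the
# (assumed comma-separated) MendixSSO_AllowedContinuationURLs variable.
DEFAULT_APP_URL = "https://myapp.mendixcloud.com"
EXTRA_ALLOWED = "https://app.example.com, https://app.example.com:8443"


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    # parts.port raises ValueError itself on a non-numeric port
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def allowed_origins(default_app_url, env_value):
    """Build the allow-list: the default app origin plus any configured extra origins."""
    origins = {origin_of(default_app_url)}
    for raw in (env_value or "").split(","):
        raw = raw.strip()
        if raw:
            origins.add(origin_of(raw))  # a misconfigured entry fails loudly
    return origins


def is_allowed_continuation(url, origins):
    """True only when a redirect to `url` stays within an allow-listed origin."""
    if not url or "\\" in url:
        return False  # browsers treat a backslash like a slash; reject rather than guess
    if url.startswith("/") and not url.startswith("//"):
        return True  # path-only relative URL stays on the current origin (assumption)
    try:
        return origin_of(url) in origins  # exact scheme, host and port match
    except ValueError:
        return False  # scheme-relative (//host), non-http scheme, or malformed URL


ORIGINS = allowed_origins(DEFAULT_APP_URL, EXTRA_ALLOWED)
```

A look-alike host, a different port or scheme, and a scheme-relative URL all fail the check, which is the behaviour to verify when adding custom domains to the variable.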
Version: 4.1.0
Framework Version: 9.24.0
Release Notes:
- Solved deprecations to make the module Mendix 10 compatible
- Updated Nimbus oauth2-oidc-sdk library to 10.7.1 (which now includes json-smart 2.4.10)
- Updated pom.xml dependency manager file
- Updated the module version to 4.1.0
- Updated the Mendix version to 9.24.0

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version manually.
Version: 4.0.2
Framework Version: 9.20.0
Release Notes:
- Solved a security concern where the regular user role had access to their own decrypted access tokens via XAS request access rules
- Nimbus oauth2-oidc-sdk library is upgraded to 10.7
- Its sub-dependency json-smart library is upgraded to 2.4.10
- This resolves the High-severity security issue https://nvd.nist.gov/vuln/detail/CVE-2023-1370

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version manually.
Version: 4.0.1
Framework Version: 9.20.0
Release Notes:
- MendixSSO v4.0.1 module is upgraded to Mendix version 9.20.0
- MendixSSO v4.0.1 module prepends the __Host- prefix to the cookie names if the app uses an HTTPS connection

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version manually.
Version: 4.0.0
Framework Version: 9.18.3
Release Notes:
- MendixSSO v4.0.0 module is upgraded to Mendix version 9.18.3
- Nimbus oauth2-oidc-sdk library is upgraded to 10.5
- Nimbus nimbus-jose-jwt library is upgraded to 9.24.4

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version manually.
Version: 3.2.0
Framework Version: 8.18.28
Release Notes:
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1
- Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3
Version: 3.1.1
Framework Version: 8.18.11
Release Notes: The only change in this module version is the version update of the dependent Java libraries:
- commons-text to version 1.10
- commons-lang3 to version 3.12

This module version is no longer supported.
Version: 3.1.0
Framework Version: 8.18.11
Release Notes:
- updated the /userlib/ folder jar libraries
- re-added some requested utility functions
- updated and improved error pages
- tightened some security rules
- bug fixes

This module version is no longer supported.
Version: 3.0.0
Framework Version: 8.18.11
Release Notes: Please note the two breaking changes, see below!

This version made MendixSSO independent of Atlas UI. It is compatible with Mendix 8 LTS and Mendix 9.0.5 and up. This version now purely offers SSO functionality and no longer provides example UI pages or snippets that your app can use to display the contents of OIDC tokens. If you want to upgrade your app to this version of MendixSSO, you can create such pages yourself using the previous versions of MendixSSO as a reference implementation.

Change log MendixSSO 3.0.0
- removed all UI elements so the module is compatible with both Atlas 2 and Atlas 3 at the same time
- updated the /userlib/ folder jar libraries
- cleaned up unused code
- added support for signup_hint as a public beta feature. Via MendixSSO, apps can request a particular kind of Mendix signup and Mendix platform onboarding process for new users. Until Mendix signup and onboarding processes support this parameterisation, the feature is considered ‘beta’.

Breaking changes introduced by this release
- all UI pages (to display details about users and tokens) were removed from the module. If you still need to use them, make sure to move them to your own module from a previous version of MendixSSO before importing version 3.0.0.
- MendixSSO 3.0.0 introduces an update to the jar libraries that is incompatible with previous versions. Mendix projects always benefit from a clean /userlib/ folder; it should never contain two versions of the same library. The dependent libraries of the previous version and of this version are marked within the /userlib/ folder, so make sure to clean up the old versions. Only jar versions marked with ".jar.MendixSSO.3.0.0" should remain; the ones marked with only ".jar.MendixSSO.RequiredLib" should be removed.

Known issue: we received a report that the Silent Authentication feature is not compatible with the Deeplink module.

This module version is no longer supported.