MendixSSO

Content Type: Module
Categories: Authentication

Overview

Add Single Sign-On functionality to your app for any user with a Mendix account. Authenticate users with either the Mendix Identity Provider (IDP) or your own IDP if you have BYOIDP enabled.


[Warning: Vulnerable Library Dependency]

MendixSSO is based on the oauth2-oidc-sdk and nimbus-jose-jwt libraries, and newer versions of the module update these libraries to newer versions. Recently, a new vulnerability was found in the nimbus-jose-jwt library.


We have updated the MendixSSO module and dependent libraries. We strongly advise all our consumers to update their applications to the most recent version of the MendixSSO module. If this is not possible, manually update the libraries used by the MendixSSO module.


For our consumers on Mendix 9 and 10, we have patched MendixSSO module v4.2.0 and are making it available as module v9.0.0.

To support our consumers still on Mendix 8, we will make a patched version of the MendixSSO module v3.1.1 available and release it as module v3.2.0.


Documentation

Please see Mendix SSO in the Mendix documentation for details.

Need SSO?

With this module you can add Single Sign-On functionality to your app for any user with a Mendix account. When your app uses the Mendix SSO module, it will delegate authentication of your end-users to the Mendix Identity Provider (IDP). The Mendix platform will authenticate users either with their Mendix credentials on https://login.mendix.com, or it can delegate the authentication to your own IDP if you have BYOIDP enabled. End-users will only get access to a protected user role in your app when you assign a user role to the end-user via Mendix’ Developer portal.

The MendixSSO implementation is based on the well-known OpenID Connect protocol.

Note: The MendixSSO module has always left the choice of user entity specialization to the Mendix developer, so you can use whichever specialization suits your app's specific needs.

For instructions on how to set up BYOIDP, see the BYOIDP documentation: setup-byoidp

For an extensive overview of all the possibilities this module offers and instructions on how to add this module to your application, see the Developer Portal Guide on Mendix Single Sign-On.

Releases

Version: 9.0.0
Framework Version: 9.24.0
Release Notes:
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1
- Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3
- The cipher algorithm has been changed to use "AES/GCM/NoPadding" to support Mendix 10.6.0 or newer versions
Version: 4.2.0
Framework Version: 9.24.0
Release Notes: (edit: updated on Feb 22 2024)
- Added ContinuationURL validation (see Breaking change 1)
- Updated the internal parsing method for getting the user UUID and Email (see Breaking change 2)
- Added migration file for easy migration to the module dependency management in Studio Pro 10.3 and above.

Internal Technical Changes:
- Renamed internal getConfig microflow GetSignupHint to GetDefaultSignupHint
- Optional custom MendixSSO_ParseSignupHint microflow is now supported
- Stopped parsing the user UUID from the OpenID value from the user's Mendix profile claim ("mx:user:profile:v1")
- Started parsing the user UUID from the ID token subject claim ("sub")
- Stopped parsing the user EmailAddress from the user's Mendix profile claim ("mx:user:profile:v1")
- Started parsing the user EmailAddress from the ID token email claim ("email")
- Non-persistent entity UserProfile attributes EmailAddress and OpenID have been removed; EmailAddress is now available as the extra parameter $EmailAddress. This affects customized versions of MendixSSO_CreateUser and MendixSSO_UpdateUser

[BREAKING CHANGE 1] The ContinuationURL parameter is now validated before redirecting. The allowed URLs list only contains the default application URL. Custom domains need to be added by using the custom environment variable MendixSSO_AllowedContinuationURLs. See MendixSSO documentation section 5.4.1 for details: https://docs.mendix.com/appstore/modules/mendix-sso/#supplements

[BREAKING CHANGE 2] As the EmailAddress and OpenID values are no longer parsed from the Mendix profile claim, these attributes are no longer part of the internal non-persistent entity UserProfile. The EmailAddress is now available as the microflow parameter $EmailAddress; the example microflows (MendixSSO_CreateUser and MendixSSO_UpdateUser) have been updated to reflect this change.
If you made customizations to these microflows in your project, you can add the $EmailAddress parameter to your customized microflows as well. For the OpenID, you can call the helper microflow GetLegacyOpenIDForSSOUser, which constructs the OpenID by combining the user's UUID from the Identity Provider and the OpenID prefix. Note: User UUID, ForeignIdentity UUID, and the UUID part of the OpenID are intended to be identical.
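The ContinuationURL validation introduced in 4.2.0 (Breaking change 1) is an allowlist check on the post-login redirect target: the default application URL is always allowed and further origins come from the MendixSSO_AllowedContinuationURLs environment variable. The following Python is an added illustration of that kind of check and is not the module's own code; it assumes the variable holds a ';'-separated list of absolute URLs, compares origins (scheme, host, port) exactly rather than by substring, and falls back to the default application URL for anything that does not match, including relative paths. The sample URLs are constructed.

```python
"""Allowlist-based validation of a post-login continuation (redirect) URL.

Added example; not part of the MendixSSO module. Assumptions are marked.
"""
import os
from urllib.parse import urlsplit

# Constructed sample value; a real app uses its own default application URL.
DEFAULT_APP_URL = "https://myapp.mendixcloud.com/"
# Assumption: the variable holds ';'-separated absolute URLs.
ENV_VAR = "MendixSSO_AllowedContinuationURLs"


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    URLs carrying userinfo ("https://trusted@other.example") are rejected
    outright instead of relying on which side of the '@' is the host.
    Raises ValueError for a malformed port (caller handles it).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    port = parts.port  # ValueError on a non-numeric port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def build_allowlist(default_app_url, env_value=""):
    """Set of allowed origins: the default app URL plus configured entries."""
    origins = set()
    for entry in [default_app_url, *env_value.split(";")]:
        entry = entry.strip()
        if not entry:
            continue
        origin = _origin(entry)
        if origin is None:
            raise ValueError(f"allowlist entry is not an absolute http(s) URL: {entry!r}")
        origins.add(origin)
    return origins


def validate_continuation_url(candidate, allowlist, fallback):
    """Return candidate if its origin is allow-listed, otherwise fallback.

    Backslashes, whitespace and control characters are rejected before
    parsing because browsers and URL parsers disagree on how to treat them.
    """
    if not candidate:
        return fallback
    if any(c == "\\" or c.isspace() or ord(c) < 32 for c in candidate):
        return fallback
    try:
        origin = _origin(candidate)
    except ValueError:
        return fallback
    if origin is None or origin not in allowlist:
        return fallback
    return candidate


if __name__ == "__main__":
    allowlist = build_allowlist(DEFAULT_APP_URL, os.environ.get(ENV_VAR, ""))
    for url in ("https://myapp.mendixcloud.com/index.html?x=1",
                "https://evil.example/",
                "https://myapp.mendixcloud.com@evil.example/"):
        print(url, "->", validate_continuation_url(url, allowlist, DEFAULT_APP_URL))
```

Exact origin matching is the point: a suffix or substring comparison would accept `myapp.mendixcloud.com.evil.example`, and comparing only the host would accept an `http://` downgrade of an `https://` origin. Custom domains therefore have to be listed explicitly, which is what the breaking change requires.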
Version: 4.1.0
Framework Version: 9.24.0
Release Notes:
- Solved deprecations to make the module Mendix 10 compatible
- Updated Nimbus oauth2-oidc-sdk library to 10.7.1 (which now includes json-smart 2.4.10)
- Updated pom.xml dependency manager file
- Updated the module version to 4.1.0
- Updated the Mendix version to 9.24.0
Version: 4.0.2
Framework Version: 9.20.0
Release Notes:
- Solved a security concern where the regular user role had access to their own decrypted access tokens via XAS request access rules
- Nimbus oauth2-oidc-sdk library is upgraded to 10.7
- Its sub-dependency json-smart library is upgraded to 2.4.10
- This resolves the High security issue https://nvd.nist.gov/vuln/detail/CVE-2023-1370
Version: 4.0.1
Framework Version: 9.20.0
Release Notes:
- MendixSSO v4.0.1 module is upgraded to Mendix version 9.20.0
- MendixSSO v4.0.1 module prepends __Host to the cookie names if the app uses an HTTPS connection