MendixSSO

Content Type: Module
Categories: Authentication

Overview

Add Single Sign-On functionality to all your apps for any user with a Mendix platform account. Authenticate users with either the Mendix Identity Provider (IDP) or enable BYOIDP to delegate the authentication to your own OpenID Connect Identity Provider (via the Mendix IDP).

 

[Warning: Vulnerable Library Dependency]

MendixSSO is based on the oauth2-oidc-sdk and nimbus-jose-jwt libraries. By releasing new versions of the MendixSSO module, we also keep these libraries up to date. Unfortunately, a vulnerability was found in an older version of the nimbus-jose-jwt library.

 

We have released new versions of the MendixSSO module and updated the vulnerable libraries. We strongly advise all our consumers to update their applications to the most recent version of the MendixSSO module. If this is not possible, manually update the libraries used by the MendixSSO module.

 

[Version compatibility ]

  • Mendix 10: MendixSSO 10.x.x
  • Mendix 9:   MendixSSO 9.0.x
  • Mendix 8:   MendixSSO 3.2.x

 

[Warning: EOL notice v3.1.1 and lower]

We have marked all MendixSSO module versions v3.1.1 and lower as 'no longer supported', to emphasize the module versions containing the vulnerable nimbus-jose-jwt library version, as well as being released on a Mendix version that is no longer supported.We have marked all MendixSSO module versions v4.0.0 - v4.2.0 as 'contains vulnerability', to emphasize the module versions containing the vulnerable nimbus-jose-jwt library version.

Documentation

Please see Mendix SSO in the Mendix documentation for details.

Need SSO?
Add Single Sign-On functionality to your app for any user with a Mendix account. Authenticate users with either the Mendix Identity Provider (IDP) or your own IDP if you have BYOIDP enabled.

With this module you can add Single Sign-On functionality to your app for any user with a Mendix account. When your app uses the Mendix SSO module, it will delegate authentication of your end-users to the Mendix Identity Provider (IDP). The Mendix platform will authenticate users either with their Mendix credentials on https://login.mendix.com, or it can delegate the authentication to your own IDP if you have BYOIDP enabled. End-users will only get access to a protected user role in your app when you assign a user role to the end-user via Mendix’ Developer portal.

The MendixSSO implementation is based on the well known framework OpenID Connect.

Note: The MendixSSO module has always been completely flexible towards the Mendix developer in which user entity specialization you choose to use in your app, to suit your app’s specific needs.

For instructions how to setup BYOIDP, please you can read the BYOIDP documentation here: setup-byoidp


For an extensive overview of all the possibilities this module offers and instructions how to add this module to your application, see this Developer Portal Guide on Mendix Single Sign-On

Releases

Version: 10.0.0
Framework Version: 10.6.15
Release Notes: Stale data cleanup logic refactored and fixed based on Mendix 10 behavioral/structural changes.
Version: 9.0.0
Framework Version: 9.24.0
Release Notes: - Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1 - Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3 - The cipher algorithm has been changed to use "AES/GCM/NoPadding" to support Mendix 10.6.0 or newer versions
Version: 4.2.0
Framework Version: 9.24.0
Release Notes: (edit: updated on Feb 22 2024) - Added ContinuationURL validation (see Breaking change 1) - Updated the internal parsing method for getting the user UUID and Email (see Breaking change 2) - Added migration file for easy migration to the module dependency management in Studio Pro 10.3 and above. Internal Technical Changes: - Renamed internal getConfig microflow GetSignupHint to GetDefaultSignupHint - Optional custom MendixSSO_ParseSignupHint microflow is now supported - Stopped parsing the user UUID from the OpenID value from the user's Mendix profile claim ("mx:user:profile:v1") - Started parsing the user UUID from the ID token subject claim ("sub") - Stopped parsing the user EmailAddress from the user 's Mendix profile claim ("mx:user:profile:v1") - Started parsing the user EmailAddress from the ID token email claim ("email") - Non-persistent entity UserProfile attributes - EmailAddress and OpenID have been removed, EmailAddress is now available with the extra parameter $EmailAddress. This affects customized versions of MendixSSO_CreateUser and MendixSSO_UpdateUser [BREAKING CHANGE 1] The ContinuationURL parameter is now validated before redirecting. The allowed URLs list only contains default application URL. Custom domains need to be added by using the custom environment variable MendixSSO_AllowedContinuationURLs. See MendixSSO documentation section 5.4.1 for details: https://docs.mendix.com/appstore/modules/mendix-sso/#supplements [BREAKING CHANGE 2] As the EmailAddress and OpenID values are no longer parsed from the Mendix profile claim, these attributes are no longer part of the internal non-persistent entity UserProfile. The EmailAddress is now available as microflow parameter $EmailAddress, the example microflows (MendixSSO_CreateUser and MendixSSO_UpdateUser) have been updated to reflect this change. If you made customizations to these microflows in your project, you could add the $EmailAddress parameter to your customized microflows as well. For the OpenID, you can call the helper microflow GetLegacyOpenIDForSSOUser, which constructs the OpenID by combining the user's UUID from the Identity Provider and the OpenID-prefix. Note: User UUID, ForeignIdentity UUID, and the UUID part of the OpenID are intended to be identical. This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version
Version: 4.1.0
Framework Version: 9.24.0
Release Notes: - Solved deprecations to make the module Mendix 10 compatible - Updated Nimbus oauth2-oidc-sdk library to 10.7.1 (which now includes json-smart 2.4.10) - Updated pom.xml dependency manager file - Updated the module version to 4.1.0 - Updated the Mendix version to 9.24.0 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version
Version: 4.0.2
Framework Version: 9.20.0
Release Notes: - Solved a security concern, where the regular user role had access to their own decrypted access tokens via XAS request access rules - Nimbus oauth2-oidc-sdk library is upgraded 10.7 - Its sub-dependency json-smart library is upgraded to 2.4.10 - This resolves High security issue https://nvd.nist.gov/vuln/detail/CVE-2023-1370 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version
Version: 4.0.1
Framework Version: 9.20.0
Release Notes: - MendixSSO v4.0.1 module is upgraded to Mendix version 9.20.0 - MendixSSO v4.0.1 module prepends __Host parameter to the cookie names if the app uses Https connection This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version
Version: 4.0.0
Framework Version: 9.18.3
Release Notes: - MendixSSO v4.0.0 module is upgraded to Mendix version 9.18.3 - Nimbus oauth2-oidc-sdk library is upgraded 10.5 - Nimbus nimbus-jose-jwt library is upgraded to 9.24.4 This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.0.0 or higher, or update the library version
Version: 3.2.0
Framework Version: 8.18.28
Release Notes: - Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1 - Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3
Version: 3.1.1
Framework Version: 8.18.11
Release Notes: The only change in this module version is the version update of the dependent java libraries: - commons-text to version 1.10 - commons-lang3 to version 3.12 This module version is no longer supported
Version: 3.1.0
Framework Version: 8.18.11
Release Notes: - updated the /userlib/ folder jar libraries - readded some requested utility functions - updated and improved error pages - tightened some security rules - bug fixes This module version is no longer supported