MendixSSO

Content Type: Module
Categories: Authentication

Overview

Add Single Sign-On functionality to all your apps for any user with a Mendix platform account. Authenticate users with either the Mendix Identity Provider (IDP) or enable BYOIDP to delegate the authentication to your own OpenID Connect Identity Provider (via the Mendix IDP).

 

[Warning: Vulnerable Library Dependency]

MendixSSO is based on the oauth2-oidc-sdk and nimbus-jose-jwt libraries. By releasing new versions of the MendixSSO module, we also keep these libraries up to date. Unfortunately, a vulnerability was found in an older version of the nimbus-jose-jwt library.

 

We have released new versions of the MendixSSO module and updated the vulnerable libraries. We strongly advise all our consumers to update their applications to the most recent version of the MendixSSO module. If this is not possible, manually update the libraries used by the MendixSSO module.

 

[Version compatibility]

  • Mendix 10: MendixSSO 10.x.x
  • Mendix 9: MendixSSO 9.x.x
  • Mendix 8: MendixSSO 3.x.x

 

[Warning: EOL notice v3.1.1 and lower]

We have marked all MendixSSO module versions v3.1.1 and lower as 'no longer supported'. These versions contain the vulnerable nimbus-jose-jwt library version and were released on a Mendix version that is no longer supported.

Documentation

Please see Mendix SSO in the Mendix documentation for details.

Need SSO?
Add Single Sign-On functionality to your app for any user with a Mendix account. Authenticate users with either the Mendix Identity Provider (IDP) or your own IDP if you have BYOIDP enabled.

With this module you can add Single Sign-On functionality to your app for any user with a Mendix account. When your app uses the Mendix SSO module, it delegates authentication of your end-users to the Mendix Identity Provider (IDP). The Mendix platform authenticates users either with their Mendix credentials on https://login.mendix.com, or by delegating the authentication to your own IDP if you have BYOIDP enabled. End-users only get access to a protected user role in your app when you assign a user role to the end-user via the Mendix Developer Portal.

The MendixSSO implementation is based on the well-known OpenID Connect framework.

Note: The MendixSSO module has always left the choice of user entity specialization entirely to the Mendix developer, so you can pick the one that suits your app's specific needs.

For instructions on how to set up BYOIDP, see the BYOIDP documentation: setup-byoidp


For an extensive overview of all the possibilities this module offers and instructions on how to add this module to your application, see the Developer Portal Guide on Mendix Single Sign-On.

Releases

Version: 10.5.0
Framework Version: 10.21.0
Release Notes:
- Enhanced error & informative page for internationalization support

Version: 10.4.0
Framework Version: 10.21.0
Release Notes:
- Mendix 11 Compatibility: Deprecated runtime methods have been replaced to ensure full compatibility with Mendix 11.
- Enhanced Page & Microflow URL Support: We've added support for query parameters providing more flexibility for data handling and navigation.

Version: 10.3.0
Framework Version: 10.21.0
Release Notes:
- Mendix runtime is upgraded to 10.21.0 for Mendix 11 support
- Apache commons-text library is upgraded to version 1.13.1
- Netty codec-http library is upgraded to version 4.2.0.Final

Version: 10.2.0
Framework Version: 10.6.15
Release Notes:
- Improved implementation of nonce, state and PKCE features.
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.23.1

Version: 10.1.0
Framework Version: 10.6.15
Release Notes:
- Added support for configuring JWKS endpoint timeouts. Custom values can be set using custom environment variables "MendixSSO_RemoteJWKSHttpConnectTimeout", and "MendixSSO_RemoteJWKSHttpReadTime". Timeouts are in milliseconds, and must not be negative.
- Localization support has been added and enabled by default. It can be disabled by setting the custom environment variable "MendixSSO_LocalizationEnabled" to "false".
- Page URLs support has been added as the DeepLink module has been deprecated and replaced with page URLs. In order to leverage this functionality the file "login.html" needs to be replaced with the file "resources/mendixsso/templates/login-with-mendixsso-automatically.html"
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.21
- Nimbus nimbus-jose-jwt library is upgraded to version 10.0.1

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v10.2.0 or higher, or update the library version.

Version: 10.0.0
Framework Version: 10.6.15
Release Notes:
- Stale data cleanup logic refactored and fixed based on Mendix 10 behavioral/structural changes.

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v10.2.0 or higher, or update the library version.

Version: 9.3.0
Framework Version: 9.24.0
Release Notes:
- Enhanced error & informative page for internationalization support

Version: 9.2.0
Framework Version: 9.24.0
Release Notes:
- Improved implementation of nonce, state and PKCE features.
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.23.1

Version: 9.1.0
Framework Version: 9.24.0
Release Notes:
- Added support for configuring JWKS endpoint timeouts. Custom values can be set using custom environment variables "MendixSSO_RemoteJWKSHttpConnectTimeout", and "MendixSSO_RemoteJWKSHttpReadTime". Timeouts are in milliseconds, and must not be negative.
- Localization support has been added and enabled by default. It can be disabled by setting the custom environment variable "MendixSSO_LocalizationEnabled" to "false".
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.21
- Nimbus nimbus-jose-jwt library is upgraded to version 10.0.1

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.2.0 or higher, or update the library version.

Version: 9.0.0
Framework Version: 9.24.0
Release Notes:
- Nimbus oauth2-oidc-sdk library is upgraded to version 11.10.1
- Nimbus nimbus-jose-jwt library is upgraded to version 9.37.3
- The cipher algorithm has been changed to use "AES/GCM/NoPadding" to support Mendix 10.6.0 or newer versions

This module version contains a vulnerable version of the nimbus-jose-jwt library. Please update to v9.2.0 or higher, or update the library version.