SAML

Content Type: Module

Categories: Authentication

Overview

Use this module to implement single sign-on to your Mendix app using the SAML 2.0 protocol. This module manages the end-to-end SSO workflow when working with a SAML IDP. The IDP will relieve your app from logging in your end-users and optionally will also decide which roles the user gets assigned in your app, using mechanism from the SAML protocol.

The module is tested against AzureAD and providing a jump start to implementing providers such as Shibboleth and European eIDAS implementations such as Dutch eHerkenning and DigiD. Given adherence to commonly used parts of the SAML 2.0 specifications the module can be used to integrate your app with with IDaaS (Identity-as-a-Service) providers (e.g. Azure AD, Okta, Auth0, Ping and AWS IAM Identity Center) as well as IAM solutions such as ForgeRock and Keycloak.

Mendix also offers an “OIDC SSO” module to authenticate your end-users using the OAuth / OpenID Connect protocol.

Documentation

Please see SAML in the Mendix documentation for details.

Please follow the below version compatibility guidance:

# v.1.18.0 version for Mx7 apps

# v.2.4.0 version for Mx8 apps

# v.3.6.2 version for Mx9 apps using Atlas UI v2 (e.g. Mx8 apps upgraded to Mx9)

# v.3.6.3 version for Mx 9 and Mx 10 apps using Atlas UI v3 (e.g. for apps newly built on Mx 9 or Mx 10)

Releases

Version: 3.6.3

Framework Version: 9.24.1

Release Notes: This version contains the following fixes/improvements: - Solved deprecations to make the module Mendix 10 compatible Library Upgrades: - Few java libraries updated to latest versions Recommendation: After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old SAML module from the userlib folder of the project before upgrading to the latest version.

Version: 3.6.2

Framework Version: 9.24.1

Version: 3.6.1

Framework Version: 9.24.1

Release Notes: This version contains the following fixes/improvements: - Renamed “ReadOnly” role to “Admin_ReadSAMLEntities” - We added fix of CVE-2023-25957 that makes it impossible to make a configuration mistake when using the POST binding on SAML responses - Fixed IDP alias rename issue (Ticket # 184726) - Fixed SSO Logout issue when encryption is disabled (Ticket # 185011) - Upgraded to Studio pro v9.24.1 - SAML Module user lib includes only its dependency libraries (Ticket # 184521) Note: If ReadOnly role used in App security, then update to “Admin_ReadSAMLEntities” role

Version: 3.6.0

Framework Version: 9.24.1

Version: 3.5.1

Framework Version: 9.22.0

Release Notes: This version contains the following fixes/improvements: - When using the SAML module to connect a single app with multiple IDPs it is now possible to have independent keypairs, which can either be uploaded or self-generated. This makes it possible – as an example for the Dutch market - to connect your SAML app with both eHerkenning and DigiD. As a consequence the key store configuration is moved from the overall SP configuration tab to the IDP configuration tab. When you upgrade your app to this version of the SAML module, the module will ensure existing keys are migrated to the new keystore structure (backwards compatibility). - Fixed Session related issues w.r.t MX10(#Ticket 182000) Note: Require encryption module as a dependency for v3.5.0 and above