OIDC SSO

Content Type: Module
Categories: Authentication

Overview

Use this module to implement single sign-on to your Mendix app using an OpenID Connect (OIDC) compliant identity provider (IDP). It supports 'normal' Mendix apps (i.e. responsive browser-based applications) and does not yet support native or hybrid mobile apps. The module supports AWS Cognito, Google, Salesforce, Apple, Okta, Ping, and Microsoft, and manages the end-to-end SSO workflow when working with an OIDC IDP. The IDP relieves your app from logging in your end-users and can optionally also decide which roles the user is assigned in your app, using mechanisms from the OAuth protocol.

Simply provide configuration details, decide how you'd like to provision users, and log in! 

You can use this module if your app is on Mendix 9 or later. If your app uses an earlier Mendix version, you have to upgrade your app or use the similar "OpenIDConnect Single Sign-on (OIDC, OAuth2, SSO)" module, which has community support. Both modules have similar but not identical features. Please look at the release notes and documentation to make the best choice for your app.

Documentation

Please see OIDC SSO in the Mendix documentation for details.

Releases

Version: 3.0.1
Framework Version: 9.24.2
Release Notes: This version contains the following enhancements:
- Enhanced security by resolving weak sha1 algorithm detection in package-lock.json (Ticket#215455)
This version contains the following fixes/improvements:
- Fixed base64 decoding issue in AzureRoleParse to handle JWT payloads with underscores (Ticket#217222)
- Fixed auto-commit issue in OIDC.CodeChallengeMethodsSet during Automated Deploy-time SSO Configuration (Ticket#217387)
Version: 3.0.0
Framework Version: 9.24.2
Release Notes: This version contains the following enhancements:
- Users can be provisioned to a custom user entity without customizing the module.
- When using Entra ID, the default attribute mapping can be used; in the typical case there is no need to configure attribute mapping.
- User provisioning can set the user_type (i.e. internal / external) based on IdP-level configuration. This eliminates the need to build a custom microflow for accurate user counting.
- User provisioning allows setting the user's preferred language and timezone based on the SSO response.
- User provisioning can set a default userrole, regardless of the Access Token.
- JIT user provisioning can be disabled, e.g. when users are provisioned only via the Administration module.
- Possible to select any custom microflow for user provisioning, i.e. one prefixed with "OIDC_CustomUserParsing". This makes it possible for customers to share such microflows across multiple apps using OIDC SSO.
- Forward-compatible with the upcoming SCIM Module.
- Added UserCommons Module as a new dependency for OIDC SSO.
- Mandatory to set the OIDC.Startup microflow as After Startup within settings.
This version contains the following fixes/improvements:
- Fixed issue related to access token parsing microflow (Ticket#177243).
- Fixed issue related to Scope Value Attribute.
Version: 2.4.0
Framework Version: 9.24.2
Release Notes: This version contains the following fixes/improvements:
- Support for Progressive Web Apps (PWA)
- Support for Page and Microflow URLs
- Support for Additional Scopes in deploy-time Configuration
- Fixed issue with Token expires_in attribute (Ticket#206386)
Library Upgrades:
- com.nimbusds:nimbus-jose-jwt to version 9.37.3
Recommendation: After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC SSO module from the userlib folder of the project before upgrading to the latest version.
Version: 2.3.2
Framework Version: 9.24.2
Release Notes: This version contains the following fixes/improvements:
- Encoded escaping of special characters in URLs for OIDC
- Fixed issues related to Dutch translation
Library Upgrades:
- com.fasterxml.jackson.core:jackson-databind to 2.16.0
- com.fasterxml.jackson.core:jackson-annotations to 2.16.0
- com.fasterxml.jackson.core:jackson-core to 2.16.0
Recommendation: After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC SSO module from the userlib folder of the project before upgrading to the latest version.
Version: 2.3.1
Framework Version: 9.24.2
Release Notes: This version contains the following fixes/improvements:
- Fixed Java dependency issue in migration file for Mendix 10 compatibility.
Library Upgrades:
- org.json:json:20230227 to 20231013
Recommendation: After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old OIDC SSO module from the userlib folder of the project before upgrading to the latest version.
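The 3.0.1 fix for AzureRoleParse concerns how JWT segments are encoded: JWS uses base64url (the '-' and '_' alphabet, padding stripped), so a decoder built for standard base64 breaks as soon as a payload byte happens to encode to '_'. The following is an added illustration of that defect class, not code from the OIDC SSO module; the claims, the token and the function names are constructed for the demo, and the signature segment is a placeholder that is not verified.

```python
import base64
import binascii
import json

# Constructed claims (not a real Entra ID token). The '?' in the picture URL sits
# at a byte offset whose 6-bit group is 63, which standard base64 writes as '/'
# and base64url writes as '_', the character the pre-3.0.1 decoder choked on.
PAYLOAD_JSON = b'{"roles":["Admin"],"picture":"https://xy.invalid/p?s=1"}'
HEADER_JSON = b'{"alg":"RS256","typ":"JWT"}'


def b64url_encode(raw: bytes) -> str:
    """JWS base64url (RFC 7515 section 2): urlsafe alphabet, padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_constructed_token() -> str:
    """Assemble an unsigned compact JWS for the demo; the third segment is a placeholder."""
    return ".".join([b64url_encode(HEADER_JSON), b64url_encode(PAYLOAD_JSON), "placeholder-sig"])


def decode_segment_standard_b64(segment: str) -> dict:
    """Decoder using the standard '+'/'/' alphabet with strict validation.
    This models the defect: any '_' or '-' in a segment raises binascii.Error."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.b64decode(padded, validate=True))


def decode_segment_base64url(segment: str) -> dict:
    """Correct JWT segment decoding: urlsafe alphabet, stripped padding restored."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def standard_decoder_rejects(segment: str) -> bool:
    """True when the standard-base64 decoder fails on this segment."""
    try:
        decode_segment_standard_b64(segment)
    except binascii.Error:
        return True
    return False


def roles_from_token(token: str) -> list:
    """Return the 'roles' claim from the payload segment. This only parses the
    token; the signature must be verified separately before roles are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return decode_segment_base64url(parts[1]).get("roles", [])


if __name__ == "__main__":
    tok = build_constructed_token()
    payload_seg = tok.split(".")[1]
    print("payload segment contains '_':", "_" in payload_seg)
    print("standard base64 decoder rejects it:", standard_decoder_rejects(payload_seg))
    print("roles via base64url decoder:", roles_from_token(tok))
```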