OIDC SSO

Category: Modules
Subcategory: Authentication

Overview

Use this module to implement single sign-on to your Mendix app using an OpenID Connect (OIDC) compliant identity provider (IDP).  It supports ‘normal’ Mendix apps (i.e. responsive browser-based applications) and doesn’t yet support native or hybrid mobile apps. Tested against Google, Salesforce, Apple, Okta, Ping, and Microsoft, this module manages the end-to-end SSO workflow when working with an OIDC IDP. The IDP will relieve your app from logging in your end-users and optionally will also decide which roles the user gets assigned in your app, using mechanism from the OAuth protocol.

Simply provide configuration details, decide how you'd like to provision users, and log in! 

You can use this module if your app is on Mendix 9 or later. If your app is using a previous Mendix version, you would have to upgrade your app or use the similar “OpenIDConnect Single Sign-on (OIDC, OAuth2, SSO)” module, which has community support. Both modules have similar but not the same features. Please look at release notes and documentation to make the best choice for your app.

Documentation

Please see OIDC SSO in the Mendix documentation for details.

Releases

Version: 1.1.0
Framework Version: 9.12.5
Release Notes: This version contains the following fixes/improvements/enhancements: - Added support for ‘client_secret_basic’ client authentication method. This method should be your preferred choice over using ‘client_secret_post’ for security reasons. - Removed beta implementation of private_key_jwt client authentication. - Configuration experience for client authentication is improved because it now enforces mandatory fields: client_id and client_secret. - Added support for OIDC nonce parameter. Usage of nonce mitigates replay attacks, hence enhances the security of your app. - Removed PKCE configuration from the UI; instead the OIDC SSO module will automatically detect if your IDP supports PKCE through its well-known endpoint. Hence, your app will apply the security best practice to use PKCE whenever possible. Library Upgrade (Ticket #152019): - url-parse package to 1.5.10 - querystringify to 2.2.0
Version: 1.0.1
Framework Version: 9.8.1
Release Notes: This version contains the following fixes/improvements: - Fixed unintended behaviour issue w.r.t logout Library Upgrades: - com.fasterxml.jackson.core: jackson-databind to version 2.13.3 (Ticket #150849) - com.fasterxml.jackson.core: jackson- annotations to version 2.13.3 (Ticket #150849) - com.fasterxml.jackson.core: jackson- core to version 2.13.3 (Ticket #150849) Recommendation: After upgrading to the latest version, there could be a potential issue due to conflicting Java libraries of the old and the new version. Hence it is recommended that you delete all Java libraries used by the old “OIDC SSO” module from the userlib folder of the project before upgrading to the latest version.
Version: 1.0.0
Framework Version: 9.8.1
Release Notes: This is the initial version of the “OIDC SSO” module having platform support. It can be seen as a successor to the “OpenIDConnect Single Sign-on (OIDC, OAuth2, SSO)” module that is also provided via the Mendix Marketplace, which has community support only. In comparison to the community supported version we have the following differences: - “OIDC SSO” is supported for Mendix 9 onwards, no version is available for Mendix 8 or Mendix 7 - Software dependencies have been updated and simplified - PKCE support has been added - Microflow is included for processing of Access Tokens issued by the Siemens SAM IDP - Usage with native mobile apps is not yet supported. The documentation provides guidance on how to migrate your app from using “OpenIDConnect Single Sign-on (OIDC, OAuth2, SSO)” to using “OIDC SSO”.