Mendix SSO deprecation #11148
| A Mendix Admin can set up **App Access Groups**, which consist of end-users (who are active users of Mendix Platform in your company) who will have access to [Mendix SSO](/appstore/modules/mendix-sso/)-enabled apps with specific environments and roles. | ||
|
|
||
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
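Review bot: The LDAP link in the added alert text is written as `(appstore/modules/ldap/)`, without the leading slash that the OIDC SSO and SAML links beside it have, so it will resolve relative to the current page instead of the site root. Change it to `/appstore/modules/ldap/`; the same target recurs in the other added deprecation sentences in this PR.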
There was a problem hiding this comment.
Consequence is that this whole "Groups" page becomes obsolete.
I think we need to make that more explicit.
Maybe something like:
"App Access Groups" are deprecated together with the deprecation of Mendix SSO.
Alternatives to Mendix SSO are OIDC SSO, SAML or LDAP.
Alternative to the associated App Access groups are user groups and/or roles in your IdP of choice."
There was a problem hiding this comment.
@NicoletaComan, I implemented the feedback in the groups.md doc in this commit. Please validate further.
| * External users (with domains that are not part of your company) are unaffected. They still have access based on the way they normally sign in to Mendix. | ||
| * When BYOIDP is used, a session at Mendix is valid for one hour. After the session has expired, Mendix will request a new `ID_token` from your IdP. If the user still has a session at your IdP, the token will be issued without any user input and the platform user continues to have access to the Mendix Platform. The effect of this mechanism is that users have access to the Mendix Platform as long as the session at your IdP is valid. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
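Review bot: In the added bullet, "this module" sits two sentences away from the Mendix SSO link, after the text about BYOIDP SSO and account sign-up, so the deprecation is easy to misread as applying to BYOIDP. Name it explicitly ("the Mendix SSO module is deprecated as of May 1, 2026") and consider placing that sentence before the sign-up instruction, so readers see the deprecation before they are told to create accounts for the module.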
There was a problem hiding this comment.
In this context it makes sense to say:
"You may alternatively use OIDC SSO, SAML, or LDAP to delegate login to your IdP directly rather than via the platform services."
| On the tab, you can only see the environments that satisfy the following requirements: | ||
|
|
||
| * [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). | ||
| * [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
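Review bot: The added sentence puts the alternatives inside a bullet that is a visibility requirement ("you can only see the environments that satisfy the following requirements"), which leaves it unclear whether an environment using OIDC SSO, SAML, or LDAP meets that requirement and appears on the tab. Move the deprecation notice out of the requirement list and state what happens to environments that do not use the Mendix SSO module.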
There was a problem hiding this comment.
Similar to my comment on the Control Center page, deprecation of Mendix SSO means that the whole section 5 on Access Management has become deprecated.
There was a problem hiding this comment.
I implemented the changes in this commit. It needs further validation from the component owner.
There was a problem hiding this comment.
Thanks, Karuna. LGTM!
| * **Authentication** tab | ||
|
|
||
| {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**.</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} | ||
| {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**. Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} |
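Review bot: The added sentence names OIDC SSO, SAML, and LDAP directly after "Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**", and none of the three is one of those two options, so the alert does not say which option a reader using an alternative module should pick. State that explicitly, and since the line is being rewritten anyway, fix the carried-over "your are".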
There was a problem hiding this comment.
This needs to be rephrased a bit more. 'Strongly encouraging' doesn't combine well with the deprecated status ;-).
Custom authentication will be the recommended approach. After sunset it will actually be the only approach.
| #### Authenticating with Mendix SSO {#authenticate-mendix-sso} | ||
|
|
||
| Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. | ||
| Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. However, the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
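Review bot: The added sentence links the three alternatives only to their module pages, while the section heading and both cross-references on this line still describe authenticating with Mendix SSO, so a publisher moving off the module gets no pointer to the OData-side setup. Consider pointing the alternatives at the `#authentication-microflow` section already linked at the start of the line.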
There was a problem hiding this comment.
In case OIDC SSO / SAML / LDAP is used, customers will have to set up Custom authentication - as indicated by the callout a bit higher.
I feel the page should guide the user in that direction more clearly.
There was a problem hiding this comment.
Commit. Component owner should verify and improve.
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). | ||
| {{% /alert %}} | ||
|
|
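Review bot: The alert gives the deprecation date but does not say what changes on May 1, 2026 for apps that already use the module, or when the module stops working. Add one sentence on the effect for existing apps, or link to the deprecation announcement if one exists.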
There was a problem hiding this comment.
The notification should go to the start of the section about Mendix SSO - upfront rather than an afterthought.
There was a problem hiding this comment.
I think this section needs improved steps to set up an authentication using OIDC, SAML, or LDAP. Further improvement is required from the component owner.
https://mendix.atlassian.net/browse/TW-2834