Mendix SSO deprecation #11148
| A Mendix Admin can set up **App Access Groups**, which consist of end-users (who are active users of Mendix Platform in your company) who will have access to [Mendix SSO](/appstore/modules/mendix-sso/)-enabled apps with specific environments and roles. | ||
|
|
||
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
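Review bot: The LDAP link on the added line is written as `[LDAP](appstore/modules/ldap/)` without a leading slash, while the OIDC SSO and SAML links beside it use `/appstore/modules/oidc/` and `/appstore/modules/saml/`. A path without the leading slash resolves relative to the current page rather than the site root, so the link will likely break; change it to `/appstore/modules/ldap/`. The same path appears in the other deprecation notices shown in this PR.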
Consequence is that this whole "Groups" page becomes obsolete.
I think we need to make that more explicit.
Maybe something like:
"App Access Groups" are deprecated together with the deprecation of Mendix SSO.
Alternatives to Mendix SSO are OIDC SSO, SAML or LDAP.
Alternative to the associated App Access groups are user groups and/or roles in your IdP of choice."
@NicoletaComan, I implemented the feedback in the groups.md doc in this commit. Please validate further.
| * External users (with domains that are not part of your company) are unaffected. They still have access based on the way they normally sign in to Mendix. | ||
| * When BYOIDP is used, a session at Mendix is valid for one hour. After the session has expired, Mendix will request a new `ID_token` from your IdP. If the user still has a session at your IdP, the token will be issued without any user input and the platform user continues to have access to the Mendix Platform. The effect of this mechanism is that users have access to the Mendix Platform as long as the session at your IdP is valid. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
in this context it makes sense to say:
"You may alternatively use OIDC SSO, SAML, or LDAP to delegate login to your IdP directly rather than via the platform services."
| * **Authentication** tab | ||
|
|
||
| {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**.</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} | ||
| {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**. Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} |
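Review bot: The modified alert line still carries the typo "your are strongly encouraged" from the original line; since the line is being changed anyway, correct it to "you are". The line breaks are written as `</br></br>`, which is not a valid tag form (use `<br>` or `<br/>`), and the LDAP link `appstore/modules/ldap/` lacks the leading slash that the OIDC SSO and SAML links have.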
This needs to be rephrased a bit more. 'Strongly encouraging' doesn't combine well with the deprecated status ;-).
Custom authentication will be the recommended approach. After sunset it will actually be the only approach
| #### Authenticating with Mendix SSO {#authenticate-mendix-sso} | ||
|
|
||
| Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. | ||
| Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. However, the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
In case OIDC SSO / SAML / LDAP is used, customers will have to set up Custom authentication - as indicated by the call out a bit higher.
I feel the page should guide the user in that direction more clearly.
Commit. Component owner should verify and improve.
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). | ||
| {{% /alert %}} | ||
|
|
The notification should go to the start of the section about Mendix SSO - upfront rather than an afterthought
I think this section needs improved steps to set up an authentication using OIDC, SAML, or LDAP. Further improvement is required from the component owner.
I agree that the warning should be at the beginning of this section, but I agree with Karuna that having security better described would also help.
(See comment above - text within a warning box doesn't really need "Note that" at the beginning).
MarkvanMents
left a comment
A good piece of work to find and deal with all the discussions of Mendix SSO. Generally looks good. I have been very critical, because of the importance of ensuring that customers don't miss the deprecation and have made a few suggestions.
You could think about making this more obvious by inserting the DEPRECATED lozenge actually within the document. This is activated in the sidebar in https://github.com/mendix/docs/blob/development/layouts/partials/sidebar-tree.html. The code for that is <text class="badge badge-pill badge-deprecated">DEPRECATED</text>
I think we should (unusually) copy these warnings to refguide9 and refguide10, given the importance to users - who are often not on the latest Mendix version.
Thanks for everyone's hard work here.
| * **Basic authentication** – Authenticate from a username and password | ||
| * **Active session** – For Mendix services, authenticate from the open and active browser session | ||
| * **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module | ||
| * **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module. However, this module is deprecated as of May 1, 2026. |
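Review bot: On the added **Mendix SSO** list item, the deprecation sentence names no replacement, whereas the other notices in this PR that mention the deprecation point readers to OIDC SSO, SAML, or LDAP; add the same pointer here so a reader of this list knows where to go. The item also now ends with a period while its siblings (**Basic authentication**, **Active session**) do not.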
Is this warning strong enough? Also, I think we should move this to the end of the list - and perhaps not even have it as part of the list but just a separate paragraph ("You can also use Mendix SSO, but be aware that this module is deprecated as of …" or something like that)?
| A Mendix Admin can set up **App Access Groups**, which consist of end-users (who are active users of Mendix Platform in your company) who will have access to [Mendix SSO](/appstore/modules/mendix-sso/)-enabled apps with specific environments and roles. | ||
|
|
||
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **App Access Groups** are also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **App Access Groups**, use user groups or roles configured within your Identity Provider (IdP) of choice. |
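Review bot: In the added alert text, "You may alternatively use OIDC SSO, SAML, or LDAP for Mendix SSO" reads as if those modules are used for Mendix SSO; "instead of Mendix SSO" would be unambiguous. This notice also says "has been deprecated as of May 1, 2026" where the other notices say "is deprecated as of", so pick one wording, and the LDAP link `appstore/modules/ldap/` is missing its leading slash.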
This is an alert note, so you don't have to start with "Note that".
| * External users (with domains that are not part of your company) are unaffected. They still have access based on the way they normally sign in to Mendix. | ||
| * When BYOIDP is used, a session at Mendix is valid for one hour. After the session has expired, Mendix will request a new `ID_token` from your IdP. If the user still has a session at your IdP, the token will be issued without any user input and the platform user continues to have access to the Mendix Platform. The effect of this mechanism is that users have access to the Mendix Platform as long as the session at your IdP is valid. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. | ||
| * You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) to delegate login to your IdP directly rather than via the platform services. |
I would take this out of the list and put it as a plain paragraph to make it clearer that it isn't something we now recommend.
| On the tab, you can only see the environments that satisfy the following requirements: | ||
|
|
||
| * [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). | ||
| * [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
We also have a warning box, I think we only need to say this once - but see comment below.
|
|
||
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **Access Management** is also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **Access Management**, use user groups or roles configured within your Identity Provider (IdP) of choice. | ||
| {{% /alert %}} |
I agree with @JaapF that this would be better straight after the section header (section 5) as it affects everything in this section. You can't do access management this way once Mendix SSO is removed.
| * **Authentication** tab | ||
|
|
||
| {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**.</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} | ||
| {{% alert color="info" %}}For the best user experience, configure your app to use the Mendix Feedback widget version 8.2.1 or above with a supported authentication method. Choose only one authentication method: either **MendixSSO** or **Custom Authentication**. Note that the Mendix SSO module is deprecated as of May 1, 2026. **Custom Authentication** is the recommended approach going forward. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) modules for authentication integration.</br></br>Enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}} |
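Review bot: The closing sentence of the rewritten alert, "You may alternatively use OIDC SSO, SAML, or LDAP modules for authentication integration", does not say whether these modules are a third choice or are used through **Custom Authentication**, while the line still instructs the reader to choose "either **MendixSSO** or **Custom Authentication**". State the relationship explicitly, and put the recommendation before the deprecated option rather than after it. The LDAP link `appstore/modules/ldap/` also lacks the leading slash.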
I would probably now separate out "Custom Authentication" and "Mendix SSO". Start with Custom Authentication and then have a separate set of instructions for Mendix SSO and start with the fact it has been deprecated.
As it is, I find the deprecation notice is too hidden.
|
|
||
| * [SAML](https://marketplace.mendix.com/link/component/1174) – if your IdP supports the SAML protocol but not the OIDC protocol | ||
| * [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform | ||
| * [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform. However, this module is deprecated as of May 1, 2026. You may alternatively use [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). |
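Review bot: The alternatives on the added **Mendix SSO** item are given as "[SAML], or [LDAP]", which drops OIDC SSO although the other notices in this PR that name alternatives list it, and leaves a stray comma before "or" in a two-item list. SAML is also the list item directly above, so the reader is pointed back to an entry they have just read; consider referring to the other items in the list instead. The LDAP link `appstore/modules/ldap/` needs a leading slash.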
Again, make this not part of the list?
| * Familiarize yourself with workflow terms. For more information, see [Workflows](/refguide/workflows/). | ||
| * Install Atlas 3 from the Mendix Marketplace. As a result of installing Atlas 3, your app should contain the following modules that Workflow Commons depends on: Atlas_Core, Atlas_Web_Content, and DataGrid. | ||
| * Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/). | ||
| * Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. However, the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/). |
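Review bot: The added text runs straight into the next sentence with no space: `[LDAP](appstore/modules/ldap/).For more information`. Add the space, and add the leading slash to the LDAP path so it matches the OIDC SSO and SAML links. The opening of the item, "the following optional modules ... and [Mendix SSO] modules", also repeats "modules" and could be tidied while the line is being edited.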
I think we should separate out the two modules, Workflow Commons and Mendix SSO. This will make it clearer that one can still be used while the other is deprecated.
|
|
||
| Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. | ||
|
|
||
| {{% alert color="info" %}} |
Elsewhere, this is a warning - I think it should be here too?
https://github.com/mendix/docs/pull/11148/changes#diff-9846f35b182897a89913c8acc4c76416fa78fb8ba2e30555d07db3a53e07d8c2R78-R80
It could also be at the beginning of this section?
| {{% alert color="warning" %}} | ||
| Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/). | ||
| {{% /alert %}} | ||
|
|
I agree that the warning should be at the beginning of this section, but I agree with Karuna that having security better described would also help.
(See comment above - text within a warning box doesn't really need "Note that" at the beginning).
https://mendix.atlassian.net/browse/TW-2834