Suggestions on how to build your own SSO between Mendix Applications

1
We currently have 4 (with a 5th incoming) Mendix applications for one of our customers. These applications used to be for separate parts of the organization, but are becoming more and more integrated, meaning that people need to log on in multiple applications. We are thinking about creating our own SSO solution just for these Mendix applications (it does not have to be connected to some active directory or something similar). How would one go about setting this up? Will there be one application which contains all the accounts (the host) and the other applications would be clients? Could we for example use the SAML module for this, and connect it to the host application rather than an active directory? Suggestions on how to set this up/get started would be very helpful.
asked
5 answers
2

Hello Niels,

If you plan on just using a separate Mx App, I'm not quite sure how you'd keep the session alive for a user if they don't directly connect to the app, and if the session gets killed on your login app your user might have to re-authenticate when switching apps.

Personally I think active directory is the easiest and most straightforward option, but if you don't have the possibility of using it I would suggest OAuth against a different service.

We have our Mx CRM app on OAuth against Office365, so we get people to authenticate with the company's email provider - this way we don't need to cache any data or store cookies, Office365 does that for us, and on attempting to log in a second time with our app the user gets redirected again to Office365 where their cookie takes effect if it's still active or they're prompted to log in again. Should work in between multiple apps as well since the IdP's cookie would be available on the browser regardless of the source SP.

Hope this helps

answered
1

Implement an identity provider and connect your apps to the identity provider. Don't try to build this within Mendix, there are lots of solutions available.

answered
1

If you really want to do this (as opposed to buying an identity provider), I think the easiest way is to combine the JWT module and the OAuth module, if the latter supports authentication through JWT (I believe Erwin 't Hoen said it did, but I can't find his post). Otherwise, it shouldn't be too hard to write your own authentication logic based on a JWT.

answered
1

We used the solution provided here: https://www.mattkdaniels.com/blogs/walkthrough-enabling-autologin-functionality-within-your-mendix-app

The first app calls a webservice of the second app to get the token. Then use the deeplink module to go to a page in the second application that logs the user in automatically. Works perfectly. Assumption is that the user has the same account name in all the applications.

Regards,

Ronald

[EDIT] Found a new blogpost about how to do this: https://medium.com/mendix/mendix-autologin-with-deeplink-1c8fa92873a8
answered
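The hand-off Ronald describes (the first app fetches a token from a web service of the second app, then a deeplink page in the second app consumes it) is sketched below as an added example; it is not code from the linked blog posts or from any Mendix module, and in a real Mendix app it would live in Java actions rather than Python. The class name, shared secret and 60-second lifetime are assumptions; the point is that the token is signed, expires quickly and can be used exactly once, so a deeplink URL that leaks from a browser history or proxy log cannot be replayed to log in as that user.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: in practice the secret lives in an app constant
# or secret store shared only by the issuing and consuming applications.
SHARED_SECRET = b"example-shared-secret-change-me"
TOKEN_TTL_SECONDS = 60


class AutologinTokenService:
    """Second-app side of the hand-off: issues and consumes one-time autologin tokens."""

    def __init__(self, secret=SHARED_SECRET, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.secret, self.ttl, self.now = secret, ttl, now
        self.pending = {}  # nonce -> username; a real app would persist this in an entity

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue(self, username: str) -> str:
        # Called by the web service the first app invokes after it has authenticated the user.
        nonce = secrets.token_urlsafe(16)
        claims = {"sub": username, "exp": int(self.now()) + self.ttl, "nonce": nonce}
        payload = json.dumps(claims, sort_keys=True).encode()
        self.pending[nonce] = username
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def consume(self, token: str):
        # Called by the deeplink page. Returns the username to sign in, or None to refuse.
        try:
            encoded, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # tampered or forged
        claims = json.loads(payload)
        if claims["exp"] < self.now():
            self.pending.pop(claims.get("nonce"), None)
            return None  # expired
        # Single use: the nonce must still be pending and match the user it was issued for.
        if self.pending.pop(claims.get("nonce"), None) != claims.get("sub"):
            return None  # already used, or unknown nonce
        return claims["sub"]
```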
0

The AppCloudServices module is meant for this type of situation (assuming your customer runs apps on the Mendix cloud). Keep in mind, it currently only supports authentication with a Mendix account, not external identity providers.

answered