OIDC SSO: explain login-page and disabling local login TW-2642 #10766
Karuna-Mendix wants to merge 4 commits into development from
content/en/docs/marketplace/platform-supported-content/modules/oidc.md
Since we don't recommend the use of the Anonymous role, wouldn't it be more consistent if we could remove this explanation?
| The OIDC SSO module works without a specified sign-in page. Therefore, in the navigation section of your app, set **Sign-in page** (in the **Authentication** section) to *none*. | ||
| If you are configuring navigation for web/responsive apps and want to allow your end-users to choose from a number of different IdPs (multiple IdPs), or to have the option to sign in back into the app after they have signed out, set a **Role-based home page** for role **Anonymous** to **OIDC.Login_Web_Button**. When configuring navigation for PWA apps, set the **Role-based home page** for the **Anonymous** role to `OIDC.Login_PWA_Online_Button` for online apps and `Login_PWA_Offline_Button` for offline apps. See [Role-Based Home Pages](/refguide/navigation/#role-based) in *Navigation* for more information. |
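Review bot: the sign-in page instruction ("set **Sign-in page** ... to *none*") does not say what this means for local, non-OIDC login, even though the PR title says the change should explain disabling local login; add a sentence after it stating whether any local username/password login path remains once the sign-in page is removed, so readers can tell whether this setting alone disables local login or whether further configuration is needed.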
Hi @JaapF, do you have a comment on this section which is removed? CC @murat-ustabas-mx
Yes, makes sense to remove this, given the fact that we are removing anonymous page.
I trust Murat has reviewed this PR as well?
| {{% alert color="warning" %}} | ||
| Enabling anonymous users introduces a broader attack surface. If you choose this option, follow Mendix guidelines for [setting up anonymous user security](/howto/security/set-up-anonymous-user-security/) to mitigate potential risks. | ||
| In OIDC SSO version 4.1.0 and above, you do not have to enable anonymous users for multiple IdPs. You can remove the `Anonymous` User Role from the module. |
Maybe add: "Also, you may want to check if the Anonymous user role can be removed from your app. Not using an anonymous role if it is not needed is a security best practice."
| 2. Select *Anonymous* as the **Anonymous user role** | ||
| {{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/anonymous-user.png" class="no-border" >}} | ||
| If multiple IdPs are configured in the OIDC module, end users can access the same URL (`<your-app-url>/oauth/v2/login`) to initiate authentication. In this case, they will first be redirected to an IdP selection page, where they can choose the IdP they want to use for authentication. |
I think we need something like:
"If multiple IdPs are configured in the OIDC module, 2 mechanisms for selecting the IdP are supported:
- (1) depending on the deeplink, your application logic may redirect to an IdP-specific endpoint (see XXX / more details needed).
- (2) end users make the selection. In this case, your app logic can use (<your-app-url>/oauth/v2/login) to initiate authentication. End users will first be redirected to an IdP selection page, where they can choose the IdP they want to use for authentication."
Maybe @murat-ustabas-mx can add some more details.
https://mendix.atlassian.net/browse/TW-2642