OIDC SSO: explain login-page and disabling local login TW-2642 #10766
base: development
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -202,15 +202,15 @@ If your app is already developed using Mendix 9 or above, but uses the community | |
|
|
||
| This section provides an overview of updates for the OIDC SSO module across different versions. It includes new dependencies, snippet replacements, and microflow renaming to ensure a smooth transition while migrating to higher module versions. | ||
|
|
||
| | Mendix Version | OIDC SSO Module Version | Important Migration Changes | Additional Information| | ||
| | Mendix Version | OIDC SSO Module Version | Important Migration Changes | Additional Information | | ||
| | --- | --- | --- | --- | | ||
| | 10.24.0 and above | 4.2.1 | In version 4.2.1, automatic migration of the UserCommons has been removed. | Since migration steps were removed in 4.2.1, you must upgrade to OIDC SSO version 4.2.0 first to prevent data loss. This applies to the UserCommons, if you are migrating from any version below 3.0.0, always upgrade to 4.2.0 first, then move to the latest v4.2.1. | | ||
| | 10.21.01 and above | 4.2.0 | In version 4.2.0, the module no longer automatically executes the UserCommons migration in the startup microflow. The migration step has been moved to a dedicated microflow, which you can trigger via a widget. | The `ASU_STARTUP` microflow has been moved under the **USE_ME** folder. | | ||
| | 10.12.10 and above | 4.0.0 | Set `OIDC.ASU_OIDC_Startup` microflow as part of the after-startup microflow | From UserCommons 2.0.0, new users without IdP-specified time zone or language will use default App settings; existing users retain their previously set values. | | ||
| | | | For module version 4.0.0 and above, use User Commons module version 2.0.0 and above, and vice versa. | Deprecated Mx Model Reflection module; maintained for compatibility but will be removed in future versions. | | ||
| | | | | Default user roles in UserProvisioning will be assigned along with roles from the access token. | | ||
| | | | | The `OIDC.ACT_Account_RetrieveAccount` microflow, located in the **USE_ME** folder, has been removed as it is no longer required. | | ||
| | 9.24.18 and above | 3.2.0 | Select and refresh the Administration and System modules manually in the `MxModelReflection.MxObjects_Overview` page| Added a new heading for selected scopes: *Your app will request the following scopes at IdP*. | | ||
| | 9.24.18 and above | 3.2.0 | Select and refresh the Administration and System modules manually in the `MxModelReflection.MxObjects_Overview` page | Added a new heading for selected scopes: *Your app will request the following scopes at IdP*. | | ||
| | 9.24.2 and above | 3.1.0 | Set `OIDC.ASU_OIDC_Startup` microflow as part of the after-startup microflow | `OIDC.Startup` microflow renamed to `OIDC.ASU_OIDC_Startup` | | ||
| | 9.24.2 and above | 3.0.1 | Use `Snip_Login_Button` snippet instead of `Snip_Login_Automatic` | `Snip_Login_Automatic` snippet removed from the module | | ||
| | 9.24.2 and above | 3.0.0 (migrating to 3.0.0 and above) | Include [UserCommons](https://marketplace.mendix.com/link/component/223053) module as a dependency. | New UserCommons module | | ||
|
|
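Review bot: The 4.2.1 row's "Additional Information" cell runs two statements together ("This applies to the UserCommons, if you are migrating from any version below 3.0.0, always upgrade to 4.2.0 first, then move to the latest v4.2.1"); since this is the guard against data loss, split it into two sentences and state the order as an explicit rule, e.g. "If you are migrating from any version below 3.0.0, upgrade to 4.2.0 first, then to 4.2.1." Also, the Mendix version "10.21.01" in the 4.2.0 row does not follow the format used in the other rows (10.24.0, 10.12.10); confirm the intended version number.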
@@ -231,40 +231,24 @@ Ensure that you have allocated the following user roles to the OIDC module and U | |
| | User Role | OIDC Module Role | | ||
| | --- | --- | | ||
| | Administrator | OIDC.Administrator, UserCommons.Administrator | | ||
| | Anonymous | OIDC.Anonymous (for multiple IdPs only) | | ||
| | User | OIDC.User | | ||
|
|
||
| {{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" class="no-border" >}} | ||
| {{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" >}} | ||
|
|
||
| ### User Roles for Single IdP | ||
| ### End User Login When Using Single or Multiple IdPs | ||
|
|
||
| If a single Identity Provider (IdP) is configured in the OIDC SSO module, end-users can be authenticated via the URL `https://<your-app-url>/oauth/v2/login` This means you do not need to configure the *Anonymous* user role for a single IdP. | ||
| If a single Identity Provider (IdP) is configured in the OIDC SSO module, end users can be authenticated via the URL `https://<your-app-url>/oauth/v2/login`. When accessing the URL, users are automatically redirected to the configured IdP for authentication. | ||
|
|
||
| ### Allowing Anonymous Users for Multiple IdPs (Optional) | ||
|
|
||
| The OIDC module supports multiple OIDC/OAuth-compatible IdPs. Optionally, if you allow your end-users to choose from multiple IdPs, or to have the option to log back into the app after they have logged out, you will need to give them access to the app before they have signed in to the app. Therefore, you need to give anonymous users access to your app. | ||
|
|
||
| In the **Anonymous** tab of the app security settings, do the following: | ||
|
|
||
| 1. Set **Allow anonymous users** to **Yes** | ||
| 2. Select *Anonymous* as the **Anonymous user role** | ||
|
|
||
| {{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/anonymous-user.png" class="no-border" >}} | ||
| If multiple IdPs are configured in the OIDC module, end users can access the same URL (`<your-app-url>/oauth/v2/login`) to initiate authentication. In this case, they will first be redirected to an IdP selection page, where they can choose the IdP they want to use for authentication. | ||
|
|
||
| {{% alert color="info" %}} | ||
| For multiple IdPs, you may have to add the *Anonymous* user role if it does not exist already. | ||
| {{% /alert %}} | ||
|
|
||
| {{% alert color="warning" %}} | ||
| Enabling anonymous users introduces a broader attack surface. If you choose this option, follow Mendix guidelines for [setting up anonymous user security](/howto/security/set-up-anonymous-user-security/) to mitigate potential risks. | ||
| In OIDC SSO version 4.1.0 and above, you do not have to enable anonymous users for multiple IdPs. You can remove the `Anonymous` User Role from the module. | ||
|
maybe add: "Also you may want to check if the Anonymous user role can be removed from your app. Not using an anonymous role if not needed is a best security practice."
||
| {{% /alert %}} | ||
|
|
||
| ### Configuring Navigation{#configure-nav} | ||
|
|
||
| The OIDC SSO module works without a specified sign-in page. Therefore, in the navigation section of your app, set **Sign-in page** (in the **Authentication** section) to *none*. | ||
|
|
||
| If you are configuring navigation for web/responsive apps and want to allow your end-users to choose from a number of different IdPs (multiple IdPs), or to have the option to sign in back into the app after they have signed out, set a **Role-based home page** for role **Anonymous** to **OIDC.Login_Web_Button**. When configuring navigation for PWA apps, set the **Role-based home page** for the **Anonymous** role to `OIDC.Login_PWA_Online_Button` for online apps and `Login_PWA_Offline_Button` for offline apps. See [Role-Based Home Pages](/refguide/navigation/#role-based) in *Navigation* for more information. | ||
|
Collaborator
Author
Hi @JaapF, do you have a comment on this section which is removed? CC @murat-ustabas-mx
Reply: Yes, makes sense to remove this, given the fact that we are removing the anonymous page.
||
|
|
||
| In addition, administrators will need to have access to configure OIDC and also manage end-users. You can do this by including the pages `Administration.Account_Overview` and `OIDC.OIDC_Client_Overview` into the app navigation, or a separate administration page. | ||
|
|
||
| If you are testing phone web and phone web offline locally, use the URLs `http://localhost:8080/?profile=Phone` and | ||
|
|
||
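Review bot: The info alert kept at "For multiple IdPs, you may have to add the *Anonymous* user role if it does not exist already" and the role table row "Anonymous | OIDC.Anonymous (for multiple IdPs only)" now read as unconditional, while the new alert text states that from OIDC SSO 4.1.0 the Anonymous role is no longer needed for multiple IdPs and can be removed; scope both to module versions below 4.1.0 (or repeat the version there) so readers on 4.1.0 and above are not led to add an anonymous role that the remaining warning says broadens the attack surface. Minor: the multi-IdP paragraph writes the login URL as `<your-app-url>/oauth/v2/login` while the single-IdP paragraph uses `https://<your-app-url>/oauth/v2/login`; use the same form in both.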
I think we need something like:
"If multiple IdPs are configured in the OIDC module, 2 mechanisms for selecting the IdP are supported:
<your-app-url>/oauth/v2/login) to initiate authentication. End-users will first be redirected to an IdP selection page, where they can choose the IdP they want to use for authentication."
Maybe @murat-ustabas-mx can add some more details.