2 changes: 1 addition & 1 deletion content/en/docs/catalog/register/register-data.md
Expand Up @@ -98,7 +98,7 @@ The Catalog supports the following methods:

* **Basic authentication** – Authenticate from a username and password
* **Active session** – For Mendix services, authenticate from the open and active browser session
* **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module
* **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module. However, this module is deprecated as of May 1, 2026.
Collaborator

Is this warning strong enough? Also, I think we should move this to the end of the list - and perhaps not even have it as part of the list but just a separate paragraph ("You can also use Mendix SSO, but be aware that this module is deprecated as of …" or something like that)?

* **OAuth** – Authenticate with [OAuth](https://oauth.net/)
* **OpenID Connect** – Authenticate with [OpenID Connect](https://openid.net/connect/), built on top of [OAuth 2.0](https://oauth.net/2/) and used with the [OIDC SSO](/appstore/modules/oidc/) module
* **Other** – Specify other ways to authenticate, including custom modules
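
Review bot: The sentence added to the **Mendix SSO** bullet states the deprecation but, unlike the other files in this change, names no replacement. Point readers to the **OpenID Connect** entry two bullets down, which already links the OIDC SSO module, so the list itself shows where to go.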
6 changes: 5 additions & 1 deletion content/en/docs/control-center/people/groups.md
Expand Up @@ -14,6 +14,10 @@ A member in Control Center means a user of the Mendix platform who participates

A Mendix Admin can set up **App Access Groups**, which consist of end-users (who are active users of Mendix Platform in your company) who will have access to [Mendix SSO](/appstore/modules/mendix-sso/)-enabled apps with specific environments and roles.

{{% alert color="warning" %}}
Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **App Access Groups** are also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **App Access Groups**, use user groups or roles configured within your Identity Provider (IdP) of choice.
Collaborator

This is an alert note, so you don't have to start with "Note that".

{{% /alert %}}

## Adding Access Group

To create a new group, click **Add Access Group** on the upper-right corner and then enter the **Name** and **Description**.
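
Review bot: In the new alert, "use OIDC SSO, SAML, or LDAP for Mendix SSO" reads as if those modules plug into Mendix SSO; "instead of Mendix SSO" says what is meant. The LDAP link `(appstore/modules/ldap/)` is also missing the leading slash that the OIDC SSO and SAML links have, so it is a relative path.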
Expand All @@ -25,7 +29,7 @@ Click a group name on the list to bring up the group details pop-up window. Then
{{< figure src="/attachments/control-center/people/groups/access-group.jpg" class="no-border" >}}

{{% alert color="warning" %}}
You can only add apps that utilize [Mendix SSO](/appstore/modules/mendix-sso/) to App Access Groups.
You can only add apps that utilize [Mendix SSO](/appstore/modules/mendix-sso/) to App Access Groups. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
{{% /alert %}}

When you select groups in the list, Mendix Platform users in your company, or accessible apps in the group details page, a context menu will appear with options for exporting item details to an *.xlsx* file, deleting access groups, removing the Mendix Platform users in your company from access groups, and removing accessible apps.
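
Review bot: The sentence added to this alert offers OIDC SSO, SAML, or LDAP right after stating that only Mendix SSO apps can be added to App Access Groups, which invites the reading that apps using those modules can be added too. Say here that App Access Groups are deprecated along with the module, as the alert earlier in this file does, and add the leading slash to `(appstore/modules/ldap/)`.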
Expand Up @@ -45,7 +45,7 @@ BYOIDP SSO has the following features:
* When you add a domain to your company account, it is automatically added to the active IdP configuration.
* External users (with domains that are not part of your company) are unaffected. They still have access based on the way they normally sign in to Mendix.
* When BYOIDP is used, a session at Mendix is valid for one hour. After the session has expired, Mendix will request a new `ID_token` from your IdP. If the user still has a session at your IdP, the token will be issued without any user input and the platform user continues to have access to the Mendix Platform. The effect of this mechanism is that users have access to the Mendix Platform as long as the session at your IdP is valid.
* You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app.
* You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) to delegate login to your IdP directly rather than via the platform services.
Collaborator

I would take this out of the list and put it as a plain paragraph to make it clearer that it isn't something we now recommend.


#### Technical Integration
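
Review bot: "However, this module is deprecated" on the last bullet follows a sentence about end-users signing up for a Mendix account, so "this module" has no nearby antecedent; write "the Mendix SSO module". The bullet also still opens with "You can also use", which undercuts the deprecation, and the LDAP link `(appstore/modules/ldap/)` lacks the leading slash used by the OIDC SSO and SAML links.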

4 changes: 4 additions & 0 deletions content/en/docs/deployment/mendix-cloud-deploy/mendix-sso.md
Expand Up @@ -13,6 +13,10 @@ description: "Use the Mendix SSO module to add Single Sign-on to your app using

The [Mendix SSO](/appstore/modules/mendix-sso/) module enables your app end-users to sign in with their Mendix account when your app is deployed to Mendix Cloud.

{{% alert color="warning" %}}
This module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
{{% /alert %}}

{{% alert color="warning" %}}
Because your app end-users are signing in with a Mendix account, they will all need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app.
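
Review bot: The LDAP link in the new warning, `[LDAP](appstore/modules/ldap/)`, has no leading slash, unlike `/appstore/modules/oidc/` and `/appstore/modules/saml/` beside it, so it is a relative path. The section now also opens with two warning alerts back to back; folding the sign-up requirement and the deprecation into one alert would keep the deprecation from being skimmed past.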

6 changes: 5 additions & 1 deletion content/en/docs/developerportal/settings/_index.md
Expand Up @@ -88,9 +88,13 @@ To manage users or invite users for an app deployed on a specific environment, c

On the tab, you can only see the environments that satisfy the following requirements:

* [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/).
* [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
Karuna-Mendix marked this conversation as resolved.
Collaborator

We also have a warning box, I think we only need to say this once - but see comment below.

* You are currently assigned a user role in the app which allows you to manage other users. For more information, refer to the [User Management Properties](/refguide/user-roles/#user-management) section of *User Roles*.

{{% alert color="warning" %}}
Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **Access Management** is also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **Access Management**, use user groups or roles configured within your Identity Provider (IdP) of choice.
{{% /alert %}}
Collaborator

I agree with @JaapF that this would be better straight after the section header (section 5) as it affects everything in this section. You can't do access management this way once Mendix SSO is removed.


{{% alert color="info" %}}
When deploying your application to a non-production environment, the deploying user and the Technical Contact are always assigned the Administrator user role.
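
Review bot: The deprecation is stated twice in this hunk with different wording, "is deprecated" in the bullet and "has been deprecated" in the alert; keep one statement and one tense. In the alert, "for Mendix SSO" should read "instead of Mendix SSO", and both `[LDAP](appstore/modules/ldap/)` links need a leading slash.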

Expand Up @@ -58,7 +58,7 @@ The selected microflow must adhere to the following principles:
* The Input type should be `MCPServer` and/or `System.HttpRequest`, to extract required values, such as HttpHeaders, from the request.
* The return value needs to be a `System.User` object which represents the user who sent the request.

Within your microflow, you can implement your custom logic to authenticate the user. For example, you can use username and password (basic auth), Mendix SSO, or external identity providers (IdP) as long as a `User` is returned. Note that the example authentication microflow within the module only implements basic authentication.
Within your microflow, you can implement your custom logic to authenticate the user. For example, you can use username and password (basic auth) or external identity providers (IdP) as long as a `User` is returned. Note that the example authentication microflow within the module only implements basic authentication.
Karuna-Mendix marked this conversation as resolved.

The `User` returned in the microflow is used for all subsequent prompt and tool microflows within the same session. This makes the `currentUser` and `currentSession` variables available, allowing you to apply entity access for user-based access control based on the default Mendix entity access settings.
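
Review bot: With Mendix SSO dropped from the examples, "external identity providers (IdP)" is the only SSO option left in the changed sentence and it links nowhere. The other files in this change link OIDC SSO and SAML as the replacements; linking them here would give readers the same path.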

Expand Up @@ -23,7 +23,7 @@ The [Administration](https://marketplace.mendix.com/link/component/23513) module
* [Atlas Core](https://marketplace.mendix.com/link/component/117187): required for the Administration module versions 4.0.0 and above
* [Combo Box](https://marketplace.mendix.com/link/component/219304): required for the Administration module versions 4.0.0 and above
* [Atlas UI Resources](https://marketplace.mendix.com/link/component/104730): required for the Administration module versions 3.0.0 and below
* [Mendix SSO](https://marketplace.mendix.com/link/component/111349): required for the Administration module versions 1.3.X (for example 1.3.2) and 2.1.X (for example 2.1.2)
* [Mendix SSO](https://marketplace.mendix.com/link/component/111349): required for the Administration module versions 1.3.X (for example 1.3.2) and 2.1.X (for example 2.1.2). However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
Collaborator

Again, take it out of the list and make it a paragraph to make the deprecation clearer.


## Installation
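
Review bot: On the Mendix SSO dependency bullet, "You may alternatively use OIDC SSO, SAML, or LDAP" sits next to "required for the Administration module versions 1.3.X ... and 2.1.X", which leaves unclear whether those versions still need Mendix SSO installed. Say what users of those Administration versions should do, and fix `(appstore/modules/ldap/)`, which is missing its leading slash.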

Expand Down Expand Up @@ -74,3 +74,7 @@ The [Administration](https://marketplace.mendix.com/link/component/23513) module
2. Configure the **MendixSSO_AfterStartup** microflow from the Administration module as the [after startup](/refguide/runtime-tab/#after-startup) microflow. If there is already an after startup microflow, do not replace it, but add the **MendixSSO_AfterStartup** microflow as a sub-microflow in the existing microflow.

{{% alert color="info" %}}If you previously used the Mendix SSO in your application, use the **MendixSSO_MigrateUsersToAccount** microflow to migrate users from the `MendixSSOUser` to the `Administration.Account` specialization. Before executing the migration, carefully read the instructions in the microflow.{{% /alert %}}

{{% alert color="warning" %}}
Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
{{% /alert %}}
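
Review bot: The new warning's LDAP link, `(appstore/modules/ldap/)`, is missing the leading slash. The warning also does not say whether the **MendixSSO_AfterStartup** and **MendixSSO_MigrateUsersToAccount** steps just above it still apply after the deprecation date; one sentence on that would help readers who land on these steps.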
Comment on lines +78 to +80
Collaborator

I would put this at the top of this section (section 4), rather than people read the whole section and only discover at the end that it has been deprecated?

Expand Up @@ -236,7 +236,7 @@ You can configure the widget for certain actions in your app. All the configurat

* **Authentication** tab

{{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**.</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}}
{{% alert color="info" %}}For the best user experience, configure your app to use the Mendix Feedback widget version 8.2.1 or above with a supported authentication method. Choose only one authentication method: either **MendixSSO** or **Custom Authentication**. Note that the Mendix SSO module is deprecated as of May 1, 2026. **Custom Authentication** is the recommended approach going forward. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) modules for authentication integration.</br></br>Enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}}
Collaborator

I would probably now separate out "Custom Authentication" and "Mendix SSO". Start with Custom Authentication and then have a separate set of instructions for Mendix SSO and start with the fact it has been deprecated.

As it is, I find the deprecation notice is too hidden.


* **MendixSSO** – if Mendix SSO is applied and the following settings are configured correctly, the end-user can leave feedback without having to enter their name and email address
* **ID token microflow** – recommended that you select the **DS_GetCurrentIdToken** microflow from the Mendix SSO module.
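
Review bot: The rewritten alert still tells readers to choose "either **MendixSSO** or **Custom Authentication**" and only afterwards says that Mendix SSO is deprecated, while the **ID token microflow** bullet below keeps recommending **DS_GetCurrentIdToken** from the Mendix SSO module. Lead with the deprecation and mark the **MendixSSO** settings as legacy. The `(appstore/modules/ldap/)` link needs a leading slash.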
@@ -1,13 +1,22 @@
---
title: "Mendix SSO"
url: /appstore/modules/mendix-sso/
deprecated: true
description: "Describes the configuration and usage of the Mendix SSO module, which is available in the Mendix Marketplace."
#If moving or renaming this doc file, implement a temporary redirect and let the respective team know they should update the URL in the product. See Mapping to Products for more details.
#Please do not rename the anchor #supplements in this document as it is used in links from the module release notes.
---

## Introduction

{{% alert color="warning" %}}
This module is deprecated as of May 1, 2026, and will be removed from the public Marketplace on November 1, 2026.

To ensure uninterrupted single sign-on functionality for end users, Mendix recommends migrating to the [OIDC SSO](/appstore/modules/oidc/) module, which requires configuring an identity provider (IdP).

If an external IdP is not available, you may alternatively use local in-app credentials or implement a custom SSO solution using the [OIDC Provider](/appstore/services/oidc-provider/) module.
{{% /alert %}}

With the [Mendix SSO](https://marketplace.mendix.com/link/component/111349/) module, you can utilize single sign-on functionality by directly integrating with the Mendix identity provider and leveraging the [OpenID Connect](https://openid.net/connect/) framework.

This module allows end-users to sign in with their Mendix account with the click of a button, instead of requiring their local user credentials. This module avoids having to deal with local user management or password reset flows for the test and acceptance phases of your app development.
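
Review bot: The new warning recommends OIDC SSO, local in-app credentials, or the OIDC Provider module, while every other file in this change lists "OIDC SSO, SAML, or LDAP" as the alternatives. Align the two lists, and consider repeating the November 1, 2026 Marketplace removal date in the other notices, since it appears only here.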
Expand Up @@ -33,7 +33,7 @@ The OIDC SSO module works with both web/responsive applications and progressive
Alternatives to using OIDC SSO for managing single sign-on are:

* [SAML](https://marketplace.mendix.com/link/component/1174) – if your IdP supports the SAML protocol but not the OIDC protocol
* [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform
* [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform. However, this module is deprecated as of May 1, 2026. You may alternatively use [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
Collaborator

Again, make this not part of the list?


### Typical Usage Scenarios
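
Review bot: The sentence added to the Mendix SSO bullet has a stray comma in "[SAML], or [LDAP]", and the LDAP link `(appstore/modules/ldap/)` is missing its leading slash. SAML is already the bullet directly above, so this bullet could end at the deprecation date.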

Expand Up @@ -28,7 +28,7 @@ Before starting this how-to, make sure you have completed the following prerequi

* Familiarize yourself with workflow terms. For more information, see [Workflows](/refguide/workflows/).
* Install Atlas 3 from the Mendix Marketplace. As a result of installing Atlas 3, your app should contain the following modules that Workflow Commons depends on: Atlas_Core, Atlas_Web_Content, and DataGrid.
* Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/).
* Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. However, the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/).
Collaborator

I think we should separate out the two modules, Workflow Commons and Mendix SSO. This will make it clearer that one can still be used while the other is deprecated.


## Exposing the Microflow as the Workflow Action
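
Review bot: In the changed prerequisite bullet there is no space between the LDAP link and "For more information", and the LDAP link `(appstore/modules/ldap/)` lacks the leading slash the other two links have. "Your app has the following optional modules ... modules" also repeats "modules"; that is carried over from the old line but worth fixing while the sentence is open.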

Expand Up @@ -55,6 +55,10 @@ Custom authentication can be done with the microflow where the authentication va

Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*.

{{% alert color="info" %}}
Collaborator

Elsewhere, this is a warning - I think it should be here too?
https://github.com/mendix/docs/pull/11148/changes#diff-9846f35b182897a89913c8acc4c76416fa78fb8ba2e30555d07db3a53e07d8c2R78-R80

It could also be at the beginning of this section?

Note that the Mendix SSO module is deprecated as of May 1, 2026. For new implementations, it is recommended to configure custom authentication using [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) modules.
{{% /alert %}}

Consumers of an OData service that is set up with Mendix SSO authentication can use the **CreateAccessTokenAuthorizationHeaderList**.

To learn more about how to publish an OData service with authentication (Mendix SSO, or other methods), see the [Authentication Methods](/refguide/published-odata-services/#authentication-methods) section of *Published OData Services*.
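
Review bot: "It is recommended to configure custom authentication using OIDC SSO, SAML, or LDAP modules" in the new alert gives no pointer to how that is done, while the paragraphs around it describe only the Mendix SSO path (**CreateAccessTokenAuthorizationHeaderList**). Link to the relevant setup steps or say they are still to come, and add the leading slash to `(appstore/modules/ldap/)`.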
Expand Up @@ -220,6 +220,10 @@ To set up authentication with Mendix SSO, do the following:
1. Ensure the [Mendix SSO](/appstore/modules/mendix-sso/) module has been installed and configured in your app.
2. In the published OData/GraphQL service, choose **Custom** authentication and select the **AuthorizeRequestWithAccessTokenFrom Request** microflow.

{{% alert color="warning" %}}
Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
{{% /alert %}}


The notification should go to the start of the section about Mendix SSO - upfront rather than an afterthought

Collaborator Author

I think this section needs improved steps to set up an authentication using OIDC, SAML, or LDAP. Further improvement is required from the component owner.

Collaborator

I agree that the warning should be at the beginning of this section, but I agree with Karuna that having security better described would also help.

(See comment above - text within a warning box doesn't really need "Note that" at the beginning).

#### Allowed Roles

The allowed roles define which [module role](/refguide/module-security/#module-role) a user must have to be able to access the service. This option is only available when **Requires authentication** is set to **Yes**.
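
Review bot: The `[LDAP](appstore/modules/ldap/)` link in the warning added to this hunk is a relative path; the OIDC SSO and SAML links beside it start with `/`. The numbered steps above the warning are specific to Mendix SSO, so a reader who follows the alternatives has no equivalent of step 2 for them; say which authentication microflow applies or link to where that is documented.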