Single Sign-On API


1 Connecting to Mendix OpenID

The Mendix Single Sign-On system is based on the OpenID 2.0 protocol and any AppCloud-Powered Mendix application will automatically use this single sign-on system. Non-Mendix apps can be integrated with the Mendix Single Sign-On server as well by using one of the many available implementations. An extensive list of existing implementations can be found here. The OP Endpoint to connect to is Note that all Mendix OpenIDs (OP Identifiers) start with

2 Realm Verification

Realm verification is required from all relying parties (clients), as recommended, so your application needs to be accessible by the Mendix OpenID server on a verified HTTPS domain and must offer valid discovery information. If this is not the case, realm verification errors ("Realm verification failed (9)") will occur.

3 Extensions

Currently no OpenID extensions (like OpenID AX) are supported to retrieve profile data.

4 Optional arguments

The following optional query parameters can be sent as part of the authentication requests:

  • mxid2.continuation – The URL the user should be redirected to after the user has successfully been authenticated.
  • mxid2.logoffcallback – If provided, the Mendix Single Sign-On server invokes this URL once, using a GET request, to indicate that the user has logged out globally. The request is sent with query parameters: the fingerprint, containing the base64 encoding of the user-agent string of the browser, and the openid of the user that has logged out. The user's session could be destroyed locally if desired.
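
A relying party's handler for the mxid2.logoffcallback request could look like the following. This is an added example, not Mendix code. It assumes the query parameters are literally named `openid` and `fingerprint`, uses a constructed in-memory session store with placeholder URLs, and ends only the sessions that match both values, which is a design choice of this example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit


def decode_fingerprint(value):
    """Return the user-agent string carried in the fingerprint, or None."""
    value = value.replace(" ", "+")   # parse_qs turns an unescaped '+' into a space
    value += "=" * (-len(value) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def handle_logoff_callback(url, sessions):
    """Destroy local sessions matching the callback; return their ids."""
    query = parse_qs(urlsplit(url).query)
    # Parameter names "openid" and "fingerprint" are assumed from the page's wording.
    openid = query.get("openid", [""])[0]
    user_agent = decode_fingerprint(query.get("fingerprint", [""])[0])
    if not openid or not user_agent:
        return []  # malformed or incomplete request: leave every session alone
    # Require both values to match so one request cannot end unrelated sessions.
    matched = [sid for sid, s in sessions.items()
               if s["openid"] == openid and s["user_agent"] == user_agent]
    for sid in matched:
        del sessions[sid]
    return matched


def sample_callback_url(openid, user_agent):
    """Build a constructed callback URL for the demo (placeholder host)."""
    fingerprint = base64.b64encode(user_agent.encode("utf-8")).decode("ascii")
    return "https://app.example.invalid/logoff?" + urlencode(
        {"openid": openid, "fingerprint": fingerprint})


if __name__ == "__main__":
    # Constructed sample data; the OpenID values are placeholders.
    alice = "https://op.example.invalid/id/alice"
    sessions = {
        "s1": {"openid": alice, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
        "s2": {"openid": alice, "user_agent": "Mozilla/5.0 (Macintosh)"},
        "s3": {"openid": "https://op.example.invalid/id/bob",
               "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    }
    url = sample_callback_url(alice, "Mozilla/5.0 (X11; Linux x86_64)")
    print(handle_logoff_callback(url, sessions), sorted(sessions))
```
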