Single Sign-On API


1 Connecting to Mendix OpenID

The Mendix Single Sign-On system is based on the OpenID 2.0 protocol, and every AppCloud-powered Mendix application uses it automatically. Non-Mendix applications can integrate with the Mendix Single Sign-On server as well by using one of the many available OpenID 2.0 Relying Party implementations; an extensive list of existing implementations can be found here. The OP endpoint to connect to is https://mxid2.mendixcloud.com/mxid2/discover. Note that all Mendix OpenIDs (the identifiers issued by this OP) start with https://mxid2.mendixcloud.com/mxid2/, so a Relying Party should reject any asserted identifier that does not carry this prefix.

2 Realm Verification

Realm verification is required of all Relying Parties (clients), as the OpenID 2.0 specification recommends. This means your application must be reachable by the Mendix OpenID server on a verified HTTPS domain and must serve valid discovery information at its realm URL (an XRDS document listing the return_to URLs the application uses). If either condition is not met, authentication fails with the error "Realm verification failed (9)".
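Both halves of realm verification, as an added example that is not part of this page or of Mendix's own code: the XRDS document a Relying Party serves at its realm URL, and the OP-side check that the return_to URL is advertised there and lies within the realm, using the matching rule from OpenID 2.0 section 9.2. The hostnames and paths are made up for illustration.

```python
"""Realm verification from both sides (added example, not Mendix code).

The OP fetches the Relying Party's realm URL, reads the XRDS document served
there and checks that openid.return_to is listed in it and lies within
openid.realm. rp_discovery_xrds() produces that document; verify_return_to()
is the OP-side check, using the matching rule of OpenID 2.0 section 9.2.
Hostnames and paths below are made up for illustration.
"""
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"


def rp_discovery_xrds(return_to_urls):
    """XRDS the RP serves at its realm URL (directly, or via an X-XRDS-Location
    header). Every return_to the RP will ever send must be listed here."""
    uris = "\n".join(f"      <URI>{escape(u)}</URI>" for u in return_to_urls)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        "  <XRD>\n"
        '    <Service priority="0">\n'
        f"      <Type>{RETURN_TO_TYPE}</Type>\n"
        f"{uris}\n"
        "    </Service>\n"
        "  </XRD>\n"
        "</xrds:XRDS>\n"
    )


def _effective_port(parts):
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 section 9.2: same scheme and port, return_to path equal to or
    below the realm path, host equal to the realm host or covered by a leading
    "*." wildcard. Realms must not carry a fragment."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme not in ("http", "https"):
        return False
    if u.scheme != r.scheme or _effective_port(u) != _effective_port(r):
        return False
    r_host = (r.hostname or "").lower()
    u_host = (u.hostname or "").lower()
    if r_host.startswith("*."):
        domain = r_host[2:]                      # "*.example.com" -> "example.com"
        if "." not in domain:                    # "*.com" would cover a whole TLD
            return False
        if u_host != domain and not u_host.endswith("." + domain):
            return False
    elif u_host != r_host:
        return False
    r_path = r.path or "/"
    u_path = u.path or "/"
    if u_path == r_path:
        return True
    # Sub-directory test on a directory boundary: "/openid" must not cover "/openidx".
    return u_path.startswith(r_path if r_path.endswith("/") else r_path + "/")


def verify_return_to(return_to, realm, advertised_return_tos):
    """OP-side check after fetching the realm's XRDS: the return_to must be one
    the RP advertises (this example insists on an exact match, the strictest
    reading) and must match the realm."""
    return return_to in advertised_return_tos and return_to_matches_realm(return_to, realm)
```

If the realm contains a "*." wildcard, the specification has the OP substitute "www." for it before fetching the XRDS, so the document must be reachable on that host too. Serving the XRDS over plain HTTP, or on a host whose certificate does not validate, is exactly the situation that produces "Realm verification failed (9)".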

3 Extensions

Currently no OpenID extensions (such as OpenID Attribute Exchange, AX) are supported, so profile data cannot be retrieved through the Single Sign-On flow.

4 Optional arguments

The following optional query parameters can be sent as part of the authentication request:

  • mxid2.continuation – The URL the user is redirected to after successful authentication.
  • mxid2.logoffcallback – If provided, the Mendix Single Sign-On server invokes this URL once, with a GET request, to signal that the user has logged out globally. The request carries two query parameters: the fingerprint, which is the base64 encoding of the browser's User-Agent string, and the openid of the user who logged out. The application can use these to destroy that user's local session if desired. The callback carries no credentials of its own, so treat it only as a signal to end sessions, never as an instruction to do anything else.
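The request side and the callback side of these two arguments, as an added example that is not part of this page or of Mendix's own code. Several things are not documented above and are assumed here: the OP endpoint URL (which a real client obtains by running discovery on https://mxid2.mendixcloud.com/mxid2/discover), OP-driven identifier selection via identifier_select, and the exact names of the two callback query parameters, taken to be "fingerprint" and "openid". The hostnames and the session store are constructed for illustration.

```python
"""Authentication request with the mxid2.* arguments, and a logoff-callback
handler (added example, not Mendix code).

Not documented on the page and therefore assumed here: the OP endpoint URL
(obtained by running discovery on https://mxid2.mendixcloud.com/mxid2/discover),
OP-driven identifier selection via identifier_select, and the exact names of
the two callback query parameters, taken as "fingerprint" and "openid".
"""
import base64
from urllib.parse import parse_qs, urlencode

MXID2_PREFIX = "https://mxid2.mendixcloud.com/mxid2/"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def _inside_realm(url, realm):
    # Realm is taken as a concrete https origin or path prefix (no "*." wildcard).
    base = realm.rstrip("/")
    return url == base or url.startswith(base + "/")


def build_auth_request(op_endpoint, return_to, realm, claimed_id=None,
                       continuation=None, logoffcallback=None):
    """URL to redirect the browser to for a checkid_setup request."""
    if not realm.startswith("https://") or not _inside_realm(return_to, realm):
        raise ValueError("return_to must live under an https realm")
    if claimed_id is not None and not claimed_id.startswith(MXID2_PREFIX):
        raise ValueError("not a Mendix OpenID")
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id or IDENTIFIER_SELECT,
        "openid.identity": claimed_id or IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    # Only ever hand the SSO server URLs that point back into our own realm,
    # so the continuation cannot be turned into an open redirect.
    for name, value in (("mxid2.continuation", continuation),
                        ("mxid2.logoffcallback", logoffcallback)):
        if value is not None:
            if not _inside_realm(value, realm):
                raise ValueError(f"{name} must point back into the realm")
            params[name] = value
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def encode_fingerprint(user_agent):
    """The fingerprint as the page describes it: base64 of the User-Agent string."""
    return base64.b64encode(user_agent.encode("utf-8")).decode("ascii")


class SessionStore:
    """Stand-in for the RP's real session store (constructed for this example)."""
    def __init__(self):
        self.sessions = {}          # session id -> {"openid": ..., "user_agent": ...}

    def add(self, session_id, openid, user_agent):
        self.sessions[session_id] = {"openid": openid, "user_agent": user_agent}


def handle_logoff_callback(query_string, store):
    """Handle the GET the SSO server sends on global logout; returns the ids of
    the local sessions it ended. The call is unauthenticated, so it is treated
    purely as a logout signal: a forged call can at most end a session, and the
    handler should answer 200 either way rather than reveal whether a user exists."""
    q = parse_qs(query_string)
    openid = q.get("openid", [""])[0]           # assumed parameter name
    fp_b64 = q.get("fingerprint", [""])[0]      # assumed parameter name
    if not openid.startswith(MXID2_PREFIX):
        return []                               # not one of this OP's identities
    try:
        user_agent = base64.b64decode(fp_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return []
    # Match on both fields, ending only the sessions of the browser that logged
    # out. Dropping the user_agent test would end all of that user's sessions.
    ended = [sid for sid, s in store.sessions.items()
             if s["openid"] == openid and s["user_agent"] == user_agent]
    for sid in ended:
        del store.sessions[sid]
    return ended
```

The realm check in build_auth_request is deliberately simple and covers only a concrete realm; an application that registers a wildcard realm needs the full section 9.2 matching rule instead.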