diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index ea193eabd7d..534b2e15560 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -202,7 +202,7 @@ If your app is already developed using Mendix 9 or above, but uses the community This section provides an overview of updates for the OIDC SSO module across different versions. It includes new dependencies, snippet replacements, and microflow renaming to ensure a smooth transition while migrating to higher module versions. -| Mendix Version | OIDC SSO Module Version | Important Migration Changes | Additional Information| +| Mendix Version | OIDC SSO Module Version | Important Migration Changes | Additional Information | | --- | --- | --- | --- | | 10.24.0 and above | 4.2.1 | In version 4.2.1, automatic migration of the UserCommons has been removed. | Since migration steps were removed in 4.2.1, you must upgrade to OIDC SSO version 4.2.0 first to prevent data loss. This applies to the UserCommons, if you are migrating from any version below 3.0.0, always upgrade to 4.2.0 first, then move to the latest v4.2.1. | | 10.21.01 and above | 4.2.0 | In version 4.2.0, the module no longer automatically executes the UserCommons migration in the startup microflow. The migration step has been moved to a dedicated microflow, which you can trigger via a widget. | The `ASU_STARTUP` microflow has been moved under the **USE_ME** folder. | @@ -210,7 +210,7 @@ This section provides an overview of updates for the OIDC SSO module across diff | | | For module version 4.0.0 and above, use User Commons module version 2.0.0 and above, and vice versa. | Deprecated Mx Model Reflection module; maintained for compatibility but will be removed in future versions. | | | | | Default user roles in UserProvisioning will be assigned along with roles from the access token. | | | | | The `OIDC.ACT_Account_RetrieveAccount` microflow, located in the **USE_ME** folder, has been removed as it is no longer required. | -| 9.24.18 and above | 3.2.0 | Select and refresh the Administration and System modules manually in the `MxModelReflection.MxObjects_Overview` page| Added a new heading for selected scopes: *Your app will request the following scopes at IdP*. | +| 9.24.18 and above | 3.2.0 | Select and refresh the Administration and System modules manually in the `MxModelReflection.MxObjects_Overview` page | Added a new heading for selected scopes: *Your app will request the following scopes at IdP*. | | 9.24.2 and above | 3.1.0 | Set `OIDC.ASU_OIDC_Startup` microflow as part of the after-startup microflow | `OIDC.Startup` microflow renamed to `OIDC.ASU_OIDC_Startup` | | 9.24.2 and above | 3.0.1 | Use `Snip_Login_Button` snippet instead of `Snip_Login_Automatic` | `Snip_Login_Automatic` snippet removed from the module | | 9.24.2 and above | 3.0.0 (migrating to 3.0.0 and above) | Include [UserCommons](https://marketplace.mendix.com/link/component/223053) module as a dependency. | New UserCommons module | @@ -231,40 +231,24 @@ Ensure that you have allocated the following user roles to the OIDC module and U | User Role | OIDC Module Role | | --- | --- | | Administrator | OIDC.Administrator, UserCommons.Administrator | -| Anonymous | OIDC.Anonymous (for multiple IdPs only) | | User | OIDC.User | -{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" class="no-border" >}} +{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" >}} -### User Roles for Single IdP +### End User Login When Using Single or Multiple IdPs -If a single Identity Provider (IdP) is configured in the OIDC SSO module, end-users can be authenticated via the URL `https:///oauth/v2/login` This means you do not need to configure the *Anonymous* user role for a single IdP. +If a single Identity Provider (IdP) is configured in the OIDC SSO module, end users can be authenticated via the URL `https:///oauth/v2/login`. When accessing the URL, users are automatically redirected to the configured IdP for authentication. -### Allowing Anonymous Users for Multiple IdPs (Optional) - -The OIDC module supports multiple OIDC/OAuth-compatible IdPs. Optionally, if you allow your end-users to choose from multiple IdPs, or to have the option to log back into the app after they have logged out, you will need to give them access to the app before they have signed in to the app. Therefore, you need to give anonymous users access to your app. - -In the **Anonymous** tab of the app security settings, do the following: - -1. Set **Allow anonymous users** to **Yes** -2. Select *Anonymous* as the **Anonymous user role** - -{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/anonymous-user.png" class="no-border" >}} +If multiple IdPs are configured in the OIDC module, end users can access the same URL (`/oauth/v2/login`) to initiate authentication. In this case, they will first be redirected to an IdP selection page, where they can choose the IdP they want to use for authentication. {{% alert color="info" %}} -For multiple IdPs, you may have to add the *Anonymous* user role if it does not exist already. -{{% /alert %}} - -{{% alert color="warning" %}} -Enabling anonymous users introduces a broader attack surface. If you choose this option, follow Mendix guidelines for [setting up anonymous user security](/howto/security/set-up-anonymous-user-security/) to mitigate potential risks. +In OIDC SSO version 4.1.0 and above, you do not have to enable anonymous users for multiple IdPs. You can remove the `Anonymous` User Role from the module. {{% /alert %}} ### Configuring Navigation{#configure-nav} The OIDC SSO module works without a specified sign-in page. Therefore, in the navigation section of your app, set **Sign-in page** (in the **Authentication** section) to *none*. -If you are configuring navigation for web/responsive apps and want to allow your end-users to choose from a number of different IdPs (multiple IdPs), or to have the option to sign in back into the app after they have signed out, set a **Role-based home page** for role **Anonymous** to **OIDC.Login_Web_Button**. When configuring navigation for PWA apps, set the **Role-based home page** for the **Anonymous** role to `OIDC.Login_PWA_Online_Button` for online apps and `Login_PWA_Offline_Button` for offline apps. See [Role-Based Home Pages](/refguide/navigation/#role-based) in *Navigation* for more information. - In addition, administrators will need to have access to configure OIDC and also manage end-users. You can do this by including the pages `Administration.Account_Overview` and `OIDC.OIDC_Client_Overview` into the app navigation, or a separate administration page. If you are testing phone web and phone web offline locally, use the URLs `http://localhost:8080/?profile=Phone` and diff --git a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png new file mode 100644 index 00000000000..dcf645f31e6 Binary files /dev/null and b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png differ diff --git a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png index dcf645f31e6..353148e2bd6 100644 Binary files a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png and b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png differ