Introducing BYOIdP: Bring Your Own Identity Provider

Are you championing the use of Mendix in your organization? If so, there’s a good chance that your security and compliance manager will pay you a visit with some ‘difficult’ questions. But with Mendix 10’s new bring-your-own identity provider (BYOIdP) feature, you’ll be able to take some of their worries away.

Why bring your own IdP?

At the start of your Mendix journey, all you likely needed was your laptop, a business mailbox, and a password. There was no need to hassle with credit cards, contracts, or company onboarding; you were just there to create a few simple apps. But as more of your IP is reflected in the application logic or as you develop more apps with Mendix, it’s imperative to comply with the guidelines set by your organization.

These guidelines may include:

  • Logging into business applications only via your organization’s Active Directory, so that the corporate password policy (length, complexity, and expiry) is enforced centrally rather than per application.
  • Requiring two-factor authentication (2FA) for any application that does not sit behind your own firewall, which includes a SaaS offering such as the Mendix platform.

A security and compliance manager may be prepared to make a temporary exception to these rules, but at some point that exception comes to an end. Don’t let that become a blocker to continued innovation.

How and why does BYOIdP work?

With BYOIdP, the Mendix platform now delegates the login process to your own identity provider. With this Single Sign-On (SSO) solution, you are fully in control of meeting your organization’s established requirements for authentication.

After all, the fewer passwords employees have to remember, the less likely they are to reuse passwords or make other undesirable choices that are detrimental to security.

SSO via BYOIdP not only offers strong security in a simple way; it also gives you direct control, from your own IdP, over who can log in to the Mendix platform.

What if a user is deactivated in the company IdP? Then they can no longer log into the Mendix platform. A BYOIdP-based session on the Mendix platform is refreshed against your IdP every hour, so an existing session of a blocked user ends at the next refresh, at most an hour after deactivation.

And while most customers allow all employees to participate in Mendix projects as low-code developers or end users, BYOIdP leverages your IdP’s ability to decide which users may use the Mendix platform at all, for example by restricting it to a single business unit. Because BYOIdP governs both sign-in and sign-up, a user who is not entitled in your IdP cannot create a platform account either.

How to set up the new BYOIdP feature

Configuring and testing BYOIdP can be done within a day by following the steps described on our documentation website. The SSO integration is based on the OpenID Connect (OIDC) protocol, an industry standard supported by almost every IAM product, so the setup is the same whether your IdP is Azure AD, Okta, or Ping.
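To make the delegation and the hourly refresh described above concrete, here is an added example: a minimal OpenID Connect relying party in Python with a constructed stand-in IdP. This is not Mendix’s code and does not describe its internals; the issuer URL, client ID, shared secret, user directory, and the HS256 signature are all assumptions for the demo (production IdPs sign ID tokens with RS256 keys published at their JWKS endpoint and refresh sessions via refresh tokens or silent re-authentication). It shows the claim checks a relying party must perform (signature, issuer, audience, expiry, nonce) and that deactivating a user is enforced at the next refresh, which bounds the window to one hour.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values; none of these are Mendix's.
IDP_ISSUER = "https://idp.example.com"       # hypothetical corporate IdP
CLIENT_ID = "mendix-platform-demo"           # hypothetical client registered at that IdP
SHARED_SECRET = b"constructed-demo-secret"   # HS256 for brevity; real IdPs use RS256 + JWKS
SESSION_LIFETIME = 3600                      # seconds; the page: sessions refresh every hour
ID_TOKEN_LIFETIME = 300                      # seconds; typical short-lived ID token


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeIdP:
    """Stand-in for the company IdP: a user directory plus ID-token minting."""

    def __init__(self):
        self.users = {"alice@example.com": {"active": True}}  # constructed directory

    def deactivate(self, sub: str) -> None:
        self.users[sub]["active"] = False

    def authenticate(self, sub: str, nonce: str, now: int):
        """Browser redirect + code exchange collapsed into one call.
        Returns a signed ID token for an active user, or None if the IdP refuses."""
        user = self.users.get(sub)
        if user is None or not user["active"]:
            return None
        claims = {"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": sub,
                  "iat": now, "exp": now + ID_TOKEN_LIFETIME, "nonce": nonce}
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"


class RelyingParty:
    """The application side: what a platform that delegates login to an IdP has to do."""

    def __init__(self, idp: FakeIdP):
        self.idp = idp
        self.sessions = {}  # session id -> {"sub": ..., "refresh_at": ...}

    @staticmethod
    def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's alg
        expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("iss") != IDP_ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("aud") != CLIENT_ID:
            raise ValueError("token not issued for this client")
        if claims.get("exp", 0) <= now:
            raise ValueError("ID token expired")
        if claims.get("nonce") != expected_nonce:
            raise ValueError("nonce mismatch (possible replay)")
        return claims

    def _fresh_claims(self, sub: str, now: int):
        nonce = secrets.token_urlsafe(16)
        token = self.idp.authenticate(sub, nonce, now)
        return None if token is None else self.verify_id_token(token, nonce, now)

    def login(self, sub: str, now: int):
        """Returns a session id, or None if the IdP did not authenticate the user."""
        claims = self._fresh_claims(sub, now)
        if claims is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": claims["sub"], "refresh_at": now + SESSION_LIFETIME}
        return sid

    def is_authenticated(self, sid: str, now: int) -> bool:
        session = self.sessions.get(sid)
        if session is None:
            return False
        if now < session["refresh_at"]:
            return True                      # within the hour: no round trip to the IdP
        if self._fresh_claims(session["sub"], now) is None:
            del self.sessions[sid]           # IdP refused (user deactivated): session ends
            return False
        session["refresh_at"] = now + SESSION_LIFETIME
        return True


def revocation_timeline():
    """(access 10 min after deactivation, access at the hourly refresh) for a deactivated user."""
    idp, t0 = FakeIdP(), 1_700_000_000
    rp = RelyingParty(idp)
    sid = rp.login("alice@example.com", t0)
    idp.deactivate("alice@example.com")
    return rp.is_authenticated(sid, t0 + 600), rp.is_authenticated(sid, t0 + SESSION_LIFETIME)


def tampered_token_is_rejected() -> bool:
    """An ID token whose audience was rewritten for another client fails verification."""
    idp, now, nonce = FakeIdP(), 1_700_000_000, "n1"
    header, body, sig = idp.authenticate("alice@example.com", nonce, now).split(".")
    claims = json.loads(_unb64(body))
    claims["aud"] = "some-other-app"
    forged = f"{header}.{_b64(json.dumps(claims).encode())}.{sig}"
    try:
        RelyingParty.verify_id_token(forged, nonce, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(revocation_timeline())          # (True, False)
    print(tampered_token_is_rejected())   # True
```

The `(True, False)` result is the practical caveat of the hourly refresh: a user deactivated in the IdP keeps an already open session until the next refresh, so for an urgent offboarding you would also terminate the user’s platform sessions rather than rely on the refresh alone.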

Because an SSO login is an interactive browser flow, non-interactive access to code repositories, from your CI/CD pipeline or from SVN client tools such as TortoiseSVN, requires a Personal Access Token (PAT) instead of a password. For Team Server Git users this is a familiar mechanism; if your app is on Team Server SVN, you now have the same option. Treat these tokens as credentials: keep them in your pipeline’s secret store, not in the repository or in build logs.

Our advice is to activate BYOIdP as soon as possible: security, access control, and governance all benefit, and your colleagues will appreciate the convenience of SSO.