SSL Certificate authentication possible?

5
Is it possible to configure the Mendix server to support X.509 certificate authentication? We are working on an application that will contain certain sensitive information. However, the customer doesn't like the suggested password policies we want to put into place to increase the password strength. I have worked with strong authentication before, using smart cards etc. That is a bit over the top, but setting up SSL client certificate authentication isn't too hard. Does Mendix support it? Kind regards, Jonathan van Alteren - FlowFabric
asked
3 answers
1

As far as I know, configuring connection security settings such as SSL and client certificates must be done at the web server that you use in front of the Mendix Runtime: IIS, Nginx, Jetty, etc. Searching Google for "configure client certificates [webserver]" should point you in the right direction.

Edit: Mendix allows plugging in a custom login action in Java to perform authentication, that's how the LDAP integration works for example. I have no idea how you would connect this to client authentication of a web server though.

answered
2

You can register your own request handler via the Core API. If you allow anonymous users (that aren't allowed to do anything), you could set up the custom request handler to verify the request and log in the user.

As Benny noted, this is how the LDAP appstore thingy works.

answered
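The two answers above describe one design: the web server in front of the runtime verifies the X.509 client certificate, and a custom request handler then turns the verified identity into a Mendix session. Below is an added example of such a handler, written for this thread; it is not code from the forum, from Mendix, or from the LDAP module. It assumes the proxy terminates TLS with client-certificate verification enabled (for nginx, `ssl_verify_client on`) and forwards the result in two headers set from the proxy's own TLS variables (`$ssl_client_verify`, `$ssl_client_s_dn`), overwriting anything the client sent. The header names, the shared-secret header, the session cookie name and the Mendix Core API calls (`Core.addRequestHandler`, `Core.getUser`, `Core.initializeSession`, `IMxRuntimeRequest.getHttpServletRequest`) are assumptions to be checked against your runtime version.

```java
// Added example for this thread (not Mendix or forum code): log a user in from
// a client certificate that the reverse proxy has already verified.
package x509login;

import com.mendix.core.Core;
import com.mendix.externalinterface.connector.RequestHandler;
import com.mendix.m2ee.api.IMxRuntimeRequest;
import com.mendix.m2ee.api.IMxRuntimeResponse;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.ISession;
import com.mendix.systemwideinterfaces.core.IUser;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientCertLoginHandler extends RequestHandler {

    // Constructed header names; the proxy is assumed to set them from its own
    // TLS variables and to overwrite any copy the client supplied.
    static final String VERIFY_HEADER = "X-SSL-Client-Verify";
    static final String DN_HEADER = "X-SSL-Client-S-DN";
    // Shared secret that only the proxy knows, so a request that reaches the
    // runtime by another route cannot forge the certificate headers.
    static final String PROXY_SECRET_HEADER = "X-Proxy-Auth";
    // Assumed name of the Mendix session cookie.
    static final String SESSION_COOKIE = "XASSESSIONID";

    private static final Pattern CN = Pattern.compile("(?:^|,)\\s*CN=([^,]+)");

    private final Set<String> proxyAddresses; // e.g. {"127.0.0.1"}
    private final String proxySecret;

    public ClientCertLoginHandler(Set<String> proxyAddresses, String proxySecret) {
        this.proxyAddresses = proxyAddresses;
        this.proxySecret = proxySecret;
    }

    @Override
    protected void processRequest(IMxRuntimeRequest request, IMxRuntimeResponse response,
                                  String path) throws Exception {
        // 1. Only honour certificate headers on requests that really came via the proxy.
        String remote = request.getHttpServletRequest().getRemoteAddr();
        if (!proxyAddresses.contains(remote)
                || !constantTimeEquals(proxySecret, request.getHeader(PROXY_SECRET_HEADER))) {
            response.setStatus(403);
            return;
        }
        // 2. The proxy must report that chain validation succeeded ("SUCCESS" in nginx).
        if (!"SUCCESS".equals(request.getHeader(VERIFY_HEADER))) {
            response.setStatus(401);
            return;
        }
        // 3. Map the certificate subject to a Mendix user name (here: the CN).
        String userName = userNameFromDn(request.getHeader(DN_HEADER));
        if (userName == null) {
            response.setStatus(401);
            return;
        }
        // 4. Unknown subjects are rejected, never auto-provisioned.
        IContext sys = Core.createSystemContext();
        IUser user = Core.getUser(sys, userName);
        if (user == null) {
            response.setStatus(401);
            return;
        }
        // 5. Create a session and hand the cookie back, as a password login would.
        ISession session = Core.initializeSession(user, null);
        response.addCookie(SESSION_COOKIE, session.getId().toString(), "/", "", -1, true);
        response.setStatus(200);
    }

    // Extracts the CN from a subject DN such as "CN=jdoe,OU=Dev,O=Example".
    static String userNameFromDn(String dn) {
        if (dn == null) return null;
        Matcher m = CN.matcher(dn);
        return m.find() ? m.group(1).trim() : null;
    }

    // Constant-time comparison so the shared secret cannot be guessed byte by byte.
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    // Registration, e.g. from an after-startup Java action.
    public static void register(Set<String> proxies, String secret) {
        Core.addRequestHandler("x509login/", new ClientCertLoginHandler(proxies, secret));
    }
}
```

The ordering of the checks is the point: the certificate headers are only meaningful if the request provably passed through the proxy that produced them, so the source-address and shared-secret checks come first, then the proxy's verification verdict, and only then the subject-to-user mapping. Mapping on the CN alone is adequate only when the issuing CA guarantees CN uniqueness; otherwise key the lookup on the full DN or a certificate fingerprint.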
0

Hello,

Did you find a solution to this problem? I am facing the same issue with my app. The app that I have built is for US Gov’t and it is a requirement for the government apps to only allow x509 client certificate/PKI based authentication using a smartcard (CAC/PIV). I was thinking of either a custom Java action or JavaScript but I am not a Java developer so I can’t write it on my own.

I have found a potential solution that takes the user through a longer route to get into the app. This solution involves an IdP and SAML and it's like this: the user comes to my app and accepts the terms on the home page → clicks on the login button that will take them to the IdP (Okta) → the IdP does authentication using CAC/PIV → sends a token back to me in SAML → assuming everything is valid, the user gets logged in.

I’d prefer to keep the users in my own app and allow them to do authentication using x509 in my app. 

Any help is much appreciated…


P.S. I am trying to revive this very old post hence adding an issue/question in the answer section. 

answered