For SSO: Mendix apps using SAML, other apps using OAuth

My client has SSO with Microsoft Active Directory as Identity Provider. They also have a platform with app icons where users land as soon as they log in. Clicking on an icon starts that app and logs them in. That platform implements SSO using OAuth. Now they claim that every app on the landing page needs to implement SSO using OAuth, not SAML. Are they right, or can we have our Mendix apps use SAML?
2 answers

I think technically this should not be a problem. It depends on the platform they are using. On most of these platforms (like Okta) SAML 2.0 is supported. It could be company security policy to only allow OAuth.


The good Consulting answer is always… it depends ;-)

It depends on the outcome you are trying to achieve. If you are simply trying to authenticate to your Mendix app using Office 365 credentials, then there are a couple of approaches I am aware of:

  1. SAML: you can use the application proxy service in Azure AD to provide the IdP for your Mendix application. We have this working using:
  2. Use the Microsoft Graph API (via this module) to log in


SAML authentication does NOT provide you with authentication into the Office 365 platform. We need to access the OneDrive for Business service from our Mendix app, so we're attempting to use the resulting SAML assertion to retrieve an OAuth token from the Microsoft token service. This is not working yet. Once this is done we can also make calls to the Office 365 Graph API based on the authorization of the logged-in user.

I believe #2 will accomplish both of the steps we’re attempting on the SAML side (authentication to Mendix AND to Office 365) so we are testing that too. I don’t think it will provide desktop SSO though and it is not platform agnostic as SAML should be. I’m interested to see the outcome of our test. If anyone else has achieved SSO using the Graph API I would be interested to see the solution.
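The exchange the answer above is attempting, presenting a SAML assertion to an OAuth 2.0 token endpoint in return for an access token, is standardised as the SAML 2.0 bearer assertion grant (RFC 7522). The following is an added example and is not code from the thread, from Mendix or from Microsoft: it checks a constructed, unsigned sample assertion the way a relying party should before exchanging it (audience, validity window, replay of the assertion ID) and then builds the RFC 7522 token request body. The token endpoint, client ID, scope, issuer and assertion contents are placeholders; XML signature verification is deliberately omitted and is mandatory in a real deployment; and whether Microsoft's token service accepts a given assertion depends on its own requirements, which the thread does not settle.

```python
"""SAML 2.0 bearer assertion grant (RFC 7522): validate the assertion, then build the token request."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # grant_type value from RFC 7522

# Placeholders for the example (not taken from the original post).
TOKEN_ENDPOINT = "https://login.example.com/oauth2/token"
EXPECTED_AUDIENCE = "https://mendix-app.example.com/SSO/"

# Constructed sample assertion. It is unsigned; a real one carries an XML Signature
# that must be verified against the IdP's certificate before any of the checks below matter.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mendix-app.example.com/SSO/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ) into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, now, seen_ids):
    """Check audience, validity window and replay. Returns {"ok": True, ...} or {"ok": False, "error": ...}.

    seen_ids is the relying party's replay cache of assertion IDs already accepted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return {"ok": False, "error": "not a SAML 2.0 Assertion"}
    assertion_id = root.get("ID")
    if not assertion_id:
        return {"ok": False, "error": "missing assertion ID"}
    if assertion_id in seen_ids:
        return {"ok": False, "error": "replayed assertion ID"}
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return {"ok": False, "error": "no Conditions element"}
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return {"ok": False, "error": "outside validity window"}
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return {"ok": False, "error": "audience mismatch"}
    seen_ids.add(assertion_id)  # only remember IDs of assertions that passed every check
    return {
        "ok": True,
        "id": assertion_id,
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
    }


def build_assertion_grant(xml_text, scope, client_id):
    """Build the application/x-www-form-urlencoded body of an RFC 7522 token request.

    RFC 7522 requires the assertion to be base64url-encoded without padding or line wrapping.
    """
    assertion = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii").rstrip("=")
    return urlencode({"grant_type": SAML2_BEARER, "assertion": assertion, "client_id": client_id, "scope": scope})


def parse_grant_body(body):
    """Inverse of build_assertion_grant for inspection: form body -> dict of single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def decode_assertion_param(value):
    """Restore the padding RFC 7522 strips and decode the assertion XML."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")


if __name__ == "__main__":
    replay_cache = set()
    now = _parse_time("2024-01-01T12:01:00Z")
    result = validate_assertion(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, now, replay_cache)
    print(result)
    if result["ok"]:
        # Placeholder scope and client_id; a real request also needs client authentication.
        print("POST", TOKEN_ENDPOINT)
        print(build_assertion_grant(SAMPLE_ASSERTION, "https://graph.microsoft.com/.default", "client-id"))
```

The replay cache is what stops the same assertion being exchanged twice within its validity window; the audience check is what stops an assertion minted for one service provider being replayed against another. Both checks are worthless without verifying the assertion's signature first, which this example leaves to an XML-DSig library.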