Deeplink and Single Sign On

4
For our application we want the ability to configure Single Sign On. I noticed Single Sign On in the AppStore, so this is great. We also would like to send e-mails with a URL that connects to a ticket (and possibly has parameters to prevent creating dummy tickets). When I read the documentation for Deeplink in the AppStore I noticed that this module is incompatible with Single Sign On. What is the reason for this incompatibility? Single Sign On - from the documentation - seems to hook into the authentication and DeepLink seems to hook into the client finding a session or posting for a guest login.
asked
3 answers
2

The incompatible part is that the Single Sign On will present its own login screen when there is no session available and the deeplink requires one (other than a guest user). This login screen however authenticates against the Mendix application and not against the Active Directory. (And I guess that after that login screen the browser's built-in login screen will still be presented by the SSO, but I am not sure about that.)

If you need Deeplink only for anonymously accessible deeplinks or if you can guarantee that a session is available, I assume it will work as intended.

answered
2

I forgot to mention that I assumed LDAP authentication as well. This would achieve central identity management and also 1 place that has a password policy.

Reading your response I'm still not sure if what I want would work. I'm not looking for guest users right now. But the business users using the application might log in to the application from a remote place (when opening the access to the application in the firewall) and thus are not always logged on to the domain.

I hope that the logon that Single Sign On presents in that case is authenticated against LDAP, since the Single Sign On option mentions 'This module combines well with the LDAP synchronization module, which can be used to synchronize the userbase with the Active Directory Domain server.'. And the LDAP module mentions password authentication through LDAP.

So I have 2 more questions: 1) Does the above work as I hope/expect? 2) Does deeplink after the SSO login dialog present the screen/object requested?

answered
2
  1. Deeplink does authenticate against LDAP.
  2. The deeplink will work after logging in as expected, as long as it is configured properly.

The problem might be that the deeplink redirects after the deeplink login to the SSO login again, but this can easily be fixed in the module itself. So in combination with LDAP, stuff should work as expected. However, I never tried your setup, so keep us up to date :)

answered