Using Google SSO instead of Mendix Users

Is it ok to user the user ID from a Google SSO, and track the users using my own user entity without having to use the Mendix System.User users?  I realize it means I won’t be using the role system associated with System.User as normal, but I could manually do that anyhow.  I was thinking of just using anonymous user sessions and associating a Google SSO ID for that session only. Essentially that means unlimited users, but I wanted to see if I am allowed to do so.
3 answers

Hi James,

Personally i see no need to not use System.user. If you want to not use the default Mendix user and role structure, you are not using a very powerful way of managing security in your application. You will loose a large part of the speed and security of developing in Mendix.

Mendix can connect to external idps using SAML ( and openID ( for example. These modules both use System.user.

I am not familiar with “google SSO” but if one of the appstore components doesn't fit your need, you could use them as an inspiration for setting up your own sso connector.


James, here’s something especially for you;

Your idea of detaching the account from the process object isn’t a bad Idea. but it still needs a account and a reference.

If you do it as follows:

  1. create a entity (i.e. person) in your module covering the user process.
  2. add a 1-1 association between that entity and the Account entity (specialization of System.User)
  3. Implement Google SSO
  4. When a user logs in for the first time using Google account an account object & Person object needs to be created + applicable role will be assigned
  5. Everything the user does, link it to person
  6. When user logs off (or when certain amount of named users is reached), you can delete the account object. but keep the Person
  7. When user login a 2nd time; create the account object and MATCH it with existing person.
  8. BOOM; you are using System.User, the default security model AND your nr of named accounts is limited.
    Next to that, except of account deleting, this is THE way to handle your account vs process





You cannot simply skip using the systems user. Anyone using the app must always authenticate to the Mendix app, using a System.User /Name+PW

Using the Google SSO doesn’t change that. Only the HANDLING of the System.User is put somewhere else.


Answering your additional questions:

  1. No; the name cannot be translated.
    But since you are using the Google SSO; why do you need the User roles to be displayed?
    If it is just to let the user know which role they have; just add an extra attribute to your account entity type string, which you update with the userrole in chinese characters.
  2. MendixID and using the System.User are to different things. MendixID or Mendix SSO equals the concept of using Google SSO. Both are an account handler. Both will user the System.User, which is basically the database table where you store the app users and match their username/pw against.


I do suggest you first follow the rapid developer learning path:

It explains the security model, where after the answers will make a lot more sense.
Also the learning paths about security will help you: