We implemented SSO against AzureAD multiple times. Make sure to give Mendix-auto-created SSO users a random password upon generation and roles based upon the claims provided by the AD. You can even reset this password at every login to a new random value – there is even a community commons action to generate random passwords. If the user has no write access to their own password, then the password functionality effectively becomes useless for SSO users. Also make sure to update user data (e.g. roles) upon each login. You can also implement account deactivation here, etc. In other words, the user provisioning flow is crucial here.
Hope this helps.
Best regards,
Wouter
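The provisioning flow described in the post above, written out as a Python model. This is an added illustration, not code from the thread and not Mendix's own module: the claim names (`preferred_username`, `groups`), the group-to-role mapping, the in-memory user store and the `hash_password`/`verify_password` helpers (standing in for Mendix's own password storage and the community commons random-password action) are all assumptions. The point it shows is that an account which gets a fresh unknown password on every SSO login, and is deactivated when its AD group claims disappear, cannot be reached through the local password form.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Assumed mapping from Azure AD group claims to application roles (hypothetical names).
GROUP_TO_ROLE = {
    "app-admins": "Administrator",
    "app-users": "User",
}

PBKDF2_ITERATIONS = 200_000


@dataclass
class AppUser:
    name: str
    password_hash: str
    roles: set = field(default_factory=set)
    active: bool = True


def random_password(length: int = 32) -> str:
    """Cryptographically random password; never shown to anyone, so it is effectively unusable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash, stored as 'salt:digest' (stand-in for the platform's own hashing)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + ":" + digest.hex()


def verify_password(stored: str, candidate: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def roles_from_claims(claims: dict) -> set:
    """Map the IdP's group claims to app roles; unknown groups are ignored."""
    return {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}


def provision_on_login(store: dict, claims: dict) -> AppUser:
    """Run after the IdP token has been validated: create the account if missing, then
    refresh password, roles and active flag from the claims on every login."""
    name = claims["preferred_username"]
    user = store.get(name)
    if user is None:
        user = AppUser(name=name, password_hash=hash_password(random_password()))
        store[name] = user
    # Rotate to a new random password on every SSO login: nobody ever knows the current one.
    user.password_hash = hash_password(random_password())
    # Roles always come from AD; any role granted locally is overwritten here.
    user.roles = roles_from_claims(claims)
    # A user with no mapped groups left is treated as a leaver and deactivated.
    user.active = bool(user.roles)
    return user


def local_login(store: dict, name: str, password: str) -> bool:
    """The classic username/password form. Inactive users are refused outright."""
    user = store.get(name)
    if user is None or not user.active:
        return False
    return verify_password(user.password_hash, password)


if __name__ == "__main__":
    users = {}
    # Constructed claims as they might arrive from Azure AD after token validation.
    joiner = {"preferred_username": "alice@contoso.example", "groups": ["app-users"]}
    leaver = {"preferred_username": "alice@contoso.example", "groups": []}
    print(provision_on_login(users, joiner))
    print(provision_on_login(users, leaver))
    print("local login possible:", local_login(users, "alice@contoso.example", "guess"))
```

Role assignment happens inside `provision_on_login`, so nobody has to pre-create accounts or hand out roles by hand: the first SSO login creates the user with whatever roles the AD groups imply, and a later login with the groups removed deactivates it.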
What is stopping you from putting an SSO button on the login page (simple HTML will suffice), and leaving the password form as is?
If users are logging in via SSO then they won’t have a password to begin with – they will have an account but it will be accessible only via SSO.
You don’t need to create app users beforehand because the SSO module can create new accounts automatically if one with a matching name wasn’t found.
That is an idea, but it means I have to ask users to first provision their account before I can assign them a role.
Also, my main concern is about compliance: I need to make sure a user cannot define/change his password, so that I can rely on AzureAD for leavers.
If a user can manage his password and use the standard login, I’m not sure a leaver cannot access the application anymore.
Did you manage to get it done to satisfaction?
Not yet. Something I'll first have to experiment with locally and then against a test environment. I'll keep you posted.
I have been trying to solve the same challenge and recently came across this module from Mendix:
Similar to the module from Mendix, I created: