Single Sign On - MendixCloud

Hi,

We want to use the Kerberos module for SSO. The end result we want to achieve: people who log into the domain via their computer (which is in the domain) do not have to log into the (several) Mendix applications (which currently use the

The documentation says the following: "The Mendix server must be a member of the same AD domain as the users in order for SSO to work. This also means this module won't be usable in Mendix cloud environments."

Is it possible to use the MendixCloud environment and use an SSL certificate to redirect, so that the domain corresponds? Or is the only possible solution to run Mendix in our own (cloud) domain? Or are there any other solutions where we can use Mendix Cloud but still have SSO?

Cheers,

Rutger
1 answer

Kerberos relies on server-to-server trust, which means that during setup you'll have to set up certificates for specific IP addresses, server names, and for all the routes a request takes to go from the SP to the IDP.

With Mendix being a cloud platform that uses containers, all of the above is impossible to achieve: a container only exists while the application is running. When you do a restart you'd get a new container and lose the pre-established Kerberos trust.

Also, Kerberos has predictable ciphers, partially encrypted messages, and fairly long-running tickets (the thing that allows you access to an app); this makes Kerberos not the best tool to run over the public internet (you should use a VPN to secure the messages).

All of those things make it impossible to run on the Mendix Cloud architecture. To be complete: if you truly wish to use Kerberos, you could set this up on your own IaaS servers, with VPNs and a lot of work, but I would recommend against that.

I would suggest using something designed for secure internet communication, such as SAML, OpenID or OAuth.
In your case, when authenticating against AD, SAML will probably be the easiest to set up.