Mendix Licensing

0
Can someone please explain how Mendix determines that users across different applications are the same individual rather than different users? How is this audited or tracked within the platform? Considering that we have the Mendix License Premium Unlimited Apps plan with all users as internal users. Thanks in advance! Piyush :)
asked
2 answers
0

Hi Piyush,

In short, Mendix can only consistently recognize the same user across multiple applications if you use SSO modules. By configuring SAML or OIDC, the platform relies on a unique identifier from your identity provider to identify the same individual across apps. This also ensures proper auditing and tracking of user actions across your applications.

For more details, see the official documentation:

The doc explicitly mentions how correct identification of end users is crucial for consistent and accurate end‑user metering and deduplication across multiple applications. It introduces the User Metering Named Identifier and explains that if you persist the same value (e.g., email) for the same user across apps, Mendix can identify that end user consistently across apps.

answered
0

Mendix does not automatically know that users in different apps are the same person. Your SSO/Identity Provider decides this by issuing the same immutable ID for the user across all apps (for example, OIDC sub or SAML NameID). Each app stores its own local user and links it to that external ID.

Auditing across apps is done via your IdP’s sign‑in logs (or a central SIEM that aggregates each app’s login logs), not natively within Mendix. Control Center only manages platform users (developers), not end‑users.

With Premium Unlimited Apps and internal users, unique users are effectively the distinct internal identities in your IdP that sign in to any Mendix app; the same person using multiple apps counts once. For exact counting rules, confirm with your Mendix account team.

 

  • Scenario
    • Two Mendix apps: HR and Travel
    • All users are internal employees
    • Both apps use the same corporate IdP (Azure AD) via OIDC
    • Both apps map the same immutable unique ID: OIDC `sub` (Azure AD `oid`)

 

  • Identity setup (once)
    • IdP: Azure AD issues a stable `oid` per user
    • Mendix apps store a local user (`System.User` / `Administration.Account`) and link it to the IdP ID
    • Field example in each app: `ExternalId = 9f1c...` (the user’s `oid/sub`)

 

  • Login flow (example: Jane)
    1. Jane signs in to HR.
      • Azure AD returns claims including `sub/oid = 9f1c...`
      • HR app creates/updates `Administration.Account` and stores `ExternalId = 9f1c...`
    2. Jane signs in to Travel.
      • Azure AD again returns `sub/oid = 9f1c...`
      • Travel app creates/updates its own `Administration.Account` with `ExternalId = 9f1c...`
  • Result: Both apps have different local users, but each is linked to the same external ID `9f1c...`, so it’s the same individual.

 

  • How sameness is determined
    • Not by Mendix Runtime across apps
    • By the IdP’s immutable ID (here, OIDC `sub`/Azure AD `oid`)
    • If `ExternalId` matches across apps, it’s the same person
  • Auditing and tracking
    • In each app:
      • Runtime login logs and SSO module data link the local account to `ExternalId`
    • Across apps:
      • Use IdP sign‑in logs (Azure AD) and group by `oid`
      • Or forward app logs to a SIEM and aggregate by `ExternalId`
    • Mendix Control Center does not track end‑users across apps (it’s for platform users)
  • Licensing (Premium Unlimited, internal users)
    • Count distinct internal identities in your IdP that authenticate to any Mendix app (distinct `oid/sub`)
    • The same employee using multiple apps counts once
    • For exact audit evidence, confirm with your Mendix account team
answered
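
An added illustration of the "aggregate by `ExternalId`" step from the answer above (not code from either poster or from Mendix): a Python sketch that correlates login events from several apps by external ID and surfaces local accounts that have none and therefore cannot be deduplicated. The JSON field names, the `ext-id-*` values and the sample events are constructed assumptions, not a Mendix log format.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON object per login event, as a SIEM might receive
# them from each app. Field names and values are assumptions for illustration.
SAMPLE_EVENTS = """\
{"app": "HR", "local_user": "jane.doe", "external_id": "ext-id-jane"}
{"app": "Travel", "local_user": "jdoe", "external_id": "ext-id-jane"}
{"app": "HR", "local_user": "sam.lee", "external_id": "ext-id-sam"}
{"app": "Travel", "local_user": "local.admin", "external_id": null}
{"app": "HR", "local_user": "jane.doe", "external_id": "ext-id-jane"}
"""

def correlate(raw):
    """Group login events by external_id; collect events that carry none."""
    identities = defaultdict(lambda: {"apps": set(), "local_users": set(), "logins": 0})
    unlinked = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Exact match only: OIDC `sub` values are case-sensitive strings.
        ext = (event.get("external_id") or "").strip()
        if not ext:
            # A local (non-SSO) account: no IdP identifier to join on.
            unlinked.append((event["app"], event["local_user"]))
            continue
        rec = identities[ext]
        rec["apps"].add(event["app"])
        rec["local_users"].add((event["app"], event["local_user"]))
        rec["logins"] += 1
    return dict(identities), unlinked

def report(identities, unlinked):
    """Render one summary line per identity plus one per unlinked account."""
    out = [f"distinct identities: {len(identities)}"]
    for ext, rec in sorted(identities.items()):
        out.append(f"{ext}: apps={sorted(rec['apps'])} logins={rec['logins']}")
    for app, user in unlinked:
        out.append(f"UNLINKED {user!r} in {app}: no external ID, cannot correlate")
    return out

if __name__ == "__main__":
    print("\n".join(report(*correlate(SAMPLE_EVENTS))))
```
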