content/en/docs/control-center/security/security.md
7 additions & 5 deletions
@@ -73,7 +73,7 @@ You can turn application data replication back on by clicking **Activate**.
On the **Single Sign-On** tab, you can set up an identity federation between the Mendix Platform and your corporate identity provider. This feature is called [Bring Your Own Identity Provider (BYOIDP)](/control-center/security/set-up-sso-byoidp/).
Once you have set up Single Sign-On (SSO) for the Mendix platform, you can extend this Identity Provider (IdP) integration to control who is granted the Mendix Admin role. From an access management perspective, central management of privileged roles, such as the Mendix Admin, is a recognized best practice. This approach mitigates the risk of privilege creep, where existing Mendix Admins can freely give admin rights to others without proper control.
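Review bot: the two context lines in this hunk write the product name as "Mendix Platform" and then "Mendix platform"; pick one capitalization (the rest of the file, e.g. "The Mendix platform has the flexibility of using any claim name and value.", uses the lowercase form). A second point on the same lines: "privilege creep" normally names the gradual accumulation of rights by one account over time, whereas the sentence describes existing admins freely granting admin rights to others, so "unreviewed delegation of admin rights" or "uncontrolled growth of the admin population" states the risk the central-management argument actually addresses.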
@@ -96,18 +96,20 @@ As a result, the overview of [Mendix Admins](/control-center/mendix-admins-page/
#### Onboarding Prerequisites
-
Before you request to be onboarded to the IdP-managed Mendix Admins feature, please ensure the following prerequisites are met:
+
Before you request to be onboarded to the IdP-managed Mendix Admins feature, ensure the following prerequisites are met:
-
1. You have a Premium platform license to use this feature.
+
1. You have a premium platform license to use this feature.
2. You have set up an active SSO or BYO-IdP configuration, as described in [Set Up an SSO (BYOIDP)](/control-center/security/set-up-sso-byoidp/).
-
3. You have a user group in your IdP that includes your current Mendix Admins. Typically, your IT department should manage this group, possibly with a request/approval process.
+
3. You have a user group in your IdP that includes your current Mendix Admins. Typically, your IT department should manage this group, possibly with a request or approval process.
4. The ID token sent by your IdP to the Mendix platform during SSO must include a claim that indicates whether a user is a member of the Mendix Admin group. For configuration, Mendix needs to know the name of the claim and the expected value. When using Entra ID, a typical setup should have the following claim in the ID token:
```text
“roles” : “Mendix-admin”
```
-
The Mendix platform has the flexibility of using any claim name and value.
+
The Mendix platform has the flexibility of using any claim name and value.
+
+
5. Note that when using the BYOIDP feature to manage your Mendix Admins (see the [IdP-managed Mendix Admins](#idp-managed-mendix-admins) section above), the Mendix platform does not include anything specific in the SSO request (such as a specific scope value or claims request parameter). It expects that your IdP includes the required claim based on the configurations in your IdP for Mendix as a client.
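Review bot: the new item 5 is phrased as a side note ("Note that when using the BYOIDP feature...") in a list titled "Onboarding Prerequisites", and it leaves the actionable requirement implicit. Since the platform sends no scope value or claims request parameter, the concrete prerequisite is that the IdP is configured to emit the claim from step 4 on every ID token it issues for the Mendix client, without being asked. Suggest stating that directly, e.g. "Your IdP must be configured to include the claim described in step 4 in every ID token it issues for the Mendix client; the Mendix platform does not request it explicitly (it sends no specific scope value or claims request parameter)." Two smaller points in the same hunk: the `text` sample `“roles” : “Mendix-admin”` uses typographic quotes, which will not paste cleanly into a JSON or claim-mapping editor, so use straight quotes, and Entra ID emits app roles in the token as a JSON array (`"roles": ["Mendix-admin"]`), so the sample should show the claim in the shape the IdP actually produces. Step 2 also says "BYO-IdP" while the link text and the rest of the page use "BYOIDP".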