diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index ea193eabd7d..f0d46e29249 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -231,19 +231,23 @@ Ensure that you have allocated the following user roles to the OIDC module and U | User Role | OIDC Module Role | | --- | --- | | Administrator | OIDC.Administrator, UserCommons.Administrator | -| Anonymous | OIDC.Anonymous (for multiple IdPs only) | +| Anonymous | OIDC.Anonymous (optional) | | User | OIDC.User | -{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" class="no-border" >}} +{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png" >}} -### User Roles for Single IdP +### Allowing Anonymous User Role + +#### User Roles for Single IdP If a single Identity Provider (IdP) is configured in the OIDC SSO module, end-users can be authenticated via the URL `https:///oauth/v2/login` This means you do not need to configure the *Anonymous* user role for a single IdP. -### Allowing Anonymous Users for Multiple IdPs (Optional) +#### Allowing Anonymous Users for Multiple IdPs (Optional) The OIDC module supports multiple OIDC/OAuth-compatible IdPs. Optionally, if you allow your end-users to choose from multiple IdPs, or to have the option to log back into the app after they have logged out, you will need to give them access to the app before they have signed in to the app. Therefore, you need to give anonymous users access to your app. +{{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png" class="no-border" >}} + In the **Anonymous** tab of the app security settings, do the following: 1. Set **Allow anonymous users** to **Yes** @@ -251,14 +255,14 @@ In the **Anonymous** tab of the app security settings, do the following: {{< figure src="/attachments/appstore/platform-supported-content/modules/oidc/anonymous-user.png" class="no-border" >}} -{{% alert color="info" %}} -For multiple IdPs, you may have to add the *Anonymous* user role if it does not exist already. -{{% /alert %}} - {{% alert color="warning" %}} Enabling anonymous users introduces a broader attack surface. If you choose this option, follow Mendix guidelines for [setting up anonymous user security](/howto/security/set-up-anonymous-user-security/) to mitigate potential risks. {{% /alert %}} +### Excluding Anonymous User Role + +If you do not want to enable anonymous user, you can use single or multiple IdPs using the login endpoint `oauth/v2/login`, and you will be landed on the IdP's login page. + ### Configuring Navigation{#configure-nav} The OIDC SSO module works without a specified sign-in page. Therefore, in the navigation section of your app, set **Sign-in page** (in the **Authentication** section) to *none*. diff --git a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png new file mode 100644 index 00000000000..dcf645f31e6 Binary files /dev/null and b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles-anonymous.png differ diff --git a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png index dcf645f31e6..353148e2bd6 100644 Binary files a/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png and b/static/attachments/appstore/platform-supported-content/modules/oidc/user-roles.png differ