Issue
The organization's security policies require that the client secret used in Mendix Platform SSO (Single Sign-On), BYOIDP (bring your own identity provider), be rotated by an automated process (a pipeline). However, the current process requires manually copying and pasting the client secret into the Mendix Control Center, which conflicts with those policies.
Environment
Applications hosted in Mendix Cloud
Cause
Mendix does not provide an API (Application Programming Interface) or automation capability to update or rotate the client secret for Platform SSO configurations.
Mendix Pipelines are designed for CI/CD (Continuous Integration and Continuous Delivery/Deployment) automation (build, test, deploy) and do not cover platform-level security configuration, such as SSO client secrets.
Solution/Workaround
The client secret must be updated manually via the Mendix Control Center, either by cloning and updating the existing BYOIDP configuration or by disabling and re-enabling it with a new secret.
Additional information
- Mendix documentation: