mendix · Karuna-Mendix · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/content/en/docs/catalog/register/register-data.md b/content/en/docs/catalog/register/register-data.md
@@ -98,7 +98,7 @@ The Catalog supports the following methods:
 
 * **Basic authentication** – Authenticate from a username and password
 * **Active session** – For Mendix services, authenticate from the open and active browser session
-* **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module
+* **Mendix SSO** – For Mendix services, authenticate from single sign-on using the [Mendix SSO](/appstore/modules/mendix-sso/) module. However, this module is deprecated as of May 1, 2026.
 * **OAuth** – Authenticate with [OAuth](https://oauth.net/)
 * **OpenID Connect** – Authenticate with [OpenID Connect](https://openid.net/connect/), built on top of [OAuth 2.0](https://oauth.net/2/) and used with the [OIDC SSO](/appstore/modules/oidc/) module
 * **Other** – Specify other ways to authenticate, including custom modules

diff --git a/content/en/docs/control-center/people/groups.md b/content/en/docs/control-center/people/groups.md
@@ -14,6 +14,10 @@ A member in Control Center means a user of the Mendix platform who participates
 
 A Mendix Admin can set up **App Access Groups**, which consist of end-users (who are active users of Mendix Platform in your company) who will have access to [Mendix SSO](/appstore/modules/mendix-sso/)-enabled apps with specific environments and roles.
 
+{{% alert color="warning" %}}
+Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **App Access Groups** are also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **App Access Groups**, use user groups or roles configured within your Identity Provider (IdP) of choice.
+{{% /alert %}}
+
 ## Adding Access Group
 
 To create a new group, click **Add Access Group**  on the upper-right corner and then enter the **Name** and **Description**.
@@ -25,7 +29,7 @@ Click a group name on the list to bring up the group details pop-up window. Then
 {{< figure src="/attachments/control-center/people/groups/access-group.jpg" class="no-border" >}}
 
 {{% alert color="warning" %}}
-You can only add apps that utilize [Mendix SSO](/appstore/modules/mendix-sso/) to App Access Groups.
+You can only add apps that utilize [Mendix SSO](/appstore/modules/mendix-sso/) to App Access Groups. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
 {{% /alert %}}
 
 When you select groups in the list, Mendix Platform users in your company, or accessible apps in the group details page, a context menu will appear with options for exporting item details to an *.xlsx* file, deleting access groups, removing the Mendix Platform users in your company from access groups, and removing accessible apps.
diff --git a/content/en/docs/control-center/security/set-up-sso-byoidp.md b/content/en/docs/control-center/security/set-up-sso-byoidp.md
@@ -45,7 +45,7 @@ BYOIDP SSO has the following features:
 * When you add a domain to your company account, it is automatically added to the active IdP configuration. 
 * External users (with domains that are not part of your company) are unaffected. They still have access based on the way they normally sign in to Mendix.
 * When BYOIDP is used, a session at Mendix is valid for one hour. After the session has expired, Mendix will request a new `ID_token` from your IdP. If the user still has a session at your IdP, the token will be issued without any user input and the platform user continues to have access to the Mendix Platform. The effect of this mechanism is that users have access to the Mendix Platform as long as the session at your IdP is valid.
-* You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app.
+* You can also use the [Mendix SSO](/appstore/modules/mendix-sso/) module in your non-production apps to provide an SSO experience. With BYOIDP, authentication of end-users of these apps will also be delegated by BYOIDP SSO. The end-users of these apps need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app. However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) to delegate login to your IdP directly rather than via the platform services.
 
 #### Technical Integration
 

diff --git a/content/en/docs/deployment/mendix-cloud-deploy/mendix-sso.md b/content/en/docs/deployment/mendix-cloud-deploy/mendix-sso.md
@@ -13,6 +13,10 @@ description: "Use the Mendix SSO module to add Single Sign-on to your app using
 
 The [Mendix SSO](/appstore/modules/mendix-sso/) module enables your app end-users to sign in with their Mendix account when your app is deployed to Mendix Cloud.
 
+{{% alert color="warning" %}}
+This module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
+{{% /alert %}}
+
 {{% alert color="warning" %}}
 Because your app end-users are signing in with a Mendix account, they will all need to [sign up for a Mendix account](https://signup.mendix.com/) before they can sign in to your app.
 

diff --git a/content/en/docs/developerportal/settings/_index.md b/content/en/docs/developerportal/settings/_index.md
@@ -88,9 +88,13 @@ To manage users or invite users for an app deployed on a specific environment, c
 
 On the tab, you can only see the environments that satisfy the following requirements:
 
-* [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/).
+* [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/) is implemented in the app using the [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, refer to [Mendix Single Sign-On](/developerportal/deploy/mendix-sso/). Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
 * You are currently assigned a user role in the app which allows you to manage other users. For more information, refer to the [User Management Properties](/refguide/user-roles/#user-management) section of *User Roles*.
 
+{{% alert color="warning" %}}
+Note that the Mendix SSO module has been deprecated as of May 1, 2026. As part of this deprecation, **Access Management** is also deprecated. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) for Mendix SSO. For **Access Management**, use user groups or roles configured within your Identity Provider (IdP) of choice.
+{{% /alert %}}
+
 {{% alert color="info" %}}
 When deploying your application to a non-production environment, the deploying user and the Technical Contact are always assigned the Administrator user role.
 

diff --git a/content/en/docs/marketplace/genai/reference-guide/mcp-modules/mcp-server.md b/content/en/docs/marketplace/genai/reference-guide/mcp-modules/mcp-server.md
@@ -58,7 +58,7 @@ The selected microflow must adhere to the following principles:
 * The Input type should be `MCPServer` and/or `System.HttpRequest`, to extract required values, such as HttpHeaders, from the request.
 * The return value needs to be a `System.User` object which represents the user who sent the request.
 
-Within your microflow, you can implement your custom logic to authenticate the user. For example, you can use username and password (basic auth), Mendix SSO, or external identity providers (IdP) as long as a `User` is returned. Note that the example authentication microflow within the module only implements basic authentication.
+Within your microflow, you can implement your custom logic to authenticate the user. For example, you can use username and password (basic auth) or external identity providers (IdP) as long as a `User` is returned. Note that the example authentication microflow within the module only implements basic authentication.
 
 The `User` returned in the microflow is used for all subsequent prompt and tool microflows within the same session. This makes the `currentUser` and `currentSession` variables available, allowing you to apply entity access for user-based access control based on the default Mendix entity access settings.
 

diff --git a/content/en/docs/marketplace/platform-supported-content/modules/administration.md b/content/en/docs/marketplace/platform-supported-content/modules/administration.md
@@ -23,7 +23,7 @@ The [Administration](https://marketplace.mendix.com/link/component/23513) module
 * [Atlas Core](https://marketplace.mendix.com/link/component/117187): required for the Administration module versions 4.0.0 and above
 * [Combo Box](https://marketplace.mendix.com/link/component/219304): required for the Administration module versions 4.0.0 and above
 * [Atlas UI Resources](https://marketplace.mendix.com/link/component/104730): required for the Administration module versions 3.0.0 and below
-* [Mendix SSO](https://marketplace.mendix.com/link/component/111349): required for the Administration module versions 1.3.X (for example 1.3.2) and 2.1.X (for example 2.1.2)
+* [Mendix SSO](https://marketplace.mendix.com/link/component/111349): required for the Administration module versions 1.3.X (for example 1.3.2) and 2.1.X (for example 2.1.2). However, this module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
 
 ## Installation
 
@@ -74,3 +74,7 @@ The [Administration](https://marketplace.mendix.com/link/component/23513) module
 2. Configure the **MendixSSO_AfterStartup** microflow from the Administration module as the [after startup](/refguide/runtime-tab/#after-startup) microflow. If there is already an after startup microflow, do not replace it, but add the **MendixSSO_AfterStartup** microflow as a sub-microflow in the existing microflow.
 
 {{% alert color="info" %}}If you previously used the Mendix SSO in your application, use the **MendixSSO_MigrateUsersToAccount** microflow to migrate users from the `MendixSSOUser` to the `Administration.Account` specialization. Before executing the migration, carefully read the instructions in the microflow.{{% /alert %}}
+
+{{% alert color="warning" %}}
+Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
+{{% /alert %}}
diff --git a/content/en/docs/marketplace/platform-supported-content/modules/mendix-feedback.md b/content/en/docs/marketplace/platform-supported-content/modules/mendix-feedback.md
@@ -236,7 +236,7 @@ You can configure the widget for certain actions in your app. All the configurat
 
 * **Authentication** tab
 
-    {{% alert color="info" %}}For the best user experience, your are strongly encouraged to apply Mendix SSO to your app and connect the Mendix SSO module to the Mendix Feedback widget version 8.2.1 or above. Choose only one of the authentication methods: either **MendixSSO** or **Custom Authentication**.</br></br>You need to enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}}
+    {{% alert color="info" %}}For the best user experience, configure your app to use the Mendix Feedback widget version 8.2.1 or above with a supported authentication method. Choose only one authentication method: either **MendixSSO** or **Custom Authentication**. Note that the Mendix SSO module is deprecated as of May 1, 2026. **Custom Authentication** is the recommended approach going forward. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) modules for authentication integration.</br></br>Enter the value of authentication items manually as currently the widget does not support a drop-down menu for selecting microflow or the attributes of an entity.{{% /alert %}}
 
     * **MendixSSO** – if Mendix SSO is applied and the following settings are configured correctly, the end-user can leave feedback without having to enter their name and email address
         * **ID token microflow** – recommended that you select the **DS_GetCurrentIdToken** microflow from the Mendix SSO module. 

diff --git a/content/en/docs/marketplace/platform-supported-content/modules/mendix-sso.md b/content/en/docs/marketplace/platform-supported-content/modules/mendix-sso.md
@@ -1,13 +1,22 @@
 ---
 title: "Mendix SSO"
 url: /appstore/modules/mendix-sso/
+deprecated: true
 description: "Describes the configuration and usage of the Mendix SSO module, which is available in the Mendix Marketplace."
 #If moving or renaming this doc file, implement a temporary redirect and let the respective team know they should update the URL in the product. See Mapping to Products for more details.
 #Please do not rename the anchor #supplements in this document as it is used in links from the module release notes.
 ---
 
 ## Introduction
 
+{{% alert color="warning" %}}
+This module is deprecated as of May 1, 2026, and will be removed from the public Marketplace on November 1, 2026.  
+
+To ensure uninterrupted single sign-on functionality for end users, Mendix recommends migrating to the [OIDC SSO](/appstore/modules/oidc/) module, which requires configuring an identity provider (IdP). 
+
+If an external IdP is not available, you may alternatively use local in-app credentials or implement a custom SSO solution using the [OIDC Provider](/appstore/services/oidc-provider/) module.
+{{% /alert %}}
+
 With the [Mendix SSO](https://marketplace.mendix.com/link/component/111349/) module, you can utilize single sign-on functionality by directly integrating with the Mendix identity provider and leveraging the [OpenID Connect](https://openid.net/connect/) framework.
 
 This module allows end-users to sign in with their Mendix account with the click of a button, instead of requiring their local user credentials. This module avoids having to deal with local user management or password reset flows for the test and acceptance phases of your app development.

diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md
@@ -33,7 +33,7 @@ The OIDC SSO module works with both web/responsive applications and progressive
 Alternatives to using OIDC SSO for managing single sign-on are:
 
 * [SAML](https://marketplace.mendix.com/link/component/1174) – if your IdP supports the SAML protocol but not the OIDC protocol
-* [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform
+* [Mendix SSO](https://marketplace.mendix.com/link/component/111349) – if your app is targeted at end-users that have signed up to the Mendix platform. However, this module is deprecated as of May 1, 2026. You may alternatively use [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
 
 ### Typical Usage Scenarios
 

diff --git a/...refguide/modeling/application-logic/workflows/add-action-to-workflow-toolbox.md b/...refguide/modeling/application-logic/workflows/add-action-to-workflow-toolbox.md
@@ -28,7 +28,7 @@ Before starting this how-to, make sure you have completed the following prerequi
 
 * Familiarize yourself with workflow terms. For more information, see [Workflows](/refguide/workflows/). 
 * Install Atlas 3 from the Mendix Marketplace. As a result of installing Atlas 3, your app should contain the following modules that Workflow Commons depends on: Atlas_Core, Atlas_Web_Content, and DataGrid.
-* Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/).
+* Your app has the following optional modules [Workflow Commons](https://marketplace.mendix.com/link/component/117066) and [Mendix SSO](https://marketplace.mendix.com/link/component/111349) modules for better developer experience. However, the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).For more information on how to set up Workflow Commons in an existing app, see [Adding a Workflow to an Existing App: Using Workflow Commons](/refguide/workflow-setting-up-app/).
 
 ## Exposing the Microflow as the Workflow Action
 

diff --git a/...ng/integration/odata-services/consumed-odata-services/consumed-odata-service.md b/...ng/integration/odata-services/consumed-odata-services/consumed-odata-service.md
@@ -55,6 +55,10 @@ Custom authentication can be done with the microflow where the authentication va
 
 Publishers can set up [custom authentication](/refguide/published-odata-services/#authentication-microflow) using [Mendix SSO](/appstore/modules/mendix-sso/) module. For more information, see the [Mendix SSO](/refguide/published-odata-services/#authentication-mendix-sso) section of *Published OData Services*. 
 
+{{% alert color="info" %}}
+Note that the Mendix SSO module is deprecated as of May 1, 2026. For new implementations, it is recommended to configure custom authentication using [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/) modules.
+{{% /alert %}}
+
 Consumers of an OData service that is set up with Mendix SSO authentication can use the **CreateAccessTokenAuthorizationHeaderList**.
 
 To learn more about how to publish an OData service with authentication (Mendix SSO, or other methods), see the [Authentication Methods](/refguide/published-odata-services/#authentication-methods) section of *Published OData Services*. 

diff --git a/...refguide/modeling/integration/odata-services/published-odata-services/_index.md b/...refguide/modeling/integration/odata-services/published-odata-services/_index.md
@@ -220,6 +220,10 @@ To set up authentication with Mendix SSO, do the following:
 1. Ensure the [Mendix SSO](/appstore/modules/mendix-sso/) module has been installed and configured in your app.
 2. In the published OData/GraphQL service, choose **Custom** authentication and select the **AuthorizeRequestWithAccessTokenFrom Request** microflow.
 
+{{% alert color="warning" %}}
+Note that the Mendix SSO module is deprecated as of May 1, 2026. You may alternatively use [OIDC SSO](/appstore/modules/oidc/), [SAML](/appstore/modules/saml/), or [LDAP](appstore/modules/ldap/).
+{{% /alert %}}
+
 #### Allowed Roles
 
 The allowed roles define which [module role](/refguide/module-security/#module-role) a user must have to be able to access the service. This option is only available when **Requires authentication** is set to **Yes**.