From 5df3874693388c94ec27f73d270e4be1f83dd3ce Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 29 May 2026 14:03:27 +0200 Subject: [PATCH 1/3] Update multi-domain support --- .../platform-supported-content/modules/oidc.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 0be40ae616f..98412edf312 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md 
@@ -521,6 +521,20 @@ Example: `OIDC.Default_SAM_TokenProcessing_CustomATP` When the `IsClientGrantOnly` constant is set to *true*, the OIDC SSO module considers the configuration as Client Credential grant configuration. {{% /alert %}} +## Configuring Multi-Domain + +The OIDC SSO module supports multi-domain, enabling flexible deployment in multi-app or shared domain environments. When you enable multi-domain support, the module resolves the application URL from request headers rather than relying solely on the ApplicationRootUrl, allowing users to access the application through their custom domains. + +To enable multi-domain support, set the `EnableMultiDomainSupport` constant to *True* in the [Acceptance Environment Details](/developerportal/deploy/environments-details/#constants) for Mendix Cloud. By default, this constant is set to *False*. + +After enabling multi-domain support, configure the `AllowedHosts` constant to specify which custom domains are permitted. If you enable multi-domain support but leave `AllowedHosts` empty, the module redirects all users to the ApplicationRootUrl. + +The `AllowedHosts` constant accepts a comma-separated or space-separated list of hostnames in the following formats: + +* Exact match – `example.com` allows only that specific domain +* Subdomain wildcard – `.example.com` allows any subdomain of example.com +* Full wildcard – `*` allows any domain + ## User Provisioning (End-User Onboarding) Initially, your app will not have any end-users. You can onboard end-users into your app using one of the following mechanisms: From 3ca20266004ad37b5a89eff49ddf13b48ba643aa Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 29 May 2026 14:14:54 +0200 Subject: [PATCH 2/3] small fix --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 98412edf312..66600f061ef 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -532,7 +532,7 @@ After enabling multi-domain support, configure the `AllowedHosts` constant to sp The `AllowedHosts` constant accepts a comma-separated or space-separated list of hostnames in the following formats: * Exact match – `example.com` allows only that specific domain -* Subdomain wildcard – `.example.com` allows any subdomain of example.com +* Subdomain wildcard – `.example.com` allows any subdomain of `example.com` * Full wildcard – `*` allows any domain ## User Provisioning (End-User Onboarding) From 574726e40637e9a061209a96f96e6a9641557dde Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 29 May 2026 14:30:01 +0200 Subject: [PATCH 3/3] Update version specific info --- .../marketplace/platform-supported-content/modules/oidc.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 66600f061ef..f6e6dd2bafc 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md 
@@ -205,6 +205,7 @@ This section provides an overview of updates for the OIDC SSO module across diff | Mendix Version | OIDC SSO Module Version | Important Migration Changes | Additional Information | | --- | --- | --- | --- | +| 10.24.0 and above | 4.x.x | - | Supporting multi-domain using constant. See [Configuring Multi-Domain](#multi-domain) for more information. | | 10.24.0 and above | 4.4.0 | Move the `Encryption.Encryptionkey` value to the `OIDC.Encryptionkey` constant. | Dependencies on the Encryption and Nanoflow Commons modules have been removed.
**Issued Tokens** tab has been removed from the OIDC Client Configuration page. | | 10.24.0 and above | 4.3.0 | - | Supporting multi-domain and sub-path. | | 10.24.0 and above | 4.2.1 | In version 4.2.1, automatic migration of the UserCommons has been removed. | Since migration steps were removed in 4.2.1, you must upgrade to OIDC SSO version 4.2.0 first to prevent data loss. This applies to the UserCommons, if you are migrating from any version below 3.0.0, always upgrade to 4.2.0 first, then move to the latest v4.2.1. | @@ -521,7 +522,7 @@ Example: `OIDC.Default_SAM_TokenProcessing_CustomATP` When the `IsClientGrantOnly` constant is set to *true*, the OIDC SSO module considers the configuration as Client Credential grant configuration. {{% /alert %}} -## Configuring Multi-Domain +## Configuring Multi-Domain {#multi-domain} The OIDC SSO module supports multi-domain, enabling flexible deployment in multi-app or shared domain environments. When you enable multi-domain support, the module resolves the application URL from request headers rather than relying solely on the ApplicationRootUrl, allowing users to access the application through their custom domains.
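Review bot: In [PATCH 1/3], hunk `@@ -521,6 +521,20 @@`, the bullet "Full wildcard – `*` allows any domain" needs a caution. The first paragraph of the new section says the module resolves the application URL from request headers, so with `*` the `AllowedHosts` list no longer constrains that header-derived value at all. Suggest adding a sentence that recommends exact or subdomain entries and says when, if ever, `*` is appropriate. Two related gaps in the same hunk: the text says "request headers" without naming which headers are consulted, and it does not say whether `.example.com` also matches the bare `example.com`. `ApplicationRootUrl` should also be in code formatting like the other constants.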
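Review bot: In [PATCH 3/3], hunk `@@ -205,6 +205,7 @@`, the new table row gives the OIDC SSO module version as `4.x.x`, which reads as a placeholder; replace it with the actual release that introduces the constants before merging. The existing 4.3.0 row already says "Supporting multi-domain and sub-path", so the new row should state what is different, for example by naming `EnableMultiDomainSupport` and `AllowedHosts` instead of "using constant".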