External IDP connectors let you integrate your existing identity providers with Mosaic via journeys. They are primarily used in Just-In-Time (JIT) migration scenarios, where users are authenticated against your existing IDP and provisioned in Mosaic as they log in. Social providers (Google, Meta, Apple) can also be used to enable social login in your journeys.
Mosaic provides pre-built connectors for the following identity providers. Available authentication methods vary by provider and are exposed as journey steps.
| Provider | OIDC | Password | Email OTP | SMS OTP | TOTP |
|---|---|---|---|---|---|
| Okta | ✓ | ✓ | – | – | ✓ |
| Auth0 | ✓ | ✓ | – | – | – |
| AWS Cognito | ✓ | ✓ | ✓ | ✓ | – |
| Microsoft Entra ID | ✓ | ✓ | – | – | – |
| Keycloak | ✓ | ✓ | – | – | ✓ |
| OneLogin | ✓ | ✓ | – | – | – |
| Ping Identity | ✓ | ✓ | – | – | – |
| Google | ✓ | – | – | – | – |
| Meta (Facebook) | ✓ | – | – | – | – |
| Apple | ✓ | – | – | – | – |
To add an external IDP connector:
- In the Admin Portal, navigate to Integration Hub > External IDP.
- Select your identity provider.
- Enable connector.
- Enter a name for the connector.
- Enable the authentication methods you want to use.
- Complete the connector fields:
| Field | Description |
|---|---|
| Authentication methods | The authentication methods to enable. Available methods vary by provider—see the provider sections below. |
| Domain / server / realm | The provider-specific identifier for your IDP instance (for example, your Okta domain, Cognito user pool details, or Keycloak realm URL). See the provider sections below for details. |
| Client credentials | The OAuth2 client ID and secret Mosaic uses to authenticate against your IDP. |
| Custom endpoints (Advanced) | Override default IDP endpoints if you use a custom domain. |
- Click Test to verify the connection.
- Click Save.
Mosaic supports OIDC and password authentication against Auth0.
- OIDC: Add the redirect URI from your application's client settings to the Allowed Callback URLs in your Auth0 application.
- Password: Enable the Password grant type in Advanced Settings > Grant Types. Also set the Default Directory to Username-Password-Authentication in Settings > API Authorization Settings—without this, the password grant fails.
| Field | Value |
|---|---|
| Auth0 domain | Your Auth0 tenant domain (e.g., your-tenant.us.auth0.com). |
| Client credentials | Client ID and secret from your Auth0 application. |
Mosaic supports OIDC, password, and OTP (email and SMS) authentication against AWS Cognito.
In your Cognito app client settings, enable the authentication flows for the methods you plan to use:
- OIDC: Enable Authorization code grant in Hosted UI settings. Add the redirect URI from your application's client settings to the Allowed callback URLs.
- Password: Enable ALLOW_USER_PASSWORD_AUTH.
- OTP: Enable ALLOW_USER_AUTH. In the user pool's sign-in settings, also enable email or SMS OTP under Options for choice-based sign-in.
If you use OTP, ensure MFA is set to Optional or No MFA—setting it to Required is incompatible with OTP as a first-factor authentication method.
| Field | Value |
|---|---|
| AWS Region | The AWS region where your User Pool is located. |
| Client credentials | Client ID and secret from your Cognito app client. |
| User Pool ID | The ID of your Cognito User Pool (e.g., eu-north-1_xxxxxx). |
| Domain | Your Cognito Hosted UI domain (required for OIDC). |
Mosaic supports OIDC, password, and TOTP authentication against Okta.
In Okta, create a Native application (ROPC requires the Native type, not Web). Enable the grant types for the methods you plan to use:
- OIDC: Enable the Authorization Code grant type. Add the redirect URI from your application's client settings as a sign-in redirect URI.
- Password: Enable the Resource Owner Password grant type (under Advanced > Other grants).
- TOTP: Enable the Interaction Code grant type (under Advanced > Other grants) and turn on Embedded widget sign-in support in Settings > Account.
For each method, ensure the Authorization Server access policy (Security > API > Authorization Servers) includes the corresponding grant type. Configure the Authentication policy assigned to the application to allow Password factor for password and OIDC, or Possession factor for TOTP.
| Field | Value |
|---|---|
| Okta domain | Your Okta organization domain (e.g., your-org.okta.com). |
| Authorization Server ID | The ID of the Okta authorization server. Use default for the default authorization server. |
| Client credentials | Client ID and secret from the Native application. |
Mosaic supports OIDC and password authentication against Microsoft Entra ID.
In Azure Portal, create an App registration under Microsoft Entra ID.
- OIDC: Configure redirect URIs under Authentication > Platform configurations. Add the redirect URI from your application's client settings.
- Password: Enable Allow public client flows under Authentication > Advanced settings. This is required for the ROPC flow—without it, password authentication fails. Note that MFA must not be enforced for users authenticating via ROPC, as the flow cannot handle interactive MFA challenges.
Create a client secret under Certificates & secrets and note the Tenant ID and Client ID from the application overview.
| Field | Value |
|---|---|
| Tenant ID | Your Azure Directory (tenant) ID. |
| Client credentials | Client ID and client secret from your app registration. |
Mosaic supports OIDC, password, and TOTP authentication against Keycloak.
Create a confidential client in your Keycloak realm with Client authentication enabled. Configure the authentication flows for the methods you plan to use:
- OIDC: Enable Standard flow. Add the redirect URI from your application's client settings to the Valid redirect URIs.
- Password: Enable Direct access grants.
- TOTP: Create a custom Direct Grant authentication flow containing Username Validation and OTP executions (both Required), and bind it as the Direct grant flow. Users must have a TOTP authenticator enrolled before they can use this method.
| Field | Value |
|---|---|
| Keycloak Server URL | The base URL of your Keycloak realm (e.g., https://your-keycloak.com). |
| Realm | The Keycloak realm name to authenticate against. |
| Client credentials | Client ID and secret from your Keycloak client. |
Mosaic supports OIDC and password authentication against OneLogin.
Create an OpenID Connect application in your OneLogin admin console. Add the redirect URI from your application's client settings to the application's Redirect URIs.
Set the Token Endpoint Authentication Method in the application's SSO settings based on the methods you plan to use:
- OIDC: Set to Basic.
- Password: Set to POST.
These settings conflict—only one can be active per application. If you need both OIDC and password authentication, create two separate OneLogin applications and configure one connector for each.
Ensure users are assigned to the application.
| Field | Value |
|---|---|
| OneLogin subdomain | Your OneLogin subdomain (e.g., your-company.onelogin.com). |
| Client credentials | Client ID and secret from the SSO tab of your OneLogin application. |
Mosaic supports OIDC and password authentication against Ping Identity (PingOne).
Create an OIDC application in your PingOne environment.
- OIDC: Add the redirect URI from your application's client settings to the application's redirect URIs.
- Password: Enable the Resource Owner Password Credentials grant type for the application.
| Field | Value |
|---|---|
| PingOne Environment ID | The ID of your PingOne environment. |
| Region | The PingOne region to use in authentication requests. |
| Client credentials | Client ID and secret from your PingOne application. |
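The connector fields in the provider tables above (Okta domain and authorization server ID, Auth0 domain, Cognito region and user pool ID, Entra tenant ID, Keycloak server URL and realm, OneLogin subdomain, PingOne environment ID and region) are enough to locate each IDP's OpenID Connect discovery document, and that document lists the grant types the server advertises, which is a quick way to confirm that the grants behind the methods you enabled exist before clicking Test. The following Go program is an added example, not code from this page or from Mosaic: it derives the discovery URL from those fields and checks a constructed discovery document for the grants the selected methods need. The provider keys, the method-to-grant mapping, the Keycloak path (17+, no legacy /auth prefix), the OneLogin OIDC v2 path and the PingOne regional hosts are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ConnectorFields holds the provider-specific values from the connector tables.
type ConnectorFields struct {
	Domain     string // Okta/Auth0 domain, OneLogin subdomain host, or Keycloak server URL
	AuthServer string // Okta authorization server ID ("default" when empty)
	Region     string // AWS region (Cognito) or PingOne region: na, eu, asia, ca
	UserPoolID string // Cognito user pool ID
	TenantID   string // Entra tenant ID
	Realm      string // Keycloak realm name
	EnvID      string // PingOne environment ID
}

const wellKnown = "/.well-known/openid-configuration"

// DiscoveryURL builds the OIDC discovery URL for a provider from its connector fields.
// Assumed: Keycloak 17+ paths (no /auth prefix), OneLogin OIDC v2, PingOne regional hosts.
func DiscoveryURL(provider string, f ConnectorFields) (string, error) {
	switch strings.ToLower(provider) {
	case "okta":
		as := f.AuthServer
		if as == "" { as = "default" }
		return "https://" + f.Domain + "/oauth2/" + as + wellKnown, nil
	case "auth0":
		return "https://" + f.Domain + wellKnown, nil
	case "cognito":
		return "https://cognito-idp." + f.Region + ".amazonaws.com/" + f.UserPoolID + wellKnown, nil
	case "entra":
		return "https://login.microsoftonline.com/" + f.TenantID + "/v2.0" + wellKnown, nil
	case "keycloak":
		return strings.TrimRight(f.Domain, "/") + "/realms/" + f.Realm + wellKnown, nil
	case "onelogin":
		return "https://" + f.Domain + "/oidc/2" + wellKnown, nil
	case "pingone":
		hosts := map[string]string{"na": "auth.pingone.com", "eu": "auth.pingone.eu", "asia": "auth.pingone.asia", "ca": "auth.pingone.ca"}
		if h, ok := hosts[strings.ToLower(f.Region)]; ok {
			return "https://" + h + "/" + f.EnvID + "/as" + wellKnown, nil
		}
		return "", fmt.Errorf("unknown PingOne region %q", f.Region)
	}
	return "", fmt.Errorf("unsupported provider %q", provider)
}

// requiredGrant maps a method, optionally qualified as "provider/method", to the grant the
// IDP must advertise: Okta's TOTP step uses the Interaction Code grant, Keycloak's TOTP step
// rides on the direct (password) grant, and Cognito's OTP sign-in is not an OAuth2 grant at all.
var requiredGrant = map[string]string{
	"oidc": "authorization_code", "password": "password",
	"okta/totp": "interaction_code", "keycloak/totp": "password",
}

// RequiredGrant tries the provider-specific entry first, then the generic one.
func RequiredGrant(provider, method string) (string, bool) {
	provider, method = strings.ToLower(provider), strings.ToLower(method)
	if g, ok := requiredGrant[provider+"/"+method]; ok {
		return g, true
	}
	g, ok := requiredGrant[method]
	return g, ok
}

// MissingGrants returns the grants the selected methods need that the discovery document
// does not list. An advertised grant is only a precondition (the client must still have it
// enabled), and some providers omit grants they accept, so a miss means "check the docs".
func MissingGrants(provider string, doc []byte, methods []string) ([]string, error) {
	var md struct{ Grants []string `json:"grant_types_supported"` }
	if err := json.Unmarshal(doc, &md); err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, g := range md.Grants {
		have[g] = true
	}
	missing := []string{}
	for _, m := range methods {
		if g, ok := RequiredGrant(provider, m); ok && !have[g] {
			missing = append(missing, g)
		}
	}
	return missing, nil
}

// SampleMetadata is a constructed discovery document (not fetched from any tenant) for an
// authorization server that does not advertise the Interaction Code grant.
const SampleMetadata = `{"issuer": "https://your-org.okta.com/oauth2/default",
 "grant_types_supported": ["authorization_code", "refresh_token", "password"]}`

func main() {
	u, _ := DiscoveryURL("okta", ConnectorFields{Domain: "your-org.okta.com"})
	missing, _ := MissingGrants("okta", []byte(SampleMetadata), []string{"oidc", "password", "totp"})
	fmt.Println(u, missing) // the Okta discovery URL, then [interaction_code]
}
```

Fetch the URL with curl or any HTTP client and pass the response body to MissingGrants. A grant the server advertises still has to be enabled on the specific application or client, and a realm-level document such as Keycloak's does not reflect per-client settings, so a clean result is a precondition for the connector's Test button, not a substitute for it.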
Mosaic supports OIDC authentication with Google, enabling Sign in with Google in your journeys.
In the Google Cloud Console, create an OAuth 2.0 client (type: Web application). Add the redirect URI from your application's client settings to the Authorized redirect URIs.
| Field | Value |
|---|---|
| OAuth 2.0 Client Credentials | Client ID and secret from your Google OAuth 2.0 client. |
Mosaic supports OIDC authentication with Meta, enabling social login with Facebook accounts in your journeys.
In Meta for Developers, create an app and configure the Facebook Login product. Add the redirect URI from your application's client settings to the Valid OAuth Redirect URIs.
| Field | Value |
|---|---|
| OAuth 2.0 Client Credentials | App ID and App Secret from your Meta application. |
| API version | API version to use for the Meta integration. |
Mosaic supports OIDC authentication with Apple, enabling Sign in with Apple in your journeys.
In the Apple Developer portal, create a Services ID for Sign in with Apple. Add the redirect URI from your application's client settings to the Return URLs. You also need a private key to generate the client secret.
| Field | Value |
|---|---|
| OAuth 2.0 Client Credentials | Services ID (used as Client ID) and the generated client secret. |
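Apple does not hand out a static client secret: the value entered as the client secret is a short-lived JWT that you sign yourself with the private key from the Apple Developer portal, using ES256 with iss set to your Team ID, sub to the Services ID, aud to https://appleid.apple.com and kid to the Key ID, and valid for at most six months. The following Go program is an added example, not code from this page or from Mosaic, that produces such a secret and self-verifies it before it is pasted into the connector. The Team ID, Key ID and Services ID values are placeholders, and the key it generates stands in for the .p8 file you download.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AppleMaxSecretLifetime is the longest validity Apple accepts for a client secret
// (15777000 seconds, about six months); appleAudience is the fixed JWT audience.
const AppleMaxSecretLifetime = 15777000 * time.Second
const appleAudience = "https://appleid.apple.com"

// AppleSecretParams are the identifiers from the Apple Developer portal; the values
// used in main are placeholders, not real identifiers.
type AppleSecretParams struct {
	TeamID     string        // Apple Developer Team ID (JWT iss)
	KeyID      string        // Key ID of the Sign in with Apple private key (JWT kid)
	ServicesID string        // Services ID, used as the OAuth client_id (JWT sub)
	Lifetime   time.Duration // validity of the generated secret
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppleClientSecret builds the ES256 JWT that stands in for a static client secret:
// iss = Team ID, sub = Services ID, aud = Apple's issuer, kid = Key ID, signed with the key.
func AppleClientSecret(p AppleSecretParams, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	if p.Lifetime <= 0 || p.Lifetime > AppleMaxSecretLifetime {
		return "", fmt.Errorf("lifetime must be positive and at most %v", AppleMaxSecretLifetime)
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": p.KeyID})
	claims, _ := json.Marshal(map[string]any{
		"iss": p.TeamID, "sub": p.ServicesID, "aud": appleAudience,
		"iat": now.Unix(), "exp": now.Add(p.Lifetime).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyAppleClientSecret checks the signature and identity claims of a generated secret
// against the matching public key, as a self-test before pasting it into the connector.
func VerifyAppleClientSecret(token string, pub *ecdsa.PublicKey, p AppleSecretParams) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != p.TeamID || claims["sub"] != p.ServicesID || claims["aud"] != appleAudience {
		return nil, errors.New("claims do not match the expected Team ID, Services ID and audience")
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key standing in for the .p8 file
	p := AppleSecretParams{TeamID: "TEAMID0000", KeyID: "KEYID00000", ServicesID: "com.example.signin", Lifetime: 24 * time.Hour}
	secret, err := AppleClientSecret(p, key, time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := VerifyAppleClientSecret(secret, &key.PublicKey, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("client secret verifies; exp =", int64(claims["exp"].(float64)))
}
```

To use the real key, decode the .p8 file's PEM block with encoding/pem, parse it with x509.ParsePKCS8PrivateKey and assert the result to *ecdsa.PrivateKey. The generated JWT is a credential in its own right and expires, so keep the .p8 file in a secrets store, regenerate the secret before the exp you chose, and update the connector's client secret at the same time; a secret that has lapsed shows up as Sign in with Apple failing at the token exchange.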
Once configured, use the connector in your migration journey. See Set up JIT migration for a step-by-step guide.