Migrating to Mosaic from another authentication provider is designed to be seamless and secure. Whether you're transitioning from legacy systems or established identity providers like Okta, Auth0, Azure AD, or AWS Cognito, Mosaic supports flexible migration strategies that minimize disruption for your users.
There are two primary ways to migrate users to Mosaic, depending on your requirements:
Full migration: Transition entirely from your current provider to Mosaic, moving all user data, credentials, and roles. This approach is ideal when you want to fully replace your existing identity solution.
Just-In-Time (JIT) migration: Migrate users gradually as they authenticate. When a user logs in, Mosaic validates their credentials against your existing IDP and automatically creates or updates their Mosaic profile. This approach allows for a smooth transition without requiring downtime or bulk data exports.
Mosaic supports multiple authentication methods for JIT migration, allowing you to validate users against your existing identity provider:
| Method | Description |
|---|---|
| Password authentication | Validates username/password credentials directly against your existing IDP using ROPC (Resource Owner Password Credentials). |
| Email OTP authentication | Sends and verifies email one-time passcodes through your existing IDP. |
| SMS OTP authentication | Sends and verifies SMS one-time passcodes through your existing IDP. |
| TOTP authentication | Validates time-based one-time passcodes generated in the user's authenticator app against your existing IDP. |
| OIDC redirect | Redirects users to your existing IDP for authentication using the OIDC Authorization Code flow. |
Mosaic's Integration Hub provides pre-built connectors for major identity providers. Journeys expose only the authentication methods an IDP supports.
| Provider | OIDC | Password | Email OTP | SMS OTP | TOTP |
|---|---|---|---|---|---|
| Okta | ✓ | ✓ | – | – | ✓ |
| Auth0 | ✓ | ✓ | – | – | – |
| AWS Cognito | ✓ | ✓ | ✓ | ✓ | – |
| Microsoft Entra ID | ✓ | ✓ | – | – | – |
| Keycloak | ✓ | ✓ | – | – | ✓ |
| OneLogin | ✓ | ✓ | – | – | – |
| Ping Identity | ✓ | ✓ | – | – | – |
| ✓ | – | – | – | – | |
| Meta (Facebook) | ✓ | – | – | – | – |
| Apple | ✓ | – | – | – | – |
Currently, user migration doesn't provision user roles and groups.
Consider the following when planning your migration:
- Timeline: JIT migration happens gradually as users log in. Plan for a transition period where both systems may be active.
- Authenticator registration: Decide whether to prompt users to register new authenticators immediately or during subsequent logins.
- Data synchronization: Determine which user attributes to migrate and how to handle data that may exist in both systems.
- Rollback strategy: Maintain your existing IDP during the transition period to ensure you can roll back if needed.