Set up JIT migration

This guide walks you through the process of migrating users from your existing identity provider to Mosaic using Just-In-Time (JIT) migration.

How it works

When a user requests to log in, the client invokes a journey that collects user input (for example, user credentials for password authentication or an email address for OTP). Mosaic then uses this input to authenticate the user in the external IDP. If authentication succeeds, Mosaic creates a user record and signals to the client that the user has logged in.

[Sequence diagram. Participants: User, Client, Mosaic, Source IDP. Messages: Log in; startJourney(); Collect data; User input data; Submit data; Authenticate user; Auth successful; Create/update user in Mosaic; Logged in.]
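
The flow above, modelled as an added example (not Mosaic's code or API): `SOURCE_IDP`, `ATTRIBUTE_MAP`, `source_idp_authenticate` and `jit_login` are hypothetical names, and the directory contents are constructed. It shows that a failed source-IDP check provisions nothing, that only mapped attributes are stored, and that attributes missing from the schema mapping surface as `unmapped`.

```python
import hashlib
import hmac


def _kdf(password):
    # Constructed salt and parameters, for the simulation only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)


# Constructed stand-in for the source IDP's directory (not a real IDP API).
SOURCE_IDP = {
    "alice@example.com": {
        "pw_hash": _kdf("correct horse battery"),
        "profile": {"given_name": "Alice", "loyalty_tier": "gold", "legacy_flag": "y"},
    },
}
_DUMMY_HASH = _kdf("placeholder")

# Hypothetical source-to-target attribute mapping (the outcome of schema mapping).
ATTRIBUTE_MAP = {"given_name": "first_name", "loyalty_tier": "custom_loyalty_tier"}


def source_idp_authenticate(username, password):
    """Simulated credential check in the source IDP; returns the profile or None."""
    record = SOURCE_IDP.get(username)
    # Unknown users are compared against a dummy hash so both paths cost the same.
    expected = record["pw_hash"] if record else _DUMMY_HASH
    matches = hmac.compare_digest(_kdf(password), expected)
    if record is None or not matches:
        return None
    return dict(record["profile"])


def jit_login(username, password, target_users):
    """One JIT login: authenticate in the source IDP, then create/update the user."""
    profile = source_idp_authenticate(username, password)
    if profile is None:
        # Failed authentication must not provision anything in the target store.
        return {"logged_in": False, "migrated": False, "unmapped": []}
    mapped = {ATTRIBUTE_MAP[k]: v for k, v in profile.items() if k in ATTRIBUTE_MAP}
    unmapped = sorted(k for k in profile if k not in ATTRIBUTE_MAP)
    created = username not in target_users
    # Only mapped profile attributes are stored; the password never reaches the target.
    target_users.setdefault(username, {}).update(mapped)
    return {"logged_in": True, "migrated": created, "unmapped": unmapped}
```

A non-empty `unmapped` list on a successful login is the signal that the target user schema still lacks an attribute the source IDP returns.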

Before you start

If this is your first time integrating with Mosaic, create an application in the Admin Portal as described here.

Step 1: Configure your source IDP

Once you have decided on the authentication method, configure your existing IDP:

  • For password or OTP authentication: Enable API access or ROPC (Resource Owner Password Credentials) flow in your IDP settings. Generate API credentials or keys that Mosaic will use to validate user credentials.
  • For OIDC redirect: Register Mosaic as an OAuth/OIDC client in your source IDP. Configure redirect URIs pointing to Mosaic.
  • For SAML redirect: Register Mosaic as a Service Provider (SP) in your source IDP. Configure the assertion consumer service URL.

Step 2: Connect your existing IDP

Configure your existing identity provider in Mosaic's Integration Hub. This establishes connectivity using standard protocols and prepares your IDP for user validation during migration.

  1. Navigate to Admin Portal > Integration Hub > External IDP.
  2. Select your identity provider from the available connectors.
  3. Enable the authentication methods.
  4. Configure the connector settings (client credentials, endpoints, etc., obtained in Step 1); these vary per IDP and authentication method.
  5. Enable the connector.

For more, see Connect external IDP.

Step 3: Map user schema

Before migrating users, ensure Mosaic can store the user data from your existing IDP:

  1. Explore the user schema in your existing IDP to identify the attributes and identifiers you need to migrate.
  2. Review the default Mosaic user schema to understand which attributes are supported out of the box.
  3. If your IDP uses custom attributes or identifiers not available in Mosaic by default, customize the user schema to add them.

Step 4: Build your migration journey

Use journeys to create authentication flows that validate users against your existing IDP (Admin Portal > B2C Identity or B2B Identity > Journeys). Migration-specific journey steps handle credential validation and user provisioning automatically.

  1. Create a new journey for user migration.
  2. Collect user input with the Collect information journey step.
  3. Add the appropriate migration step for your source IDP and your chosen authentication method, for example Auth0 Password Authentication or Apple. Configure this step with your IDP connection details.
  4. Add a Create user step to provision the user in Mosaic.

Note

Implement the client-side code in your app accordingly. See SDK quickstarts for Web, Android, and iOS.

Step 5: Register new authenticators (optional)

After successful migration, prompt users to register modern authenticators like passkeys or PIN for enhanced security. This can be done within the same journey or during a subsequent login.

To add authenticator registration to your migration journey:

  1. After the user is provisioned, add a registration step such as:
  2. Configure the step to guide users through the registration process.
  3. Optionally, allow users to skip registration and complete it later.

Next steps