This page is the detail for Setup overview — Step 2: Implement authentication.
Your application can authenticate members in many ways (WebAuthn, magic link, OTP, password, SSO, external IdP) — choose the integration model that fits your setup.
| Option | What this means | Docs |
|---|---|---|
| Mosaic SSO Service (recommended) | Mosaic coordinates sign-on for you using the SSO Service, journeys, and relying parties—the applications that trust that login. Choose this when you want a single, managed SSO setup rather than wiring everything by hand. Note: Does not support email magic link. For supported methods (for example, push and TOTP), see the SSO documentation. | Mosaic SSO & Federation |
| Mosaic APIs or journeys | You build your own screens and flow: Mosaic still runs the real authentication work—you call Mosaic APIs and/or define journeys for each step (password, OTP, WebAuthn, and so on). Note: Does not enable SSO by default—add it in the journey where required. Available methods depend on the journey steps you implement. | Journeys intro; B2B context in B2B in journeys |
| Hosted login | Users sign in on pages hosted by Mosaic. Your application connects using a normal OIDC integration. For B2B—how the organization is chosen and which screen appears first—see B2B hosted login experience below. Note: Does not cover OIDC/SAML IdP-only sign-in for an organization as the primary integration—use Organization’s external IdP and its guides for that. | Hosted login quick start |
| Organization’s external IdP | People from a given customer company sign in with that company’s own login (for example their corporate IdP), using OIDC or SAML. You configure this per organization in the Admin Portal so each customer can use their preferred provider. | Custom OIDC IDP (B2B), Federate with your SAML IdP |
Whatever option you use, the flow must resolve which organization the member belongs to:
- Hosted OIDC: org_id and email domain are described in Hosted login deployment.
- Journeys: use org context and steps such as Set organization in Org context (B2B).
- Mosaic-hosted B2B screens (which step users see first, org vs app): B2B hosted login experience below.
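The hosted OIDC case above leaves the relying party with one job before it redirects: work out which organization the member belongs to and pass that along with an otherwise standard authorization request. The following Python sketch is an added example, not code from Mosaic or this documentation. It assumes that the organization is passed as an org_id query parameter on the authorize request (the page names org_id but does not define the wire format, so treat the parameter placement as an assumption), uses placeholder endpoint and client values, and resolves the organization from the e-mail domain server-side using a constructed domain-to-organization table rather than trusting an org_id supplied by the browser. It also carries the standard PKCE and state protections and shows the check the app must do on the callback.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample mapping of verified e-mail domains to organization IDs.
# In a real deployment this comes from your own organization registry.
DOMAIN_TO_ORG = {
    "acme.example": "org_acme_placeholder",
    "globex.example": "org_globex_placeholder",
}

# Assumed endpoint and client settings (placeholders, not real Mosaic values).
AUTHORIZE_ENDPOINT = "https://idp.example/oidc/auth"
CLIENT_ID = "client_id_placeholder"
REDIRECT_URI = "https://app.example/callback"


def resolve_org_id(email: str) -> Optional[str]:
    """Derive the organization from the e-mail domain, server-side.

    Returns None for malformed addresses or unknown domains so the caller can
    fall back to the organization-first hosted screen instead of guessing.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return DOMAIN_TO_ORG.get(domain.lower())


def make_pkce_pair() -> Tuple[str, str]:
    """Generate a PKCE code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(email: str, state: str, challenge: str) -> Tuple[str, Optional[str]]:
    """Build the authorization-code request, adding org_id when the domain is known.

    Returns the URL and the resolved org_id (None means the hosted screens
    will have to ask for the organization first).
    """
    org_id = resolve_org_id(email)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if org_id is not None:
        params["org_id"] = org_id  # assumed parameter name; see lead-in
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), org_id


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app: state must match and a code must be present."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged login attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url, org = build_authorize_url("alice@acme.example", state, challenge)
    print("resolved org:", org)
    print("redirect to:", url)
```

The point of resolving the organization from the domain on the server is that the hosted screens then receive an org_id your application vouches for; if the domain is not one you recognise, omitting org_id and letting the organization-first screen handle it is safer than accepting whatever the client proposes.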
Hosted login supports B2B scenarios in which organization members sign in using Mosaic-hosted screens. At the application level, you configure the login flow, the branding and language, and the authentication methods. Each setting can later be overridden per organization (see Configure org roles & auth).
In Admin Portal > B2B Identity > Experience management, select your app from the dropdown at the top of the page and configure the initial login screen, the user identifier, the primary and secondary authentication methods, MFA, and the user information to collect.
The B2B-specific decision is the initial login screen: B2B flows need an organization context, so you choose whether members are asked to provide the organization first, the identifier first, or another supported combination. For step-by-step configuration, see Manage your hosted login experience.
In Admin Portal > B2B Identity > Experience management > Branding & language, customize the screen colors, the default and additional languages, and the default country code applied to the hosted screens for this app. For step-by-step configuration, see Brand your hosted login experience.
In Admin Portal > B2B Identity > Authentication methods, configure each authenticator's behavior and policy — for example password complexity and lockout, passkey relying-party settings, and OTP expiration. For step-by-step configuration, see Customize login methods.
Each of the settings above can be overridden per organization, and an organization can also federate sign-in with its own OIDC identity provider or SAML identity provider. Once an organization has its own override, later changes to the application default do not apply to that organization. See Configure org roles & auth.
The same applies to public sign-up: an organization can disable it for all its connected applications. See Configure B2B — Manage public sign-up.