Login members into B2B apps
This describes how to implement member login for a business-to-business (B2B) application. To learn more about B2B authentication, see How B2B auth works.
Before you start
Before you start implementing member login, you'll need an application configured in Mosaic. If you don't already have one, create an application.
Step 1: Create organizations
Organizations represent your business customers or partners. They're created on the tenant level, and then assigned to one or more applications. Create an organization from the Admin Portal (Identity management > Organizations) with:
- Organization name : Name that represents your business customer or partner
- Domain : Email domain matched against the member's email address during authentication to determine the organization, when the organization isn't explicitly specified in the request
- Applications : Which applications the organization members can access
Step 2: Implement authentication
Your application can authenticate members in various ways—such as using WebAuthn biometrics, email magic links, OTP, password, or SSO using the organization's identity provider.
Implement member authentication using any of these integration options:
- Integrate Mosaic authentication APIs, either using a redirect-based, backend, or OIDC integration
- Add support for SSO via the organization's OIDC or SAML identity provider
- Implement Transmit's hosted login experience, which also supports SSO
Note
- The organization can be specified in the authentication request using the org_id parameter. If unspecified, the organization is determined by the domain of the member's email address.
- For B2B hosted login implementations, there are several ways to determine the organization context and customize the login experience. See Manage B2B hosted login.
Step 3: Set up Organization Portal
Mosaic offers a dedicated self-serve portal that allows organization admins to manage their own memberships. This portal is available at the domain configured in the application settings of the tenant Admin Portal (from the Applications page) using the Org Admin portal domain field. The portal URL has the format https://[your-choice].org.transmitsecurity.io, where [your-choice] is the value you configure in the settings.
Once the domain is configured, a tenant admin must manually add the first admin via the Organization Admin Portal. This is done by adding a member (Members page) and assigning them the Organization admin role. This organization admin can then add additional organization admins as needed.
Step 4: Invite members
The organization can invite members manually from the Organization Admin Portal (Members page) by specifying the member's email or phone, and assigning them the role of Organization member.
There's also an option to send an email invitation to the member to join the organization. To support this flow, the tenant admin must configure the URL to redirect to when the member clicks the email invitation link (the Application URI for inviting members field in the application settings) and can optionally configure the expiration of this link. If the organization admin wants to use the email invitation flow, they select Send invitation to user when creating the member.
Note
Members can be created automatically on their first SSO login if the application supports SSO and public sign up is enabled. However, if the application also supports member authentication using Mosaic methods, enabling public sign up also lets users sign themselves up, without an invitation, to any organization that isn't configured for SSO, since the organization is chosen by the domain of their email address.
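A configuration check for the caveat above, as an added example (not Mosaic's own code): given the application's sign-up and authentication settings and the list of organizations, it reports which organizations a stranger with a matching email domain could join without an invitation. The setting and field names, and the sample data, are assumptions for illustration.

```python
"""Audit B2B organizations for self-enrollment exposure.

Added example, not Mosaic's own code. Field names are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class AppSettings:
    app_id: str
    public_signup: bool
    mosaic_methods: FrozenSet[str]   # e.g. {"password", "otp", "magic_link", "webauthn"}
    sso_supported: bool


@dataclass(frozen=True)
class OrgSettings:
    org_id: str
    domain: str
    sso_idp: Optional[str]           # None when no OIDC/SAML IdP is configured


def first_login_creates_member(app: AppSettings, org: OrgSettings, method: str) -> bool:
    """Whether a first-time login using `method` would auto-create a member.

    Intended case: SSO login into an SSO organization with public sign up on.
    Unintended case: a Mosaic method (password, OTP, ...) into an organization
    that has no SSO, which the same public sign up switch also allows.
    """
    if not app.public_signup:
        return False
    if method == "sso":
        return app.sso_supported and org.sso_idp is not None
    return method in app.mosaic_methods


def audit_self_enrollment(app: AppSettings, orgs: List[OrgSettings]) -> List[str]:
    """Return org_ids where anyone with an email in the organization's domain
    could enroll themselves: public sign up on, Mosaic methods on, no SSO."""
    if not app.public_signup or not app.mosaic_methods:
        return []
    return [o.org_id for o in orgs if o.sso_idp is None]


# Constructed sample configuration: one SSO organization, one without SSO.
SAMPLE_APP = AppSettings("app_portal", public_signup=True,
                         mosaic_methods=frozenset({"password", "otp"}), sso_supported=True)
SAMPLE_ORGS = [
    OrgSettings("org_acme", "acme.example", sso_idp="https://idp.acme.example/saml"),
    OrgSettings("org_globex", "globex.example", sso_idp=None),
]
```

If the audit returns anything, either disable public sign up and rely on invitations for those organizations, or restrict the application to SSO so that first-login provisioning only happens through the organization's own identity provider.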
Next steps
Once you've completed the basic setup, here are some additional steps you can take.
Manage organizations
You can manage your organizations via the Admin Portal (Identity Management > Organizations) or the Organization APIs. Organizations can manage their own membership using the Organization Admin Portal.
Add role-based access
You can add support for role-based access controls to allow organizations to manage a member's access to the application based on their role in the organization (see Manage access by roles).