This describes how to implement member login for a business-to-business (B2B) application. To learn more about B2B authentication, see How B2B auth works.
Before you start implementing member login, you'll need an application configured in Transmit. If you don't already have one, create an application.
Organizations represent your business customers or partners. They're created on the tenant level, and then assigned to one or more applications. Create an organization from the Admin Portal (Identity management > Organizations) with:
- Organization name: Name that represents your business customer or partner
- Domain: Domain used during authentication along with the member's email address to determine the organization (if it isn't explicitly specified in the request)
- Applications: Which applications the organization members can access
Your application can authenticate members in various ways—such as using WebAuthn biometrics, email magic links, OTP, password, or SSO using the organization's identity provider.
Implement member authentication using any of these integration options:
- Integrate Transmit authentication APIs — either using a redirect-based, backend, or OIDC integration
- Add support for SSO via the organization's OIDC or SAML identity provider
- Implement Transmit’s hosted login experience, which also supports SSO
The organization can be specified in the authentication request using the org_id parameter. If unspecified, the organization is determined by the domain of the member's email address.
- For the hosted login experience, the user can choose the organization but only after authenticating. If they've previously logged in to another organization, they will first authenticate for that organization; otherwise, they will perform a regular app authentication.
Transmit offers a dedicated self-serve portal that allows organization admins to manage their own memberships. This portal is available at the domain configured in the application settings of the tenant Admin Portal (from the Applications page) using the Org Admin portal domain field. The portal URL has the following format
[your-choice] is the value you configure in the settings.
Once the domain is configured, a tenant admin must manually add the first admin via the Organization Admin Portal. This is done by adding a member (Members page) and assigning them the Organization admin role. This organization admin can then add additional organization admins as needed.
The organization can invite members manually from the Organization Admin Portal (Members page) by specifying the member's email or phone, and assigning them the role of Organization member.
There's also an option to send an email invitation to the member to join the organization. To support this flow, the tenant admin must configure the URL to redirect to when the member clicks the email invitation link (configured from the Application URI for inviting members field in the application settings) and optionally, can configure the expiration of this link. If the organization admin wants to use an email invitation flow, they can select Send invitation to user when creating the member.
Members can be automatically created upon their first SSO login if SSO is supported and public sign up is enabled for the application. However, if the app also supports member authentication using Transmit methods, enabling public sign up would also allow anyone to self-register as a member of any organization that isn't configured for SSO.
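The following is an added illustration (not Transmit's code) of the two rules above: resolving the organization from an explicit org_id or, failing that, from the member's email domain, while checking that the organization is assigned to the application, and gating automatic member creation so that public sign up only creates members for SSO logins to SSO-enabled organizations. The organization directory, ids and domains are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (not Transmit data): each organization has an id,
# the email domain used to match members, the applications it is assigned to,
# and whether its members authenticate via the organization's own SSO provider.
@dataclass(frozen=True)
class Organization:
    org_id: str
    domain: str
    applications: frozenset
    sso_enabled: bool = False

ORGS = {
    "org_acme": Organization("org_acme", "acme.example", frozenset({"app_portal"}), sso_enabled=True),
    "org_beta": Organization("org_beta", "beta.example", frozenset({"app_portal", "app_admin"})),
}
BY_DOMAIN = {org.domain: org for org in ORGS.values()}

def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a well-formed address, else None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def resolve_organization(app_id: str, email: str, org_id: Optional[str] = None) -> Optional[Organization]:
    """Explicit org_id wins; otherwise the email domain decides.
    Organizations not assigned to this application are rejected."""
    if org_id is not None:
        org = ORGS.get(org_id)
    else:
        domain = email_domain(email)
        org = BY_DOMAIN.get(domain) if domain else None
    if org is None or app_id not in org.applications:
        return None
    return org

def may_auto_create_member(org: Organization, public_signup: bool, via_sso: bool) -> bool:
    """Auto-create on first login only for SSO logins to SSO organizations.
    Otherwise public sign up would let anyone join a non-SSO organization,
    so those members must be invited by an organization admin instead."""
    return public_signup and org.sso_enabled and via_sso
```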
Once you've completed the basic setup, here are some additional steps you can take.
You can manage your organizations via the Admin Portal (Identity Management > Organizations) or Organization APIs. The organization itself can manage their membership using the Organization Admin Portal.
You can add support for role-based access controls to allow organizations to manage a member's access to the application based on their role in the organization (see Manage access by roles).