Manage SSO authentication policy

When you implement SSO, you can customize the behavior and appearance of the supported authentication methods (SSO Service > Authentication policy).

Passkey

The Passkey settings enable you to configure the WebAuthn for your SSO Service. For Relying party ID, add Mosaic's default SSO domain sso-app.transmitsecurity.io. This is the domain to which WebAuthn credentials are registered and used to authenticate. By default, Mosaic will accept any origin that matches this domain, which includes all subdomains.

To restrict usage to specific subdomains, you can toggle the Relying Party Origins and add one or more subdomains of the Relying Party ID. Define subdomains based on your implementation:

# Export the signing certificate in DER format, hash, base64 encode, trim  '=' and url encode

keytool -exportcert -alias <your-keystore-alias> -keystore <your-keystore> | openssl sha256 -binary | openssl base64 | sed 's/=//g'| sed s/\\+/-/g | sed s/\\//_/g | sed -E s/=+$//

private String getFacetID(Context aContext) {
   try {
       PackageInfo info = aContext.getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);
       byte[] cert = info.signatures[0].toByteArray();
       InputStream input = new ByteArrayInputStream(cert);
       CertificateFactory cf = CertificateFactory.getInstance("X509");
       X509Certificate c = (X509Certificate) cf.generateCertificate(input);
       MessageDigest md = MessageDigest.getInstance("SHA256");
       return "android:apk-key-hash:" +
               Base64.encodeToString(md.digest(c.getEncoded()), Base64.DEFAULT | Base64.NO_WRAP | Base64.NO_PADDING | Base64.URL_SAFE);
   }
   catch (PackageManager.NameNotFoundException e) {
       e.printStackTrace();
   }
   catch (CertificateException e) {
       e.printStackTrace();
   }
   catch (NoSuchAlgorithmException e) {
       e.printStackTrace();
   }
   return null;
}

Passwords

The password settings enable you to define your app's password policy:

• Complexity : configure the strength of your password policy by selecting from a list of requirements including uppercase and lowercase letters, special characters, numbers, and more. The system guides as you navigate the complexity options.
• Expiration time : manage the password expiration option and, if needed, set the password expiration period in days.
• Reuse of recent passwords : allow or prevent the reuse of recent passwords.
• Failed attempts lockout policy : set the number of failed login attempts that trigger a temporary user lockout and specify the lockout duration in minutes.
• Reset policy : set the reset link expiration period in minutes, the length of the reset OTP, and the option to require MFA for password resets.
• Temporary password : Set the validity period for temporary passwords in hours.

Additionally, you can customize the appearance of the Reset password email by choosing a custom color to apply to buttons and dynamic content such as email addresses.

Email magic links

The email magic links settings enable you to:

• define the email magic link validity period in minutes.
• customize the appearance of the Email template by selecting a custom color for buttons and dynamic content like email addresses.

One-time passcodes

The one-time passcodes configuration options enable you to establish your OTP policy, regardless the delivery method (email or SMS):

• Expiration time : set the OTP expiration period in minutes.
• Failed attempts lockout policy : set the number of failed login attempts that trigger a temporary user lockout and specify the lockout duration in minutes.
• Code length : set the length of the one time code.

The OTP emails section allows you to customize the appearance of OTP emails by selecting a custom color for buttons and dynamic content like email addresses. Additionally, you can preview the login, sign-up, and verification email templates.

TOTP

The TOTP settings enable you to customize the passcode token and the passcode validation experience. By default, the passcode includes 6 digits and changes every 30 seconds. You can adjust the passcode behavior, for example, set up a shorter rotation period or update the lockout duration in case the user entered the passcode incorrectly several times in a row.

Configuration settings control the logic how Mosaic manages the login procedure:

• Window : determines if the passcode can be used after a new passcode has been generated. This can be helpful in case a new code was generated while the user was inputting the old code, or if there are network delays. By default, Mosaic will accept a current code and also the previous code that was generated. If you want the user to input the code strictly within its token period, set the window to 0. To extend code validity for longer interval, increase the window setting up to 5.
• Display : defines the issuer.
• Lockout : specifies the number of failed attempts before Mosaic will lockout the user for a certain period of time.

Advanced settings affect token generation:

• Hash algorithm : the algorithm for code generation.
• Token digits : the number of digits in the code.
• Token period : how often the code changes. The default period is 30 seconds which means a new code is generated every 30 seconds. Token period is used together with the window to determine if the code is valid.