Manage SSO authentication policy

When you implement SSO, you can customize the behavior and appearance of the supported authentication methods (SSO Service > Authentication policy).

Passkey

The Passkey settings enable you to configure WebAuthn for your SSO Service. For Relying party ID, add Mosaic's default SSO domain, sso-app.transmitsecurity.io. This is the domain to which WebAuthn credentials are registered and against which they are used to authenticate. By default, Mosaic accepts any origin that matches this domain, which includes all subdomains.

To restrict usage to specific subdomains, you can toggle the Relying Party Origins and add one or more subdomains of the Relying Party ID. Define subdomains based on your implementation:

Web Origins

To specify web origins, toggle the Relying Party Origins and, for Web Origins, provide the full URL.

Mobile Origins

iOS

To specify iOS mobile origins, toggle the Relying Party Origins and, for Mobile origins, use ios:bundle-id:YOUR_APP_BUNDLE_ID, where YOUR_APP_BUNDLE_ID is your iOS app's unique identifier. This is the origin that will be provided when requesting passkey registration and authentication.

Android

To specify Android mobile origins, toggle the Relying Party Origins and, for Mobile origins, use android:apk-key-hash:YOUR_APK_KEY_HASH, where YOUR_APK_KEY_HASH is the base64url-encoded SHA-256 hash of your APK signing certificate. This is the origin that will be provided when requesting passkey registration and authentication.

To obtain the APK key hash, you can use one of the following methods:

Command line

# Export the signing certificate in DER format, SHA-256 hash it, then base64url encode it without padding
keytool -exportcert -alias <your-keystore-alias> -keystore <your-keystore> \
  | openssl sha256 -binary | openssl base64 | tr -d '=' | tr '+/' '-_'

Android native code

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.Base64;

// Returns this app's WebAuthn origin: "android:apk-key-hash:" followed by the
// base64url (no padding) SHA-256 of the APK signing certificate, or null on failure.
private String getFacetID(Context aContext) {
    try {
        PackageInfo info = aContext.getPackageManager().getPackageInfo(
                aContext.getPackageName(), PackageManager.GET_SIGNATURES);
        byte[] cert = info.signatures[0].toByteArray();
        InputStream input = new ByteArrayInputStream(cert);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate c = (X509Certificate) cf.generateCertificate(input);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return "android:apk-key-hash:" + Base64.encodeToString(md.digest(c.getEncoded()),
                Base64.NO_WRAP | Base64.NO_PADDING | Base64.URL_SAFE);
    } catch (PackageManager.NameNotFoundException | CertificateException | NoSuchAlgorithmException e) {
        e.printStackTrace();
        return null;
    }
}
TIP

For testing and development, configure the login method for your local environment by setting the RP ID to localhost and the RP origin to http://localhost:(PORT) (e.g., http://localhost:1234).
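The origin rules described above (default: any origin under the Relying Party ID, subdomains included; with Relying Party Origins toggled on: only the listed web and mobile origins), modelled as a small validation routine. This is an added illustration, not Mosaic's own code; the RP ID is the default SSO domain named above, and the bundle ID and origins in the usage are constructed values.

```python
from __future__ import annotations
from typing import Optional, List
from urllib.parse import urlsplit

# The default SSO domain from the page; the other values used with it below are constructed.
RP_ID = "sso-app.transmitsecurity.io"
MOBILE_PREFIXES = ("ios:bundle-id:", "android:apk-key-hash:")


def host_under_rp_id(origin: str, rp_id: str) -> bool:
    """Web origin check: scheme://host[:port] whose host is rp_id or a subdomain of it.

    https is required, except for the http://localhost:(PORT) development case from the TIP."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # an origin carries no path, query or fragment
    if parts.scheme != "https" and not (parts.scheme == "http" and host == "localhost"):
        return False
    return host == rp_id or host.endswith("." + rp_id)


def origin_allowed(origin: str, rp_id: str, relying_party_origins: Optional[List[str]] = None) -> bool:
    """relying_party_origins=None models the default policy: every web origin under rp_id.

    A list models the Relying Party Origins toggle: only listed web origins (which must still
    be under rp_id, as the page requires subdomains of the RP ID) and listed mobile origins."""
    if origin.startswith(MOBILE_PREFIXES):
        # Mobile origins are only ever known through the toggle's list (assumption of this model).
        return relying_party_origins is not None and origin in relying_party_origins
    if not host_under_rp_id(origin, rp_id):
        return False
    return relying_party_origins is None or origin in relying_party_origins


if __name__ == "__main__":
    restricted = ["https://login.sso-app.transmitsecurity.io", "ios:bundle-id:com.example.app"]
    print(origin_allowed("https://login.sso-app.transmitsecurity.io", RP_ID))             # default
    print(origin_allowed("https://other.sso-app.transmitsecurity.io", RP_ID, restricted))  # toggled
```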

Passwords

The password settings enable you to define your app's password policy:

  • Complexity : configure the strength of your password policy by selecting from a list of requirements including uppercase and lowercase letters, special characters, numbers, and more. The system guides you as you navigate the complexity options.
  • Expiration time : manage the password expiration option and, if needed, set the password expiration period in days.
  • Reuse of recent passwords : allow or prevent the reuse of recent passwords.
  • Failed attempts lockout policy : set the number of failed login attempts that trigger a temporary user lockout and specify the lockout duration in minutes.
  • Reset policy : set the reset link expiration period in minutes, the length of the reset OTP, and the option to require MFA for password resets.
  • Temporary password : set the validity period for temporary passwords in hours.

Additionally, you can customize the appearance of the Reset password email by choosing a custom color to apply to buttons and dynamic content such as email addresses.

Email magic links

The email magic links settings enable you to:

  • define the email magic link validity period in minutes.
  • customize the appearance of the Email template by selecting a custom color for buttons and dynamic content like email addresses.
NOTE

The From field uses the Application name specified in the app settings as the email sender. It cannot be modified.

One-time passcodes

The one-time passcodes configuration options enable you to establish your OTP policy, regardless of the delivery method (email or SMS):

  • Expiration time : set the OTP expiration period in minutes.
  • Failed attempts lockout policy : set the number of failed login attempts that trigger a temporary user lockout and specify the lockout duration in minutes.
  • Code length : set the length of the one-time code.

The OTP emails section allows you to customize the appearance of OTP emails by selecting a custom color for buttons and dynamic content like email addresses. Additionally, you can preview the login, sign-up, and verification email templates.

TOTP

The TOTP settings enable you to customize the passcode token and the passcode validation experience. By default, the passcode includes 6 digits and changes every 30 seconds. You can adjust the passcode behavior, for example, set up a shorter rotation period or update the lockout duration in case the user entered the passcode incorrectly several times in a row.

Configuration settings control how Mosaic manages the login procedure:

  • Window : determines whether a passcode can still be used after a new passcode has been generated. This helps when a new code was generated while the user was entering the old one, or when there are network delays. By default, Mosaic accepts the current code and also the previous code that was generated. If you want the user to enter the code strictly within its token period, set the window to 0. To extend code validity over a longer interval, increase the window setting up to 5.
  • Display : defines the issuer.
  • Lockout : specifies the number of failed attempts before Mosaic locks out the user for a certain period of time.

Advanced settings affect token generation:

  • Hash algorithm : the algorithm for code generation.
  • Token digits : the number of digits in the code.
  • Token period : how often the code changes. The default period is 30 seconds, which means a new code is generated every 30 seconds. The token period is used together with the window to determine whether a code is valid.
Important

Before changing advanced settings, verify which authenticator apps support this configuration and instruct your users to use them. If you pass the secret as a code for inputting it manually instead of presenting a QR code, your users might need to manually configure their authenticator app to match the configuration. These instructions should be presented on a dedicated page, see Login with TOTP.
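How the Window, Token period, Token digits and Hash algorithm settings interact during validation, shown with a standard RFC 6238 TOTP implementation and the otpauth key URI that carries those settings to an authenticator app. This is an added example, not Mosaic's code; the secret is RFC 6238's published test secret so the outputs can be checked against the RFC's vectors, and the issuer and account name are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# RFC 6238's published test secret (ASCII "12345678901234567890"), used only so the
# outputs match the RFC's vectors; never use a known secret outside a test.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of whole periods since the epoch."""
    return hotp(secret, now // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, period: int = 30,
                digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept the current code and up to `window` earlier codes, as the Window setting describes.

    window=0 means the code must be used within its own token period; window=1 (the default
    behaviour described on the page) also accepts the previous code. Codes are compared in
    constant time so the result does not leak how many digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    current = now // period
    return any(hmac.compare_digest(hotp(secret, step, digits, algorithm), code)
               for step in range(current - window, current + 1))


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6,
                     period: int = 30, algorithm: str = "sha1") -> str:
    """otpauth:// key URI (the QR-code payload): it carries the advanced settings, so an
    authenticator app that supports them generates codes that match the policy."""
    params = {"secret": base64.b32encode(secret).decode().rstrip("="), "issuer": issuer,
              "algorithm": algorithm.upper(), "digits": digits, "period": period}
    return "otpauth://totp/" + quote(issuer) + ":" + quote(account) + "?" + urlencode(params)
```

A code generated at second 59 (period 1) is still accepted at second 61 (period 2) with window 1, but rejected with window 0; with a non-default period, digit count or algorithm, the same values must reach the authenticator via the key URI or manual setup.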