
Launch SAML SSO with the Mosaic-hosted experience

Note

This page guides you through integrating your app with the Mosaic SSO Service using SAML, assuming you're using the Mosaic-hosted experience. If you're building your own SSO page, be sure to also read this guide.

When you integrate SSO using the Mosaic-hosted experience with SAML, your clients need to initiate a SAML authentication flow by redirecting users to the Mosaic SSO URL. This page provides an overview of how your system interacts with Mosaic during a SAML SSO flow, detailing the steps required to handle SAML assertions and complete the authentication process.

Before you start

Before you start the integration, you need to have the SSO Service and SSO journeys configured.

If you're using the Mosaic-hosted experience and want to customize its branding and styling to match your app's visual identity, see Manage styling for the Mosaic-hosted SSO experience.

How it works

Mosaic supports SAML for user authentication. Integrating SSO using the Mosaic-hosted experience involves redirecting users to Mosaic's SAML SSO URL, which initiates the SAML authentication process. This URL serves as the entry point for the SSO journey within Mosaic. Once the journey completes, Mosaic generates a SAML response and redirects it back to your Service Provider (SP). The SP then processes the SAML assertion and, upon successful validation, logs the user in. Mosaic handles the entire SAML flow, ensuring secure and seamless authentication. Mosaic APIs are shown in pink along with the relevant implementation steps.

[Sequence diagram: participants are the User, the Service Provider (SP), the IDP (Mosaic) and the Mosaic-hosted experience. Step 1: the user accesses a protected resource and the SP redirects to the SAML SSO URL. Step 2: Mosaic redirects to the hosted experience, which runs the journey logic and redirects back. Step 3: Mosaic generates and sends the SAML response, the SP verifies it, and the user is logged in.]

Initiate SSO login request

When a user attempts to access a protected resource (e.g., they click on a login button), the Service Provider (SP) initiates a SAML login request by redirecting the user to the SAML SSO URL provided by Mosaic (Step 1). Because this URL is configured in your SP's SAML client, the SAML request is sent to the Mosaic-hosted experience automatically when the user clicks the login button in your application. This starts the SSO journey in which the user is authenticated.

The SAML SSO URL is generated by Mosaic and can be found in SSO and Federation > Configuration > Clients Groups > SAML Client > SAML SSO URL. It will appear similar to https://sso-app.transmitsecurity.io/cis/v1/auth/saml/rL8T2NBI6MB-9t1P8CZ2c/signin.
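The following is an added example of what the SP side of Step 1 looks like when built by hand; it is not Mosaic's code and your SAML client library normally does this for you. It assumes the HTTP-Redirect binding (a raw-DEFLATE, base64-encoded AuthnRequest in the SAMLRequest query parameter) and that the response comes back by HTTP-POST to the ACS URL; whether Mosaic additionally expects the request to be signed is not stated on this page, so signing is omitted. The SP entity ID, the ACS URL and the `<client-id>` placeholder in the SSO URL are constructed values.

```python
import base64
import secrets
import zlib
from datetime import datetime
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Constructed values: the SSO URL follows the shape shown on the page with a placeholder
# client id; the SP entity ID and ACS URL are hypothetical.
MOSAIC_SAML_SSO_URL = "https://sso-app.transmitsecurity.io/cis/v1/auth/saml/<client-id>/signin"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"


def new_request_id() -> str:
    """Unpredictable request ID; the leading underscore keeps it a valid XML NCName."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Minimal SAML 2.0 AuthnRequest naming this SP as Issuer and asking for a POST response."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{escape(request_id)}" Version="2.0" '
        f'IssueInstant="{issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{escape(SP_ACS_URL)}">'
        f"<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, useful for inspecting what was actually sent."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(request_id: str, issue_instant: datetime, relay_state: str = None) -> str:
    """The URL the SP redirects the browser to in Step 1."""
    params = {"SAMLRequest": deflate_b64(build_authn_request(request_id, issue_instant))}
    if relay_state:
        params["RelayState"] = relay_state  # opaque; never put secrets or trusted state here
    return f"{MOSAIC_SAML_SSO_URL}?{urlencode(params)}"
```

Persist the request ID in the user's server-side session before redirecting: Step 3 must compare it against the InResponseTo value in the SAML response, which is what ties the assertion to a login this SP actually started.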

SSO login and response handling

Once redirected, the user is taken to the Mosaic-hosted experience, where they will be authenticated (Step 2). This experience processes the SAML request and executes the SSO login journey, which includes validating the user credentials.

After successful authentication, Mosaic generates a SAML response and redirects it to the ACS URL configured for your Service Provider (SP). The SP then processes and verifies the SAML response, extracting the necessary user information to grant access to the requested resource (Step 3).

Once the SAML response is successfully processed and verified, the user is logged in and granted access to the requested resource.
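As an added example (not Mosaic's or any SAML library's code), the validator below shows the checks an SP should apply in Step 3 before treating a SAML response as a login: status, exactly one assertion, signature, issuer, validity window and audience, bearer confirmation (Recipient and InResponseTo), and one-time use of the assertion ID. The XML-DSig verification itself is injected as a callback, because in a real deployment it comes from your SAML library checking against Mosaic's signing certificate; the IdP issuer, SP entity ID, ACS URL and the sample response are constructed values, and the sample is unsigned.

```python
import base64
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class SamlValidationError(Exception):
    """Any failed check: the SP must not log the user in."""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 ending in 'Z'; fractional seconds are optional.
    if not value.endswith("Z"):
        raise SamlValidationError(f"non-UTC timestamp: {value}")
    return datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


class ResponseValidator:
    def __init__(self, sp_entity_id, acs_url, idp_issuer, verify_signature, skew=timedelta(seconds=60)):
        self.sp_entity_id, self.acs_url, self.idp_issuer, self.skew = sp_entity_id, acs_url, idp_issuer, skew
        # verify_signature(assertion_element) -> bool is your SAML library's XML-DSig check
        # against the IdP certificate; it is plugged in here rather than reimplemented.
        self.verify_signature = verify_signature
        self._seen_assertion_ids = set()  # replay cache; use a shared store across instances in production

    def validate(self, response_b64: str, expected_request_id: str, now: datetime) -> dict:
        root = ET.fromstring(base64.b64decode(response_b64))
        if root.tag != f"{{{NS['samlp']}}}Response":
            raise SamlValidationError("not a samlp:Response")
        if root.get("Destination") not in (None, self.acs_url):
            raise SamlValidationError("Destination is not our ACS URL")
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != STATUS_SUCCESS:
            raise SamlValidationError("IdP did not report success")
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:  # reject zero, and reject several (extra assertions are a classic smuggling vector)
            raise SamlValidationError("expected exactly one assertion")
        assertion = assertions[0]
        if not self.verify_signature(assertion):
            raise SamlValidationError("assertion signature invalid")
        if assertion.findtext("saml:Issuer", namespaces=NS) != self.idp_issuer:
            raise SamlValidationError("unexpected issuer")
        self._check_conditions(assertion, now)
        self._check_bearer_confirmation(assertion, expected_request_id, now)
        assertion_id = assertion.get("ID")
        if not assertion_id or assertion_id in self._seen_assertion_ids:
            raise SamlValidationError("assertion missing ID or already used")
        self._seen_assertion_ids.add(assertion_id)
        return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}

    def _check_conditions(self, assertion, now):
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            raise SamlValidationError("missing Conditions")
        if cond.get("NotBefore") and now + self.skew < _parse_time(cond.get("NotBefore")):
            raise SamlValidationError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - self.skew >= _parse_time(cond.get("NotOnOrAfter")):
            raise SamlValidationError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            raise SamlValidationError("assertion was not issued for this SP")

    def _check_bearer_confirmation(self, assertion, expected_request_id, now):
        for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
            data = sc.find("saml:SubjectConfirmationData", NS)
            if sc.get("Method") != BEARER or data is None:
                continue
            if data.get("Recipient") != self.acs_url:
                raise SamlValidationError("Recipient is not our ACS URL")
            if data.get("InResponseTo") != expected_request_id:
                raise SamlValidationError("InResponseTo does not match the request we issued")
            if data.get("NotOnOrAfter") and now - self.skew >= _parse_time(data.get("NotOnOrAfter")):
                raise SamlValidationError("subject confirmation expired")
            return
        raise SamlValidationError("no bearer SubjectConfirmation")


def make_sample_response(audience="https://sp.example.com/saml/metadata", in_response_to="_req-123") -> str:
    """Constructed, unsigned sample response (not real Mosaic output), base64 as delivered to the ACS."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp-1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://mosaic.example/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
        Recipient="https://sp.example.com/saml/acs" InResponseTo="{in_response_to}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")
```

The order of checks matters: the signature is verified before any attribute is trusted, the audience and Recipient checks stop an assertion issued for another SP from being accepted here, InResponseTo ties the response to the request ID stored in Step 1, and the assertion ID cache stops the same response from being posted twice.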