Launch SAML SSO with Mosaic hosted UI

Note

This page guides you through integrating your app with the Mosaic SSO Service using SAML, assuming you're using the Mosaic-hosted UI for the SSO page. If you're building your own SSO page, be sure to also read this guide.

When you integrate SSO using Mosaic's hosted UI with SAML, your clients need to initiate a SAML authentication flow by redirecting users to the Mosaic SSO URL. This page provides an overview of how your system interacts with Mosaic during a SAML SSO flow, detailing the steps required to handle SAML assertions and complete the authentication process.

Before you start

Before you start the integration, you need to have the SSO Service and SSO journeys configured.

How it works

Mosaic supports SAML for user authentication. Integrating SSO using Mosaic's hosted SSO login page involves redirecting users to Mosaic's SAML SSO URL, which initiates the SAML authentication process. This URL serves as the entry point for the SSO journey within Mosaic. Once the journey completes, Mosaic generates a SAML response and redirects it back to your Service Provider (SP). The SP then processes the SAML assertion and, upon successful validation, logs the user in. Mosaic handles the entire SAML flow, ensuring secure and seamless authentication. Mosaic APIs are shown in pink along with the relevant implementation steps.

[Sequence diagram. Participants: User, Service Provider (SP), IDP (Mosaic), SSO Page (Mosaic). Step 1: the user accesses a protected resource and the SP redirects to the SAML SSO URL. Step 2: the redirect reaches the SSO page, which runs the journey logic. Step 3: Mosaic generates and sends the SAML response, the SP verifies it, and the user is logged in.]

Initiate SSO login request

When a user attempts to access a protected resource (e.g., they click a login button), the Service Provider (SP) initiates a SAML login request by redirecting the user to the SAML SSO URL provided by Mosaic (Step 1). This URL is configured in your SP's SAML client; the redirect carries the SAML request to the Mosaic-hosted SSO page, which starts the SSO journey in which the user is authenticated.

The SAML SSO URL is generated by Mosaic and can be found in SSO Service > Service Definition > Client Groups > SAML Client > SAML SSO URL. It will appear similar to https://sso-app.transmitsecurity.io/cis/v1/auth/saml/rL8T2NBI6MB-9t1P8CZ2c/signin.

SSO login and response handling

Once redirected, the user is taken to the Mosaic hosted SSO page where they will be authenticated (Step 2). This page processes the SAML request and executes the SSO login journey, which includes validating the user credentials.

After successful authentication, Mosaic generates a SAML response and redirects it to the ACS URL configured for your Service Provider (SP). The SP then processes and verifies the SAML response, extracting the necessary user information to grant access to the requested resource (Step 3).

Once the SAML response is successfully processed and verified, the user is logged in and granted access to the requested resource.
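The SP side of Steps 1 and 3, as an added example that is not Mosaic's code or part of this page: building the redirect to the SAML SSO URL (HTTP-Redirect binding, so the SP can later match InResponseTo), and the checks the ACS endpoint must make on the SAML response before logging the user in. The SSO URL, entity IDs, ACS URL and the sample response are all constructed placeholders. The example assumes the XML signature on the response has already been verified against the IdP certificate by a SAML library (for example python3-saml or signxml); it covers the content checks that libraries leave to the integrator: status, Destination, InResponseTo, issuer, validity window, audience, subject confirmation and replay.

```python
"""SP-side helpers for the SAML flow above (added example, not Mosaic code)."""
import base64
import datetime as dt
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_redirect(sso_url, sp_entity_id, acs_url, relay_state="/", now=None):
    """Step 1: URL that sends the user to the SAML SSO URL with an AuthnRequest.
    Returns (url, request_id); store request_id so Step 3 can match InResponseTo."""
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
        f'Destination="{sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{sso_url}{'&' if '?' in sso_url else '?'}{query}", request_id


def decode_saml_request(url):
    """Inverse of the redirect binding; useful when inspecting what the SP sent."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def _ts(s):
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_saml_response(saml_response_b64, expected, now, seen_assertion_ids,
                           skew=dt.timedelta(minutes=2)):
    """Step 3: content checks on the SAMLResponse POSTed to the ACS URL.
    Assumes the XML signature was already verified by a SAML library.
    Raises ValueError on any failure; returns NameID and attributes on success."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported non-success status")
    if root.get("Destination") != expected["acs_url"]:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected["request_id"]:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        raise ValueError("unexpected assertion issuer")
    if a.get("ID") in seen_assertion_ids:  # replay protection: accept each assertion once
        raise ValueError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < _ts(cond.get("NotBefore")) - skew or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != expected["acs_url"]
            or scd.get("InResponseTo") != expected["request_id"]
            or now >= _ts(scd.get("NotOnOrAfter")) + skew):
        raise ValueError("SubjectConfirmationData does not match this ACS/request or expired")
    seen_assertion_ids.add(a.get("ID"))
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed sample values for offline testing (placeholders, not a real Mosaic response).
SAMPLE_ACS, SAMPLE_SP = "https://sp.example.com/saml/acs", "https://sp.example.com/saml/metadata"
SAMPLE_IDP, SAMPLE_REQ = "https://idp.example.com/saml/metadata", "_req123"
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
SAMPLE_EXPECTED = {"acs_url": SAMPLE_ACS, "sp_entity_id": SAMPLE_SP,
                   "idp_entity_id": SAMPLE_IDP, "request_id": SAMPLE_REQ}
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_resp1" Version="2.0" IssueInstant="2024-01-01T11:59:55Z" Destination="{SAMPLE_ACS}" InResponseTo="{SAMPLE_REQ}">
 <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T11:59:55Z">
  <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{SAMPLE_ACS}" InResponseTo="{SAMPLE_REQ}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SAMPLE_SP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    url, rid = build_authn_redirect("https://sso.example.com/PLACEHOLDER/signin", SAMPLE_SP, SAMPLE_ACS)
    print(url)
    print(validate_saml_response(SAMPLE_RESPONSE, SAMPLE_EXPECTED, SAMPLE_NOW, set()))
```

The `seen_assertion_ids` set stands in for whatever shared store your SP uses; it needs to outlive a single request and be keyed per IdP, otherwise a captured response could be replayed against another instance. The clock-skew tolerance is deliberately small; widening it weakens the validity-window check.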