Configure Mosaic SSO Service to streamline login for users. Create and manage SSO clients group to control your SSO login experience.
SSO Clients Groups
Download OpenAPI description
Languages
Servers
Sandbox environment
https://api.sbx.transmitsecurity.io/cis/
Production environment (US)
https://api.transmitsecurity.io/cis/
Production environment (EU)
https://api.eu.transmitsecurity.io/cis/
Production environment (CA)
https://api.ca.transmitsecurity.io/cis/
Production environment (AU)
https://api.au.transmitsecurity.io/cis/
Bodyapplication/jsonrequired
Configuration of the clients group
Session timeout in seconds/minutes/hours/days/weeks (depending on value in session_timeout_granularity).
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X POST \
https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "My Clients Group",
"description": "string",
"configuration": {
"journey": "string",
"allowSilentLogin": true,
"sessionTimeout": 0,
"sessionTimeoutGranularity": "seconds"
}
}'Bodyapplication/json
Short description of your application, displayed in the Admin Portal
Login preferences
Email one time password login configuration
PIN authenticator configuration
List of service providers this application is allowed to explicitly redirect to
Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login.
Indicates whether to set the application as the Authentication Hub for this tenant
Default false
Determines if the application is allowed to request to create new users via login flows
PKCE configuration
Enum"enforcePkceInsteadOfClientCredentials""enforcePkceAlongsideClientCredentials""allowPkceAlongsideClientCredentials"
If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with.
URI used to redirect the user to the login page of the application (when needed)
Example: "https://www.example.com/login"
URI used to redirect the member to the login page of the application (when needed)
Example: "https://www.example.com/login"
Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)
Example: "myapp"
Member invite email link expiration in minutes
Default 2880
Custom domain of the application that can be offered for the application to be accessed from
Refresh token invalidation trigger configuration
Client name of the default client to display when needed
Client secret of the default client used to obtain tokens for API authorization
List of URI approved for redirects for your default client
List of resources the default client is allowed to explicitly request access to
This field is deprecated- to configure pkce use "pkce" field instead
Enum"client_secret_basic""self_signed_tls_client_auth""tls_client_auth""none""private_key_jwt"
Configuration for an OAuth Device Authorization Flow of the default client
Response
application/json
{ "result": { "app_id": "string", "tenant_id": "string", "app_name": "string", "app_description": "string", "client_type": "web", "logo": "string", "client_id": "string", "client_display_name": "string", "client_description": "string", "client_secret": "string", "redirect_uris": [ … ], "login_preferences": { … }, "created_at": "2019-08-24T14:15:22Z", "created_by": "string", "updated_at": "2019-08-24T14:15:22Z", "resources": [ … ], "service_providers": [ … ], "authenticator_preferences": { … }, "allow_public_signup": true, "client_auth_method": "client_secret_basic", "pkce": "enforcePkceInsteadOfClientCredentials", "device_authorization": { … }, "ciba_authorization": { … }, "password_sharing_group_id": "string", "login_uri": "https://www.example.com/login", "invite_member_uri": "https://www.example.com/login", "invite_client_id": "string", "subdomain": "myapp", "invite_member_email_expiration_minutes": 2880, "custom_domain": { … }, "external_communication": { … }, "signing_key_enabled": true, "refresh_token_invalidation_trigger_configuration": { … } } }
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X GET \
https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'Bodyapplication/json
Configuration for the SSO group
The time in seconds/minutes/hours/days/weeks after which the session will expire. Default in seconds.
List of clients in the SSO group
Client secret used to obtain tokens for API authorization
PKCE configuration for client
Enum"enforcePkceInsteadOfClientCredentials""enforcePkceAlongsideClientCredentials""allowPkceAlongsideClientCredentials"
Short description of your client, displayed in the Admin Portal
List of resources this client is allowed to explicitly request access to
List of URIs approved for redirects for your client
Authentication protocol used by the client
Enum"oidc""saml"
Response
application/json
{ "result": [ { … } ] }
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X GET \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'Bodyapplication/json
Configuration for the SSO group
The time in seconds/minutes/hours/days/weeks after which the session will expire. Default in seconds.
List of clients in the SSO group
Client secret used to obtain tokens for API authorization
PKCE configuration for client
Enum"enforcePkceInsteadOfClientCredentials""enforcePkceAlongsideClientCredentials""allowPkceAlongsideClientCredentials"
Short description of your client, displayed in the Admin Portal
List of resources this client is allowed to explicitly request access to
List of URIs approved for redirects for your client
Authentication protocol used by the client
Enum"oidc""saml"
Response
application/json
{ "result": { "id": "string", "name": "string", "description": "string", "configuration": { … }, "clients": [ … ] } }
Bodyapplication/jsonrequired
Configuration of the clients group
Session timeout in seconds/minutes/hours/days/weeks (depending on value in session_timeout_granularity).
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X PUT \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "My Clients Group",
"description": "string",
"configuration": {
"journey": "string",
"allowSilentLogin": true,
"sessionTimeout": 0,
"sessionTimeoutGranularity": "seconds"
}
}'- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X DELETE \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'Bodyapplication/jsonrequired
Any of:
Authentication protocol used by the client
Default "oidc"
Enum"oidc""saml"
List of client default custom claims
Items Enum"tid""fname""lname""mname""email""email_verified""phone_number""phone_number_verified""groups""new_user"
Short cookies samesite type. Possible values: "none", "lax", "strict". Default: "lax"
Default "lax"
Enum"lax""none"
List of URIs approved for redirects for your client
Example: ["https://www.example.com/login"]
Configuration for an OAuth Device Authorization Flow
PKCE configuration
Enum"enforcePkceInsteadOfClientCredentials""enforcePkceAlongsideClientCredentials""allowPkceAlongsideClientCredentials"
Supported prompts for the OIDC authentication flow
Items Enum"login""consent""none"
Example: ["login","consent","none"]
Default ["code","id_token"]
Items Enum"code""id_token"
Example: ["code"]
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X POST \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "My Client",
"description": "string",
"resources": [
"string"
],
"authentication_protocol": "oidc",
"client_group_id": "string",
"default_custom_claims": [
"tid"
],
"short_cookies_samesite_type": "lax",
"redirect_uris": [
"https://www.example.com/login"
],
"client_type": "web",
"device_authorization": {
"enabled": false,
"approval_uri": "https://www.example.com/device/approval",
"success_uri": "https://www.example.com/device/complete",
"input_uri": "https://www.example.com/device/start"
},
"ciba_authorization": {
"enabled": false,
"login_uri": "https://www.example.com/ciba/login"
},
"is_third_party": true,
"allowed_scopes": [
"string"
],
"consent_uri": "string",
"consent_validity_period": 0,
"pkce": "enforcePkceInsteadOfClientCredentials",
"supported_prompts": [
"login",
"consent",
"none"
],
"token_expiration": {
"access_token_ttl": 0,
"refresh_token_ttl": 0,
"max_refresh_rotate": 0
},
"session_expiration": 0,
"enforce_par": true,
"role_ids": [
"string"
],
"fapi_version_compliancy": true,
"token_endpoint_auth_method": "client_secret_basic",
"response_types": [
"code"
],
"authentication_configuration": {
"method": "client_secret_basic",
"tls_client_auth": {
"certificate_chain": "string",
"distinguished_name": 6,
"ocsp_on": true,
"ocsp_responder_uri": "string",
"ocsp_responder_certificate": "string",
"ocsp_fail_open": true
},
"isMtlsCertTokenBound": true,
"jwks": {}
}
}'Response
application/json
{ "result": { "client_id": "string", "client_secret": "string", "client_type": "web", "name": "string", "pkce": "enforcePkceInsteadOfClientCredentials", "description": "string", "resources": [ … ], "created_at": "2019-08-24T14:15:22Z", "updated_at": "2019-08-24T14:15:22Z", "redirect_uris": [ … ], "authentication_protocol": "oidc", "is_third_party": true, "optional_acs_url": true, "sp_acs_url": "string", "sp_entity_id": "string", "metadata_url": "string", "sso_url": "string", "entity_id": "string", "x509_certificate": "string", "default_custom_claims": [ … ] } }
Bodyapplication/jsonrequired
Any of:
List of client default custom claims
Items Enum"tid""fname""lname""mname""email""email_verified""phone_number""phone_number_verified""groups""new_user"
Short cookies samesite type. Possible values: "none", "lax", "strict". Default: "lax"
Default "lax"
Enum"lax""none"
List of URIs approved for redirects for your client
Example: ["https://www.example.com/login"]
Configuration for an OAuth Device Authorization Flow
PKCE configuration
Enum"enforcePkceInsteadOfClientCredentials""enforcePkceAlongsideClientCredentials""allowPkceAlongsideClientCredentials"
Supported prompts for the OIDC authentication flow
Items Enum"login""consent""none"
Example: ["login","consent","none"]
Default ["code","id_token"]
Items Enum"code""id_token"
Example: ["code"]
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X PUT \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "My Client",
"description": "string",
"resources": [
"string"
],
"client_group_id": "string",
"default_custom_claims": [
"tid"
],
"short_cookies_samesite_type": "lax",
"redirect_uris": [
"https://www.example.com/login"
],
"client_type": "web",
"device_authorization": {
"enabled": false,
"approval_uri": "https://www.example.com/device/approval",
"success_uri": "https://www.example.com/device/complete",
"input_uri": "https://www.example.com/device/start"
},
"ciba_authorization": {
"enabled": false,
"login_uri": "https://www.example.com/ciba/login"
},
"is_third_party": true,
"allowed_scopes": [
"string"
],
"consent_uri": "string",
"consent_validity_period": 0,
"pkce": "enforcePkceInsteadOfClientCredentials",
"supported_prompts": [
"login",
"consent",
"none"
],
"token_expiration": {
"access_token_ttl": 0,
"refresh_token_ttl": 0,
"max_refresh_rotate": 0
},
"session_expiration": 0,
"enforce_par": true,
"role_ids": [
"string"
],
"fapi_version_compliancy": true,
"token_endpoint_auth_method": "client_secret_basic",
"response_types": [
"code"
],
"authentication_configuration": {
"method": "client_secret_basic",
"tls_client_auth": {
"certificate_chain": "string",
"distinguished_name": 6,
"ocsp_on": true,
"ocsp_responder_uri": "string",
"ocsp_responder_certificate": "string",
"ocsp_fail_open": true
},
"isMtlsCertTokenBound": true,
"jwks": {}
}
}'Response
application/json
{ "result": { "client_id": "string", "client_secret": "string", "client_type": "web", "name": "string", "pkce": "enforcePkceInsteadOfClientCredentials", "description": "string", "resources": [ … ], "created_at": "2019-08-24T14:15:22Z", "updated_at": "2019-08-24T14:15:22Z", "redirect_uris": [ … ], "authentication_protocol": "oidc", "is_third_party": true, "optional_acs_url": true, "sp_acs_url": "string", "sp_entity_id": "string", "metadata_url": "string", "sso_url": "string", "entity_id": "string", "x509_certificate": "string", "default_custom_claims": [ … ] } }
- Sandbox environmenthttps://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (US)https://api.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (EU)https://api.eu.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (CA)https://api.ca.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- Production environment (AU)https://api.au.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}
- cURL
- Node.js
- Go
- JavaScript
- Java
- Python
curl -i -X DELETE \
'https://api.sbx.transmitsecurity.io/cis/v1/sso-service/sso-group/{groupId}/clients/{clientId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'