{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Guides","product":"Identity Management","type":"markdown"},"seo":{"title":"Configure B2B application settings","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"configure-b2b-application-settings","__idx":0},"children":["Configure B2B application settings"]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This page is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["detail"]}," for ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_setup-overview#step-1-configure-b2b"},"children":["Setup overview — Step 1: Configure B2B"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure the B2B application settings to activate the invite flow, expose the Organization admin portal to org admins, and define how refresh tokens are invalidated based on member events."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-app-and-oauth-client","__idx":1},"children":["Step 1: Create app and OAuth client"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you don't have an application yet, in the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]},", open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Applications"]}," 
>",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/create_new_application"},"children":["create an app"]}," before proceeding."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To create the client:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]},", open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Applications"]}," > [your app] > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Clients"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/manage_clients"},"children":["Add a new client"]}," and set ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PKCE"]}," to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["disabled"]},". Only clients with PKCE ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["disabled"]}," can be used for inviting members."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Note the client name — you will select it in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#configure-the-invite-flow"},"children":["Configure the invite flow"]}," below."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-configure-b2b-app-settings","__idx":2},"children":["Step 2: Configure B2B app settings"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Applications"]}," > [your app], locate the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B application"]}," 
section."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"1-configure-the-invite-flow","__idx":3},"children":["1. Configure the invite flow"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure the addresses for redirecting users after completing the invite flow."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application URI for inviting members"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"The URL in your app where users are redirected when they accept a membership invite — for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://your-app.example.com/login"]},". The URL must be reachable by the invited user."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client for inviting members"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Select the OAuth client you created in Step 1 of this guide."]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Using a B2B invite journey"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you configure a B2B invite journey in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SSO and Federation"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Configuration"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B invite journey"]},", the journey is only invoked when the member belongs to an organization that is associated with the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["IDO SSO service app"]},". 
Make sure the target organization is linked to that application before sending invitations."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"2-configure-the-org-admin-portal-domain","__idx":4},"children":["2. Configure the Org admin portal domain"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure the URL to reach the Org admin portal:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Org admin portal domain"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"A subdomain prefix for the Org admin portal. The full URL will be: ",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["<your-subdomain>.org.<environment-suffix>"]}," ",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["yourcompany.org.sbx.transmitsecurity.io"]},". Each application must use a unique subdomain."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"3-set-member-invite-link-expiration","__idx":5},"children":["3. Set member invite link expiration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Set how long invite links remain valid after they are sent. 
Adjust to match your onboarding policy."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Member invite link expiration in minutes"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Accepted range: ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["5–10080 minutes"]}," (up to 7 days)."," ","Default: ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["2880 minutes"]}," (48 hours)."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"4-configure-refresh-token-invalidation","__idx":6},"children":["4. Configure refresh token invalidation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These toggles control whether a member's refresh tokens are invalidated when specific events occur. Enabling them forces re-authentication the next time the client tries to renew an access token."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Member suspension"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Trigger: A member is suspended from an organization.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Recommendation: Enable — suspended members should not retain active sessions."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Member password reset"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Trigger: A member resets their password.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Recommendation: Enable — ensures sessions end after a credential 
change."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Member role update"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Trigger: A member's roles change.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Recommendation: Enable — ensures tokens reflect the updated role set immediately."]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"How refresh token invalidation works"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enabling a toggle does not immediately end an active session. It invalidates the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["refresh token"]},", so the session ends the next time the client attempts to obtain a new access token — at which point the user must re-authenticate."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-manage-public-sign-up","__idx":7},"children":["Step 3: Manage public sign-up"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Public sign-up is an application setting that allows non-federated login flows to automatically create new users on first login. 
For B2B applications, the setting has two specific behaviors:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Public sign-up doesn't gate SSO provisioning."]}," Members are always created on their first successful login through the organization's identity provider, regardless of the public sign-up setting."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organizations can override the application setting."]}," When an application is connected to an organization, the organization can disable public sign-up across all its connected applications. The organization-level setting takes precedence."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Non-federated login attempts that would create a user when public sign-up is disabled return ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["403 public_signup_disabled"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For B2B applications that use an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["invite-only"]}," model, where users must be invited by an organization admin, disable public sign-up so that self-registration is not available outside the invite flow. 
To review or change this setting:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Per application:"]}," open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Applications"]}," > [your app] > general settings and check the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Public sign-up"]}," option (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/manage_apps#advanced-settings"},"children":["Manage applications"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Per organization:"]}," open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organizations"]}," > [your org] and toggle ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Public sign-up"]},"."]}]},{"$$mdtype":"Tag","name":"style","attributes":{},"children":["\n    [data-component-name=\"Markdown/Markdown\"] blockquote {\n        border-left: 4px solid #BBC5FF !important;\n        border-radius: 2px;\n        background-color: #F1F2FF !important;\n        padding: 20px 10px 15px 10px;\n        margin: 10px 1px;\n    }\n"]}]},"headings":[{"value":"Configure B2B application settings","id":"configure-b2b-application-settings","depth":1},{"value":"Step 1: Create app and OAuth client","id":"step-1-create-app-and-oauth-client","depth":2},{"value":"Step 2: Configure B2B app settings","id":"step-2-configure-b2b-app-settings","depth":2},{"value":"1. Configure the invite flow","id":"1-configure-the-invite-flow","depth":3},{"value":"2. Configure the Org admin portal domain","id":"2-configure-the-org-admin-portal-domain","depth":3},{"value":"3. 
Set member invite link expiration","id":"3-set-member-invite-link-expiration","depth":3},{"value":"4. Configure refresh token invalidation","id":"4-configure-refresh-token-invalidation","depth":3},{"value":"Step 3: Manage public sign-up","id":"step-3-manage-public-sign-up","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"navigation":{"previousButton":{"text":"Previous:","hide":false,"label":"Setup overview","link":"/guides/user/b2b/b2b_setup-overview"},"nextButton":{"text":"Next:","hide":false,"label":"Implement B2B authentication","link":"/guides/user/b2b/b2b_implement_authentication"}},"seo":{"title":"Configure B2B application settings"}},"lastModified":"2026-05-07T12:32:01.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/user/b2b/b2b_configure_b2b","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}