{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Guides","product":"Identity Management","type":"markdown"},"seo":{"title":"Implement B2B authentication","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"implement-b2b-authentication","__idx":0},"children":["Implement B2B authentication"]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This page is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["detail"]}," for ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_setup-overview#step-2-implement-authentication"},"children":["Setup overview — Step 2: Implement authentication"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your application can authenticate members in many ways (WebAuthn, magic link, OTP, password, SSO, external IdP) — choose the integration model that fits your setup."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"integration-options","__idx":1},"children":["Integration options"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Option"},"children":["Option"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"What this means"},"children":["What this means"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Docs"},"children":["Docs"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Mosaic SSO Service"]}," ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["(recommended)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Mosaic coordinates sign-on for you using the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SSO Service"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["journeys"]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["relying parties"]},"—the applications that trust that login. Choose this when you want a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["single, managed SSO setup"]}," rather than wiring everything by hand.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note"]},": Does not support email magic link. For supported methods (for example, push and TOTP), see the SSO documentation."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/sso_orchestration/sso_overview"},"children":["Mosaic SSO & Federation"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Mosaic APIs or journeys"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["You ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["build your own screens and flow"]},": Mosaic still runs the real authentication work—you call ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Mosaic APIs"]}," and/or define ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["journeys"]}," for each step (password, OTP, WebAuthn, and so on).",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note"]},": Does not enable SSO by default—add it in the journey where required. Available methods depend on the journey steps you implement."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/journeys_intro"},"children":["Journeys intro"]},"; B2B context in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/concepts/b2b"},"children":["B2B in journeys"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Hosted login"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Users sign in on ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["pages hosted by Mosaic"]},". Your application connects using a normal ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]}," integration. For B2B—how the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["organization"]}," is chosen and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["which screen appears first"]},"—see ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#b2b-hosted-login-experience"},"children":["B2B hosted login experience"]}]}," below.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note"]},": Does not cover OIDC/SAML IdP-only sign-in for an organization as the primary integration—use ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organization’s external IdP"]}," and its guides for that."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/hosted_login_quick_start"},"children":["Hosted login quick start"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organization’s external IdP"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["People from a given customer company sign in with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["that company’s own login"]}," (for example their corporate IdP), using ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC or SAML"]},". You configure this ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["per organization"]}," in the Admin Portal so each customer can use their preferred provider."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/sso_login_oidc_idp"},"children":["Custom OIDC IDP (B2B)"]},", ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/sso_login_saml_idp"},"children":["Federate with your SAML IdP"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Whatever option you use, the flow must resolve ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["which organization"]}," the member belongs to:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Hosted OIDC:"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["org_id"]}," and email ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["domain"]}," are described in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/hosted_login_quick_start"},"children":["Hosted login deployment"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Journeys:"]}," use org context and steps such as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Set organization"]}," in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/concepts/b2b"},"children":["Org context (B2B)"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Mosaic-hosted B2B screens"]}," (which step users see first, org vs app): ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#b2b-hosted-login-experience"},"children":["B2B hosted login experience"]}]}," below."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"b2b-hosted-login-experience","__idx":2},"children":["B2B hosted login experience"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Hosted login supports B2B scenarios in which organization members sign in using Mosaic-hosted screens. At the application level, you configure the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["login flow"]},", the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["branding and language"]},", and the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["authentication methods"]},". Each setting can later be overridden per organization (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_configure_org_roles_auth#configure-authentication-per-organization-and-application"},"children":["Configure org roles & auth"]},")."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"login-flow","__idx":3},"children":["Login flow"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Experience management"]},", select your app from the dropdown at the top of the page and configure the initial login screen, the user identifier, the primary and secondary authentication methods, MFA, and the user information to collect."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The B2B-specific decision is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["initial login screen"]},": B2B flows need an organization context, so you choose whether members are asked to provide the organization first, the identifier first, or another supported combination. For step-by-step configuration, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/auth_custom_flow"},"children":["Manage your hosted login experience"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"branding-and-language","__idx":4},"children":["Branding and language"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Experience management"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Branding & language"]},", customize the screen colors, the default and additional languages, and the default country code applied to the hosted screens for this app. For step-by-step configuration, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/auth_custom_branding"},"children":["Brand your hosted login experience"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"authentication-methods","__idx":5},"children":["Authentication methods"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]},", configure each authenticator's behavior and policy — for example password complexity and lockout, passkey relying-party settings, and OTP expiration. For step-by-step configuration, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/auth_methods_customize"},"children":["Customize login methods"]},"."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Org-level overrides"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each of the settings above can be overridden per organization, and an organization can also federate sign-in with its own ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/sso_login_oidc_idp"},"children":["OIDC identity provider"]}," or ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/sso_login_saml_idp"},"children":["SAML identity provider"]},". Once an organization has its own override, later changes to the application default do not apply to that organization. See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_configure_org_roles_auth#configure-authentication-per-organization-and-application"},"children":["Configure org roles & auth"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The same applies to public sign-up: an organization can disable it for all its connected applications. See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_configure_b2b#step-3-manage-public-sign-up"},"children":["Configure B2B — Manage public sign-up"]},"."]}]},{"$$mdtype":"Tag","name":"style","attributes":{},"children":["\n    [data-component-name=\"Markdown/Markdown\"] blockquote {\n        border-left: 4px solid #BBC5FF !important;\n        border-radius: 2px;\n        background-color: #F1F2FF !important;\n        padding: 20px 10px 15px 10px;\n        margin: 10px 1px;\n    }\n"]}]},"headings":[{"value":"Implement B2B authentication","id":"implement-b2b-authentication","depth":1},{"value":"Integration options","id":"integration-options","depth":2},{"value":"B2B hosted login experience","id":"b2b-hosted-login-experience","depth":2},{"value":"Login flow","id":"login-flow","depth":3},{"value":"Branding and language","id":"branding-and-language","depth":3},{"value":"Authentication methods","id":"authentication-methods","depth":3}],"frontmatter":{"markdown":{"toc":{"depth":2}},"navigation":{"previousButton":{"text":"Previous:","hide":false,"label":"Configure B2B","link":"/guides/user/b2b/b2b_configure_b2b"},"nextButton":{"text":"Next:","hide":false,"label":"Define app roles","link":"/guides/user/b2b/b2b_define_app_roles"}},"seo":{"title":"Implement B2B authentication"}},"lastModified":"2026-05-14T12:07:42.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/user/b2b/b2b_implement_authentication","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}