SAML Single Sign-On Flow

Single Sign-On (SSO) is a user authentication process that allows end-users to access the Mobb application with a single login provided by their Identify Provider (IdP). The following diagram explains the SSO flow in Mobb.

1. User Navigates to Mobb

   • The user opens the Mobb application.

2. Mobb Checks for Existing Session

   • Mobb looks for a valid session

   • If no valid session is found, Mobb initiates the SSO flow through Auth0.

3. Auth0 Redirects User to IdP

   • Auth0 redirects the user to the IdP (i.e. Microsoft Entra ID) login page to authenticate.

4. User Authenticates with IdP

   • The user enters their credentials on the IdP sign-in page.

   • IdP verifies the user’s identity against the organization’s directory.

5. IdP Issues Security Token

   • Upon successful authentication, IdP provides Auth0 with a security token (e.g., a JWT or SAML assertion).

   • Auth0 validates the IdP token and creates a session for the user.

6. User Is Redirected Back to Mobb

   • Auth0 redirects the user’s browser back to Mobb, along with the Auth0 token in the callback parameters.

   • Mobb verifies the token signature, checks its validity (expiry, issuer, audience, etc.), and extracts user attributes (e.g., email, roles).

   • If valid, Mobb creates or updates a session on its side and applies any role-based access control configured by the Mobb administrator.

7. User Gains Access to Mobb Platform

   • The user is now authenticated in Mobb’s system and can use the platform as permitted by their assigned roles/permissions.

   • Subsequent actions during this session are validated via Mobb’s session or tokens.

8. Ongoing Access and Session Renewal

   • As the user continues to work in Mobb, the session remains valid until it expires or the user signs out.

   • If/when the session expires, Mobb may prompt re-authentication through IdP again, re-initiating the SSO flow if needed.