# SAML Single Sign-On Flow

{% hint style="info" %}
Mobb supports SSO with your Identity Provider (e.g. Microsoft Entra ID) if required. If this is a requirement, please reach out to us via <support@mobb.ai>.
{% endhint %}

Single Sign-On (SSO) is a user authentication process that allows end-users to access the Mobb application with a single login provided by their Identity Provider (IdP). The following diagram explains the SSO flow in Mobb.

<figure><img src="https://2539741639-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8WF4UBNkXMHG7Dz0RXI7%2Fuploads%2Fgit-blob-23aee22033d2690463ef286e229878a0a0d98323%2FSAML%20Diagram.drawio.png?alt=media" alt=""><figcaption></figcaption></figure>

1. **User Navigates to Mobb**
   * The user opens the Mobb application.
2. **Mobb Checks for Existing Session**
   * Mobb looks for a valid session.
   * If no valid session is found, Mobb initiates the SSO flow through Auth0.
3. **Auth0 Redirects User to IdP**
   * Auth0 redirects the user to the IdP (e.g. Microsoft Entra ID) login page to authenticate.
4. **User Authenticates with IdP**
   * The user enters their credentials on the IdP sign-in page.
   * The IdP verifies the user’s identity against the organization’s directory.
5. **IdP Issues Security Token**
   * Upon successful authentication, the IdP returns a signed security token to Auth0 (a SAML assertion for a SAML connection, or a JWT for an OIDC connection).
   * Auth0 validates the IdP’s token (signature and validity) and creates a session for the user.
6. **User Is Redirected Back to Mobb**
   * Auth0 redirects the user’s browser back to Mobb, along with the Auth0 token in the callback parameters.
   * Mobb verifies the token signature, checks its validity (expiry, issuer, audience, etc.), and extracts user attributes (e.g., email, roles).
   * If valid, Mobb creates or updates a session on its side and applies any role-based access control configured by the Mobb administrator.
7. **User Gains Access to Mobb Platform**
   * The user is now authenticated in Mobb’s system and can use the platform as permitted by their assigned roles/permissions.
   * Subsequent requests during this session are validated against Mobb’s session or tokens.
8. **Ongoing Access and Session Renewal**
   * As the user continues to work in Mobb, the session remains valid until it expires or the user signs out.
   * When the session expires, Mobb prompts the user to re-authenticate, re-initiating the SSO flow through Auth0 and the IdP.
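
The checks described in step 6 (signature, expiry, issuer, audience) are where most SSO integrations go wrong, so the following added example shows them on a constructed token. It is illustrative code written for this page, not Mobb’s or Auth0’s implementation. To run offline with only the Python standard library it assumes an HS256 token signed with a shared secret; Auth0 signs tokens with RS256 by default, so a production verifier fetches the tenant’s public keys from its JWKS endpoint and checks an RSA signature instead, but the claim checks are the same. The issuer, audience, secret and claims below are constructed values, not real Mobb or Auth0 settings.

```python
"""Verify an Auth0-issued token the way step 6 describes.

Added example, not Mobb's or Auth0's code.  Assumes HS256 with a shared
secret so it runs offline; Auth0's default is RS256, verified against the
tenant's JWKS (https://<tenant>.auth0.com/.well-known/jwks.json).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; not real Mobb or Auth0 configuration.
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "mobb-app-client-id"
SECRET = b"demo-shared-secret"
PINNED_ALG = "HS256"


class TokenError(Exception):
    """Raised for any token that must not create a Mobb session."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = PINNED_ALG) -> str:
    """Stand-in for Auth0 in step 5/6: build a signed token from claims."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    # "none" produces an unsigned token, used below only to show it is rejected.
    sig = (hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
           if alg == PINNED_ALG else b"")
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: Optional[float] = None,
                 leeway: int = 30) -> dict:
    """Return the claims only if every step-6 check passes; raise otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"malformed token: {exc}")
    # 1. Pin the algorithm from configuration, never from the token header:
    #    this rejects alg=none and HS256/RS256 confusion attacks.
    if header.get("alg") != PINNED_ALG:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Check the signature before trusting any claim, in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # 3. Issuer must be exactly the Auth0 tenant Mobb is configured for.
    if claims.get("iss") != issuer:
        raise TokenError(f"wrong issuer {claims.get('iss')!r}")
    # 4. Audience: "aud" may be a string or a list; our client id must be in it.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError(f"wrong audience {aud!r}")
    # 5. Expiry is mandatory; "nbf" is optional.  Small leeway for clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if now > exp + leeway:
        raise TokenError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenError("token not yet valid")
    # 6. A subject is required to create or update the Mobb-side session.
    if not claims.get("sub"):
        raise TokenError("missing sub")
    return claims


if __name__ == "__main__":
    demo = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|user1",
                       "email": "user@example.com", "iat": 1000, "exp": 2000})
    print(verify_token(demo, now=1500)["email"])
```

Only after `verify_token` returns does the application map attributes such as `email` onto its own session and roles; a `TokenError` should end the request rather than fall through to a partially authenticated state.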
