Prior to setting up the 2FA, you need to set up the SSO provider for the Tipalti app. Tipalti supports several SSO providers, select the provider below to view the instructions on setting up 2FA.
Google Workspace
To set up 2FA:
- In the "Admin console" page, go to Security > Authentication > Login challenges.
- On the left, select the organizational unit where you want to set the policy.
Select the top-level organizational unit for all users. Initially, organizational units inherit the settings of their parent. - Click "Post-SSO verification".
- Select "Logins using SSO are subject to additional verifications (if appropriate) and 2-Step Verification (if configured)".
Google creates an entry in the Admin audit log to indicate the policy change. With the new policy, Google can present risk-based authentication login challenges and 2-Step Verification if it’s configured. The default is to bypass additional verification. - On the bottom right, click "Save".
For additional information, see Protect Google Workspace accounts with security challenges.
Okta
An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors when signing in to Okta and when accessing an application.
For additional information, see MFA factor configuration.
OneLogin
To use multi-factor authentication with OneLogin, you must enable one or more authentication factors for your OneLogin account. You can also create multiples of the same factor (remember to name them descriptively) for different audiences, such as partners or new business units.
- Log in to your OneLogin account as an Administrator.
- Go to Security > Authentication Factors.
- On the "Authentication Factors" tab, click "New Auth Factor".
- Select an authentication factor and click "Choose".
OneLogin provides a number of authentication factors including OneLogin Protect, OneLogin Security Questions, and others such as Google Authenticator and Yubikey.
As of May 2019, Duo, Symantec VIP, RSA SecurID, and Yubikey allow multiple instance creation. OneLogin Protect, SMS, Voice, and security questions do not, and support for those will follow in subsequent releases. - Enter your client account information and name the factor, especially if you configure multiple Yubikeys or multiple Duo instances.
For additional information, see Enabling Authentication Factors.