SSO
Why SSO?
SSO offers you a simple way to manage offboarding while increasing security and making signing in simpler and more convenient for employees. With SSO, lost credentials become a thing of the past, and a faster, more secure sign-in process becomes the norm.
SSO providers
We support the following SSO providers. If you are using a different provider, please submit a request to our Support Team.
SSO in Tipalti
Authentication options
You can define the authentication method your users use to log in to Tipalti. This is completely separate from the authentication method your payees use to log in to the Supplier Hub.
We offer 3 types of authentication:
- Username and password - Each user creates a unique password
- SSO - All your users must use SSO to log in
- Dual login - Each user chooses whether to connect with a password or SSO for each login. We recommend using this configuration only during setup, until you verify that your key users can log in with SSO.
Technical notes
- We use the OpenID Connect technology for SSO.
- A user can log in using SSO only after they have been created in the Tipalti Hub and assigned at least one permission.
- Users must have the same email in Tipalti and in your SSO provider to be authenticated.
- If a user tries logging into Tipalti with email A, and has an active SSO session under email B, they will be authenticated with email B.
- When you are using SSO, 2FA is managed by your SSO provider. When using a username and password, we manage 2FA using SMS text messaging and phone calls.
Configure your SSO
To configure the SSO connection, you need to create a new app for Tipalti in your SSO provider (we recommend creating 2 apps - one for Sandbox and one for Production). One of our representatives works with you to open the SSO connection—first in the Sandbox, and then in Production in a dual-login mode. Once you verify that all your users can log in using SSO, we remove the option to log in with a password.
When creating the new app, you will need to set the Authorized redirect URI, which is a safelist of possible landing pages within Tipalti.
For Sandbox:
- https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
- https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
For Production:
- https://hub.tipalti.com/api/v0/account/authorizesso
- https://sso.tipalti.com/api/authorization/v1/authorizesso
Once the app is created, you need to provide us with the following data from your SSO provider:
- Client ID - A unique “user name” for Tipalti in your provider
- Client secret - A unique “password” for Tipalti in your provider
- Authentication URI - The URI we call to get your configuration metadata
You can see step-by-step instructions on how to configure your SSO for the SSO providers. If you are using a different provider, please submit a request to our Support Team.
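Before handing the app details over, it is worth checking that each app's redirect URIs match the lists above exactly and that the Sandbox and Production apps are not mixed. The following is an added example, not Tipalti code: the function name and the sample app export are hypothetical, and it assumes that every URI listed for an environment must be registered and that your provider compares redirect URIs by exact string match.

```python
# Added example: audit the redirect URIs registered in an IdP app for Tipalti.
from urllib.parse import urlsplit

# Safelisted redirect URIs, copied from the lists on this page.
TIPALTI_REDIRECT_URIS = {
    "sandbox": {
        "https://console2.sandbox.tipalti.com/api/v0/account/authorizesso",
        "https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso",
    },
    "production": {
        "https://hub.tipalti.com/api/v0/account/authorizesso",
        "https://sso.tipalti.com/api/authorization/v1/authorizesso",
    },
}

def audit_redirect_uris(environment, registered):
    """Compare one app's registered redirect URIs with the page's list (exact match)."""
    expected = TIPALTI_REDIRECT_URIS[environment]
    other = set().union(*(uris for env, uris in TIPALTI_REDIRECT_URIS.items()
                          if env != environment))
    findings = []
    for uri in registered:
        if uri in expected:
            continue
        if uri in other:
            findings.append(("cross-environment", uri))
        elif "*" in uri:
            findings.append(("wildcard", uri))
        elif urlsplit(uri).scheme != "https":
            findings.append(("not-https", uri))
        else:
            findings.append(("unexpected", uri))
    # Assumption: every URI listed for the environment should be registered.
    findings += [("missing", uri) for uri in sorted(expected - set(registered))]
    return findings

# Constructed sample: redirect URIs as exported from a hypothetical Production app.
SAMPLE_PRODUCTION_APP = [
    "https://hub.tipalti.com/api/v0/account/authorizesso",
    "https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso",
    "https://hub.tipalti.com/api/v0/account/authorizesso/",
    "https://*.tipalti.com/api/v0/account/authorizesso",
]

if __name__ == "__main__":
    for kind, uri in audit_redirect_uris("production", SAMPLE_PRODUCTION_APP):
        print(f"{kind:18} {uri}")
```

An empty result means the app's redirect URIs are exactly the ones listed for that environment; a trailing slash or a Sandbox URI in the Production app is reported rather than silently accepted.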