Okta setup
Follow these steps to set up Okta as an SSO provider for the Tipalti app.
- In Okta, go to Applications > Applications.
- On the "Applications" screen, click "Create App Integration".
- On the "Create a new app integration" screen:
- For the "Sign-in method" field, select "OIDC - OpenID Connect".
- For the "Application type" field, select "Web Appplication"
- Click "Next" to open the "New Web App Integration" screen.
On the "New Web App Integration" screen, complete the following fields:
- In the "App integration name" field, type:
- "Tipalti-Sandbox", if you are setting up the Sandbox app.
- "Tipalti-Production", if you are setting up the Production app.
- In the "Logo" field, upload Tipalti's logo.
- In the "Sign-in redirect URIs" field, click "Add URI", and add 2 URIs for each environment. Copy and paste the following URIs.
- For Sandbox:
- https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
- https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
- For Production:
- https://hub.tipalti.com/api/v0/account/authorizesso
- https://sso.tipalti.com/api/authorization/v1/authorizesso
- For Sandbox:
-
In the "Assignments" section, you can assign the app to users/ groups and configure their roles:
For the "Controlled access" field, select "Limit access to selected groups".
For the "Selected group(s)" field, enter the group in your organization to whom you want to assign the app integration.
- Click "Save".
You need to copy the credential values from Okta, and paste into a secured text password-sharing application (e.g., 1Password, Value), as you need to provide Tipalti with these values for each application (Sandbox and Production) to complete the setup process.
- You can build the "Well-known authorization URL" as follows: https://YOUR_OKTA_DOMAIN/.well-known/openid-configuration where "YOUR_OKTA_DOMAIN" is the domain of the Okta application's Issuer.
- On the "Tipalti-Sandbox" screen, click "General":
- In the "Client Credentials" section:
- Copy the value in the "Client ID" field and paste it into the secured text password-sharing application.
- In the "Client secret" field, click the eye icon, copy the value and paste it into the secured text password-sharing application.
If required, you can generate a new "Client secret". In the "Client Credentials" section, click "Edit" and then the "Generate New Client Secret" button.
- In the "Allowed Grant Types" section, select "Implicit".
- In the "Login" section, for the "Login initiated by" field, click the dropdown and select "App Only".
- Click "Save.
- Send the document containing your "Client ID", "Client secret" and "Well-known authorization URL" to Tipalti to finish the SSO configuration process.
Once Tipalti confirms that your credentials have been received, destroy the document.
- In the "Client Credentials" section:
For example, if the Issuer was https://your-company.okta.com, then the well-known URL would be https://your-company.okta.com/.well-known/openid-configuration
If you want to support launching your application from the Okta dashboard, on the "Tipalti-Sandbox" screen, click "General" and in the "Login" section:
- For the "Sign-in redirect URIs" field, enter one or more URI values where Okta sends the OAuth responses.
- (Optional) For the "Sign-out redirect URIs" field, add a URI where Okta redirects the browser after it receives the sign-out request from the relying-party and terminates the end user's session.
- For the "Login initiated by" field, click the dropdown and select "Either Okta or App" to give your integration an tile.
- For the "Application visibility" field, select "Display application icon to users".
- For the "Login flow" field, for OIN app integrations, select "Redirect to app to initiate login (OIDC Compliant)".
- For the "Initiate login URI" field, enter or change the URI used to initiate the sign-in request.
- Click "Save".
When you select the "Either or App" option, an "App Embed Link" section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside .