Set up single sign-on (SSO)
SSO offers you a simple way to manage offboarding while increasing security and making signing in simpler and more convenient for employees. With SSO, lost credentials become a thing of the past, and a faster, more secure sign-in process becomes the norm.
Activate SSO
Required user roles: Finance manager or Technical admin
Required permission: Payer admin
You can change your organization’s login method to SSO (Single Sign-On) in the Tipalti Hub.
SSO offers increased security for employees. It also minimizes password errors due to lost credentials and gives you greater control over your employees' logins.
If you activate SSO, employees will be offered this login option first, but they can still log in with their email and password as a backup option. You can activate either OIDC or SAML single sign-on authentication.
All standard SSO clients (with SAML) are supported using similar parameters, but names may vary depending on your provider.
To activate SSO logins for your users:
- Go to Administration > General > Single Sign-On.
- Toggle Activate Single Sign-On (SSO) to the right (on). When activated, the SSO setting fields are displayed; when deactivated, they are hidden.
- In Type, select OIDC (OpenID Connect) or SAML (Security Assertion Markup Language).
- Next, provide the SSO details from your SSO provider.
Set up using OIDC
OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0. It’s designed for secure, lightweight communication between clients (e.g., mobile apps, web apps) and identity providers.
If you select OIDC for your SSO type, you'll need to:
- Enter your client ID
- Enter client secret key
- Enter base URL from your SSO provider
- Click Save.
Set up using SAML
Security Assertion Markup Language (SAML) is an XML-based authentication protocol designed primarily for web-based applications.
If you select SAML for your SSO type, you'll need to:
- Upload a link or XML file to your metadata.
- Enter your SAML response audience.
- Enter your response issuer (optional). This identifies the entity issuing the SAML response (typically the identity provider).
- Add the callback URL for Tipalti's production environment to your SAML provider's safelist: https://sso.tipalti.com/api/v1/authorization/authenticate-saml
- Click Save.
For more info on setting up SAML, go to Common questions below.
SSO providers
We support all SSO providers. Here are links to guides on how to set up SSO for the most popular providers:
Common questions
Does Tipalti support both OIDC and SAML types for SSO login?
Yes, we support both OIDC (OpenID Connect) and SAML (Security Assertion Markup Language). However, OIDC and SAML cannot be used as providers simultaneously. OIDC is the more commonly used type for SSO. Please note that SAML has a slightly different setup process.
What is the ACS URL? Where can I find info needed to configure SAML?
The ACS URL (also called the Callback URL or Reply URL) stands for Assertion Consumer Service URL. It is the specific web address on a Service Provider (SP) to which an Identity Provider (IdP) sends a user's authenticated SAML assertion (security token) after successful login. The ACS URL for Tipalti is:
https://sso.tipalti.com/api/v1/authorization/authenticate-saml
These are the properties your payer admin needs to define SAML for SSO:
- ACS URL (or Callback URL) - copy from above. You should define this URL in your SSO provider’s configuration and, if necessary, safelist it as well.
- Metadata - this can be a link or an XML file that your payer admin copies from your SSO provider. It needs to be entered in the metadata field in the Tipalti Hub under Administration > General > Single Sign-On (either paste the link or upload the XML file).
- Audience/Entity ID - refer to the question below.
- Response issuer - not a mandatory field, but if your provider requires it, it should be the same value as Audience.
If you’re having trouble setting up SSO, contact your Tipalti rep. We can help you work out what your SAML URL is (e.g., https://okta.com).
Where can I find the EntityID that is provided by Tipalti?
The EntityID is a string you define on your SSO SAML provider. You need to make sure that you enter the same string in Tipalti in the SAML response audience field.
The same value can also be used for the Response issuer, which is an optional property. In Tipalti, you must enter exactly the same value as is defined in your provider.
Our recommendation is to simply use ‘Tipalti’ on both sides.
I get a "400: malformed_request" error during login. What could be causing this?
The login error could be caused by several factors, such as an incorrect SSO URL, response audience URL, or metadata. We suggest you check that you have exactly the same details in both your SSO provider and Tipalti. If you continue to have issues setting up SSO, please contact Tipalti support.
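The EntityID question above and the "400: malformed_request" question both come down to the same point: the audience, the optional response issuer and the ACS URL in the SAML response must match what is configured in Tipalti byte for byte. The following Python script is an added illustration, not Tipalti's code, of the comparison a service provider makes; the SAML response XML it builds is a constructed, unsigned sample, and the expected values are example settings.

```python
"""Illustrate the SAML response fields that must match the Tipalti SSO settings.

Added example, not Tipalti's code. The XML built here is a constructed,
unsigned sample used only to show the audience / issuer / ACS URL checks.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as they would be configured in the Tipalti Hub (assumed example settings).
ACS_URL = "https://sso.tipalti.com/api/v1/authorization/authenticate-saml"
EXPECTED_AUDIENCE = "Tipalti"   # "SAML response audience" field
EXPECTED_ISSUER = "Tipalti"     # optional "Response issuer" field; None when left empty


def build_response(audience: str, issuer: str, destination: str) -> str:
    """Build a minimal, unsigned SAML response (constructed test input)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, acs_url: str = ACS_URL,
                   audience: str = EXPECTED_AUDIENCE,
                   issuer=EXPECTED_ISSUER) -> list:
    """Return the list of mismatches; an empty list means the values line up.

    Only the field comparison is shown. A real service provider additionally
    verifies the XML signature against the IdP certificate taken from the
    metadata and checks the assertion's validity window.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # 1. Destination must equal the ACS URL registered with the IdP exactly
    #    (scheme, host, path and trailing slash all count).
    destination = root.get("Destination")
    if destination != acs_url:
        problems.append(f"Destination {destination!r} != ACS URL {acs_url!r}")

    # 2. The assertion's Audience must contain the configured response audience.
    #    Comparison is case-sensitive, so 'tipalti' is not 'Tipalti'.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences!r} does not contain {audience!r}")

    # 3. The response Issuer is only compared when the optional field is set.
    if issuer is not None:
        found = root.findtext("saml:Issuer", namespaces=NS)
        if found != issuer:
            problems.append(f"Issuer {found!r} != configured response issuer {issuer!r}")

    return problems


if __name__ == "__main__":
    good = build_response("Tipalti", "Tipalti", ACS_URL)
    # Lower-case audience and a trailing slash on the ACS URL: two mismatches.
    bad = build_response("tipalti", "Tipalti", ACS_URL + "/")
    print("good:", check_response(good))
    print("bad: ", check_response(bad))
```

The second sample shows the kind of detail that is easy to miss: a lower-case audience or a trailing slash on the callback URL is enough for the comparison to fail, even though both look right at a glance. When the optional response issuer is left empty in Tipalti (`issuer=None`), the issuer check is skipped and only the audience and ACS URL have to agree.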
What should I do if we use a different SSO provider?
Tipalti supports all SSO providers. If you use an HRIS (Human Resources Information System) or another provider for SSO, you may need to read their documentation. All SSO providers use the same standard properties; however, sometimes the naming of fields may differ (e.g., ACS URL or Callback URL).