Okta setup
Follow these steps to set up Okta as an OIDC SSO provider for the Tipalti app.
Set up OIDC
Step 1. Create a new app integration
- In Okta, go to Applications > Applications.
- On the "Applications" screen, click "Create App Integration".
- On the "Create a new app integration" screen:
- For the "Sign-in method" field, select "OIDC - OpenID Connect".
- For the "Application type" field, select "Web Application".
- Click "Next" to open the "New Web App Integration" screen.
Step 2. Identify the Tipalti app to Okta's OpenID servers
On the "New Web App Integration" screen, complete the following fields:
- In the "App integration name" field, type:
- "Tipalti-Sandbox", if you are setting up the Sandbox app.
- "Tipalti-Production", if you are setting up the Production app.
- In the "Logo" field, upload Tipalti's logo.
- In the "Sign-in redirect URIs" field, click "Add URI", and add 2 URIs for each environment. Copy and paste the following URIs.
- For Sandbox:
- https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
- https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
- For Production:
- https://hub.tipalti.com/api/v0/account/authorizesso
- https://sso.tipalti.com/api/authorization/v1/authorizesso
- In the "Assignments" section, you can assign the app to users/groups and configure their roles:
- For the "Controlled access" field, select "Limit access to selected groups".
- For the "Selected group(s)" field, enter the group in your organization to whom you want to assign the app integration.
- Click "Save".
Step 3. Send your OIDC SSO credentials to Tipalti
To set up Okta as your SSO provider for Tipalti, you'll need to provide your client ID, client secret, and base URL (sometimes known as the 'Issuer URL', 'Callback URL', etc.).
You need to copy the credential values from Okta and paste them into a secured text password-sharing application (e.g., 1Password, Value), as you need to provide Tipalti with these values for each application (Sandbox and Production) to complete the setup process.
- You can build the "Well-known authorization URL" as follows: https://YOUR_OKTA_DOMAIN/.well-known/openid-configuration, where "YOUR_OKTA_DOMAIN" is the domain of the Okta application's Issuer.
For example, if the Issuer is https://your-company.okta.com, then the well-known URL is https://your-company.okta.com/.well-known/openid-configuration
- On the "Tipalti-Sandbox" screen, click "General":
- In the "Client Credentials" section:
- Copy the value in the "Client ID" field and paste it into the secured text password-sharing application.
- In the "Client secret" field, click the eye icon, copy the value and paste it into the secured text password-sharing application.
If required, you can generate a new "Client secret". In the "Client Credentials" section, click "Edit" and then the "Generate New Client Secret" button.
- In the "Allowed Grant Types" section, select "Implicit".
- In the "Login" section, for the "Login initiated by" field, click the dropdown and select "App Only".
- Click "Save".
- Send the document containing your "Client ID", "Client secret" and "Well-known authorization URL" to Tipalti to finish the SSO configuration process.
Once Tipalti confirms that your credentials have been received, destroy the document.
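The well-known URL built above is what the relying party uses to discover Okta's endpoints, so it is worth checking the discovery document and the configured redirect URIs before sending credentials to Tipalti. The following is an added example (not Tipalti's or Okta's code); the discovery document is a constructed, abbreviated sample and the issuer https://your-company.okta.com is the placeholder from the text.

```python
import json
from urllib.parse import urlsplit

# Constructed, abbreviated sample of an Okta discovery document (not fetched live).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-company.okta.com",
    "authorization_endpoint": "https://your-company.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-company.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-company.okta.com/oauth2/v1/keys",
})

# The Sandbox sign-in redirect URIs from this guide: the exact allow-list Okta should hold.
TIPALTI_SANDBOX_REDIRECTS = {
    "https://console2.sandbox.tipalti.com/api/v0/account/authorizesso",
    "https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso",
}


def well_known_url(issuer):
    """Build the discovery URL from the issuer, tolerating a trailing slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer, document):
    """Return a list of problems found in the discovery document for `issuer`."""
    problems = []
    doc = json.loads(document)
    # The document's issuer must equal the issuer the URL was built from;
    # a mismatch is how an issuer-confusion (mix-up) problem would slip through.
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append("missing " + key)
        elif urlsplit(url).scheme != "https":
            problems.append(key + " is not https")
        elif urlsplit(url).netloc != urlsplit(issuer).netloc:
            problems.append(key + " is on a different host than the issuer")
    return problems


def check_redirect_uris(configured, allowed=TIPALTI_SANDBOX_REDIRECTS):
    """Return configured redirect URIs that are not an exact string match to the allow-list."""
    return [u for u in configured if u not in allowed]
```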
If you want to support launching your application from the Okta dashboard, on the "Tipalti-Sandbox" screen, click "General" and in the "Login" section:
- For the "Sign-in redirect URIs" field, enter one or more URI values where Okta sends the OAuth responses.
- (Optional) For the "Sign-out redirect URIs" field, add a URI where Okta redirects the browser after it receives the sign-out request from the relying-party and terminates the end user's session.
- For the "Login initiated by" field, click the dropdown and select "Either Okta or App" to give your integration a dashboard tile.
When you select the "Either Okta or App" option, an "App Embed Link" section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside Okta.
- For the "Application visibility" field, select "Display application icon to users".
- For the "Login flow" field, for OIN app integrations, select "Redirect to app to initiate login (OIDC Compliant)".
- For the "Initiate login URI" field, enter or change the URI used to initiate the sign-in request.
- Click "Save".
Set up SAML
Step 1. Add the SAML app
- Go to Applications → <your application> → Addons → SAML2 Web App.
- Configure the SAML callback URL by pasting the appropriate IDS SAML URL into the callback textbox.
Make sure there is an audience property in the Settings textbox. Save this value (in this case: unified-login-dev) for later use.
Step 2. Provide the metadata URL or file
The metadata URL points to the metadata file. IDS supports both approaches: either saving the URL (at which point the IDS will automatically fetch the file contents) or supplying the entire file (which will be saved to the DB as-is).
The metadata file contains the public signing key for the SAML responses.
Under the Usage tab, there is a link to the metadata file. Copy the link and save it for later use.