OneLogin setup
Follow these steps to set up OneLogin as an OIDC SSO provider for the Tipalti app.
Step 1. Add a new application
- In OneLogin, go to "Applications" and click "Add App" to add a new application.
- On the "Find Applications" screen, in the search bar, type "OpenId Connect" or "oidc" and click "Enter".
- From the search result, select the "OpenId Connect (OIDC)" app.
Step 2. Identify the Tipalti app to OneLogin's OpenID servers
On the "Add OpenId Connect (OIDC)" screen:
- Go to "Info" and complete the following fields.
- In the "Display Name" field, type:
- "Tipalti-Sandbox", if you are setting up the Sandbox app.
- "Tipalti-Production", if you are setting up the Production app.
- (Optional) You can add icons for the app tiles. Please adhere to the following guidelines for the icons.
- Rectangular icon: A transparent PNG or SVG file with aspect ratio 2.64:1
- Square icon: A transparent PNG or SVG file with minimum 512px x 512px
- Click "Save" to be taken to the "Application Info" page.
- Go to "Configuration" and complete the following fields.
- (Optional) In the "Login URL", copy and paste the following URLs for the
- For Sandbox: https://aphub2.sandbox.tipalti.com/#/login/login-user-name
- For Production: https://aphub2.tipalti.com/#/login
- In the "Redirect URI" field, copy and paste the following URIs as a comma-separated list, or each on a separate line. You need to add 2 URIs for each environment.
- For Sandbox:
- https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
- https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
- For Production:
- https://hub.tipalti.com/api/v0/account/authorizesso
- https://sso.tipalti.com/api/authorization/v1/authorizesso
- Click "Save".
Step 3. Send your OIDC SSO credentials to Tipalti
To set up OneLogin as your SSO provider for Tipalti, you'll need to enter your client ID, client secret key, and base URL (sometimes known as 'Issuer URL', 'Callback URL', etc.).
Copy the credential values from OneLogin and paste them into a secured text password-sharing application (e.g., 1Password, Vault); you need to provide Tipalti with these values for each application (Sandbox and Production) to complete the setup process.
On the "Add OpenId Connect (OIDC)" screen, go to "SSO" and complete the following steps.
- Copy the value in the "Client ID" field and paste it into the secured text password-sharing application.
- In the "Client secret" field, click the "Show client secret" link or the "Regenerate client secret" link, copy the value, and paste it into the secured text password-sharing application.
- In the "Issuer URL", right-click the "Well known Configuration" link, copy the value, and paste it into the secured text password-sharing application.
Typically, the well-known URL has the following format: https://<YOUR_ONELOGIN_DOMAIN>/oidc/2/.well-known/openid-configuration where "YOUR_ONELOGIN_DOMAIN" is the domain of the OneLogin application's Issuer. For example, if the Issuer was https://<your-company>.OneLogin.com, then the well-known URL would be https://<your-company>.onelogin.com/oidc/2/.well-known/openid-configuration
- Send the document to Tipalti to finish the SSO configuration process.
Once Tipalti confirms that your credentials have been received, destroy the document.
- In the "Token Endpoint" field, for the "Authentication Method", select "Post".
- Go to Users > Role and complete the following steps.
- In the search bar, type Tipalti Sandbox/ Tipalti Production and click "Search".
- From the search result, click the app. On the "Role Apps" screen, a check mark displays beside the app.
- To add users to that role, click "Users" and add users manually.
- Assign access to the application to all your employees that require access to
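
Before sending the well-known URL from Step 3 to Tipalti, you can sanity-check it and the discovery document it returns. The following is an added example, not part of the original guide or of Tipalti's or OneLogin's code: the sample document is constructed, "example-co" is a placeholder domain, and mapping the "Post" setting to the OIDC method name client_secret_post is an assumption.

```python
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

def well_known_url(onelogin_domain):
    """Build the discovery URL in the format given in Step 3."""
    return f"https://{onelogin_domain.lower()}/oidc/2{WELL_KNOWN_SUFFIX}"

def check_discovery(url, doc):
    """Return a list of problems; an empty list means all checks passed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not url.endswith(WELL_KNOWN_SUFFIX):
        return ["well-known URL must be https and end in " + WELL_KNOWN_SUFFIX]
    problems = []
    # OIDC Discovery: the issuer in the document must equal the URL prefix
    # that precedes /.well-known/openid-configuration.
    expected_issuer = url[: -len(WELL_KNOWN_SUFFIX)]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    # Conservative policy chosen for this example: endpoints are https and
    # served from the same host as the discovery document.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(doc.get(key, ""))
        if ep.scheme != "https" or ep.hostname != parts.hostname:
            problems.append(f"{key} is missing, not https, or on another host")
    # Assumption: "Post" in the OneLogin UI is OIDC's client_secret_post.
    # When the field is absent, the Discovery default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported",
                      ["client_secret_basic"])
    if "client_secret_post" not in methods:
        problems.append("client_secret_post not advertised for token endpoint")
    return problems

# Constructed sample document (not real OneLogin output).
SAMPLE_URL = well_known_url("example-co.onelogin.com")
SAMPLE_DOC = {
    "issuer": "https://example-co.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example-co.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example-co.onelogin.com/oidc/2/token",
    "jwks_uri": "https://example-co.onelogin.com/oidc/2/certs",
    "token_endpoint_auth_methods_supported":
        ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document OK")
```

To check your own tenant, fetch the well-known URL with any HTTPS client and pass the parsed JSON to `check_discovery` in place of the sample.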