Articles in this section

Google Workspace setup

Follow these steps to set up Google Workspace (formerly G Suite) as a SSO provider for the Tipalti app.

Set up OIDC 

Step 1. Create your OAuth client ID
  1. Sign in to your "Google Cloud Platform Console".
  2. Go to "Credentials".
  3. Click "+ CREATE CREDENTIALS" and select "OAuth client ID" to open the "Create OAuth client ID" screen.
    CredentialsScreen_760x291.png
Step 2. Identify the Tipalti app to Google's OAuth servers
  1. From the "Application type" dropdown, select "Web Application".
  2. In the "Name" field, type:
    • "Tipalti-Sandbox" , if you are setting up the Sandbox app.
    • "Tipalti-Production" , if you are setting up the Production app.
  3. In the "Authorized redirect URIs" section, click "Add URI", and add 2 URIs for each environment. Copy and paste the following URIs.
    • For Sandbox: 
      • https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
      • https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
    • For Production:
      • https://hub.tipalti.com/api/v0/account/authorizesso
      • https://sso.tipalti.com/api/authorization/v1/authorizesso
  4. Click "Create" to view the "OAuth client created" dialog.
    CreateOAuthClientID2_760x752.png
Step 3. Send your OIDC SSO credentials to Tipalti

To set up OneLogin as your SSO provider for Tipalti, you'll need to enter your client ID, client secret key, and base URL (sometimes known as 'Issuer URL', 'Callback URL', etc).

You need to copy the OAuth values from Google Workspace, and paste into a secured text password-sharing application (e.g., 1Password, Vault), as you need to provide Tipalti with these values for each application (Sandbox and Production) to complete the setup process.

  1. In the "OAuth client created" dialog, copy the values for "Your Client ID" and "Your Client Secret" and paste into the secured text password-sharing application. (This information is sensitive, so it is blacked out in the image below.)
  2. Click "OK".
    OAuthClientCreatedDialog_760x379.png
  3. On the "Credentials" screen, if you have multiple apps listed in the "OAuth 2.0 Client IDs" section, select the Tipalti app that you added and click the pencil icon or the app name to open the "Client ID for Web application" screen.
    OAuth2.0ClientIDs_760x326.png
  4. Click "DOWNLOAD JSON" .
    ClientIDForWebApplication2_760x488.png
  5. From the JSON file, copy the values for "Client ID", "Client secret" (if you haven't done so in step 3.1) and "Well-known authorization URL", and paste into the secured text password-sharing application.
  6. Send the document to Tipalti to finish the SSO configuration process.
    Once Tipalti confirms that your credentials have been received, destroy the document.

Set up SAML

Step 1. Add the SAML app
  1. Go to the Google Workspace Admin page.
  2. Navigate to Apps and then to Web and mobile apps.
  3. Add app and select Add custom SAML app.
  4. Give the app a name and click Continue.
    The name is for display purposes only.
Step 2. Configure the app
  1. On the Google Identity Provider details page:
    1. Click Download metadata. It will download a file called GoogleIDPMetadata.xml.
    2. Copy the Entity ID value and keep it. 
       
    3. Click Continue.
  2. On the Service provider details page:
    1. Fill out ACS URL with the appropriate URL (see top of confluence for table per environment).
    2. Paste the "Entity ID" you copied in step 2-1b in the Entity ID field here.
    3. Click Continue.
  3. On the Attribute mapping page:
    1. Click Add mapping.
    2. For field, select Primary email.
    3. For name, enter email (case sensitive).
  4. Click Finish.
Step 3. Set up access control

You need to set up access control, i.e., who in the organization is allowed to use this SAML application:

  1. On the SAML app page, click User access.
  2. Enable the application. 
    You can enable it for everyone in the organization, or on a per-group, or per organizational unit basis. 
  3. Click Save. This concludes the Google side for configuration.

You can update the SSO configuration on the Tipalti side. You can either:

  1. Update the configuration with an API call. See below for details. Simply send an API call, as written below, with the following fields:
    • audience = The Entity ID you copied in step 2-1b
    • issuer = The Entity ID you copied in step 2-1b
    • metadataContents = The contents of the metadata XML file you downloaded in step 2-1a
  2. Update the configuration via the SSO configuration screen in the Hub - if you have access to the payer's instance.
    This screen is located under Administration → General → Single Sign On.
    • Under metadata, select "Metadata".
    • Copy the contents of the GoogleIDPMetadata.xml file you downloaded in step 5a into the metadata field
    • Audience - The Entity ID you copied in step 2-1b
    • Issuer - The Entity ID you copied in step 2-1b