Articles in this section

Azure (Entra) setup

Follow these steps to set up Azure as an SSO provider for the Tipalti app.

Set up OIDC

Step 1. Register a new application
  1. Log in to your Azure account.
    Use the same email you use to log into Tipalti
  2. Under Azure services, click Microsoft Entra ID.
    Azure active directory
    The company details display.
Step 2. Identify the Tipalti app to Microsoft Azure servers

Before you begin, have a secured text password-sharing application (for example, 1Password) ready to paste your app registration details in to share with Tipalti.

  1. Click App registrations in the left menu. Then, click + New registration in the top tab menu.
    App regisrations page
    The Register an application page displays.
  2. Complete the form:
    1. In the Name field, enter the name of the application.
    2. In the Supported account types field, select Accounts in this organizational directory only (tipalti.com only - Single tenant).
    3. Scroll down to the Redirect URI section.
    4. From the Select a platform dropdown, select Web.
    5.  Copy and paste the following URLs for the Tipalti app.
      1. For Sandbox:
        • https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
        • https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
      2. For Production:
        • https://hub.tipalti.com/api/v0/account/authorizesso
        • https://sso.tipalti.com/api/authorization/v1/authorizesso
    6. Click Register.
      Register an application page
  3. Click Authentications in the left menu:
    1. In the Web section, click Add URl.
    2. Copy and paste a second URl (for the selected environment).
      1. For Sandbox:
        • https://console2.sandbox.tipalti.com/api/v0/account/authorizesso
        • https://sso.sandbox.tipalti.com/api/authorization/v1/authorizesso
      2. For Production:
        • https://hub.tipalti.com/api/v0/account/authorizesso
        • https://sso.tipalti.com/api/authorization/v1/authorizesso
    3. Click Add URI.
      Authentication page
    4. Click Save.
  4. Click Certificates & secrets in the left menu.
    App details page
  5. In Client secrets, click + New client secret.
    The Add a client secret right panel displays. 
  6. Complete the fields:
    1. In the Description field, enter a description for this client secret.
    2. Select the expiration period from the Expires dropdown based on your company policy. We recommend 365 days (12 months).
    3. Click Add.
      Add a client secret side pane
      The new client secret displays.
    4. Immediately, in the Value column, click the copy icon.
      Once you leave the page, the value is no longer visible.
    5. Paste and save the value to a secured text password-sharing application of your choice.
Step 3. Send your OIDC SSO credentials to Tipalti

To set up OneLogin as your SSO provider for Tipalti, you'll need to enter your OpenID Connect metadata document endpoint, Application (client ID), and Client secret key. 

To complete the setup process, you need to provide Tipalti with the application registration details you generated in Azure using your secured text password-sharing application.

To get your Application (client ID) and OpenID Connect metadata document endpoint:

  1. In Azure, click App registrations.
  2. In either the All applications or Owned applications tab, go to your application listing.
  3. In the Application (client) ID field, copy the ID and paste it into your secured text password-sharing application.
    Application (client) ID value
  4. Click Endpoints in the top menu..
  5. In the Endpoint right-pane, click the copy icon in the OpenID Connect metadata document field.
  6. Paste it into the secured text password-sharing application.
    Enpoints right pane
  7. Send the document to Tipalti through the secured text password-sharing application. Check the document contains the app:
  8. Destroy the document as soon as you receive this confirmation.

Set up SAML

Step 1. Add the SAML app
  1. In the Azure Portal, go to Microsoft Entra ID.
  2. On the side panel, go to Enterprise applications.
  3. Click New application, then select Create your own application.

  4. Give the application a name and click Save.
    You will now be redirected to the enterprise application page.

At this point, you may need to configure the user whitelist for this application.

Step 2. Configure the app
  1. On the side bar, go to "Manage → Single sign-on".
  2. Select SAML as the sign-in method.
    You should now see a SAML configuration page.
  3. Click "edit" on the basic SAML configuration box.
  4. Click both the add identifier and add reply URL links.
    You now need to decide on an application identifier for this SAML application. We recommend tipalti.
    This application identifier (or Entity ID) will be used for both the audience and issuer fields in IDS.
Step 3. Set up access control
  1. Under Entity ID, enter your chosen application identifier.
  2. Under reply URL, enter the appropriate callback URL.
  3. The rest of the fields are not required. Click Save.
    The basic SAML configuration box should now be updated with the values you put in.
  4. Copy and keep the value in the App Federation Metadata Url box. This is the metadata URL for configuring IDS.

After following these steps, you should have:

  • Your configured Entity ID → audience + issuer
  • The App Federation Metadata URL → metadata URL

You can now call the IDS API to configure SAML for this payer. Example:

{
  "payerId": 1234,
  "ssoMandatory": false,
  "samlConfiguration": {
    "audience": "tipalti",
    "metadataUrl": "https://login.microsoftonline.com/6d9ed0f0-d90e-4251-9e94-078ded31a127/federationmetadata/2007-06/federationmetadata.xml?appid=5836eeb0-51a2-44e0-9864-421614edd0cd",
    "issuer": "tipalti"
  }
}