
Single Sign-On (SSO)

What is SSO?

Single Sign-On allows your team to sign in to Tripl-i using their existing corporate credentials — the same username and password they use for Microsoft 365, Google Workspace, or your organization's identity provider. No separate passwords to remember.

Why Use SSO?

  • One password for everything — Users sign in with their existing corporate credentials
  • Stronger security — Leverage your organization's multi-factor authentication (MFA)
  • Automatic access control — When you disable a user in your identity provider, they lose access to Tripl-i immediately
  • Compliance — Centralized authentication meets SOX, HIPAA, and PCI-DSS requirements
  • Less IT overhead — No password reset tickets for Tripl-i

Supported Identity Providers

Provider | Best For
Microsoft Entra ID (Azure AD) | Organizations using Microsoft 365, Azure
Google Workspace | Organizations using Google Workspace
Custom OIDC | Any OpenID Connect compatible provider (Okta, Auth0, OneLogin, etc.)

How SSO Works for Users

Once SSO is configured, the sign-in experience changes:

  1. Enter your email address and click Continue
  2. Tripl-i detects your organization uses SSO
  3. Click Sign in with Microsoft (or Google)
  4. You're redirected to your organization's login page
  5. Sign in with your corporate credentials (+ MFA if configured)
  6. You're automatically redirected back to Tripl-i — signed in

Info: SSO users don't need a separate Tripl-i password. Your organization's MFA (multi-factor authentication) is trusted, so you won't be asked for a second Tripl-i 2FA code.

Setting Up SSO

Prerequisites

Before you begin, you'll need:

  • Tenant Admin role in Tripl-i
  • Admin access to your identity provider (Microsoft Entra, Google Admin, etc.)
  • Your organization's email domain (e.g., yourcompany.com)

Step 1: Open SSO Settings

  1. Sign in to Tripl-i as a Tenant Admin
  2. Navigate to Settings in the sidebar
  3. Click Single Sign-On (SSO)

Step 2: Choose Your Provider

Select your identity provider:

  • Microsoft Entra ID — for Microsoft 365 organizations
  • Google Workspace — for Google Workspace organizations
  • Custom OIDC — for other identity providers

Microsoft Entra ID Setup

In the Microsoft Entra Admin Center

  1. Go to Microsoft Entra Admin Center
  2. Navigate to Applications → App registrations → New registration
  3. Configure the app:
    • Name: Tripl-i Platform
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Copy the callback URL shown in Tripl-i SSO settings
      • Production: https://api.tripl-i.com/api/auth/sso/callback
  4. Click Register
  5. Copy the Application (client) ID — you'll need this
  6. Copy the Directory (tenant) ID — you'll need this
  7. Go to Certificates & secrets → New client secret
    • Description: Tripl-i SSO
    • Expiry: 24 months (recommended)
    • Click Add and immediately copy the Value (you won't see it again)
  8. Go to API permissions → Verify these are present:
    • openid
    • email
    • profile

In Tripl-i SSO Settings

  1. Select Microsoft Entra ID as the provider
  2. Enter your Entra Tenant ID (Directory ID from step 6 above)
  3. Enter the Client ID (Application ID from step 5)
  4. Enter the Client Secret (Value from step 7)
  5. Add your Email Domain (e.g., yourcompany.com)
  6. Click Test Connection to verify everything works
  7. Toggle Enable SSO to ON
  8. Click Save

Tip: You can add multiple email domains if your organization uses more than one (e.g., yourcompany.com and yourcompany.co.uk).


Google Workspace Setup

In Google Cloud Console

  1. Go to Google Cloud Console
  2. Select or create a project
  3. Navigate to APIs & Services → Credentials
  4. Click Create Credentials → OAuth client ID
  5. Configure:
    • Application type: Web application
    • Name: Tripl-i Platform
    • Authorized redirect URIs: Add the callback URL from Tripl-i SSO settings
      • Production: https://api.tripl-i.com/api/auth/sso/callback
  6. Click Create
  7. Copy the Client ID and Client Secret
  8. Go to APIs & Services → Library → Enable Google People API

In Tripl-i SSO Settings

  1. Select Google Workspace as the provider
  2. Enter the Client ID
  3. Enter the Client Secret
  4. Add your Email Domain (e.g., yourcompany.com)
  5. Click Test Connection
  6. Toggle Enable SSO to ON
  7. Click Save

Custom OIDC Provider Setup

For identity providers like Okta, Auth0, OneLogin, or any OIDC-compliant system:

  1. In your IdP, create a new OIDC application
  2. Set the Redirect URI to the callback URL shown in Tripl-i SSO settings
  3. Note the Client ID, Client Secret, and Discovery URL
    • The discovery URL typically ends with /.well-known/openid-configuration
  4. In Tripl-i SSO settings:
    • Select Custom OIDC
    • Enter the Discovery URL
    • Enter Client ID and Client Secret
    • Add your Email Domain
    • Test and enable
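
A pre-flight check you can run on the discovery document before entering its URL, as an added example that is not part of Tripl-i or its documentation. It assumes the authorization code flow and the openid, email and profile scopes listed in the Entra section; the host idp.example.test and both sample documents are constructed.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes named in the Entra steps on this page
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if discovery_url.endswith(WELL_KNOWN):
        # OIDC Discovery: issuer must equal the fetch URL minus the suffix (one trailing "/" tolerated).
        expected = discovery_url[: -len(WELL_KNOWN)]
        if str(doc.get("issuer", "")).rstrip("/") != expected:
            problems.append("issuer does not match discovery URL")
    else:
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(key + " is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(key + " is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    # scopes_supported is optional in the spec, so only judge it when present.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample documents (idp.example.test is a placeholder host).
GOOD_URL = "https://idp.example.test/oauth2/default" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://idp.example.test/oauth2/default",
    "authorization_endpoint": "https://idp.example.test/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.test/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
# Same document with three defects: wrong issuer, plain-http token endpoint, no "profile".
BAD_DOC = dict(GOOD_DOC, issuer="https://other.example.test",
               token_endpoint="http://idp.example.test/oauth2/default/v1/token",
               scopes_supported=["openid", "email"])

if __name__ == "__main__":
    print(check_discovery(GOOD_URL, GOOD_DOC), check_discovery(GOOD_URL, BAD_DOC))
```

An issuer mismatch is the finding to take most seriously: it means the document describes a different issuer than the URL you were given, so stop and confirm the URL with your IdP administrator.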

Partner Portal SSO

SSO works identically in the Partner Portal. If SSO is configured for your organization:

  • Partners sign in at the Partner Portal login page
  • Enter email → detected as SSO → redirected to your IdP
  • After authentication, redirected back to the Partner Portal dashboard

No additional configuration needed — the same SSO setup covers both the main app and the Partner Portal.


Managing SSO

Adding Email Domains

You can associate multiple email domains with your SSO configuration. All users with matching email domains will be directed to SSO.

  1. Go to Settings → SSO
  2. In the Email Domains section, type a new domain and press Enter
  3. Click Save

Disabling SSO

If you need to disable SSO temporarily:

  1. Go to Settings → SSO
  2. Toggle Enable SSO to OFF
  3. Click Save

Users will fall back to password-based login. Their Tripl-i passwords remain valid.

Rotating Client Secrets

When your IdP client secret expires:

  1. Generate a new secret in your identity provider
  2. Go to Tripl-i Settings → SSO
  3. Enter the new Client Secret
  4. Click Test Connection to verify
  5. Click Save

Warning: Update the secret before the old one expires to avoid login interruptions.


Frequently Asked Questions

Q: Do users need a Tripl-i password if SSO is enabled?
A: No. SSO users authenticate entirely through your identity provider. They don't need a separate Tripl-i password.

Q: What happens if SSO goes down?
A: Users can still sign in with their Tripl-i password if they have one set. You can also disable SSO temporarily in Settings to force password login.

Q: Is multi-factor authentication (MFA) supported?
A: Yes — Tripl-i trusts your identity provider's MFA. If your organization enforces MFA in Entra ID or Google, that MFA applies to Tripl-i sign-ins too.

Q: Can I use SSO for some users and passwords for others?
A: Yes. SSO is based on email domain. Users whose email domain matches the SSO configuration use SSO. Others use password login.

Q: Does SSO work with the Partner Portal?
A: Yes. The same SSO configuration applies to both the main Tripl-i app and the Partner Portal.

Q: How do I know if SSO is working?
A: Use the Test Connection button in SSO settings. It verifies connectivity to your identity provider without affecting users.

Q: Can I have SSO for multiple identity providers?
A: Currently, each tenant supports one SSO configuration. If you need multiple providers, contact support.


Troubleshooting

Issue | Solution
"SSO not configured" error | Verify the email domain matches your SSO configuration
Redirect loop after sign-in | Check the callback URL in your IdP matches exactly
"No account found" after SSO | The user needs a Tripl-i account with the same email address
"Account disabled" error | Re-enable the user in Tripl-i Settings → Users
Test Connection fails | Verify Client ID, Secret, and Discovery URL are correct
Secret expired | Generate a new secret in your IdP and update in SSO settings
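
For the redirect-loop row above, identity providers compare redirect URIs as exact strings, so the example below reports how a registered URI differs from the production callback URL given on this page. It is an added example, not Tripl-i code; the function name and the mismatched sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Production callback URL as given on this page.
EXPECTED_CALLBACK = "https://api.tripl-i.com/api/auth/sso/callback"


def diff_redirect_uri(registered, expected=EXPECTED_CALLBACK):
    """Explain how a redirect URI registered in the IdP differs from the expected one."""
    if registered == expected:
        return []
    findings = []
    if registered != registered.strip():
        findings.append("leading or trailing whitespace")
    reg, exp = urlsplit(registered.strip()), urlsplit(expected)
    if "*" in registered:
        findings.append("wildcard in URI")
    if reg.scheme != exp.scheme:
        findings.append(f"scheme is {reg.scheme!r}, expected {exp.scheme!r}")
    if reg.netloc != exp.netloc:
        if reg.netloc.lower() == exp.netloc.lower():
            findings.append("host differs only in letter case")
        else:
            findings.append(f"host is {reg.netloc!r}, expected {exp.netloc!r}")
    if reg.path != exp.path:
        if reg.path.rstrip("/") == exp.path:
            findings.append("trailing slash on path")
        elif reg.path.lower() == exp.path.lower():
            findings.append("path differs only in letter case")
        else:
            findings.append(f"path is {reg.path!r}, expected {exp.path!r}")
    if reg.query or reg.fragment:
        findings.append("unexpected query string or fragment")
    # The strings differ but none of the checks above explains why.
    return findings or ["differs in a way not classified here"]


# Constructed examples of common copy-and-paste mistakes.
SAMPLES = [
    EXPECTED_CALLBACK + "/",
    "http://api.tripl-i.com/api/auth/sso/callback",
    "https://API.tripl-i.com/api/auth/sso/callback ",
    "https://*.tripl-i.com/api/auth/sso/callback",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(repr(uri), "->", diff_redirect_uri(uri))
```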