Single Sign-On (SSO)
Tungsten e-Invoice Connect (TeC) supports Single Sign-On (SSO) via the OpenID Connect (OIDC) protocol, built on OAuth 2.0. Once SSO is configured for a Business Group, users of that group authenticate through your corporate Identity Provider (IDP) rather than with an e-Invoice Connect-specific password.
This guide covers SSO configuration using Microsoft Azure AD (Entra ID) as the Identity Provider. Configuration for PingID follows the same general structure.
When SSO is enabled for an account or member, mandatory two-factor authentication (MFA) cannot also be enabled for that account from the TeC side. The SSO provider may provide MFA, so when you enable Microsoft Azure AD (Entra ID) or PingID as the SSO provider, you can get both SSO and MFA from one provider.
Supported Identity Providers
Microsoft Azure AD and PingID are the officially verified and tested identity providers. Other OIDC-compliant providers (such as Google, Okta, or Auth0) may work but are not officially supported or documented. Compatibility with unsupported providers is not guaranteed.
Prerequisites
Before configuring SSO in TeC, make sure the following conditions are met:
For Business Group Administrators
- You have TeC Business Group Administrator access.
- You know which accounts (members) in your Business Group should use SSO.
- You have received the following values from your Azure AD administrator:
  - Application (Client) ID
  - Client Secret
  - Tenant ID (used to construct the OpenID discovery URL)
For Azure AD / Entra ID Administrators
- You have permission to register applications in your Azure AD tenant.
- You know the TeC Redirect URI and Post Logout Redirect URI (provided by your TeC administrator). These URIs must be registered exactly as provided (1:1 match).
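A pre-flight check for the two prerequisites that most often go wrong, the discovery URL built from the Tenant ID and the 1:1 match of the redirect URIs. This is an added example, not part of the TeC documentation or product. It assumes Microsoft's v2.0 discovery URL layout, and the tenant GUID and `tec.example.invalid` URIs are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: Microsoft's v2.0 discovery URL layout; confirm the exact URL
# expected with your TeC administrator.
DISCOVERY = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def discovery_url(tenant_id):
    """Build the OpenID discovery URL from a Tenant ID given in GUID form."""
    tenant_id = tenant_id.strip()
    if not GUID_RE.match(tenant_id):
        raise ValueError("Tenant ID is not a GUID: %r" % tenant_id)
    return DISCOVERY.format(tenant=tenant_id.lower())

def explain_mismatch(provided, registered):
    """Say why two URIs that look alike still fail a 1:1 comparison."""
    if provided == registered:
        return "exact match"
    p, r = provided.strip(), registered.strip()
    if p == r:
        return "whitespace differs"
    if p.rstrip("/") == r.rstrip("/"):
        return "trailing slash differs"
    if p.lower() == r.lower():
        return "letter case differs"
    if urlsplit(p)._replace(scheme="") == urlsplit(r)._replace(scheme=""):
        return "scheme differs"
    return "different URI"

def check_redirects(provided, registered):
    """Map each TeC-provided URI to 'exact match' or the nearest-miss reason."""
    report = {}
    for name, uri in provided.items():
        reasons = [explain_mismatch(uri, reg) for reg in registered]
        near = [x for x in reasons if x != "different URI"]
        if "exact match" in reasons:
            report[name] = "exact match"
        else:
            report[name] = near[0] if near else "not registered"
    return report

# Constructed sample values (placeholders, not real TeC or tenant data).
PROVIDED = {"redirect_uri": "https://tec.example.invalid/signin-oidc",
            "post_logout_redirect_uri": "https://tec.example.invalid/signout-callback-oidc"}
REGISTERED = ["https://tec.example.invalid/signin-oidc/",
              "https://tec.example.invalid/signout-callback-oidc"]

if __name__ == "__main__":
    print(discovery_url("00000000-0000-0000-0000-000000000000"))
    print(check_redirects(PROVIDED, REGISTERED))
```

Replace `PROVIDED` with the URIs from your TeC administrator and `REGISTERED` with the redirect URIs listed on the app registration; anything other than "exact match" should be corrected before testing sign-in.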