Skip to main content

What can we help you with?

Troubleshoot SSO login issues

General FAQs

 

My company has Google SSO enabled, but we also need to include some users from the Microsoft workspace. Is it possible to integrate both login options?

We do not support login through multiple SSO providers. You can configure your Google SSO via Oauth and set it as not enforced. With this:

  • Employees with Google SSO can use it to log in.
  • Employees without a Google email and SSO can log in with their own email and password.

Can I give new hires access to Personio before their start date when Okta SSO is enabled?

  1. For employees in Onboarding to be able to sign in with Okta, you need to first verify that the email in Personio matches the one in the primary email field in Okta ( Directory > People > Primary).
  2. Onboarding employees are by default in the status Staged in Okta. To be able to use SSO, the employees must have the status Active in Okta. 

Once your employees have the status Active in Okta, and their email addresses match in both tools, they should be able to log in to Personio using SSO.

Does Personio support SSO with an external identity provider using SAML protocol?

We don’t currently support the SAML SSO protocol within Personio.

Once SSO is enabled, can employees still log in to Personio using credentials, e.g., email address and password?

  • Google SSO cannot be set as optional, unless you configure it via OAuth. If you have enabled Google SSO, then it is the only way for your employees to log in.
  • If you have enabled an OAuth provider, your employees can choose whether they wish to log into Personio via OAuth or using their Personio credentials. You can also make it mandatory for employees to log in via OAuth .

If SSO is enabled, can a new employee log in to their account without an invitation or activating their account?

When SSO is enabled, employees can still log in without an invitation if they have the URL of their Personio account, and their employee status in Personio is Active. After they log in, they start receiving notification emails.

Before attempting further solutions, try the following:

  • Use a different browser.
  • Clear your browser cache.
  • Use incognito mode.
  • Logout and make sure you log in with the correct credentials.
  • Create a new profile on your browser of choice.
  • Disable extensions.

Google SSO

If Then

You receive this error message: 

"Could not find employee for Google login"

 Try the following steps:
  1. Log out from Google.
  2. Log into Personio. When google asks you to select your account, make sure to select the correct one.
Your company changes its email domain If your company changes its email domain, Personio won’t recognize the email addresses anymore, and employees won’t be able to log in. Contact our Support Team for further assistance.
The integration worked in the past, but now your employees can’t log in Your company might have changed its email domain. Contact our Support Team for further assistance.

OAuth 2.0 protocol (including Microsoft Entra ID and Okta)

If Then
An employee (or group of employees) can’t log in Try the following steps:
  1. Go to the Employees List and filter for those affected.
  2. Check that the employees’ email addresses are correct.
  3. If the above doesn’t work, check if the email addresses in Personio and the OAuth provider match.
Your employees can’t log in after the initial setup

Go to Settings > Integration > Authentication > OAuth 2.0
  • Check IDPs (For example Microsoft Entra, Okta.)
    Settings:

    ▶︎ Set to “openid email”. Different scopes might be necessary depending on the IDP.
    ▶︎ If you have a custom IDP, add it.
    ▶︎ Check the Authorization URI.
    ▶︎ Check the Token URI.
    ▶︎ Check the Required Scopes.
    ▶︎ Check if the Callback URI is correctly set in the IDP.
  • If you use OAuth in connection with Active Directory Federation Services (ADFS):
    ▶︎ Check that the checkbox Skip reading entities from id token is enabled under Userinfo URI.
  • Check if the affected employees’ email addresses are stored in one of the fields “email”, “unique_name” in the authentication provider. Select the appropriate value “on” from the "read email from claim" input.
  • Check if credentials need to be included in the query string. Note: For Microsoft Entra ID, this is required. The checkbox Include credential in query string has to be checked under the field Token URI.
  • Test your configuration by pressing Perform a configuration test.
The integration worked in the past, but now your employees can’t log in

There are three main reasons why this may happen:

  1. Your company changed its email domain.
  2. The client secret has expired.
  3. Your company changed its Personio hostname.

For all of the above, contact our Support Team for further assistance.
Your company uses different email domains, for example, .com, .es, .de, etc. Check that the domain you are using matches exactly the one you have entered for the OAuth provider.



Help us improve. Is this page helpful?