This article provides troubleshooting steps for Google SSO and OAuth 2.0 providers like Microsoft Entra ID and Okta.
Before you start
- If you use SSO via OpenID Connect / OAuth 2.0:
- If you can’t log in, it might be because your client secret has expired. When your client secret expires, Personio emails your Account Owner a recovery link and instructions. Before attempting further solutions, ask them to check their email account. They need to follow the link in the email to authenticate using email and password. They can then access Personio and update the secret. The token expires after three days.
- If you’re not experiencing the issue above, try the following:
- Use a different browser.
- Clear your browser cache.
- Use incognito mode.
- Log out and make sure you log in with the correct credentials.
- Create a new profile on your browser of choice.
- Disable extensions.
- Read the frequently asked questions on SSO
- If SSO works on desktop but not in the mobile app, the problem is usually device-related and not a configuration issue. Troubleshoot mobile app login issues.
Google SSO issues
| If | Then |
|
You receive this error message: "Could not find employee for Google login" |
Try the following steps:
|
| Your company changes its email domain | If your company changes its email domain, Personio doesn't recognize the email addresses anymore, and employees can't log in. |
| The integration worked in the past, but now your employees can’t log in | Your company might have changed its email domain. |
OpenID Connect / OAuth 2.0 (including Microsoft Entra ID and Okta) issues
| If | Then |
| An employee (or group of employees) can’t log in |
Try the following steps:
|
| Your employees can’t log in after the initial setup |
Try the following steps:
Check the settings you have in place for your identity provider:
We also recommend you do the following:
If you use OAuth in connection with Active Directory Federation Services (ADFS):
|
| The integration worked in the past, but now your employees can’t log in |
There are three main reasons why this may happen:
|
| Your company uses different email domains, such as, .com, .es, or .de | Check that the domain you are using matches exactly the one you have entered for the OAuth provider. |
| You receive the Microsoft Entra ID error: AADSTS50146 (application ID URI configuration) | Learn how to fix the error: "AADSTS50146: This application is required to be configured with an application ID URI". |