This article explains the different authentication methods that Personio offers. The methods that are available to you depend on your Personio plan.
Two-factor authentication
All Personio customers can activate two-factor authentication for any employee role to better protect the data they have stored in Personio.
If two-factor authentication is enabled for an employee role, all employees assigned to that role must, in addition to their email address and password (knowledge, first factor), enter a token generated on their mobile device (possession, second factor) when they log in.
To activate two-factor authentication and to learn how your employees can set it up on their devices, follow the instructions in our article Set up two-factor authentication for employee roles.
Google single sign-on (SSO)
Notes
▶︎ This option only works if you use Google Workspace in your company.
▶︎ If you enable Google single sign-on, this authentication method will apply to all of your employees, and logging in with the Personio credentials (email and password) will not be possible.
If Google single sign-on is activated, your employees can log into Personio via their work-related Google accounts.
This has the following benefits:
- Access is managed entirely within Google Workspace. When an employee leaves your company and is deactivated as a user in Google, their access to Personio is automatically revoked.
- Employees do not need to create an additional password for Personio.
To activate Google SSO, follow the instructions in our article Google Single Sign-On.
Tip
We recommend that you activate Google single sign-on only after your account setup has been completed, as your employees will be able to log into Personio as soon as SSO is activated. Access to their accounts is then controlled exclusively via Google.
OAuth 2.0
Notes
▶︎ It is recommended that you work with an IT administrator to implement this type of authentication.
Personio supports login via the OAuth 2.0 protocol. This provides for secure and standardized management of access to applications.
You can integrate Personio with various OAuth providers such as Microsoft Entra ID or Okta. Read the relevant article below to learn how to set up OAuth authentication with one of these providers:
- Set up single-sign on (SSO) in Personio with Microsoft Entra ID
- Set up single sign-on (SSO) in Personio with Okta.
If you are using another OAuth provider, follow the instructions below.
Set up the redirection to the Callback URI in your OAuth provider
- Go to Settings
- In the Integrations section, click Authentication.
- In OAuth 2.0, under Provider settings, copy the URL from the Callback URI field.
- Enter this URL into the relevant field in your OAuth provider settings.
- You also need to enter the following URLs into the relevant field in your OAuth provider settings: https://login.personio.de/login/callback
https://login.personio.com/login/callback
Tip
If users should be able to log in via the Personio mobile app, you also need to allowlist the following callback URL: https://auth.personio.de/providers/oauth/callback
Configure the OAuth 2.0 settings in Personio
- Go back to Settings > Integrations > Authentication > OAuth 2.0 in Personio.
- Under Configuration, click Edit.
Note
All the data that you need to enter into the fields must be taken from your OAuth provider settings.
- In the Authorization URI field, enter the Authorization URI. Users will be forwarded to the Authorization URI page when they click Login with OAuth.
- In the Token URI field, enter the Token URI. Personio will call this endpoint to get a token to verify that the credentials entered are correct.
- Under Userinfo URI, select "GET" from the drop-down menu and paste the Userinfo endpoint "https://graph.microsoft.com/oidc/userinfo" into the field. The Skip reading entities from ID token checkbox is selected by default. This means that user information, specifically the user email address, will be read upon login from the Userinfo URI instead of the token URI.
Note
If you want user information to be read upon login from the token URI instead of the Userinfo URI, deselect the checkbox, making it possible to implement OAuth with Active Directory Federation Services (ADFS). - In the Scopes field, enter the desired scope. This field specifies how user information is transferred to Personio. For many OAuth providers, the correct value is "openid, email".
- In the Client ID field, enter the client ID that will be used for authentication.
- In the Client secret field, enter the secret of the client used for authentication
- Under Claim Field, select the field in your OAuth provider where the email addresses of your employees are stored. To validate that an employee exists in Personio, we will check if the value in this field corresponds to the email address used in Personio. You can choose between "email", "unique_name", "sub" and "upn".
Tip
If you select Use default, we will check the fields "email", "unique_name", and "sub" in sequential order until we find one that contains a value. - Optional: In the Authentication Context Class Reference field, enter the authentication context class reference. This reference is equal to the acr_values field within your OAuth provider. This reference can be used to set up additional processes on the side of your identity provider, such as two-factor authentication.
Review and test
- Review the data that you have entered in Personio.
- When you are certain that you have entered everything correctly, click Submit to save the data.
- To test the OAuth connection, click Perform a configuration test.
You will be asked to sign in to your OAuth provider. If there are errors, a message will be shown to help with your troubleshooting.
Note
Employees will only be able to log in via OAuth if the email address that is stored for the attribute "email", "unique_name" or "sub" in your OAuth provider matches the email address used in Personio.
Optional: Enforce OAuth authentication
After setting up the authentication, your employees can choose whether they wish to log into Personio via OAuth or using their Personio credentials. If you want to make it mandatory for all employees to log in via OAuth, click the Enforce OAuth button.
Note
If OAuth is enforced and the employee profile has been created, the employee can log in to the account without an invitation or activating their account.
LDAP/Active Directory via OAuth 2.0
If you want to integrate your Active Directory with your Personio account, you need to implement this option via an identity provider. The identity provider serves as an OAuth interface between your Active Directory and Personio.
The WSO2 Identity Server is a good choice of tool for identity and access management. A free download is available.
If you are already using one of the following providers, you can also implement your OAuth integration through them: