This article presents the options for integrating an existing authentication system with your Personio account.
1. Google Single Sign-On (SSO)
If Google Single Sign-On is activated, all employees whose Google-based email addresses are stored in their employee profiles in Personio can log in via Google authentication.
You can activate Google SSO with a single click in the Settings under Authentication > Google Auth.
When your employees launch Personio, they will see the following view, which allows them to log into Personio by simply clicking on Login via Google.
Please note that it is best to activate Google SSO only after your account has been fully implemented, as your employees will be able to log into Personio from the time SSO is activated. Access to their accounts is then controlled via Google.
2. OAuth 2.0
Personio supports login via the OAuth 2.0 protocol, which provides for secure, standardized management of access to applications. Please work with an IT administrator to implement this type of authentication.
Set up the OAuth 2.0 login directly in Personio by clicking on Settings > Authentication > OAuth 2.0. You will need the following data for authentication:
Note that completing the Authentication Context Class Reference Values (acr_values) field is optional. It can be used to request additional steps from your identity provider, such as two-factor authentication.
When setting up Login via OAuth in Personio, you need to enter the "scope". Within that scope, one of the following fields needs to be transferred: "email", "unique_name" or "sub". This field must contain the e-mail address of the user trying to log in. Note that the user's e-mail address must be identical to the e-mail address stored in their Personio profile.
Once you have entered all the data into the corresponding input fields and saved your settings, you will need to configure a redirection to the Callback URI for your account. You'll find this in the Provider settings.
You will also need to whitelist the following callback URL as a client with your OAuth provider in order to use Login via OAuth with the app: https://auth.personio.de/providers/oauth/callback.
Click on Test configuration to verify that authentication has been set up successfully.
Login via OAuth is initially optional. Your employees can choose whether they wish to log into Personio using their Personio access data or via OAuth. If you want to make login via OAuth mandatory for all employees, activate this setting by clicking on the relevant button in Enforcement.
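The two checks the OAuth section relies on, as an added example that is not Personio's own code: the configured scope field must carry an e-mail identical to the one in the employee profile, and the provider must match the redirect against the whitelisted callback URL exactly. It assumes the provider hands over a decoded claims dictionary and that the profile e-mail is known; both inputs below are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# The only fields the article permits to carry the login e-mail.
ALLOWED_EMAIL_CLAIMS = ("email", "unique_name", "sub")
# Callback URL from the article that has to be whitelisted at the provider.
PERSONIO_CALLBACK = "https://auth.personio.de/providers/oauth/callback"


def login_email_from_claims(claims: dict, claim_name: str) -> Optional[str]:
    """Return the e-mail carried in the configured claim, or None when the
    claim is not one of the permitted fields or does not hold an address."""
    if claim_name not in ALLOWED_EMAIL_CLAIMS:
        return None
    value = claims.get(claim_name)
    if not isinstance(value, str) or "@" not in value:
        # An opaque identifier (e.g. a numeric "sub") cannot be matched to a
        # profile e-mail, so the login has to be rejected.
        return None
    return value


def matches_personio_profile(claims: dict, claim_name: str,
                             profile_email: str) -> bool:
    """True only when the token's e-mail is identical to the profile e-mail,
    as the article requires (no normalisation is attempted)."""
    token_email = login_email_from_claims(claims, claim_name)
    return token_email is not None and token_email == profile_email


def redirect_uri_allowed(requested: str) -> bool:
    """Exact-match check for the redirect_uri a provider receives: scheme,
    host, path, query and fragment must all equal the whitelisted callback.
    Prefix or wildcard matching would accept look-alike hosts or paths."""
    return urlsplit(requested) == urlsplit(PERSONIO_CALLBACK)


if __name__ == "__main__":
    # Constructed sample token claims for a fictitious employee.
    sample = {"email": "anna.mueller@example.com", "sub": "user-123"}
    print(matches_personio_profile(sample, "email", "anna.mueller@example.com"))
    print(redirect_uri_allowed(PERSONIO_CALLBACK))
```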
3. LDAP/Active Directory via OAuth2
If you wish to integrate your Active Directory, you need to implement this option via an identity provider, which serves as an OAuth interface between your Active Directory and Personio.
The WSO2 Identity Server is a good choice of tool for identity and access management. It can be downloaded free of charge here: http://wso2.com/products/identity-server/.
If you are already using one of the following providers, you can also implement your OAuth integration through them:
- Auth0 (https://auth0.com/)
- Onelogin (https://www.onelogin.com/)
- Okta (https://www.okta.com/)
Please work with an IT administrator to implement this type of authentication.