Skip to main content

What can we help you with?

As an Admin, you can take a peek into the new Personio experience!

Head to the homepage and switch on the toggle to explore the new Intelligent HR platform, complete with a fresh design and new features. Go ahead and test freely — your changes won't be visible to your employees during this early access phase.

Set up single sign-on (SSO) in Personio with Okta

This article explains how to set up single sign-on (SSO) in Personio with Okta. Follow the steps to complete the setup.

Understand SSO and OAuth

SSO allows you to connect Personio to an identity provider such as Okta or Microsoft Entra ID. Personio supports the OAuth 2.0 protocol, an open-source standard for access delegation. When set up, users authenticate through an identity provider. They don't have to use their Personio credentials. If you enable OAuth, employees with a Personio profile can log in to their account without an invitation email.

Note:
Setting up SSO with Okta doesn't automatically sync Personio application users with Okta. To do this, you need to set up the integration with Okta separately. Learn more about our integration with Okta.

1. Create a new application in Okta

  1. Optional: open Personio and Okta in separate tabs to simplify setup.
  2. On the Okta administrator dashboard, go to APPLICATIONS > Applications.
  3. Click Create App Integration.
  4. In the Create a new app integration window, select OIDC - OpenID Connect as the sign-in method. Select Web Application as the application type that integrates with Okta. Click Next.
  5. Under New Web Integration > General Settings, enter the integration name. For example, enter "Personio" into the App integration name field. Select the Client Credentials checkbox.

  6. In Personio, go to Settings. In the Integrations section, click Authentication. Then, click OAuth 2.0. Under Provider settings, copy the URL from the Callback URI field.
  7. In Okta, go to New Web Integration > General Settings. Paste the URL that you copied earlier into the field under Sign-in redirect URIs. Under Assignments, select the appropriate access level.
  8. You also need to enter the following addresses into the field under Sign-in redirect URIs:
  9. Save your changes.

Tip:
If users need to log in with the Personio mobile app, you also need to allowlist the following callback URL: https://auth.personio.de/providers/oauth/callback 

2. Build and enter URIs in Personio

To build all the Uniform Resource Identifiers (URIs) to configure OAuth 2.0, follow these steps:

  1. Go to Okta Administrator Dashboard > APPLICATIONS > Applications > General Settings. Copy the Okta domain "https://{yourOktaDomain}/oauth2". The Okta domain must always end with "okta.com". You must use the standard domain (for example, "yourcompany.okta.com") to build the URI. Don't use a custom domain that doesn't include "okta.com" that has been set up for your company to build the URI.
  2. In Personio, go to Settings. In the Integrations section, click Authentication. Then, click OAuth 2.0.
  3. Under Configuration, click Edit.

  4. In the Authorization URI field, paste the Okta domain that you copied earlier. Use this as a basis to build the URI (for example, "https://{yourOktaDomain}/oauth2/v1/authorize").
  5. In the Token URI field, enter "https://{yourOktaDomain}/oauth2/v1/token".
  6. Under Userinfo URI, select GET from the drop-down menu. Paste the Userinfo endpoint "https://{yourOktaDomain}/oauth2/v1/userinfo" into the field. The system selects the Skip reading entities from ID token checkbox by default. This means that, upon login, the system reads user information, including the email address, from the Userinfo URI instead of the Token URI. When setting up OAuth with Okta, you must select this checkbox.
  7. In the Scopes field, enter "openid, email". The "Email" field stores the user's email address.
  8. Go to Okta administrator dashboard >  APPLICATIONS > Applications > General Settings. Under Client Credentials, copy the Client ID.
  9. Return to Personio. Paste the Client ID that you copied earlier from Okta into the Client ID field.
  10. Return to Okta. Under Client Credentials, copy the Client secret.
  11. Return to Personio. Paste the Client secret that you copied earlier from Okta into the Client secret field.
  12. Under Claim Field, select Use default.

Configure issuer and JWKs URI fields

  • The issuer is the issuer identifier of the authorization server in the authorization response. In this field, enter the value of the issuer field from the .well-known/openid-configuration endpoint of your SSO provider.
  • The JSON Web Key Sets (JWKs) URI is the discovery URI to a set of public keys. These keys verify any JSON Web Token (JWT) issued by the authorization server. In this field, enter the value of the jwks_uri field from the .well-known/openid-configuration endpoint of your SSO provider.

You can find the issuer and jwks_uri fields in the discovery document endpoint of your SSO provider. You can usually access this through one of these URLs:

Tip:
For more information about building URIs, see the Okta reference document OpenID Connect & OAuth 2.0 API.

3. Review and test

  1. Review the data you've entered in Personio.
  2. Submit your changes.
  3. To test the OAuth connection, click Perform a configuration test.
  4. You need to sign in to Okta. If there are errors, a message appears to help with troubleshooting.

To use SSO, employees need to have user profiles in both Okta and Personio. The email address entered in Okta under Directory > People > Primary must match the email address used in Personio.

Optional: enforce SSO with Okta

After setting up SSO with Okta, login through OAuth is optional. Your employees can choose to log in to Personio using their Personio credentials or through OAuth. To make it mandatory for all employees to log in through OAuth, click Enforce OAuth

Help us improve. Is this page helpful?