This article explains how to set up single sign-on (SSO) in Personio with Okta.
SSO lets you connect Personio to an identity provider such as Okta or Azure Active Directory (Azure AD). Personio supports OAuth 2.0, an open standard for access delegation, together with OpenID Connect (OIDC), the identity layer on top of it that the Okta setup below uses. When set up correctly, users authenticate with the identity provider and never need the credentials issued by Personio.
Notes
▶︎ Setting up SSO with Okta does not automatically sync Personio application users to Okta. To do this, you need to set up the integration with Okta separately. Learn more about our integration with Okta.
▶︎ Even if SSO is enabled, you still need to send an invitation email to your employees. Otherwise, they will not receive notification emails from Personio.
To set up SSO in Personio with Okta, follow the steps below.
1. Create a new application in Okta
Tip
When carrying out this configuration, open the Personio application and Okta in separate tabs.
- On the Okta administrator dashboard, go to APPLICATIONS > Applications.
- Click Create App Integration.
- In the Create a new app integration window, select OIDC - OpenID Connect as the sign-in method. Select Web Application as the application type that is integrated with Okta. Click Next.
- Under New Web Integration > General Settings, enter an integration name such as "Personio" in the App integration name field. Under Grant type, select the Client Credentials checkbox and leave Authorization Code selected, since the login configured below is an authorization-code flow.
- In Personio, go to Settings > Integrations > Authentication > OAuth 2.0. Under Provider settings, copy the URL from the Callback URI field.
- In Okta, go to New Web Integration > General Settings. Paste the URL that you copied earlier into the field under Sign-in redirect URIs. Okta only redirects back to URIs registered here, so the value must match the Personio Callback URI exactly. Under Assignments, select the appropriate access level (which users or groups may sign in through this integration).
- Click Save.
Tip
If users should be able to log in via the Personio mobile app, you also need to add the following callback URL as an additional Sign-in redirect URI: https://auth.personio.de/providers/oauth/callback
2. Build and enter URIs in Personio
To build all the Uniform Resource Identifiers (URIs) that are needed to configure OAuth 2.0, follow these steps.
- Go to Okta Administrator Dashboard > APPLICATIONS > Applications > General Settings and copy your Okta domain. Every URI below starts with "https://{yourOktaDomain}/oauth2".
Note
The Okta domain must always end with "okta.com". Use the standard domain (for example "yourcompany.okta.com") to build the URIs. Do not use a custom domain set up for your company that does not include "okta.com".
- In Personio, go to Settings > Integrations > Authentication > OAuth 2.0.
- Under Configuration, click Edit.
- In the Authorization URI field, paste the Okta domain that you copied earlier and use it as the basis for the URI, for example "https://{yourOktaDomain}/oauth2/v1/authorize". Use exactly these paths: they belong to Okta's org authorization server, and mixing in a custom authorization server path such as "/oauth2/default/v1/..." for one of the three URIs will make the login fail.
- In the Token URI field, enter "https://{yourOktaDomain}/oauth2/v1/token".
- Under Userinfo URI, select "GET" from the drop-down menu and paste the Userinfo endpoint "https://{yourOktaDomain}/oauth2/v1/userinfo" into the field. The Skip reading entities from ID token checkbox is selected by default. This means that on login Personio reads the user information, specifically the user's email address, from the Userinfo URI (using the access token) instead of from the claims in the ID token.
Note
When setting up OAuth with Okta, this checkbox must be selected.
- In the Scopes field, enter "openid, email". "openid" is required for an OpenID Connect login; "email" asks Okta to release the email claim, the user's email address, which Personio uses to match the login to an employee profile.
- Go to Okta administrator dashboard > APPLICATIONS > Applications > General Settings. Under Client Credentials, copy the Client ID.
- Return to Personio. Paste the Client ID that you copied earlier from Okta into the Client ID field.
- Return to Okta. Under Client Credentials, copy the Client secret.
- Return to Personio. Paste the Client secret that you copied earlier from Okta into the Client secret field.
- Under Claim Field, select Use default.
3. Review and test
- Review the data that you have entered in Personio.
- When you are certain that you have entered all the data correctly, click Submit to save the data.
- To test the OAuth connection, click Perform a configuration test.
You will be asked to sign in to Okta. If there are errors, a message will be shown to help with your troubleshooting.
Note
To be able to use SSO, employees must have user profiles in both Okta and Personio. The primary email address of the user in Okta (Directory > People > the user's profile > Primary email) must match the email address used in Personio.
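The login that steps 2 and 3 configure, traced end to end as an added example (this is not Personio's or Okta's code): a small relying-party routine runs the authorization-code flow against an in-process stand-in for Okta's org authorization server. It builds the three URIs from the Okta domain, checks the state parameter on the callback, exchanges the code using the client secret, reads the email claim from the Userinfo URI rather than from the ID token, and matches it against the Personio profile. The Okta domain, Client ID, Client secret, user logins and email addresses are constructed placeholders, and the FakeOkta class only imitates the checks a real Okta org performs; it issues no real tokens.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_DOMAIN = "yourcompany.okta.com"       # assumed placeholder, standard okta.com domain
CLIENT_ID = "0oa-example-client-id"        # assumed placeholder (Okta Client ID)
CLIENT_SECRET = "example-client-secret"    # assumed placeholder (Okta Client secret)
CALLBACK_URI = "https://auth.personio.de/providers/oauth/callback"  # from the article

def build_okta_endpoints(domain):
    """Step 2: build the three URIs from the standard Okta domain.
    A custom (vanity) domain is rejected, as the article requires."""
    if not (domain == "okta.com" or domain.endswith(".okta.com")):
        raise ValueError(f"{domain!r} is not a standard *.okta.com domain")
    base = f"https://{domain}/oauth2/v1"
    return {"authorization_uri": f"{base}/authorize",
            "token_uri": f"{base}/token",
            "userinfo_uri": f"{base}/userinfo"}

class FakeOkta:
    """Constructed in-process stand-in for Okta's org authorization server. It enforces the
    checks that fail when the setup is wrong: endpoint path, registered redirect URI, secret, scope."""

    def __init__(self, registered_redirects, users):
        self.redirects = set(registered_redirects)  # Sign-in redirect URIs in Okta
        self.users = users                          # login -> primary email (Directory > People)
        self.codes, self.tokens = {}, {}

    def _route(self, url, path):
        if urlparse(url).path != path or not urlparse(url).netloc.endswith(".okta.com"):
            raise LookupError(f"no such endpoint: {url}")

    def authorize(self, url, params, login):
        self._route(url, "/oauth2/v1/authorize")
        if params["client_id"] != CLIENT_ID or params["redirect_uri"] not in self.redirects:
            raise PermissionError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["redirect_uri"], params["scope"].split(), login)
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, url, form):
        self._route(url, "/oauth2/v1/token")
        redirect_uri, scopes, login = self.codes.pop(form["code"])  # codes are single use
        if form["client_secret"] != CLIENT_SECRET or form["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (scopes, login)
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, url, bearer):
        self._route(url, "/oauth2/v1/userinfo")
        scopes, login = self.tokens[bearer]
        claims = {"sub": login}
        if "email" in scopes:  # the email claim is only released for the email scope
            claims["email"] = self.users[login]
        return claims

def personio_login(okta, endpoints, login, personio_emails, scope="openid email"):
    """One login as Personio runs it after step 3: redirect to the Authorization URI, receive the
    callback, exchange the code at the Token URI, read the email from the Userinfo URI, match it."""
    state = secrets.token_urlsafe(16)
    callback = okta.authorize(endpoints["authorization_uri"], {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URI,
        "scope": scope, "state": state}, login)
    q = parse_qs(urlparse(callback).query)
    if q.get("state", [None])[0] != state:  # binds the callback to this login attempt
        raise PermissionError("state mismatch")
    tok = okta.token(endpoints["token_uri"], {
        "grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": CALLBACK_URI,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    email = okta.userinfo(endpoints["userinfo_uri"], tok["access_token"]).get("email")
    if email is None:
        return "error: no email claim returned (check the Scopes field)"
    if email not in personio_emails:  # must equal the email on the Personio profile
        return f"error: {email} has no matching Personio profile"
    return f"ok: {email}"

def demo():
    """Happy path plus the misconfigurations the article warns about."""
    endpoints = build_okta_endpoints(OKTA_DOMAIN)
    okta = FakeOkta([CALLBACK_URI], {"jane": "jane.doe@example.com", "max": "max@example.com"})
    personio = {"jane.doe@example.com"}  # constructed: only Jane has a Personio profile
    results = {"ok": personio_login(okta, endpoints, "jane", personio),
               "missing_email_scope": personio_login(okta, endpoints, "jane", personio, scope="openid"),
               "email_mismatch": personio_login(okta, endpoints, "max", personio)}
    try:  # callback URI never added under Sign-in redirect URIs
        personio_login(FakeOkta(["https://other.example/cb"], okta.users), endpoints, "jane", personio)
    except PermissionError as e:
        results["unregistered_redirect"] = str(e)
    try:  # a custom-authorization-server path mixed in for one URI
        personio_login(okta, dict(endpoints, token_uri=f"https://{OKTA_DOMAIN}/oauth2/default/v1/token"),
                       "jane", personio)
    except LookupError as e:
        results["wrong_endpoint"] = str(e)
    try:  # custom domain instead of the standard okta.com domain
        build_okta_endpoints("login.yourcompany.com")
    except ValueError as e:
        results["custom_domain"] = str(e)
    return results
```

demo() returns one outcome per scenario: the successful login, plus what happens when the email scope is missing, when the Okta email does not match a Personio profile, when the callback URI was never registered in Okta, when a custom authorization server path is mixed into one URI, and when a custom domain is used. The value of the walk-through is seeing which step each misconfiguration breaks, which is where to look when the Personio configuration test reports an error.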
Optional: Enforce single sign-on with Okta
After setting up single sign-on with Okta, login via OAuth is optional. Your employees can choose whether to log in to Personio with their Personio credentials or via OAuth.
If you want to make it mandatory for all employees to log in via OAuth, click the Enforce OAuth button. Do this only after the configuration test has passed and at least one administrator has signed in through Okta successfully, so that a broken configuration cannot lock out the accounts that would need to repair it.
More information
For more information about building URIs, see the Okta reference document OpenID Connect & OAuth 2.0 API.