黑料海角91入口

Integrate with Personio

Seamlessly onboard new users and sync user updates from Personio to Jumpcloud. The integration creates efficiencies for IT and HR by reducing manual overhead and security concerns related to manual data entry and access based on outdated user data.

Read this article to learn how to configure the Personio Integration.

Prerequisites

  • A 黑料海角91入口 administrator account
  • 黑料海角91入口 SSO Package or higher or SSO 脿 la carte option
  • An administrator account in Personio
  • For SSO, you must be on the Personio Enterprise plan
  • Your Personio URL (e.g., https://{mycompany}.personio.de)
  • Read access to the Personio employees鈥 API and to specific attributes available through that API for a successful integration

Important Considerations

  • You must set up the integration in the Personio application first and then in 黑料海角91入口
  • To set up both SSO and Identity Management (IdM), two separate app connectors are needed:
    1. Personio IdM connector using the Personio prebuilt application connector
    2. Personio SSO connector using a Custom OIDC application connector
  • When generating the integration credentials in Personio, leave the default mapped attributes in the scopes. Choosing unneeded attributes can cause the integration to timeout and fail
    • , the existing credentials are revoked and the integration will stop working until new credentials are generated
  • When importing new users and updates for existing users, the statuses that are classified as inactive for this integration are: Leave and Inactive:
    • Users will not be created in 黑料海角91入口 if they have one of these statuses in Personio
    • When a user鈥檚 status changes to either Leave or Inactive, the user will automatically be suspended in 黑料海角91入口
    • When a user鈥檚 status changes from either Leave or Inactive to Onboarding or Active and the reactivationAllowed option is set to true, the user鈥檚 state in 黑料海角91入口 will change from Suspended to Active
    • When a user鈥檚 status changes from either Leave or Inactive to Onboarding or Active and the reactivationAllowed option is set to false, the user will remain suspended in 黑料海角91入口 until you change the user state back to Active
  • 鈥嬧嬧嬧嬧嬧婽he timestamp in the User Import Complete email is UTC

Attribute Considerations

  •  A default set of attributes are managed for users. See the Attribute Mappings section for more details

鈥嬧嬧嬧嬧嬧婥onfiguring the Identity Management Integration

To configure Personio

  1. Log into Personio.
  2. Go to Marketplace from the left navigation panel.
  3. Search for 黑料海角91入口 and click it.
  4. Click Connect.
  5. Click Generate new credentials.
  6. Copy the Client ID and Client Secret.

Warning:

The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the 黑料海角91入口 Password Manager, for future reference.

To configure 黑料海角91入口

  1. Log in to .

Tip:

If you would like to use the Staged user state to make it easier to identify users who have been imported and to complete the onboarding process without granting access, complete the following steps. You can learn more about the Staged user state in the Manage User States article.

  • Go to Users > Settings.
  • In the Application / Directory Integrations dropdown, select Staged.
  • Click Save.
  1. Navigate to DIRECTORY INTEGRATIONS > HR Directories.
  2. In the Personio tile, click Configure > + Create New Application.
  3. Click Next and then enter a Display Label. Optionally, you can enter a Description and Display Option for the application.
  4. In the Bookmark field, enter your application URL (e.g., https://{mycompany}.personio.de).
  5. Optionally, if you are configuring a separate SSO connector, we recommend unchecking the Show this application in User Portal option, to avoid confusion for users about which Personio app to select for SSO in the User Portal.
  6. Click Save Application and then Configure Application
  7. On the Identity Management tab, click Configure.
  8. You鈥檙e presented with two fields:
    • Client ID - copy and paste the Client ID generated in the previous section
    • Client Secret - copy and paste the Client Secret generated in the previous section
  9. Click Activate.

To rotate the Personio credentials

  1. In 黑料海角91入口, deactivate the existing Identity Management integration.
  2. In Personio, go to Settings > API credentials.
  3. Click Generate new credential and select 黑料海角91入口 from the dropdown menu.
  4. Select the needed permissions and attributes.
  5. Click Generate new credential.
  6. Copy the Client ID and Client Secret.

Warning:

The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the 黑料海角91入口 Password Manager, for future reference.

  1. In 黑料海角91入口, select the Identity Management tab of the Personio app and click Configure.
  2. You鈥檙e presented with two fields:
    • Client ID - copy and paste the Client ID generated in the previous steps
    • Client Secret - copy and paste the Client Secret generated in the previous steps
  3. Click Activate.

Attribute Mappings

The following table lists attributes that 黑料海角91入口 sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations. 

Learn about 黑料海角91入口 Properties and how they work with system users in our . 

Personio User Attributes

Personio Attribute Display Label Personio API Attribute JC systemuser property 黑料海角91入口 User Field in Admin Portal Notes
Subcompany subcompany company Company (suggested) Optional
Cost center cost_centers costCenter Cost Center (suggested) Optional (Multiple cost_centers can be assigned in Personio. Only the first cost_center value in the list will be used)
Department department department Department (suggested) Optional
Email email email Company email REQUIRED
Employment Type employment_type employeeType Employee Type (suggested) Optional
First name first_name firstname First Name (suggested) Optional
Position position jobTitle Job Title (suggested) Optional
Last name last_name lastname Last Name (suggested) Optional
Office office location Location (suggested) Optional
Supervisor supervisor.email managerEmail Manager (suggested) Optional
N/A organization INHERITED
Email email username Username REQUIRED
Status status state User State CALCULATED
Personio Attribute Display Label Personio API Attribute JC systemuser property 黑料海角91入口 User Field in Admin Portal Notes

Configuring the SSO Integration

Important:

OAuth SSO is only available with the Personio Enterprise plan.

Creating a new 黑料海角91入口 Custom Application Integration

  1. Log in to the .
  2. Navigate to USER AUTHENTICATION SSO Applications.
  3. Click + Add New Application.
  4. In the the Custom Application tile, click Select.
  5. Verify your selection by clicking Next.
  6. Select Manage Single Sign-On (SSO) > Configure SSO with OIDC and then click Next.
  7. In the Display Label, type Personio SSO for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
  8. Click Save Application.
  9. If successful, click Close or Configure Application.

To configure 黑料海角91入口

  1. Create a new custom OIDC application or select it from the Configured Applications list.
  2. Select the SSO tab.
  3. Enter the following information into the fields listed below:
    • Redirect URIs - https://{mycompany}/oauth/callback
    • Client Authentication Type - Client Secret Post
    • Login URL -  https://{mycompany}/oauth/authorise 
    • Attribute Mapping - email | email 
  4. Click activate.
  5. Copy the Client ID and Client Secret. You will need this in the next section.

Warning:

The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the 黑料海角91入口 Password Manager, for future reference.

  1. Click Got It.

To configure Personio

  1. Log into Personio.
  2. Navigate to Settings > Integrations > Authentication.
  3. Enter the following information:
    • Authorization URI - https://oauth.id.jumpcloud.com/oauth2/auth
    • Token URI - https://oauth.id.jumpcloud.com/oauth2/token
    • Userinfo URI - Get | https://oauth.id.jumpcloud.com/userinfo
    • Scopes - openid
    • ClientID - paste the Client ID you copied from 黑料海角91入口.
    • ClientSecret - paste the Client Secret you copied from 黑料海角91入口.
    • Claim field - email
  4. Click Submit.

Tip:

If you select Enforce oAuth (optional), this will mandate all Personio users to login through 黑料海角91入口.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to 黑料海角91入口, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the group of users you want to give access.
  5. Click save

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

  • Access the
  • Go to听Applications and click an application tile to launch it
  • 黑料海角91入口 asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

  • Go听to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

Note:

This varies by SP.

  • Login redirects the user to 黑料海角91入口 where the user enters their 黑料海角91入口 credentials
  • After the user is logged in successfully, they are redirected听back to the SP and automatically logged in

Importing new users and updates from Personio

To import with the 黑料海角91入口 Admin Portal

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO.
  3. Search for Personio and click to open its configuration panel. 
  4. Select the Identity Management tab.
  1. There are several settings available for importing users from Personio to 黑料海角91入口.

Warning:

Selected import options will apply to both manual and scheduled imports. 

Import Users

  1. Manual Import - clicking the Start Manual Import button kicks off the process flow for doing an immediate and one-time import of users from Personio to 黑料海角91入口. 
  2. Scheduled Imports (hourly) - enabled by default for all new connectors. The first scheduled import will start within an hour after the new connector is saved. Scheduled imports will then run at the same time every hour as the initial scheduled import.

Important:

Any connectors created prior to the availability of scheduled imports will have this option disabled. To run scheduled imports, you must enable this option.

  1. Selecting the Receive summary email after each scheduled import results in user import complete emails being sent after each hourly import.

Tip:

It's recommended to enable this for the first few scheduled imports to ensure the imports are running correctly. 

Import Settings

  1. Allow reactivation of users on updateChecking the box for this setting will result in the user state changing from Suspended to Active in 黑料海角91入口 when a user鈥檚 status changes from either Leave or Inactive to Onboarding or Active in Personio.  
  2. Apply Advanced Filters on import (optional). See for available filters
    • You will enter the query params as you would if you were sending the API request via a command line. Only enter what you would include after the ?.
    • Examples of values you could enter:

- updated_since=2024-02-02T00:00:00
- attributes[]=department&attributes[]=email&[email protected]

Note:

You must return the email attribute if you specify the attributes[] for the import. Otherwise, nothing will be imported.

To start a manual import

  1. Expand the Import Users section and click Start Manual Import.
  2. Select one of the following options: 

Note:

If the option selected includes user updates, the following will occur:

  • Any and all changes made to the mapped user attributes in the source application will be made in 黑料海角91入口.
  • Users whose statuses change to one of the defined inactive status will be automatically suspended in 黑料海角91入口.
  • If Allow reactivation of users on update is checked, suspended users in 黑料海角91入口, whose status change from the defined inactive statuses to ones that are not defined as inactive, will have their user state changed back to Active in 黑料海角91入口.
  1. Click Continue.
  2. If you selected the View and select specific new users to import (updates not supported).
    • Select the users you want to import.

Note:

Free accounts can import unlimited users, but will be prompted to upgrade to a paid subscription after 30 days. Similarly, accounts managed by an MSP, that have a license limit, are only allowed to import users up to their license limit and will be prompted to contact their provider once that limit is reached.

  1. The count of users to be imported will show at the bottom left hand of the list. If this is correct, click Import
  2. Review the information in the results modal.
  3. Click one of the tiles to navigate to the Users page, User Groups page, or Device Groups page or close the modal.鈥

Note:

If you close this modal, you will return to the Identity Management configuration panel.

  1. You will receive a User Import Complete email with a summary of the import results and a link for downloading a copy of the import results.
  2. You can now connect users to all their 黑料海角91入口 resources. Learn more in the  and  articles.

Note:

Imported users must be members of a   for 黑料海角91入口 to manage their identity in and access to the application.

To import with the 黑料海角91入口 API

Note:

The import flow using this new API endpoint will only create new users who have an active status in Personio. By default, Leave and Inactive are considered inactive statuses and Onboarding and Active are considered active statuses. See available documentation for this . 

  1. Get the application ID for your integration. There are 2 ways:
    1. Retrieve the application ID from the 黑料海角91入口 Admin Portal:
      1. Log in to .
      2. Go to USER AUTHENTICATION > SSO.
      3. Open the Personio application by clicking on it.
      4. Note the ID from the URL which is just before 鈥/details鈥: https://console.jumpcloud.com/#/sso/{222220da1f777fbe7502cde}/details
    2. Retrieve the application ID by making a GET /applications request:

curl command example:   

curl --request GET \
--url 'https://console.jumpcloud.com/api/applications?fields=id&filter=displayLabel:$eq:Personio' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_ID_VALUE'

  1. To do a manual import, make a POST /applications/{application_id}/import/jobs request using the application ID from the preceding steps.

curl command example for importing new users and user updates with reactivation of users allowed:

curl --request POST \
--url 'https://console.jumpcloud.com/api/v2/applications/{application_id}/import/jobs' \
 --header 'accept: application/json' \
  --header 'Content-Type: application/json'\
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_ID_VALUE'\
--data '{ 
      "allowUserReactivation": true, 
      "operations": [ 
    "users.create", 
         "users.update" 
    ]
  }'

curl command example for importing only user updates:

curl --request POST \
--url 'https://console.jumpcloud.com/api/v2/applications/{application_id}/import/jobs'
 --header 'accept: application/json' \
  --header 'Content-Type: application/json'\
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_ID_VALUE'\
--data '{
      "allowUserReactivation": true,
      "operations": [
         "users.update"
      ]
  }'

3. To run scheduled hourly imports:

curl command that allows reactivation, sends an advanced import filter, and sends the user import complete email after the hourly sync occurs:

curl --request POST \
  --url https://console.jumpcloud.com/api/v2/applications/{applicationObjectId}/import/schedules \
  --header 'content-type: application/json' \
  --data '{"allowUserReactivation":true,"operations":{"userCreate":true,"userUpdate":true},"query":"string","sendEmail":true}'

Removing the Integration

Important:

These are steps for removing the integration in 黑料海角91入口. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and 黑料海角91入口 may result in users losing access to the application.

To deactivate the IdM Integration

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
  5. Click confirm
  6. If successful, you will receive a confirmation message.

To deactivate the SSO Integration or Bookmark

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to deactivate and click to open its details panel. 
  4. Select the听SSO or Bookmark听tab.
  5. Scroll to the bottom of the configuration.
  6. Click Deactivate SSO or Deactivate Bookmark
  7. Click save
  8. If successful, you will receive a confirmation message.

To delete the application

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case