These topics outline tasks you might need to complete to maintain or update your SSO configuration.
Modify Worker Accounts to use SSO Authentication in Batch Mode
To update multiple Worker accounts to use SSO authentication, you can upload an SSO Identifier file with the required information for SSO authentication:
The Worker’s unique identifier (UID) from your Identity Provider (IDP)
The Penelope KBookitemID value from Penelope
The First Name and Last Name values from Penelope
To assist with creating the SSO identifier file, you can download two files from Penelope that specify which fields are required:
The User Authentication Status (useresinfo.csv) file can assist you in gathering the KBookitemID, First Name, and Last Name values.
The Sample SSO Identifier (sample.csv) file is what you will use to upload relevant Authentication values to Penelope to allow Workers to use their SSO credentials. The data you will input into this file comes from the User Authentication Status file in Penelope along with the UID from your IDP.
When uploading the completed SSO Identifier file to Penelope, Penelope uses these unique identifiers to ensure the correct Worker profile is updated with the UID from your Identity Provider. We do not recommend relying only on the firstname and lastname columns as your organization may have more than one Worker with the same first and last name. If you upload an SSO identifier file with duplicate first and last names, Penelope will ignore the duplicate instances.
Prerequisite: Each Worker must already have a Penelope account. If you include any worker information in the upload file for Workers who do not already have a Penelope account, Penelope will not automatically create a Worker account through the upload.
1. On the Authentication tab, locate the Synchronize UID > Sample SSO identifier file (csv) field, click the adjacent Download option, and open the file in your preferred spreadsheet program.
2. On the Maintenance tab, locate the User Authentication Information > Download User Authentication Status field, click the adjacent Download option, and open the file in your preferred spreadsheet program.
3. For each Worker, copy the following values from the usersInfo.csv (User Authentication Status) file to the sample.csv (Sample SSO identifier) file:
First name
Last name
KBookitemID
4. In your Identity Provider, locate the unique identifier (UID) for each Worker and copy the value into the sample.csv (Sample SSO identifier) file.
5. Save the file.
6. In Penelope, navigate to User Setup > Security > Authentication > Synchronize UID.
7. Next to Upload SSO identifier file (csv), click Choose File. Locate the sample.csv file and upload.
After you finish: To verify that each worker account has been updated with SSO authentication information, you can search for a Worker Profile and verify the Login Credentials.
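A pre-upload check for the completed SSO identifier file, as an added example (not part of Penelope or its documentation): it compares the file against the User Authentication Status export and flags rows that would bind an IDP UID to the wrong Worker or be skipped on upload. The column names (kbookitemid, firstname, lastname, uid) and all sample rows are assumptions; replace them with the headers in the files you download.

```python
import csv
import io
from collections import Counter

# Column names are assumptions; use the headers from your downloaded files.
KEY, FIRST, LAST, UID = "kbookitemid", "firstname", "lastname", "uid"

# Constructed sample data, not real Worker records.
STATUS_EXPORT = """kbookitemid,firstname,lastname
101,Ana,Silva
102,Ben,Okafor
103,Ana,Silva
"""
SSO_FILE = """kbookitemid,firstname,lastname,uid
101,Ana,Silva,idp-0001
102,Ana,Silva,idp-0002
103,Ana,Silva,idp-0001
104,Cy,Lee,idp-0004
105,Di,Wu,
"""


def _rows(text):
    """Parse CSV text into dicts with whitespace-trimmed values."""
    return [{k: (v or "").strip() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(text))]


def check_sso_file(status_csv, sso_csv):
    """Return (row_number, problem) pairs for the completed SSO identifier file."""
    known = {r[KEY]: (r[FIRST].lower(), r[LAST].lower()) for r in _rows(status_csv)}
    rows = _rows(sso_csv)
    uid_seen = Counter(r[UID] for r in rows if r[UID])
    name_seen = Counter((r[FIRST].lower(), r[LAST].lower()) for r in rows)
    problems = []
    for n, r in enumerate(rows, start=2):  # row 1 is the header
        name = (r[FIRST].lower(), r[LAST].lower())
        if r[KEY] not in known:
            problems.append((n, "no existing Penelope account for this KBookitemID"))
        elif known[r[KEY]] != name:
            problems.append((n, "name does not match the export for this KBookitemID"))
        if not r[UID]:
            problems.append((n, "missing IdP UID"))
        elif uid_seen[r[UID]] > 1:
            problems.append((n, "IdP UID appears on more than one row"))
        if name_seen[name] > 1:
            problems.append((n, "duplicate first and last name in file"))
    return problems
```

Call check_sso_file with the text of the two files and resolve every reported row before uploading; an empty list means none of these checks failed.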
Modify Individual Worker Accounts to use SSO Authentication
Complete this step only if you wish to manually modify specific Worker accounts with SSO Authentication information.
Navigate to the Worker Profile for the Worker you want to enable SSO for.
In the Login Credentials section, click Change.
In the Login using section, select Single Sign On (SSO).
In the New SSO Identifier field, paste the unique ID (sometimes called UID, SID, Object ID, etc.) for the Worker as provided by your IDP.
Click Save.
Repeat for all remaining Workers.
Modify the Application ID for Penelope
Navigate to User Setup > Security > Authentication tab and click Edit.
In the OAuth 2.0 (OpenID Connect) Configurations section, in the Application ID field, type the application ID for Penelope defined by your IDP.
Click Save.
Modify the Application Secret for Penelope
Navigate to User Setup > Security > Authentication tab and click Edit.
In the OAuth 2.0 (OpenID Connect) Configurations section, in the Application secret field, type the application secret for Penelope defined by your IDP.
Click Save.
Modify the Security Group for Penelope
Navigate to User Setup > Security > Authentication tab and click Edit.
In the OAuth 2.0 (OpenID Connect) Configurations section, in the Security group (scope) field, type the security group for Penelope defined by your IDP.
Click Save.
Modify the Label or Description for Penelope Credentials
Navigate to User Setup > Security > Authentication tab and click Edit.
In the OAuth 2.0 (OpenID Connect) Configurations section, in the Label for Penelope credentials and Login description for Penelope fields, type an updated label and/or description.
Click Save.
Modify the Label or Description for SSO Credentials
Navigate to User Setup > Security > Authentication tab and click Edit.
In the OAuth 2.0 (OpenID Connect) Configurations section, in the Label for SSO credentials and Login description for SSO fields, type the desired label for SSO authentication.
Click Save.
Disable SSO Authentication
If you disable SSO Authentication in Penelope, all Worker accounts will automatically revert to using their original Penelope User names and Passwords. Any Workers who are logged into Penelope at the time that SSO Authentication is disabled will automatically be logged out. We recommend implementing the User Managed Password Reset feature to allow staff to reset their own Penelope passwords after SSO Authentication is disabled.
Navigate to User Setup > Security > Authentication tab and click Edit.
From the Authentication type setup drop-down, choose Use Penelope account only.
Modify other Penelope authentication settings as needed.
Click Save.