Note: While using SSO with Azure (Microsoft O365), the user will need to re-authenticate every single time they log in.
Built-in Penelope authentication is enabled by default. Complete the steps in this guide to enable O365 Single Sign On.
Caution
We highly recommend enabling both SSO and Penelope Authentication even if you plan to only use SSO Authentication. Enabling both options allows you to successfully test and reconfigure SSO Authentication settings as needed. If you enable SSO Authentication only, you risk locking user accounts, including System Administrator accounts, if they haven’t been properly configured in your IDP prior to completing the full SSO configuration in Penelope. As such, every worker and System Administrator account in Penelope that will use SSO authentication must be set up with a valid account in your IDP.
O365 Single Sign On Setup with Penelope
Important Notes
To do this, you will need an Admin-level account and an Impersonation Account at minimum.
Penelope Setup – Enable SSO Auth
With a System Admin account:
Navigate to Security > Authentication.
Click edit.
Configure the settings as follows:
Authentication Type: Use both Penelope and SSO. Note: This is VERY important until you have fully configured all Penelope accounts to successfully use SSO.
SSO Provider: Microsoft Office 365 (Azure Active Directory).
Application ID & Application Secret: Use random values. We will update these later after we have finished the O365 side of the configuration.
Save the changes.
Record the Penelope Login Endpoint and the Penelope Test Endpoint values. You will need these in subsequent steps.
SSO Admin – Setup
1. Logged in as the Admin Account, navigate to the Azure Active Directory Dashboard.
2. Navigate to the App Registrations.
3. Click New Registration and fill in the applicable information (title and Redirect URL). Note: This should be the main Penelope URL.
4. Click on Authentication. Enter the Penelope Login Endpoint and Penelope Test Endpoint URLs (and primary URL) and save. Note: These are the values you recorded when enabling SSO Auth in Penelope.
5. Click on Certificates & secrets.
6. Click New Client Secret.
7. Save the key value displayed upon save. Note: This is VERY important as it cannot be displayed afterward. You will need it to finish configuring Penelope to work with SSO.
8. Navigate to the Overview page.
9. Verify that the Redirect URLs field indicates 3 web.
10. Record the Application (client) ID value. You will need it to finish configuring Penelope to work with SSO.
11. Navigate to the Users Page.
12. Click on Download users. This will provide a CSV file which contains information about the user accounts that you will need in order to complete the Penelope side configuration.
Penelope Setup – Complete SSO config
Prerequisite: Must be done with a Account
Navigate to Security > Authentication.
Click edit.
Update the following fields with the values recorded in previous steps above:
Application ID = Application (client) ID recorded from O365
Application Secret = Client Secret Key value recorded from O365
Save the changes.
Click on Test in the Single Sign On (SSO) Connection Test box.
Log into O365 with a valid email address and password for an active account.
7. You will encounter a permissions requested page.
8. Check the Consent on behalf of your organization box and then click the Accept button. Note: This grants Penelope access to use the O365 account to log in. Each user logging in may need to do this on their first login to Penelope when using their O365 credentials.
9. Verify that you see the Penelope SSO Connection Success page.
Penelope Setup – Worker Setup
10. Click Download for the Sample SSO Identifier File. This spreadsheet (sample.csv) will provide the template for you to update all workers in Penelope with their SSO Identifier information.
11. Navigate to the Maintenance tab.
12. In the User Authentication Information Section, click Download for the Download User Authentication Status. This spreadsheet will provide a list of all workers in Penelope along with their kbookitemid, first name and last name.
13. Copy and paste these values into the Sample SSO Identifier File downloaded in the previous step.
14. Copy and paste the objectid values from the file of users downloaded from O365 (in steps above) into the uid column.
15. Save the changes made to the sample.csv. You will use this in the next step.
16. Navigate back to the Authentication Tab.
17. Click Choose File for the Upload SSO Identifier file (csv).
18. Select the updated sample.csv that contains the Object Ids, kbookitemid, first name and last name fields and Save.
19. Verify that you see the Synchronization Completed! box and click OK. All workers should now be configured to use SSO when logging into Penelope.
You have now completed all of the steps and users will be able to log into Penelope with their O365 credentials.
20. Navigate to a Worker’s Profile.
21. Verify that their Login credentials box is displaying the SSO Provider and SSO Identifier fields.
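The copy-and-paste merge in steps 12 to 15 is where a worker can end up bound to the wrong O365 identity, so here is a scripted version of it, added as an example and not part of Penelope's own tooling. It joins the two downloads by name and only emits a row when exactly one worker matches exactly one O365 user; everything else is returned for manual review. The column header names and the sample data are assumptions and must be adjusted to the headers in your actual files and in sample.csv.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Assumed column headers; change them to match the files you actually downloaded.
P_ID, P_FIRST, P_LAST = "kbookitemid", "firstname", "lastname"  # Penelope export
A_ID, A_FIRST, A_LAST = "objectId", "givenName", "surname"      # O365 user export
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample data, not real accounts.
PENELOPE_SAMPLE = ("kbookitemid,firstname,lastname\n"
                   "101,Ana,Lopez\n102,Sam,Lee\n103,Sam,Lee\n104,Kim,Osei\n")
AZURE_SAMPLE = ("objectId,givenName,surname\n"
                "11111111-2222-3333-4444-555555555555,ana,LOPEZ\n"
                "66666666-7777-8888-9999-000000000000,Sam,Lee\n")

def _key(first, last):
    return first.strip().casefold(), last.strip().casefold()

def build_identifier_rows(penelope_csv, azure_csv):
    """Return (rows, problems); only unambiguous matches land in rows."""
    ids_by_name = defaultdict(list)
    for u in csv.DictReader(io.StringIO(azure_csv)):
        ids_by_name[_key(u[A_FIRST], u[A_LAST])].append(u[A_ID].strip())
    workers = list(csv.DictReader(io.StringIO(penelope_csv)))
    seen = Counter(_key(w[P_FIRST], w[P_LAST]) for w in workers)
    rows, problems = [], []
    for w in workers:
        k = _key(w[P_FIRST], w[P_LAST])
        ids = ids_by_name.get(k, [])
        if seen[k] > 1 or len(ids) > 1:
            problems.append((w[P_ID], "ambiguous name, map by hand"))
        elif not ids:
            problems.append((w[P_ID], "no O365 account found"))
        elif not GUID.match(ids[0]):
            problems.append((w[P_ID], "objectid is not a GUID"))
        else:
            rows.append({P_ID: w[P_ID], P_FIRST: w[P_FIRST],
                         P_LAST: w[P_LAST], "uid": ids[0]})
    return rows, problems

def to_csv(rows):
    """Serialize matched rows in the assumed sample.csv column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[P_ID, P_FIRST, P_LAST, "uid"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Resolve every entry in the problems list by hand before uploading, since a worker left out of the file has no SSO Identifier.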