Single Sign On (SSO) is an authentication process that allow your organization to manage login credentials for multiple applications in a singular location using an Identity Provider (IDP). The SSO feature in Penelope allows you to use your existing OAuth 2.0-compatible IDP to manage the username and password that workers use to log in to Penelope.

Penelope login page with SSO credentials enabled

The SSO feature in Penelope uses the OAuth 2.0 protocol, which allows Penelope to connect to an external server to authenticate a user. To implement SSO for your organization, your organization’s IDP must use OAuth 2.0. Examples of IDPs that use OAuth 2.0 and are supported for use with Penelope include Azure (Microsoft Office 365 and Windows 2016) and Google for Business.

Important Information

  • Penelope is not compatible with ADFS 1.0, 1.1, 2.0 or 2.1 as these versions do not support OAUTH 2.0.

  • Penelope is not compatible with ADFS 3.0 (2012) or ADFS 4.0 (2016).

  • Although OAUTH 2.0 is supported in ADFS 3.0, it is a non-compliant implementation.

  • LDAP and SAML are not compatible with OAuth 2.0.

  • When configuring Penelope to use SSO please ensure you are using the most current version of Penelope.

The SSO feature in Penelope does not include automatic synchronization of accounts; this means you must create each Worker account in both Penelope and in your IDP. Further, there is no synchronization of deactivated accounts, so you must deactivate accounts in both Penelope and in your IDP. If a Worker is active in SSO but not in Penelope, they will be unable to login to Penelope despite successfully entering SSO login credentials. Although the Worker would not be able to log in to Penelope in this scenario, we recommend deactivating former staff members in Penelope as well to avoid having the names of inactive workers appear in future reporting and Service File assignment lists.

Although you can configure Penelope to include the use of both SSO and built-in Penelope authentication, each Worker account can use a single authentication method. If you have a group of Workers that need access to Penelope but are not configured in your IDP, their accounts should use the default and built-in Penelope authentication process.

The SSO authentication process manages the User Name and Password that the Worker uses to log in to the database. Note that password security is managed through your IDP and does not use Penelope’s built-in password algorithms or other security enhancements like 2-Step Login or Security Questions. When you enable SSO authentication, you choose to override the security algorithms used by built-in Penelope authentication. Your organization needs to ensure that the IDP password requirements meet the appropriate standards for a clinical setting.

When using SSO Penelope user must still comply with Penelope’s built-in security functionality. This configuration includes managing which aspects of the Penelope database a user has access to; for example, Service Files, the Intake Wizard, Groups, etc.

Did this answer your question?