When enabling logging in with Microsoft or Google credentials, administrators of the Penneo account can limit access to the KYC product to users who have a Microsoft or Google company account. Therefore, this update helps you make sure that employees immediately lose access to sensitive information upon leaving the organisation, enhancing overall security and regulatory compliance.
This article gives an overview of:
How to configure your Microsoft Entra or Google Workspace account
In Penneo KYC
Only the administrator of the company account can enable SSO as an allowed login method in the KYC company settings, by clicking on the tab Login with SSO.
There are 2 ways in which you can connect the login:
-
By entering your Microsoft Entra tenant ID or;
-
By entering your company’s Google Workspace domain
Please note that it is not possible to connect both through a Microsoft Entra tenant ID and through a Google Workspace domain at the same time.
In the Microsoft Entra App
The administrator of the Microsoft Entra App must:
-
Install the Penneo Enterprise application in Microsoft Entra
-
Give consent on behalf of the company
-
Give relevant users access to the App
Give consent on behalf of the company
To give consent on behalf of the company, the administrator of the Microsoft Entra App must log into Penneo KYC. During this process, a window asking for permission is shown. You give consent on behalf of your organisation by checking the box next to Consent on behalf of your organisation and then click Accept.
The Penneo app should now be shown in your Microsoft Entra app.
Give relevant users access to the App
Now that you have added the Penneo application to your Microsoft Entra app, you can give your users access to it.
Read more on this article from Microsoft describing how to give access to users, and see more information here.
Enable Microsoft and Google credentials for users
On a company level
You can enable login with SSO on a company level by activating the option Enable SSO by default for all users.
On a user level
For existing users
If you wish to enable or disable SSO as a login method for specific existing users, you can open the Users tab in the company settings, select the user you want to enable this feature for and select the Enable SSO for this user button.
For new users
An administrator needs to create a user within Penneo KYC and choose a login name and password for the user.
Important note: Users cannot log into Penneo KYC through their company Microsoft or Google account until a Penneo KYC user has been created.
After the user has been created, it’s important to select the user and Enable SSO for this user as described above, if the function is not enabled on company level.
How to log in with Microsoft and Google user credentials?
First time logging in
The first time logging in after SSO is enabled for a user (as company default, or specifically for the user), the user needs to link their Microsoft or Google account to their KYC account.
In this way, we can establish which KYC account the Microsoft or Google user needs access to.
Important note: each Microsoft or Google account can only be used for login to one Penneo KYC account.
The user linking can be done in two ways.
Login with KYC credentials
-
Enter your KYC credentials
-
Select which Microsoft or Google account you would like to link to your KYC account
-
Re-confirm your KYC password
Login with Microsoft or Google account
-
Select Microsoft or Google as a login method
-
Select which Microsoft or Google account you would like to link to your KYC account
-
Enter your KYC credentials
Logging in after linking KYC with Microsoft or Google credentials
-
Select Microsoft or Google as login method
-
Choose your Microsoft or Google account
-
Enter your Penneo KYC password
Administrator settings
How to deactivate a user
If a user no longer needs access to Penneo KYC, and SSO is enabled for the user, you can remove the user from the company’s Microsoft or Google account and they will no longer be able to log into Penneo KYC.
Irrespective of the user’s Microsoft or Google account status, the administrator can Deactivate or Delete the user within Penneo KYC.
How to unlink a user
Once a user has linked their Microsoft or Google account to their KYC account, an administrator can:
- Go to the user settings for that user
- Unlink the account
The next time the user logs in, they will be asked to use their KYC credentials to link another Microsoft or Google account.
Error codes
Single Sign On is not enabled
This error code shows when the user selects Microsoft or Google and enters valid KYC credentials, but SSO is not enabled for that KYC user.
Solutions
-
As a user, you can log in with classic credentials and don’t choose the Microsoft/Google login.
-
As an administrator, you can add the Microsoft Entra Tenant ID or Google Workspace domain to your company settings and enable SSO by default or for the user.
Single Sign On not available for your account
This error code shows when The user selects Microsoft or Google and enters valid KYC credentials, but SSO is not enabled for that KYC user.
Solutions
-
As a user, you can log in with classic credentials and don’t choose the Microsoft/Google login.
-
As an administrator, you can add the Microsoft Entra Tenant ID or Google Workspace domain to your company settings and enable SSO by default or for the user.
Invalid credentials
This error code shows when the user selects Microsoft or Google, uses a Microsoft or Google account which hasn’t been linked and then enters invalid KYC credentials.
Solutions
-
Please try to log in again and enter valid KYC credentials.
-
Ensure the credentials belong to an active user account.
This Microsoft or Google account is already in use
This error shows when a user tries to link a Microsoft or Google account, which has already been linked to another KYC account.
Solutions
-
As a user, you can select a different Microsoft or Google account.
-
As an administrator, you can unlink the Microsoft or Google account from the user to which it’s currently linked.
Wrong Google account selected
This error code shows when the user tries to Link a Microsoft or Google account to a KYC account (following one of the both ways of linking an account), but the Microsoft/Google account doesn’t match the Tenant or Domain configured by the administrator.
Solutions
-
As a user, try using a different Microsoft or Google account.
-
As an administrator, edit the Microsoft Entra Tenant ID or Google Workspace domain in the company settings.
Google login has failed
This error shows when there is something wrong at Microsoft or Google’s end or if the user doesn’t select a Microsoft/Google account but cancels the Microsoft or Google flow.
Solutions
- Try logging in again.
Unknown error
This error code shows when something is wrong on Penneo’s side.
Solutions
-
Try logging in again.
-
Share the trace ID with Penneo Support.