> ## Documentation Index
> Fetch the complete documentation index at: https://docs.introw.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up internal SSO for your team

> Connect your identity provider, map SAML attributes to user fields, set a default role, and switch your team to single sign-on.

Internal SSO lets your team sign in to Introw through your own identity provider, so access is granted and revoked alongside the rest of your stack. This guide takes you all the way from registering Introw as a service provider in your identity provider, through mapping the SAML attributes that populate each user, to switching your team over to single sign-on. Reach for it when onboarding and offboarding should run through your identity workflow instead of being a separate task in Introw.

## What you'll achieve

Your team signs in to Introw through your identity provider. New people who authenticate through SSO arrive with their name and email populated from your directory and land on a default role you choose, and once SSO is required your team can only sign in through the provider.

## Before you start

<Steps>
  <Step title="Confirm SSO is on your plan">
    Single sign-on is a paid add-on and must be enabled for your organisation. If the Internal SSO page shows an upgrade prompt instead of the configuration, it is not yet on your plan.
  </Step>

  <Step title="Check your permission">
    You need the Single sign-on permission on your role to open and edit the Internal SSO page.
  </Step>

  <Step title="Get identity provider access">
    You need admin access to create and manage a SAML application in your identity provider (for example Okta, Microsoft Entra ID, or Google Workspace).
  </Step>

  <Step title="Create the default role first">
    Decide which role new SSO users should land on and make sure it exists, since you will select it during attribute mapping. See [Create an internal role](/features/access/team-management/guides/create-an-internal-role).
  </Step>
</Steps>

## Watch it

<Tabs>
  <Tab title="Video">
    <video controls playsInline preload="none" poster="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/01.png?v=1783346769" className="w-full rounded-xl" src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/video.webm?v=1783346769#t=2.5" />
  </Tab>

  <Tab title="Click through">
    <iframe className="w-full rounded-xl" style={{ width: "100%", aspectRatio: "16 / 11", border: 0, backgroundColor: "#FAFAFA" }} src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/walkthrough.html?v=1783346769" />
  </Tab>
</Tabs>

## Steps

### Connect your identity provider

<Steps>
  <Step title="Open Internal SSO">
    Go to [Internal SSO](https://app.introw.io/settings/developers/sso). The page is split into the service provider details you give your identity provider on the left, and the attribute mapping on the right.

    <Frame>
      <img src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/01.png?v=1783346769" alt="Open Internal SSO" />
    </Frame>
  </Step>

  <Step title="Register Introw in your identity provider">
    Create a new SAML application in your identity provider and copy in the three values shown under **Service Provider Configuration**. Each has a copy button next to it.

    * **Assertion Consumer Service (ACS) URL** - where your provider sends the SAML response after a user authenticates. Paste it into your provider's ACS / Single sign-on URL / Reply URL field.
    * **Entity ID** - the identifier your provider uses to recognise Introw as the service provider. Paste it into the Audience / Entity ID field.
    * **Metadata URL** - Introw's service provider metadata, if your provider prefers to import the service provider configuration from a URL rather than entering the two fields above by hand.

    <Frame>
      <img src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/02.png?v=1783346769" alt="Register Introw in your identity provider" />
    </Frame>
  </Step>

  <Step title="Save your provider's metadata URL">
    Back in Introw, under **Identity Provider Configuration**, paste your identity provider's **Metadata URL** and select **Save**.

    Introw fetches that URL and validates it is real SAML identity provider metadata, so the address must be reachable and return the provider's metadata document. If the link cannot be fetched or is not valid metadata, Introw shows an error and nothing is saved - fix the URL in your provider and save again.

    <Frame>
      <img src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/03.png?v=1783346769" alt="Save your provider's metadata URL" />
    </Frame>
  </Step>
</Steps>

### Map attributes and a default role

<Steps>
  <Step title="Map the SAML attributes to user fields">
    On the right under **Attribute Mapping**, enter the name of the SAML attribute (claim) your provider sends for each field, so people arrive with the correct identity instead of a blank or mismatched account. Use the exact claim names from your provider.

    * **User ID** - the stable, unique identifier for the user from your provider. This is what ties a sign-in to the right Introw user, so map it to a value that never changes (not an email that might be renamed).
    * **Email address** - the claim holding the user's email; it is how the account is matched and addressed.
    * **First name** - the claim holding the given name, used for display.
    * **Last name** - the claim holding the family name, used for display.

    <Frame>
      <img src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/04.png?v=1783346769" alt="Map the SAML attributes to user fields" />
    </Frame>
  </Step>

  <Step title="Set the default role">
    Still under **Attribute Mapping**, choose a **Default role**. This is the role a new user receives the first time they sign in through SSO, so it should grant the least access that still lets someone get started (for example a partner manager role rather than admin). Select **Save** to store the mapping and the default role.

    <Frame>
      <img src="https://assets.introw.io/docs/features/access/sso/guides/set-up-internal-sso/steps/05.png?v=1783346769" alt="Set the default role" />
    </Frame>
  </Step>
</Steps>

### Switch your team to SSO

<Steps>
  <Step title="Test before you enable">
    Enabling internal SSO requires every team member to sign in through your identity provider, so confirm the connection is right first: the provider's metadata must be saved and valid, the application must be assigned to the people who need Introw, and the attribute claims must match what your provider actually sends. There is no email or social fallback once SSO is required, so a wrong mapping or an unassigned user locks people out.
  </Step>

  <Step title="Enable SSO">
    Once the metadata is saved, the **Enable SSO** checkbox appears under the identity provider metadata. Select it, then confirm in the dialog. The dialog states that this requires your team members to use SSO to sign in to Introw. To go back to letting people use any authentication method, clear the same checkbox and confirm.
  </Step>
</Steps>

## Verify it worked

A team member signs in to Introw through your identity provider and lands in the workspace. A brand-new user who authenticates through SSO appears with the name and email from your directory and holds the default role you selected. After enabling, password and social sign-in are no longer offered to your team.

## Related

<CardGroup cols={2}>
  <Card title="Set up portal SSO" icon="book-open" href="./set-up-portal-sso">
    Do the same for partners signing in to the portal.
  </Card>

  <Card title="Create an internal role" icon="book-open" href="/features/access/team-management/guides/create-an-internal-role">
    Build the default role SSO users land on.
  </Card>

  <Card title="Implementation reference" icon="screwdriver-wrench" href="../technical">
    Full configuration options.
  </Card>
</CardGroup>
