What you’ll achieve
Partners sign in to your portal through the configured identity provider. Because portal SSO is the portal’s sign-in method once enabled, every partner uses single sign-on instead of email or social login.Before you start
Confirm SSO is on your plan
Single sign-on is a paid add-on and must be enabled for your organisation. If the Portal SSO page shows an upgrade prompt instead of the configuration, it is not yet on your plan.
Check your permission
You need the Single sign-on permission on your role to open and edit the Portal SSO page.
Coordinate with the partner's IdP admin
Portal SSO uses the partner’s identity provider, so you need someone on their side with admin access to create the SAML application and provide the metadata URL.
Watch it
- Video
- Click through
Steps
Open Portal SSO
Go to Portal SSO. The Enable Portal SSO switch sits in the header, and the service provider and identity provider configuration are below it.

Register your portal in the partner's identity provider
Have the partner create a SAML application in their identity provider using the three values under Service Provider Configuration, each with a copy button.
- Assertion Consumer Service (ACS) URL - where the partner’s provider posts the SAML response. Unlike internal SSO, this URL points at your portal’s address, so it reflects your custom domain if one is set.
- Entity ID - the identifier the partner’s provider uses to recognise your portal as the service provider.
- Metadata URL - your portal’s service provider metadata, if their provider prefers to import the configuration from a URL.

Save the partner's metadata URL
Under Identity Provider Configuration, paste the partner’s identity provider Metadata URL and select Save. Introw fetches and validates the document is real SAML identity provider metadata, so the URL must be reachable; if it cannot be fetched or is not valid metadata, Introw shows an error and saves nothing.

Test before you enable
Turning on portal SSO immediately makes the partner’s identity provider the portal’s only sign-in method: email and social login are switched off for partners. There is no fallback once it is enabled, so confirm the metadata is saved and valid and that the partner’s users are assigned to the application before you flip the switch.

Verify it worked
A partner opens your portal and is sent to the configured identity provider to sign in, then lands in the portal. The portal sign-in screen no longer offers email or social login for partners while portal SSO is enabled.Related
Set up internal SSO
Do the same for your own team.
Implementation reference
Full configuration options.
