How it works
Introw supports SAML single sign-on in two places. Internal SSO controls how your own team signs in to Introw, and portal SSO controls how partners sign in to the portal. Both follow the same core pattern: you give your identity provider Introw’s service provider details, paste your provider’s metadata URL into Introw, and enable it. Internal SSO adds attribute mapping (and a default role) so team members arrive with the right identity; portal SSO has only the enable toggle and metadata, with no attribute-mapping screen. Once enabled, sign-in goes through your identity provider. Enabling portal SSO makes your identity provider the portal’s sign-in method, so partners use it instead of email or social login. Internal SSO’s service provider URLs are built on Introw’s domain, while portal SSO’s are built on your portal address (your custom domain if you have one, otherwise your subdomain).Prerequisites
- Single sign-on permission on your role.
- An identity provider that supports SAML, with admin access to configure it.
- SSO is a paid add-on; it must be enabled on your plan.
Settings & configuration
SSO is configured under Settings, Developers, on two pages: Internal SSO and Portal SSO.Service provider configuration
Each SSO page shows the details to give your identity provider: the Assertion Consumer Service (ACS) URL, the Entity ID, and Introw’s Metadata URL. Copy these into your identity provider when you create the application.Identity provider configuration
Paste your identity provider’s Metadata URL into Introw and save it. Once the metadata is saved, the Enable SSO control becomes available so you can turn it on after testing.Attribute mapping (internal SSO only)
On the Internal SSO page, map the identity attributes your provider sends to Introw’s user fields: User ID, Email address, First name, and Last name. You also set a Default role that new users get when they sign in through SSO. Portal SSO has no attribute-mapping screen.Portal SSO and portal access
Portal SSO uses the same SAML pattern against your portal’s address, so its service provider URLs reflect your custom domain or subdomain. The page has an enable toggle and the identity provider metadata, but no attribute mapping. Enabling portal SSO sets the portal to sign in with your SSO, which replaces the other portal sign-in methods (email and social) for partners.Setup walkthrough
Open the SSO page
Go to Internal SSO or Portal SSO.
Configure your identity provider
Give your provider the ACS URL, Entity ID, and metadata URL shown on the page.
Map attributes (internal SSO only)
On internal SSO, map User ID, email, first name, and last name, and set a default role. Portal SSO has no attribute mapping.
How-to guides
Set up internal SSO for your team
Connect your identity provider, map SAML attributes to user fields, set a default role, and switch your team to single sign-on.
Set up portal SSO for partners
Let partners sign in to your portal through their own identity provider with SAML, using your portal’s service provider URLs and the SSO-only login switch.
Limits & gotchas
Troubleshooting
- The Enable SSO control is unavailable - save your identity provider’s metadata URL first.
- Users sign in but have the wrong details - check the attribute mapping for User ID, email, and name.
- Partners cannot log in to the portal - confirm portal SSO is configured correctly and your provider is reachable.