> ## Documentation Index
> Fetch the complete documentation index at: https://docs.introw.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On

> Configure SAML single sign-on for your internal team and your partner portal in Introw - service provider details, identity provider metadata, and attribute mapping.

**Open in Introw:** [Internal SSO](https://app.introw.io/settings/developers/sso)

## How it works

Introw supports SAML single sign-on in two places. Internal SSO controls how your own team signs in to
Introw, and portal SSO controls how partners sign in to the portal. Both follow the same core pattern:
you give your identity provider Introw's service provider details, paste your provider's metadata URL
into Introw, and enable it. Internal SSO adds attribute mapping (and a default role) so team members
arrive with the right identity; portal SSO has only the enable toggle and metadata, with no
attribute-mapping screen.

Once enabled, sign-in goes through your identity provider. Enabling portal SSO makes your identity
provider the portal's sign-in method, so partners use it instead of email or social login. Internal
SSO's service provider URLs are built on Introw's domain, while portal SSO's are built on your portal
address (your custom domain if you have one, otherwise your subdomain).

## Prerequisites

* Single sign-on permission on your role.
* An identity provider that supports SAML, with admin access to configure it.
* SSO is a paid add-on; it must be enabled on your plan.

## Settings & configuration

SSO is configured under Settings, Developers, on two pages: [Internal SSO](https://app.introw.io/settings/developers/sso)
and [Portal SSO](https://app.introw.io/settings/developers/portal-sso).

### Service provider configuration

Each SSO page shows the details to give your identity provider: the **Assertion Consumer Service (ACS)
URL**, the **Entity ID**, and Introw's **Metadata URL**. Copy these into your identity provider when
you create the application.

### Identity provider configuration

Paste your identity provider's **Metadata URL** into Introw and save it. Once the metadata is saved, the
**Enable SSO** control becomes available so you can turn it on after testing.

### Attribute mapping (internal SSO only)

On the Internal SSO page, map the identity attributes your provider sends to Introw's user fields:
**User ID**, **Email address**, **First name**, and **Last name**. You also set a **Default role** that
new users get when they sign in through SSO. Portal SSO has no attribute-mapping screen.

### Portal SSO and portal access

Portal SSO uses the same SAML pattern against your portal's address, so its service provider URLs reflect
your custom domain or subdomain. The page has an enable toggle and the identity provider metadata, but no
attribute mapping. Enabling portal SSO sets the portal to sign in with your SSO, which replaces the other
portal sign-in methods (email and social) for partners.

## Setup walkthrough

<Steps>
  <Step title="Open the SSO page">
    Go to [Internal SSO](https://app.introw.io/settings/developers/sso) or [Portal SSO](https://app.introw.io/settings/developers/portal-sso).
  </Step>

  <Step title="Configure your identity provider">
    Give your provider the ACS URL, Entity ID, and metadata URL shown on the page.
  </Step>

  <Step title="Save your provider's metadata">
    Paste your identity provider's metadata URL into Introw and save it.
  </Step>

  <Step title="Map attributes (internal SSO only)">
    On internal SSO, map User ID, email, first name, and last name, and set a default role. Portal SSO has no attribute mapping.
  </Step>

  <Step title="Enable SSO">
    Turn on SSO once you have confirmed the configuration. Enabling portal SSO switches partners to SSO-only sign-in, so there is no email or social fallback afterwards.
  </Step>
</Steps>

## How-to guides

<CardGroup cols={2}>
  <Card title="Set up internal SSO for your team" icon="book-open" href="/features/access/sso/guides/set-up-internal-sso">
    Connect your identity provider, map SAML attributes to user fields, set a default role, and switch your team to single sign-on.
  </Card>

  <Card title="Set up portal SSO for partners" icon="book-open" href="/features/access/sso/guides/set-up-portal-sso">
    Let partners sign in to your portal through their own identity provider with SAML, using your portal's service provider URLs and the SSO-only login switch.
  </Card>
</CardGroup>

## Limits & gotchas

<Warning>
  SSO is a paid add-on and must be enabled on your plan. Enabling portal SSO makes your identity provider the portal's sign-in method, replacing email and social login for partners, so confirm your partners can authenticate with it first. Save and test your metadata before enabling SSO to avoid locking users out.
</Warning>

## Troubleshooting

* **The Enable SSO control is unavailable** - save your identity provider's metadata URL first.
* **Users sign in but have the wrong details** - check the attribute mapping for User ID, email, and name.
* **Partners cannot log in to the portal** - confirm portal SSO is configured correctly and your provider is reachable.
