Introw's Internal SSO allows your team to securely access the platform through your company's identity provider, seamlessly integrating with your existing Single Sign-On (SSO) system like Okta, OneLogin, Microsoft Entra (AD), and more. This ensures a streamlined login experience while maintaining security and compliance across your organisation.

Introw supports two authentication protocols, so you can connect with whichever your identity provider uses:

In addition, Introw supports SCIM 2.0 for automated user provisioning and deprovisioning. See the SCIM section below.

Navigate to your Introw settings > Developers.

In the Internal SSO settings you can find all the necessary information to configure either a SAML 2.0 or an OpenID Connect (OIDC) connection with your identity provider.

The service provider is already prepared by Introw. Utilize the metadata URL to prepare your SAML connection in your identity provider. Once your identity provider is prepared, fill in the Metadata URL and Introw will finalise the connection.

To connect via OIDC, register Introw as an application (client) in your identity provider, then provide the connection details in the Internal SSO settings. You will typically exchange the following:

Once these values are filled in, Introw will finalise the connection.

You can configure the mapping of the personal identification properties (email, first name, last name, and user ID) that Introw will use. Introw expects the claim values provided by your identity provider for these attributes. This means you specify the claim names from your identity provider (for example: email, given_name, family_name, oid), and Introw will automatically read the corresponding claim values for each user during authentication. This mapping applies to both SAML 2.0 and OIDC connections.

Beyond just-in-time provisioning at login, Introw supports SCIM 2.0 so your identity provider can automatically keep team members in sync. With SCIM enabled, Introw will:

To set this up, open your Introw settings > Developers and locate the SCIM configuration. Introw provides a SCIM Base URL and a bearer token. Enter these into the provisioning settings of your identity provider (for example Okta, Microsoft Entra, or OneLogin) to establish the connection. You can then map SCIM attributes and assign users or groups to control who is provisioned into Introw.

To log in via Single Sign-On (SSO), team members should begin by accessing the standard Introw login page at https://app.introw.io/login and entering their email address. Upon clicking "Log in with email," Introw's authentication system will automatically determine if the user should be redirected to the organisation's SSO provider for authentication. This works the same way whether your connection uses SAML 2.0 or OIDC.

When the user is authenticated through the Single-Sign-On service they are redirected back to Introw.

If the user was not yet invited to the team in Introw they are provisioned with the expected default role that was configured previously. When SCIM is enabled, users can also be provisioned in advance directly from your identity provider.