Enabling single sign-on via SAML 2.0

Supported Plans

  • Basic
  • Pro
  • Premium
  • Enterprise

Single sign-on (SSO) is an easy way to give everyone in your organization access to Robin via a SAML provider. Robin supports IDP-initiated or SP-initiated flow via custom configuration with native provider support for Okta and OneLogin.

SAML authentication is available for organizations on Enterprise plans.

Available guides:

Add your identity provider to Robin

As an administrator, go to Settings > Integrations and scroll down to the Authentication methods to find an option for SAML SSO.

Authentication options for Robin

Click "Add" to bring up configuration options.

Configuring your identity provider

You'll need to fill out a few fields on your IDP to connect successfully with Robin. If you aren't sure which configuration to use, or hit trouble with a specific provider's connector app, go with Custom.

If you need more configurable options, (most IDPs won't need these) check out the Advanced Options link.

App icon

For IDP-initiated flows, you may need to upload an app image. You can download our official icon below:

Required metadata attributes

Robin requires the following metadata attributes for SAML authentication. You should map these attributes to the related user fields in your IDP. Keep in mind they are case-sensitive. If you cannot change your attribute names, try assigning these to FriendlyName instead.


<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  UNIQUE ID (e.g. Email address)

Handling Invalid NameID

Getting InvalidNameIDPolicy errors in your IDP logs? Some IDP providers (e.g. SAML 1.1) may require your NameID format to be an email address (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) instead.

In some cases, we've seen PingOne require urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted to complete SP-initiated logins with encryption enabled.


<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>


<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue>


<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Smith</saml:AttributeValue>

Custom provider

Need XML to copy and paste? Download SP Metadata

You can use the fields below or the metadata file above to get started. (Don't forget to map your IDP's metadata attributes if they go by different names)

  • Entity URI: https://robinpowered.com
  • SSO URL: https://dashboard.robinpowered.com/sso/saml/custom
  • Relay State: https://dashboard.robinpowered.com/auth/saml
  • If your identity provider (i.e. ADFS) does not support encrypted assertions uncheck "Encrypt Assertion" or login requests will fail.
  • Robin's Public Key (x509 cert):
    -----END CERTIFICATE-----

Download the x509 cert instead Download Certificate


We have an official connector app available through Okta's app marketplace. If you hit any trouble with the standard connector app, you can also connect Okta as a custom integration using the instructions above.

Download the x509 cert Download Okta Certificate


Our official connector app is available by searching "Robin" in the directory. Once added, copy your Issuer and SAML links over into Settings > Integrations > SAML fields in Robin

Google Apps

Google SAML has its own guide. Find a full walkthrough this way.

Signing in with SAML

Members in your organization can now sign in by selecting the "Single Sign On" button on the login page. You can also link directly to your SAML login via https://dashboard.robinpowered.com/login/saml/yourcompany (replace with your organization's username) to immediately initiate SP-authentication.

Single sign on button for Robin

They will need to know your organization's username (i.e. "robin", "acme-inc") in order to begin authentication with your SAML provider.

Sample workflow

Here's the whole process using Okta as an example SAML provider:

Logging into Robin with Okta single sign on

Did this article help?