Requirements
- Advanced Authentication + User Management
Single sign-on (SSO) is an easy way to give everyone in your organization access to Robin via a SAML provider. Robin supports IDP-initiated or SP-initiated flows via custom configuration, with native provider support for Okta and OneLogin.
SAML authentication is available for organizations with Advanced Authentication & User Management. SSO via Google and Office 365 is available for all other accounts.
Available guides:
Add your identity provider to Robin
As an administrator, go to Manage > Integrations and scroll down to Authentication methods to find the SAML SSO option.
Click Add to bring up the configuration options.
Configuring your identity provider
You'll need to fill out a few fields on your IDP to connect successfully with Robin. If you aren't sure which configuration to use, or hit trouble with a specific provider's connector app, go with Custom.
If you need more configurable options (most IDPs won't need these), check out the Advanced Options link.
App icon
For IDP-initiated flows, you may need to upload an app image. You can download our official icon below:
Required metadata attributes
Need XML to copy and paste? Download SP Metadata
Robin requires the following metadata attributes for SAML authentication. You should map these attributes to the related user fields in your IDP. Keep in mind they are case-sensitive. If you cannot change your attribute names, try assigning these to FriendlyName instead.
NameID
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">
UNIQUE ID (e.g. Email address)
</saml:NameID>
Handling Invalid NameID
Getting InvalidNameIDPolicy errors in your IDP logs? Some IDP providers (e.g. SAML 1.1) may require your NameID format to be an email address (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) instead. You can also use the default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified to let your IDP select the default automatically.
In some cases, we've seen PingOne require urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted to complete SP-initiated logins with encryption enabled. If you're still hitting errors, try disabling encryption to confirm you're formatting everything properly.
Email
<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>
FirstName
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue>
</saml:Attribute>
LastName
<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">Smith</saml:AttributeValue>
</saml:Attribute>
Custom provider
Need XML to copy and paste? Download SP Metadata
You can use the fields below or the metadata file above to get started. (Don't forget to map your IDP's metadata attributes if they go by different names.)
- Entity URI: https://robinpowered.com
- SSO (ACS) URL: https://dashboard.robinpowered.com/sso/saml/custom
- Relay State (Optional): https://dashboard.robinpowered.com/auth/saml
- If your identity provider (e.g. ADFS) does not support encrypted assertions, uncheck "Encrypt Assertion" or login requests will fail.
- Robin's Public Key (x509 cert):
Download the x509 cert instead Download Certificate
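One way to check a captured assertion against the required attributes and the Entity URI listed above, as an added example (not Robin's code). It assumes you have the decoded, unencrypted assertion XML from your IDP; the function name check_assertion and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("Email", "FirstName", "LastName")  # case-sensitive names from this page
ENTITY_URI = "https://robinpowered.com"        # Entity URI from this page

def check_assertion(xml_text):
    """List mapping problems in a decoded, unencrypted assertion (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    # Collect every name the IDP sent; FriendlyName is the page's fallback.
    sent = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                sent.setdefault(key, value)
    for name in REQUIRED:
        if sent.get(name):
            continue
        near = [k for k in sent if k.lower() == name.lower() and k != name]
        hint = f" (sent as {near[0]!r}, names are case-sensitive)" if near else ""
        problems.append(f"attribute {name} missing or empty{hint}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if ENTITY_URI not in audiences:
        problems.append(f"Audience is not {ENTITY_URI}")
    return problems

# Constructed sample: Email is sent in the wrong case, other fields are correct.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>testuser@youremail.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_URI}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>testuser@youremail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName" FriendlyName="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print("FAIL:", problem)
```

This is a mapping diagnostic for an assertion you captured yourself; it does not validate signatures or conditions.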
Azure
Follow the above steps and then under Advanced options:
- Uncheck Encrypt Assertion
- Make sure to check "Windows" under Auth Context. You may leave "Password Protected Transport" enabled as well.
Okta
Okta has its own guide. Find a full walkthrough this way.
G Suite
Google SAML has its own guide. Find a full walkthrough this way.
Centrify
Follow the main guide above, but you'll need to use this script for mapping the custom attributes:
setIssuer(Issuer);
setSubjectName(UserIdentifier);
setAudience('https://robinpowered.com');
setRecipient(ServiceUrl);
setHttpDestination(ServiceUrl);
setSignatureType('Response');
setNameFormat('emailAddress');
var FirstName = LoginUser.Get('GivenName');
var LastName = LoginUser.Get('sn');
var Email = LoginUser.Get('mail');
// Map IDP attributes to Robin
setAttribute('FirstName',FirstName);
setAttribute('LastName',LastName);
setAttribute('Email',Email);
// Optional for testing within Centrify
trace("FirstName is" + " " + FirstName);
trace("LastName is" + ' ' + LastName);
trace("Email is" + " " + Email);
Signing in with SAML
Members in your organization can sign in by selecting the "Single Sign On" button on the login page. They will need to know your organization's username (e.g. "robin", "acme-inc") in order to begin authentication with your SAML provider. You can also link directly to your SAML login via https://dashboard.robinpowered.com/login/saml/yourcompany (replace yourcompany with your organization's username) to immediately initiate SP-initiated authentication.
Troubleshooting
Having trouble getting your SAML configuration set up? Reach out to support and we can lend a hand. You may also find this Chrome extension handy for identifying issues with the requests between Robin and your IDP.