Enabling single sign-on via SAML 2.0

Supported Plans

  • Basic
  • Pro
  • Premium
  • Enterprise

Single sign-on (SSO) is an easy way to give everyone in your organization access to Robin via a SAML provider. Robin supports IDP-initiated or SP-initiated flows via custom configuration, with native provider support for Okta and OneLogin.

SAML authentication is available for organizations on Enterprise plans.

Add your identity provider to Robin

As an administrator, go to Settings > Integrations and scroll down to Authentication methods to find the option for SAML SSO.

Click "Add" to bring up configuration options.

Configuring your identity provider

You'll need to fill out a few fields on your IDP to connect successfully with Robin. If you aren't sure which configuration to use, or hit trouble with a specific provider's connector app, go with Custom.

If you need more configurable options (most IDPs won't need these), check out the Advanced Options link.

App icon

For IDP-initiated flows, you may need to upload an app image. You can download our official icon below:

Required metadata attributes

Robin requires the following metadata attributes for SAML authentication. You should map these attributes to the related user fields in your IDP. Keep in mind they are case-sensitive. If you cannot change your attribute names, try assigning these to FriendlyName instead.

NameID

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  UNIQUE ID (e.g. Email address)
</saml:NameID>

Getting InvalidNameIDPolicy errors in your IDP logs? Some IDPs (e.g. those using SAML 1.1) may require your NameID format to be an email address (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) instead.

Email

<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

FirstName

<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue>
</saml:Attribute>

LastName

<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Smith</saml:AttributeValue>
</saml:Attribute>
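
A pre-flight check for the attribute mapping described above, as an added example that is not Robin's code: it reads a decoded sample assertion (for instance one copied from your IDP's preview tool) and reports required attributes that are missing, empty or mis-cased, honouring the FriendlyName fallback. The function name, the constructed sample assertion and the choice to flag NameID formats other than the two mentioned in this guide are assumptions; it does not verify signatures, so it is for checking your own test assertions only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("Email", "FirstName", "LastName")
# The two NameID formats this guide mentions; flagging anything else is an assumption.
NAMEID_FORMATS = ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")

# Constructed sample: "email" is mis-cased, FirstName uses FriendlyName, LastName is absent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">testuser@youremail.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>testuser@youremail.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of mapping problems in a decoded sample assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") not in NAMEID_FORMATS:
        problems.append("unexpected NameID Format %r" % name_id.get("Format"))
    attributes = root.findall(".//saml:Attribute", NS)
    for required in REQUIRED:
        # Exact (case-sensitive) match on Name first, then on FriendlyName.
        match = [a for a in attributes
                 if required in (a.get("Name"), a.get("FriendlyName"))]
        if match:
            value = match[0].find("saml:AttributeValue", NS)
            if value is None or not (value.text or "").strip():
                problems.append("%s has no value" % required)
            continue
        # A name that differs only in case fails the exact match; report it as such.
        near = [a.get("Name") for a in attributes
                if (a.get("Name") or "").lower() == required.lower()]
        if near:
            problems.append("%s is sent as %r (names are case-sensitive)" % (required, near[0]))
        else:
            problems.append("%s is missing" % required)
    return problems


if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE_ASSERTION)))
```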

Custom provider

Need XML to copy and paste? Download SP Metadata

You can use the fields below or the metadata file above to get started. (Don't forget to map your IDP's metadata attributes if they go by different names.)

  • Entity URI: https://robinpowered.com
  • SSO URL: https://dashboard.robinpowered.com/sso/saml/custom
  • Relay State: https://dashboard.robinpowered.com/auth/saml
  • If your identity provider (e.g. ADFS) does not support encrypted assertions, uncheck "Encrypt Assertion" or login requests will fail.
  • Robin's Public Key (x509 cert):

Download the x509 cert instead Download Certificate

Okta

We have an official connector app available through Okta's app marketplace. If you hit any trouble with the standard connector app, you can also connect Okta as a custom integration using the instructions above.

Download the x509 cert Download Okta Certificate

OneLogin

Our official connector app is available by searching "Robin" in the directory. Once added, copy your Issuer and SAML links over into the Settings > Integrations > SAML fields in Robin.

Google Apps

Google SAML has its own guide. Find a full walkthrough this way.

Signing in with SAML

Members in your organization can now sign in by selecting the "Single Sign On" button on the login page. You can also link directly to your SAML login via https://dashboard.robinpowered.com/login/saml/yourcompany (replace "yourcompany" with your organization's username) to immediately initiate SP-initiated authentication.

Members will need to know your organization's username (e.g. "robin", "acme-inc") in order to begin authentication with your SAML provider.

Sample workflow

Here's the whole process using Okta as an example SAML provider:

Logging into Robin with Okta single sign on
