Have you already configured SSO using the
preview.twilio.com endpoint? Learn how to update your existing configuration with the Flex SSO Migration Guide. Additionally, Twilio does not yet support SP-Initiated SSO flows with Google SSO. Only IdP-Initiated SSO flows are supported at this time.
Before we connect Google to your instance of Flex, we have to build a few things in the Google Admin Console to make things run a little bit more smoothly.
To log in a Flex user, you must pass a minimum of three attributes to Flex in the SAML. Google provides
full_name attributes. We will need to build these ourselves.
- Navigate to the User Schema page in your Google Admin Console.
- Click on ADD CUSTOM ATTRIBUTE
- Category = Flex Details
- Create the two attributes below
|Name||Info Type||Visibility||No. of Values|
|Roles||Text||Visible to Admin||Multi-value|
|Full Name||Text||Visible to Admin||Single Value|
Optionally, you can add more attributes to accommodate the attributes needed by WFO.
Navigate to the Google Admin Console and click on Apps
Click SAML apps.
Then click the "Add a service/App to your domain" link, or click the + icon at the bottom right.
Click on SETUP MY OWN CUSTOM APP
Download the certificate in the Option 1 section, and make a note of the
SSO URL and
Entity ID – you'll need these later.
- Set your Application Name – This might be "Twilio Flex", or a name of your choosing
- You may optionally add a description and logo
Here's a logo you can use!
Next, we need to set up the Service Provider Details. Twilio Flex is the Service Provider in this instance.
Make sure to replace the Account SID (ACxxxx) with your real Account SID.
Make sure to replace the Account SID (ACxxxx) with your real Account SID!
This Login Link is available on the Twilio Console SSO configuration page.
Basic Information & Primary Email
|Name ID Format|
Now we need to add attributes that will be passed from the SAML to Flex. Create at least the three required attributes (case sensitive) to pass to Flex and map them to the appropriate fields.
Navigate back to the Google Admin Console and click on Users.
Select a user and click into their User information section.
Scroll to the attribute name you gave your Flex roles (in this example it's 'Flex Roles') and click the edit icon to add your roles. The current options are 'agent', 'admin', and 'supervisor'.
Now that you've configured your app, you must
Grab the URLs you noted in the Google IdP Information section and configure SSO on the Flex Console Single Sign-on settings page. Be sure that the Twilio SSO URL field matches the value you provided in Google for ACS URL. To learn more about migrating from the preview.twilio.com URL to iam.twilio.com see our migration guide.
|Friendly Name||Anything you want|
|x.509 Certificate||Open the .pem file you downloaded above in your favorite text editor and copy/paste the entire contents of the file including all dashes.|
|Identity Provider Issuer||Google's Entity ID (see above)|
|Single Sign-On URL||Google's SSO URL (see above)|
|Default Redirect URL||
This Login Link is available at the top of the active SSO configuration page.
Immediately after you’ve configured your IDP to use the
iam.twilio.com URL you should update the Twilio SSO URL for your account by selecting the
USES IAM.TWILIO.COM radio button.
Our Configuring SSO page has additional details on how to initiate login from your Identity Provider, how to login to a self-hosted domain, and details on attributes that can be defined for each identity.
Navigate to the Google SSO IdP URL (see above) in incognito mode, login, and you should be redirected to Flex.