Navigate to https://developer.okta.com/ and create a free developer account.
Navigate to Applications > Applications in the Okta Admin Console and, staying within your Okta account, create a new application.
In the "Create SAML Integration" page, enter the following general settings:
| General and Advanced Settings | Values |
|---|---|
| Single sign on URL | Enhanced SSO configuration: copy this value from the Set up your identity provider page, which provides the specific value for your account; it will look similar to https://login.flex.us1.twilio.com/login/callback?connection=JQxxxx. Legacy SSO configuration: use https://iam.twilio.com/v1/Accounts/ACxxxx/saml2, replacing ACxxxx with your real Twilio Account SID. |
| Audience URI (SP Entity ID) | Enhanced SSO configuration: copy this value from the Set up your identity provider page, which provides the specific value for your account; it will look similar to urn:flex:JQxxxx. Legacy SSO configuration: use https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata, replacing ACxxxx with your real Twilio Account SID. |
| Default RelayState | Leave blank. |
| Name ID format | Leave "Unspecified" selected unless you are working with a specific format. |
| Application username | This can be an email, Okta username, or anything else that is unique. |
| Response | Click Show Advanced Settings and ensure that this is set to "Signed". |
| Assertion Signature | Click Show Advanced Settings and ensure that this is set to "Signed". |
| Signature Algorithm, Digest Algorithm | Leave the default selections. |
| Assertion Encryption | Twilio does not currently support assertion encryption, so set this to "Unencrypted". |
| Assertion Inline Hook, Authentication context class, Honor Force Authentication, SAML Issuer ID | Leave the default selections. |
Claims are key-value pairs that the Identity Provider asserts to be true to the application. Flex uses these to determine the critical information about each Flex User.
All the information supplied from the Identity Provider to Twilio is stored inside Twilio TaskRouter Worker Attributes. Consider local regulations for storing data and only provide data relevant for Flex usage. Learn more about Twilio's Privacy policy.
In the Attribute Statements section, add the following required claims. The values in the table are examples only; replace them with the values specific to your Okta implementation, and make sure the Okta user attribute you are using for the Flex roles is populated.
| Name | Name format | Value |
|---|---|---|
| full_name | Basic | String.join(" ", user.firstName, user.lastName) OR ${user.firstName} ${user.lastName} |
| roles | Basic | user.userType |
| email | Basic | user.email |
You can optionally add the following attribute:
| Name | Name format | Value |
|---|---|---|
| image_url | URI Reference | user.profileUrl |
For a list of mandatory attributes and example values, see Configuring SSO and IdP in Flex.
With the provided setup, Okta passes the attributes defined above to Flex.
Scroll down to the bottom of the page to preview the SAML assertion generated from your settings. This is a good way to validate your SAML configuration. In the example below, the ACS URL and entity ID values have been replaced with https://ACS_URL and https://entity_ID.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id5838987467318981535749982" IssueInstant="2021-08-26T15:19:53.544Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2021-08-26T15:24:53.549Z" Recipient="https://ACS_URL"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2021-08-26T15:14:53.549Z" NotOnOrAfter="2021-08-26T15:24:53.549Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://entity_ID</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2021-08-26T15:19:53.544Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.userType</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.email</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="image_url" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.profileUrl</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="full_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
```
In the next screen, select "I'm an Okta customer adding an internal app".
If you didn't finish your setup the first time, you can navigate to Applications > Applications in the Okta Admin Console and select your active application.
Select the Sign On tab. Click "View Setup Instructions". You will need this information to configure Flex to use your Okta application.
Next, configure SSO on the Flex Console Single Sign-on settings page. You will need the following fields from the Okta Setup Instructions page:
| Twilio SSO Field | Okta Setup Instructions Field |
|---|---|
| X.509 Certificate | X.509 Certificate |
| Identity Provider Issuer | Identity Provider Issuer |
| Single Sign-on URL | Identity Provider Single Sign-On URL |
You can add an Okta user individually by navigating to Directory > People and clicking Add person, or you can import a group from a CSV by selecting "Import users from CSV" on the More actions dropdown. Make sure that you assign a Flex role to your Okta application users, leveraging the user attribute defined for the "roles" SAML claim.
Available Flex roles are agent, admin, and supervisor. You may assign multiple roles to a user by separating them with commas.
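As an added check (example code, not Twilio's or Okta's), the following Python parses a constructed assertion shaped like the preview above and confirms that Recipient and Audience match the ACS URL and entity ID, that the three required claims are present and populated, and that the comma-separated roles claim only carries the Flex roles listed here. The placeholder URLs are the ones used on this page; the sample user, role values and the trimmed assertion are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_CLAIMS = {"full_name", "roles", "email"}  # image_url is optional
FLEX_ROLES = {"agent", "admin", "supervisor"}

# Constructed sample assertion (not a real Okta preview), trimmed to the
# elements the checks inspect; placeholders match the preview on this page.
SAMPLE_ASSERTION = f"""
<saml2:Assertion ID="id-constructed" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://ACS_URL"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>https://entity_ID</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles" NameFormat="{BASIC}"><saml2:AttributeValue>agent, supervisor</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="{BASIC}"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="full_name" NameFormat="{BASIC}"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def parse_roles(value):
    """Split the comma-separated roles claim into a set of role names."""
    return {r.strip() for r in value.split(",") if r.strip()}

def check_assertion(xml_text, acs_url, entity_id):
    """Return the mismatches between an assertion and the Flex SSO setup."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    scd = root.find(".//saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Single sign on URL (ACS URL)")
    if root.findtext(".//saml2:Audience", namespaces=NS) != entity_id:
        problems.append("Audience does not match the Audience URI (SP Entity ID)")
    claims = {}
    for attr in root.findall(".//saml2:Attribute", NS):
        text = attr.findtext("saml2:AttributeValue", default="", namespaces=NS)
        claims[attr.get("Name")] = text.strip()
    for name in sorted(REQUIRED_CLAIMS):  # email, full_name, roles
        if not claims.get(name):
            problems.append(f"required claim '{name}' is missing or empty")
    unknown = parse_roles(claims.get("roles", "")) - FLEX_ROLES
    if unknown:
        problems.append(f"roles claim carries values Flex does not define: {sorted(unknown)}")
    return problems
```

Paste the real preview from the Okta page into `check_assertion` with your own Single sign on URL and Audience URI to catch a copy error before the first login attempt.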
Want to learn more? See the documentation on Identity Attributes for further information about naming Attributes and other possible Worker attributes. To assign WFO roles for Flex Insights, see Flex Insights User Roles.
One way to assign a role would be to:
After you've defined the roles for a user, Flex updates the Worker attributes with each successful SSO authentication.
To assign your newly created Okta application to a user, navigate to Applications > Applications and click Assign Users to app.
Select the application and the users you want to add, then click Next. You may enter user-specific attributes here; if you are defining a custom username, ensure it is unique. When you are ready, click Confirm Assignments.
Our Configuring SSO page has additional details on how to initiate login from your Identity Provider, how to log in to a self-hosted domain, and which attributes can be defined for each identity.
Navigate to the Flex Console Single Sign-on settings page. You can click "Login with SSO", or copy the login link and paste it into your browser address bar, which will redirect you to the identity provider (IdP) login page.
Use the credentials of the test user you created in the previous steps. Depending on the user settings, you may be asked to set your password. Once authentication is complete, you will be redirected to the Flex UI. What you can see depends on the Flex role(s) set in the IdP user profile.
You can validate that the worker's full name is displayed in the Flex UI, or navigate to the Worker page in the TaskRouter Dashboard to review the other attributes, such as email and assigned role(s).
If the user is not assigned the Flex application in Okta, you will see the following error message:
"Sorry, you can't access Twilio Flex because you are not assigned this app in Okta."