Configure Okta IdP with Flex

Register a developer account at Okta

Navigate to and create a free developer account.

Create an application on Okta

Navigate to Applications > Application in the Okta Admin Console. Staying within your Okta account, create an Application.

  1. Click Applications > Applications > Create App Integration.
  2. A pop-up modal should display with integration options. Pick SAML 2.0.
  3. Give the Application a name. For example, Twilio Flex. Upload a logo if you have one.

Configure your Application

In the "Create SAML Integration" page, enter the following general settings:

General SAML Settings

General and Advanced Settings Values
Single sign on URL

Enhanced SSO configuration:
Copy this value from the Set up your identity provider page, which provides the specific value for your account. Your value will look similar to this:

Legacy SSO configuration:
Replace ACxxxx with your real Twilio Account SID.

Audience URI (SP Entity ID)

Enhanced SSO configuration:
Copy this value from the Set up your identity provider page, which provides the specific value for your account. Your value will look similar to this:

Legacy SSO configuration:
Replace ACxxxx with your real Twilio Account SID.

Default RelayState Leave blank.
Name ID format Leave "Unspecified" selected, unless you are working with a specific format.
Application username This can be an email, Okta username, or something else that is unique.
Response Click Show Advanced Settings and ensure that this is set to "Signed".
Assertion Signature Click Show Advanced Settings and ensure that this is set to "Signed".
Signature Algorithm, Digest Algorithm Leave the default selections.
Assertion Encryption Twilio does not currently support encryption so please set that as "Unencrypted".
Assertion Inline Hook, Authentication context class, Honor Force Authentication, SAML Issuer ID Leave the default selections.


Configure claims

Claims are key-value pairs that the Identity Provider asserts to be true to the application. Flex uses these to determine the critical information about each Flex User.

All the information supplied from the Identity Provider to Twilio is stored inside Twilio TaskRouter Worker Attributes. Consider local regulations for storing data and only provide data relevant for Flex usage. Learn more about Twilio's Privacy policy.

In the Attribute Statements section, add the following required claims. The values in the following table are for example purposes only. Replace with the appropriate values specific to your Okta implementation. Make sure the Okta user attribute you are using for the Flex roles is populated.

Name Name format Value
full_name Basic String.join(" ", user.firstName, user.lastName) OR ${user.firstName} ${user.lastName}
roles Basic user.userType
email Basic

You can optionally add the following attribute:

Name Name format Value
image_url URI Reference user.profileUrl

For a list of mandatory attributes and example values, see Configuring SSO and IdP in Flex.

With the provided setup, Okta will pass the following attributes to Flex:

  • full_name
  • image_url (for use in the agent avatar)
  • roles
  • email

Scroll down to the bottom of the page to preview the SAML assertion generated based on your settings. It's a good way to validate your SAML settings. In this example, we've replaced the ACL URL and entity ID values with https://ACS_URL and https://entity_ID.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id5838987467318981535749982" IssueInstant="2021-08-26T15:19:53.544Z" Version="2.0"
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"></saml2:Issuer>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData NotOnOrAfter="2021-08-26T15:24:53.549Z" Recipient="https://ACS_URL"/>
    <saml2:Conditions NotBefore="2021-08-26T15:14:53.549Z" NotOnOrAfter="2021-08-26T15:24:53.549Z">
    <saml2:AuthnStatement AuthnInstant="2021-08-26T15:19:53.544Z">
        <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                xmlns:xsi="" xsi:type="xs:string">user.userType
        <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                xmlns:xsi="" xsi:type="xs:string">
        <saml2:Attribute Name="image_url" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                xmlns:xsi="" xsi:type="xs:string">user.profileUrl
        <saml2:Attribute Name="full_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                xmlns:xsi="" xsi:type="xs:string"/>

In the next screen, select "I'm an Okta customer adding an internal app".

Save Application information and copy Application details

If you didn't finish your setup the first time, you can navigate to Applications > Applications in the Okta Admin Console and select your active application.

Select the Sign On tab. Click "View Setup Instructions". You will need this information to configure Flex to use your Okta application.

Configure Flex with your new SAML credentials

Next, configure SSO on the Flex Console Single Sign-on settings page. You will need the following fields from the Okta Setup Instructions page:

Twilio SSO Field Okta Setup Instructions Field
X.509 Certificate X.509 Certificate
Identity Provider Issuer Identity Provider Issuer
Single Sign-on URL Identity Provider Single Sign-On URL


Create your application users

You can add an Okta user individually by navigating to Directory > People and clicking Add person, or you can import a group from a CSV by selecting "Import users from CSV" on the More actions dropdown. Make sure that you assign a Flex role to your Okta application users, leveraging the user attribute defined for the "roles" SAML claim.

Available Flex roles are agent, admin, and supervisor. You may add multiple roles for a user by separating their various roles with commas.

Want to learn more? See the documentation on Identity Attributes for further information about naming Attributes and other possible Worker attributes. To assign WFO roles for Flex Insights, see Flex Insights User Roles.

One way to assign a role would be to:

  1. Navigate to Directory > People, select the user, and click on the Profile tab.
  2. Edit the attribute defined for the "roles" SAML claim with the Flex roles you want to assign to the user.

After you've defined the role(s) for a user, Flex will update the Worker attributes with each successful SSO authentication.

Ensure Users in Directory are assigned to the application

To assign your newly created Okta application to a user, navigate to Applications > Applications and click Assign Users to app.


Select the application and the users you want to add then click Next. You may enter user-specific attributes. If you are defining a custom username, ensure it is unique. When you are ready, click Confirm Assignments.

Additional Configuration

Our Configuring SSO page has additional details on how to initiate login from your Identity Provider, how to login to a self-hosted domain, and attributes that can be defined for each identity.

Test your SSO

Navigate to the Flex Console Single Sign-on settings page. You can click "Login with SSO", or copy the login link and paste it into your browser address bar, which will redirect you to the identity provider (IdP) login page.

Use the credential of the test user you created in the previous steps. Depending on the user settings, you may be requested to set your password. Once the authentication is completed, you will be redirected to the Flex UI. What you can see depends on the Flex role(s) set in the IdP user profile.

You can validate the worker full name display in the Flex UI, or navigate to the Worker page in the TaskRouter Dashboard to review other attributes such as email and assigned role(s).


Flex application unassigned

If the user is not assigned the Flex application in Okta, you will see the following error message:

"Sorry, you can't access Twilio Flex because you are not assigned this app in Okta."

Rate this page:

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.

Thank you for your feedback!

Please select the reason(s) for your feedback. The additional information you provide helps us improve our documentation:

Sending your feedback...
🎉 Thank you for your feedback!
Something went wrong. Please try again.

Thanks for your feedback!