Configure Okta IdP with Flex
We recommend running Flex UI 0.7.0 or greater in order to follow this guide.
Have you already configured SSO using the preview.twilio.com endpoint? Learn how to update your existing configuration with the Flex SSO Migration Guide.
Register a developer account at Okta
Navigate to https://developer.okta.com/ and create a free developer account.
Create an application on Okta
Navigate to Applications > Application in the Okta Admin Console. Staying within your Okta account, create an Application.
- Click Applications > Applications > Create App Integration.
- A pop-up modal should display with integration options. Pick SAML 2.0.
- Give the Application a name. For example, Twilio Flex. Upload a logo if you have one.
Configure your Application
In the "Create SAML Integration" page, enter the following general settings:
General SAML Settings
| General and Advanced Settings | Values |
| Single sign on URL |
Replace |
| Audience URI (SP Entity ID) |
Replace |
| Default RelayState | Leave blank. |
| Name ID format | Leave "Unspecified" selected, unless you are working with a specific format. |
| Application username | This can be an email, Okta username, or something else that is unique. |
| Response | Click Show Advanced Settings and ensure that this is set to "Signed". |
| Assertion Signature | Click Show Advanced Settings and ensure that this is set to "Signed". |
| Signature Algorithm, Digest Algorithm | Leave the default selections. |
| Assertion Encryption | Twilio does not currently support encryption so please set that as "Unencrypted". |
| Assertion Inline Hook, Authentication context class, Honor Force Authentication, SAML Issuer ID | Leave the default selections. |
Configure claims
Claims are key-value pairs that the Identity Provider asserts to be true to the application. Flex uses these to determine the critical information about each Flex User.
All the information supplied from the Identity Provider to Twilio is stored inside Twilio TaskRouter Worker Attributes. Consider local regulations for storing data and only provide data relevant for Flex usage. Learn more about Twilio's Privacy policy.
In the Attribute Statements section, add the following required claims. The values in the following table are for example purposes only. Replace with the appropriate values specific to your Okta implementation. Make sure the Okta user attribute you are using for the Flex roles is populated.
| Name | Name format | Value |
| full_name | Basic | String.join(" ", user.firstName, user.lastName) OR ${user.firstName} ${user.lastName} |
| roles | Basic | user.userType |
| Basic | user.email |
You can optionally add the following attribute:
| Name | Name format | Value |
| image_url | URI Reference | user.profileUrl |
For a list of mandatory attributes and example values, see Configuring SSO and IdP in Flex.
With the provided setup, Okta will pass the following attributes to Flex:
- full_name
- image_url (for use in the agent avatar)
- roles
Scroll down to the bottom of the page to preview the SAML assertion generated based on your settings. It's a good way to validate your SAML settings.
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id5838987467318981535749982" IssueInstant="2021-08-26T15:19:53.544Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2021-08-26T15:24:53.549Z" Recipient="https://iam.twilio.com/v1/Accounts/AC578d078d214f5178981f0a8be328918f/saml2"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-08-26T15:14:53.549Z" NotOnOrAfter="2021-08-26T15:24:53.549Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://iam.twilio.com/v1/Accounts/AC578d078d214f5178981f0a8be328918f/saml2/metadata</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-08-26T15:19:53.544Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.userType
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.email
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="image_url" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.profileUrl
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="full_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>In the next screen, select "I'm an Okta customer adding an internal app".
Save Application information and copy Application details
If you didn't finish your setup the first time, you can navigate to Applications > Applications in the Okta Admin Console and select your active application.
Select the Sign On tab. Click "View Setup Instructions". You will need this information to configure Flex to use your Okta application.
Configure Flex with your new SAML credentials
Next, configure SSO on the Flex Console Single Sign-on settings page. You will need the following fields from the Okta Setup Instructions page:
| Twilio SSO Field | Okta Setup Instructions Field |
| X.509 Certificate | X.509 Certificate |
| Identity Provider Issuer | Identity Provider Issuer |
| Single Sign-on URL | Identity Provider Single Sign-On URL |
Create your application users
You can add an Okta user individually by navigating to Directory > People and clicking Add person, or you can import a group from a CSV by selecting "Import users from CSV" on the More actions dropdown. Make sure that you assign a Flex role to your Okta application users, leveraging the user attribute defined for the "roles" SAML claim.
Available Flex roles are agent, admin, and supervisor. You may add multiple roles for a user by separating their various roles with commas.
Want to learn more? See the documentation on Identity Attributes for further information about naming Attributes and other possible Worker attributes. To assign WFO roles for Flex Insights, see Flex Insights User Roles.
One way to assign a role would be to:
- Navigate to Directory > People, select the user, and click on the Profile tab.
- Edit the attribute defined for the "roles" SAML claim with the Flex roles you want to assign to the user.
After you've defined the role(s) for a user, Flex will update the Worker attributes with each successful SSO authentication.
Ensure Users in Directory are assigned to the Application
To assign your newly created Okta application to a user, navigate to Applications > Applications and click Assign Users to app.
Select the application and the users you want to add then click Next. You may enter user-specific attributes. If you are defining a custom username, ensure it is unique. When you are ready, click Confirm Assignments.
Additional Configuration
Our Configuring SSO page has additional details on how to initiate login from your Identity Provider, how to login to a self-hosted domain, and attributes that can be defined for each identity.
Test your SSO
Navigate to the Flex Console Single Sign-on settings page. You can click "Login with SSO", or copy the login link and paste it into your browser address bar, which will redirect you to the Okta login page.
Use the credential of the test user you created in the previous steps. Depending on the user settings, you may be requested to set your password. Once the authentication is completed, you will be redirected to the Flex UI. What you can see depends on the Flex role(s) set in the Okta user profile.
You can validate the worker full name display in the Flex UI, or navigate to the Worker page in the TaskRouter Dashboard to review other attributes such as email and assigned role(s).
Troubleshooting
Flex application unassigned
If the user is not assigned the Flex application in Okta, you will see the following error message:
"Sorry, you can't access Twilio Flex because you are not assigned this app in Okta."
Need some help?
We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.
