Configure Salesforce SSO with Flex
This document walks through the setup process for Salesforce SSO in Twilio Flex. You'll need access to your Salesforce instance and permissions to configure it, as well as access to the Twilio Console.
Info
After you set up your Single-Sign On configuration, the Flex Console Single sign-on (SSO) page will provide your Login Link.
You'll start by creating a certificate. You'll need to share this with Twilio later.
- Navigate to Settings > Security > Certificate and Key Management
- Press the Create Self-Signed Certificate button.
- Give the certificate a Label and Unique Name, e.g., SalesforceSSO.
- Leave Key Size at the default of 2048.
- Make sure Exportable Private Key is ticked.
- Press Save.
- Press Download Certificate (you'll need the certificate later).

Make sure that the Identity Provider is enabled in Salesforce.
- On the Setup page, on the left sidebar, navigate to Settings > Identity > Identity Provider.
- Click Enable Identity Provider.
- Select the certificate you created in Create a self-signed certificate in Salesforce.
- Click Save.
Let's point Salesforce to the Flex side of the integration.
- On the Setup page, navigate to Platform Tools > Apps > App Manager.
- Click New Connected App.
- Set Connected App Name to "Twilio Flex".
- Set API Name to "Twilio_Flex".
- Enter a suitable email address for Contact Email.
- In the Web App Settings section, set the Start URL to https://flex.twilio.com/agent-desktop.
- Confirm that the Enable SAML checkbox is selected.
- Set Entity Id to the appropriate value for your SSO configuration type:
  - Enhanced SSO configuration: Copy this value from the Set up your identity provider page, which provides the specific value for your account.
    urn:flex:JQxxxx
  - Legacy SSO configuration: Remember to replace ACxxxx with your Twilio Account SID.
    https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata
- Set ACS URL to the appropriate value for your SSO configuration type:
  - Enhanced SSO configuration: Copy the ACS URL value from the Set up your identity provider page, which provides the specific value for your account. Your value will look similar to this:
    https://login.flex.us1.twilio.com/login/callback?connection=JQxxxx
  - Legacy SSO configuration: Remember to replace ACxxxx with your Twilio Account SID.
    https://iam.twilio.com/v1/Accounts/ACxxxx/saml2
- Set Subject Type to Username.
- Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Set Issuer to https://yourdomain.my.salesforce.com/
- Set IdP Certificate to the certificate you created in Create a self-signed certificate in Salesforce.
- Check that the Verify Request Signatures option is unticked.
- Check that the Encrypt SAML Response option is unticked.
- Click Save.
- Navigate to App > App Manager.
- Search for the App you created in Create a Twilio Flex Connected App in Salesforce.
- Click on the caret symbol and select View.
- Click on New under the Custom Attributes section.
- Add the two custom attributes:

| Key | Value |
| --- | --- |
| full_name | $User.FirstName + " " + $User.LastName |
| roles | "agent" (must be in quotes) |
Info
This will grant all users agent permissions in Flex. If you need to add supervisor or admin permissions, edit the "roles" custom attribute in the App Manager and include the roles in a comma-separated value format. For example, "agent, supervisor, admin" will grant the users the agent, supervisor, and admin roles in Flex.
You can create a Salesforce user who can then log in to Twilio Flex using SSO.
- On the Setup page, navigate to Administration > Users > Users.
- Click New User.
- Fill in the required values:
  - First Name
  - Last Name
  - Alias
  - Email (You'll need this to receive a verification email)
  - Username (You'll use this to log in later)
  - Nickname
- Select Salesforce for User License.
- For Profile, select Standard User. This is to ensure that the user can access Twilio Flex.
- Scroll down and check Generate new password and notify user immediately.
- Click Save.
- Check your email for instructions on how to verify your account.
- On the Setup page, navigate to Administration > Users > Profiles.
- Edit the Standard User profile.
- Under Connected App Access, check the box for Twilio Flex app.
- Click Save.
Warning
Salesforce users that are assigned to specific Profiles must have profile access to your Twilio Flex app. In Create a Salesforce User, we created a user and assigned the Standard User profile. Profiles that do not have access will not be able to complete SSO with Flex.
Almost done! Now, you need to configure the Twilio side of the integration.
- Open the Flex Console Single sign-on (SSO) page.
- Set Friendly Name to something related, e.g., SalesforceSSO.
- Copy the contents of the certificate you downloaded earlier in Step 8 from Create a self-signed certificate in Salesforce.
- Paste the certificate contents into the X.509 Certificate field.
- Set Identity Provider Issuer to https://<your-salesforce-subdomain>.salesforce.com/.
- Set SSO URL to https://<your-salesforce-subdomain>.salesforce.com/idp/endpoint/HttpRedirect.
- Set Default Redirect URL to https://<your-salesforce-subdomain>.salesforce.com/idp/endpoint/HttpRedirect.
- Click Save.
To test your Salesforce integration with Twilio Flex, enter the auto-generated login link in your address bar. You can find it in the Flex Single Sign-On settings.
You will be redirected to Salesforce and will be required to log in with your Salesforce credentials. Once you successfully authenticate using your Salesforce user, you should be redirected to Twilio Flex and have completed Single Sign-On with Salesforce!
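If the test login fails, or you want to confirm which roles Salesforce is asserting, decode the SAML response captured during the test and compare it with the connected app settings. This is an added example, not Twilio or Salesforce code: `check_assertion` is a hypothetical helper, the sample assertion is constructed from the Legacy placeholder values on this page, and the script does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FLEX_ROLES = {"agent", "supervisor", "admin"}  # roles named on this page
# Constructed sample assertion (placeholder values, no signature).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://yourdomain.my.salesforce.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">agent@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://iam.twilio.com/v1/Accounts/ACxxxx/saml2"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="full_name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>agent, supervisor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Hypothetical helper (not a Twilio or Salesforce API); does not verify the XML signature.
def check_assertion(xml_text, issuer, entity_id, acs_url):
    """Return a list of mismatches between a decoded assertion and the connected app settings."""
    root = ET.fromstring(xml_text)
    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None
    problems = []
    if text(".//saml:Issuer") != issuer:
        problems.append("Issuer does not match the connected app's Issuer")
    if text(".//saml:Audience") != entity_id:
        problems.append("Audience does not match the Entity Id")
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        problems.append("NameID Format is not 'unspecified'")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if not any(attrs.get("full_name", [])):
        problems.append("full_name attribute missing or empty")
    roles = [r.strip() for v in attrs.get("roles", []) for r in v.split(",") if r.strip()]
    if not roles:
        problems.append("roles attribute missing or empty")
    unknown = sorted(set(roles) - FLEX_ROLES)
    if unknown:
        problems.append("unexpected roles: " + ", ".join(unknown))
    return problems
```

Call `check_assertion` with the Issuer, Entity Id and ACS URL you entered in the connected app; an empty list means the assertion matches those settings.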