Legacy Twilio Console SSO

This page describes the legacy process for configuring Twilio Console SSO. It requires you to work with our Onboarding Support team by providing your Identity Provider (IdP) details offline (via support ticket), and also requires you to create a support ticket to enable or disable SSO for any of your users.
We recommend using the new Self-Service SSO product, which makes it easier for you to configure and manage SSO for your organization.

Please note that Single Sign-On for Console is available to customers with Twilio Enterprise Edition or Twilio Administration Edition. For more information, please talk to sales.

Integration steps

Customers have to work with Twilio Support in order to set up and configure SSO. The integration steps are:

SSO configuration

In order to configure SSO, you will need to provide the following details. Your IdP may provide this as a combined XML file:

  • An Entity ID, Connection ID, or External Key.
  • The SSO Service URL. This is the IdP URL where login requests will be directed (with GET or POST requests). Please ensure this URL is publicly accessible.
  • A Redirect URL (optional) — where to send users after they logout from Twilio (with a POST request).
  • A Public x509 Certificate.

Twilio will provide its Entity ID and Security Token Consumer URL so that you may properly configure your IdP.

Assertions and shared identity

In order to log a user in, Twilio needs to match the user email address we have in our system with the email address found in the SAML packet.

By default, Twilio will match the email address found in the SAML Subject/NameID field. However, Twilio requires that the NameID format used is:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Alternatively, you may provide the email via an Assertion element in the SAML response. In this case, you must provide Twilio with the name of the SAML Assertion attribute that contains the email address: for example, "email", or "urn:oid:0.9.2342.19200300.100.1.3". Twilio will then look for that attribute and match its value against the user’s email address we have on file.

Security and signing

SAML responses must be signed, but we do not need the assertions to be signed. If you need additional security capabilities, please let us know.
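
A structural pre-flight check for the requirements in the two sections above (a signature on the Response itself, and an email either in a NameID with the required format or in a named attribute), as an added example that is not Twilio code. It runs over a constructed sample response with stub signatures and does not verify any signature cryptographically; `make_sample` and `preflight` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def make_sample(response_sig=True, assertion_sig=False, nameid_format=EMAIL_FORMAT):
    """Constructed response skeleton; signatures are empty stubs, not real ones."""
    sig = "<ds:Signature/>"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        xmlns:ds="{NS['ds']}">{sig if response_sig else ''}
      <saml:Assertion>{sig if assertion_sig else ''}
        <saml:Subject>
          <saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID>
        </saml:Subject>
        <saml:AttributeStatement><saml:Attribute Name="email">
          <saml:AttributeValue>alice@example.com</saml:AttributeValue>
        </saml:Attribute></saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>"""

def preflight(xml_text, email_attribute=None):
    """Return (email, problems) for a decoded SAML response; structure only."""
    root = ET.fromstring(xml_text)
    problems = []
    # Only a Signature that is a direct child of Response signs the response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element carries no signature")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected 1 Assertion, found {len(assertions)}")
        return None, problems
    email = None
    if email_attribute is None:  # default: match on Subject/NameID
        nameid = assertions[0].find("saml:Subject/saml:NameID", NS)
        if nameid is None:
            problems.append("no Subject/NameID")
        elif nameid.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {nameid.get('Format')}")
        else:
            email = (nameid.text or "").strip()
    else:  # alternative: match on the attribute name given to Twilio
        values = [v.text for attr in assertions[0].iter(f"{{{NS['saml']}}}Attribute")
                  if attr.get("Name") == email_attribute
                  for v in attr.findall("saml:AttributeValue", NS)]
        if len(values) != 1:
            problems.append(f"attribute {email_attribute!r} has {len(values)} values")
        else:
            email = (values[0] or "").strip()
    return email, problems
```

An IdP configured to sign only the assertion shows up here as "Response element carries no signature", which is the case the signing requirement above rules out.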

Testing and validation

In order to deploy the SSO integration, your staff and Twilio Support must validate that Twilio successfully integrates with your IdP, and that your users are able to log into Twilio.

The integration testing involves the following steps:

  1. Provide Twilio with the requested information, so that Twilio can configure its systems to recognize your IdP.
  2. Configure your IdP with the information provided by Twilio.
  3. Nominate one or more users that you’d like to enable SSO login for (via the user’s login email addresses).
  4. Twilio will then enable SSO for these users, and you should ensure that your IdP is appropriately configured to allow users to log into Twilio.
    • For example, this may require you to configure a Twilio application in your IdP and assign the specified users to it.
  5. The customer and Twilio will then concurrently validate that the users are able to log in via SSO.

Migrating users

The next step is to identify the full set of users that you want to enable for SSO. This can be done in one of several ways:

  1. Specify an email domain that Twilio Support can use to search our internal user database. We will identify all users who are using the email domain to log in.
  2. You may specify a list of users via user SIDs.
  3. You may specify a list of accounts and Twilio Support will pull all users associated with those accounts.

Based on the preferred method, Twilio will provide a list of users for whom it will enable SSO. You must review the list and ensure that these users exist within your IdP.

If an employee is using an alias that does not exist within your IdP, we may not be able to enable SSO for that user’s account.

Once you have reviewed the final list of users, we can enable SSO for those users in the Console. You must ensure that your IdP is also appropriately configured to allow access to the Twilio application.

Before Twilio enforces SSO, we recommend that you inform these employees that they will be logging into Twilio via their IdP. Once you give us the go ahead, we will start enforcing SSO for the specified users.
