Migrating from Legacy SSO for Twilio Console to new Self-Service SSO
Twilio Editions feature
Single Sign-On is available to all Twilio Editions customers. Learn more about Editions.
We have launched a new SSO experience for Twilio Console which
- provides a UI for you to manage your SSO connection with the Twilio Console
- automates SSO enforcement for your users
- and provides functionality to enable/disable SSO at the individual user level
For more details on the features of the new SSO, visit here.
- You will not need to create a support ticket for every new user that you need to enable SSO. That will be done automatically by the domain-level SSO enforcement feature.
- You can set up and manage your SSO profile in a self-service manner so that you can perform routine tasks such as updating IdP signing certificates or auditing users' SSO status.
If you are an existing customer using the legacy SSO for Twilio Console, complete the following steps to get access to the self-service SSO product:
- Create a Twilio Organization and have access to the Twilio Admin as an Organization Administrator or Owner
- Add and verify the domains to which your users' email addresses belong
- Import your existing users (for whom SSO needs to be enabled) as managed users in your Organization
If you aren't using SSO for Twilio Console currently but are interested, please follow the pre-requisites specified here.
This guide covers the migration steps from the legacy SSO for Twilio Console to the new Self-Service SSO.
Follow the SSO Configuration guide for the Identity Provider system you are using to create an SSO profile, then test the SSO connection to make sure that it is working correctly.
- We strongly recommend you create a new SAML App/Integration in your IdP rather than overwriting the existing one.
- Do not enforce SSO for your domain at this step.
You can enforce SSO only for the managed users in your Organization. Make sure that all the users for whom you want to enable SSO are managed users in your Organization by doing the following:
- Use the Import Users feature to find all the existing users from your domain(s) and import them to your Organization as managed users.
- Once you have completed the import, you can visit the Independent Users tab to verify that no users from your domain(s) are remaining as independent users.
Before your users can log in using the self-service SSO connection, you must remove the legacy SSO connection from your users' authentication method for Twilio Console. To do this:
- Reach out to Twilio Support or your Account Executive to get this done.
- Share your Organization SID, the list of users, and the legacy SSO connection details (the IdentityProviderSID, which is of the format UIXXXX and can be found in the ACS URL of the legacy SSO metadata).
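As an added example (not Twilio's own code), the following Python pulls the IdentityProviderSID out of the AssertionConsumerService Location in a legacy SP metadata file so it can be quoted accurately in the support request; the metadata document is constructed, and the "UI" followed by 32 hex characters shape of the SID is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample of legacy SP metadata (not real Twilio output). The ACS
# Location carries the IdentityProviderSID; its shape is assumed to be "UI" + 32 hex.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.example.invalid/saml2/acs/UI0123456789abcdef0123456789abcdef"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Assumed SID shape: prefix "UI" followed by 32 hex digits, bounded on both sides.
SID_RE = re.compile(r"\bUI[0-9a-fA-F]{32}\b")


def acs_locations(metadata_xml: str) -> List[str]:
    """Return every AssertionConsumerService Location in the SP metadata.

    Metadata that did not come from your own export should be parsed with
    defusedxml instead of the stdlib parser; stdlib is used here to stay dependency-free.
    """
    root = ET.fromstring(metadata_xml)
    return [
        acs.get("Location", "")
        for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS)
    ]


def extract_identity_provider_sid(metadata_xml: str) -> Optional[str]:
    """Return the single IdentityProviderSID found in the ACS URL(s), or None.

    None means the SID is absent or ambiguous (several distinct SIDs); in that
    case check the metadata by hand rather than filing the request with a guess.
    """
    sids = {m.group(0) for loc in acs_locations(metadata_xml) for m in SID_RE.finditer(loc)}
    if len(sids) != 1:
        return None
    return sids.pop()


if __name__ == "__main__":
    print(extract_identity_provider_sid(SAMPLE_SP_METADATA))
```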
Once you get the confirmation that legacy SSO has been removed from your users, you can now go to the Twilio Admin and enforce SSO for your domain.
- Visit the Single sign-on page and select the SSO Profile you've created.
- If you have already tested the SSO Connection, you can skip ahead to the enforcement step; otherwise, complete the test SSO Connection step first.
- After the test SSO connection succeeds, go to the domain enforcement step, select the domain(s), and enforce SSO for them.
- After the enforcement step is completed, you will receive an email notification from Twilio. You can also go to the Users page and confirm the SSO status for your managed users.
Once you have enforced SSO on your domain, all the managed users from that domain will be routed to log in via the new SSO connection.
In your Identity Provider system, you need to assign the new SAML App/Integration that you created in Step 1 to your users so that they can use it to log in to the Twilio Console.
Once you have confirmation that your users are able to log in successfully, you can proceed to remove the older SAML App/Integration (the one configured for the legacy SSO) from existing users/groups.