This guide will help you configure the Twilio SendGrid SAML-based Okta integration. For additional information, such as how to edit and manage users, see the complete Twilio SendGrid SSO documentation.
Twilio SendGrid Single Sign-On (SSO) uses the widely supported Security Assertion Markup Language (SAML 2.0) to integrate your Twilio SendGrid user authentication with identity and access management platforms.
Single Sign-On (SSO) is available for Twilio SendGrid Email API Pro, Premier, and Marketing Campaigns Advanced plans only. See the Twilio SendGrid pricing page for a full list of Twilio SendGrid features available by plan.
Throughout this guide, you will see the following terms used to describe Okta, Twilio SendGrid, and their relationship to one another.
The Twilio SendGrid SAML-based Okta integration supports the following SSO features:
This documentation will guide you through SSO setup using the official Twilio SendGrid SAML integration available in the Okta App Catalog.
To add, delete, or modify an SSO integration, log in to the top level of your Twilio SendGrid account using your administrator credentials.
Navigate to Settings > SSO Settings in the left menu. The SendGrid App will display a page with an Add Configuration button.
You need only one piece of information from this page for Twilio SendGrid's Okta integration: the SendGrid Integration ID. You can copy it from the end of either the Single Sign-On URL or Audience URL.
Twilio SendGrid SSO Metadata Field | Description |
---|---|
Name | A friendly name for your SAML SSO configuration. |
Single Sign-On URL | The Twilio SendGrid URL where the IdP should POST its SAML assertion. The Single Sign-On URL and the Audience URL are the same when using Twilio SendGrid. |
Audience URL (SP Entity ID) | A string identifier that defines the intended audience for the SAML assertion. The Audience URL and the Single Sign-On URL are the same when using Twilio SendGrid. |
SP Public Key | A public key used to verify that requests are coming from Twilio SendGrid. |
Default RelayState | Identifies a specific SP resource that an IdP will direct the user to following successful authentication. |
Name ID format | The format used by an IdP when identifying a user in the SAML assertion. |
Application username | The default username used for the Service Provider's application. This is Email when using Twilio SendGrid. |
Once an SSO Integration is added to your Twilio SendGrid account, you can configure the Twilio SendGrid Okta integration in your Okta Developer Console.
The URL for your Okta Developer Console will follow the pattern:
<your subdomain>.okta.com/admin/dashboard
Click Browse App Catalog.
Search for "SendGrid", and you will see the official Twilio SendGrid Okta SAML App.
Select SendGrid to load its detail page. From the detail page, select Add.
Once the official Twilio SendGrid integration is added to your Okta Developer Console, you will configure it to establish the SAML relationship between Okta and Twilio SendGrid.
You can leave the form fields in the General Settings tab as they are when the tab loads. They are listed here for reference.
Browser plugin auto-submit: Leave this box checked.
You will be able to select SAML 2.0 or Secure Web Authentication as your sign on method. Select SAML 2.0.
If you have already integrated Twilio SendGrid with Okta manually (i.e., not using the official integration), you can enable JIT provisioning with your current integration. See the "Manually configuring JIT provisioning" section for instructions.
In the SAML 2.0 tab, you will see a message stating that "SAML 2.0 is not configured until you complete the setup instructions." Click View Setup Instructions.
SendGrid integration ID: This ID is specific to your SSO integration in Twilio SendGrid. You can retrieve it in the Twilio SendGrid App from the end of your Twilio SendGrid Single Sign-on URL, Audience URL, or by viewing your integration from the Twilio SendGrid SSO Settings page. Be sure that you do not copy and paste any extra spaces when adding the ID.
Password reveal: Leave this box unchecked.
After clicking View Setup Instructions in the previous step, a new page opened with instructions and information required by the Twilio SendGrid App to complete SAML setup. You can return to the setup instructions page in Okta by navigating to your Twilio SendGrid integration and selecting the Sign On tab.
You should copy the following values from the page.
X.509 Certificate
From the page displaying your SendGrid SSO configuration, click Next if you have not done so already.
You will now add the values you retrieved from Okta as specified below.
Embed Link: The Okta Embedded Link. This is Okta's SAML POST endpoint, and it receives requests that initiate an SSO login flow.
Copy the Okta X.509 Certificate and paste it into the X509 Certificate field in the Twilio SendGrid App. Then, click Add Certificate.
Your SSO configuration and integration with the Okta IdP is now complete.
Once you complete your Okta configuration in the Twilio SendGrid App, you will be able to manage users. Twilio SendGrid calls these users Teammates.
If you enable just-in-time (JIT) provisioning for your SSO configuration, you only need to assign users to the Twilio SendGrid App in Okta. Assigned users will be created as SSO Teammates when they log in to Twilio SendGrid for the first time.
JIT provisioning will assign Teammates to the Twilio SendGrid parent account. It is not possible to assign JIT provisioned Teammates to Subusers.
JIT provisioning is only possible from an IdP-initiated sign-on flow. When assigning users to your Twilio SendGrid App, you may want to instruct them to log in from your IdP the first time.
To enable JIT provisioning for your SSO configuration, you must edit the SAML configuration from the SSO settings page in the Twilio SendGrid App.
Each configuration will have an action menu to the far right. Select this menu to display a dropdown where you can choose Edit or Disable.
Twilio SendGrid SSO Metadata Field | Description |
---|---|
Status | A toggle where you can enable or disable the SSO configuration. |
Just-in-Time Provisioning | A toggle to enable or disable just-in-time (JIT) provisioning. When JIT is enabled, you can auto provision users with read-only permissions. |
Click the Just-in-Time Provisioning toggle so that Enabled is shown in blue. Then, click Save at the bottom of the page.
The Twilio SendGrid SAML integration supports FirstName and LastName entity attributes. You can modify the values assigned to them as an administrator in the Twilio SendGrid App.
JIT provisioned Teammates will be given a Restricted Access account with permissions that correspond to Read-Only access. An administrator can modify a Teammate's permissions in the Twilio SendGrid App. See the Teammates documentation for more about Teammate scopes.
The following JIT instructions are provided as a reference for customers who have already integrated Twilio SendGrid with Okta manually (i.e., not using the official integration).
If you already have Twilio SendGrid configured with Okta using a manually created configuration, you can add JIT provisioning by editing your existing configuration in your Okta Developer Console.
The URL for your Okta Developer Console will follow the pattern:
<your subdomain>.okta.com/admin/dashboard
Click Edit in the SAML Settings section to load your integration's configuration settings.
The General Settings tab will load. You do not need to make any changes. Select Next.
The Configure SAML tab will load where you can make changes as shown below to the Attribute Statements (optional) section.
Value: user.lastName
You can now select Finish on the Feedback tab to complete your JIT configuration update.
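After a manual update, you can check a decoded SAML assertion captured from a test login against the settings this guide describes: the Audience matches your SP URL, and FirstName and LastName arrive non-empty. The following is an added example, not code from Twilio SendGrid or Okta. The SP URL, integration ID, and sample assertion are constructed placeholders, and the email-style NameID and the Recipient check are assumptions based on the Application username and Single Sign-On URL fields above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("FirstName", "LastName")  # attribute names from this guide

# Constructed sample: the SP URL and integration ID are placeholders, not real values.
SP_URL = "https://sp.example.invalid/sso/INTEGRATION-ID-PLACEHOLDER"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{SP_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, sp_url):
    """Return configuration problems in a decoded assertion (no signature verification)."""
    root = ET.fromstring(xml_text)
    problems = []
    # The guide warns against pasting extra spaces along with the integration ID.
    if sp_url != sp_url.strip():
        problems.append("SP URL has leading or trailing whitespace")
    audiences = [a.text or "" for a in root.iterfind(".//saml:Audience", NS)]
    if sp_url not in audiences:
        problems.append(f"Audience {audiences} does not match {sp_url!r}")
    # Assumption: Recipient equals the Single Sign-On URL, which equals the Audience URL.
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if sp_url not in recipients:
        problems.append(f"Recipient {recipients} does not match {sp_url!r}")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address")
    values = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
              for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append(f"attribute {name} is missing or empty")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SP_URL))
```

The constructed sample carries a blank LastName on purpose, so the check reports that one problem. Only parse assertions you captured from your own test login.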
You can add Twilio SendGrid SSO Teammates manually, delete Teammates, and modify Teammates' permissions in the Twilio SendGrid App. See the user management section of the Twilio SendGrid SSO docs for instructions.
If you are having trouble configuring Twilio SendGrid SSO, please submit a support ticket, and the Twilio SendGrid Support Team will be in touch.