In the Microsoft Azure Portal, search for Azure Active Directory then select Enterprise Applications from the left nav. Select + New Application > Create your own application and give your application a name.
After selecting the non-gallery option for your application's purpose, click Create.
Select Single sign-on from the left nav and pick SAML as the sign-on method.
For each SAML section listed below, click Edit and enter the following settings:
SAML Section | Field | Value |
---|---|---|
Basic SAML Configuration | Reply URL (Assertion Consumer Service URL) | Enhanced SSO configuration: copy this value from the Set up your identity provider page, which shows the specific value for your account; it will look similar to https://login.flex.us1.twilio.com/login/callback?connection=JQxxxx. Legacy SSO configuration: use https://iam.twilio.com/v1/Accounts/ACxxxx/saml2, replacing ACxxxx with your real Twilio Account SID. |
Basic SAML Configuration | Identifier (Entity ID) | Enhanced SSO configuration: copy this value from the Set up your identity provider page, which shows the specific value for your account; it will look similar to urn:flex:JQxxxx. Legacy SSO configuration: use https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata, replacing ACxxxx with your real Twilio Account SID. After adding your unique Entity ID, remove Microsoft's default entry. |
Attributes & Claims | Twilio Flex required claims | See Configure claims section. |
SAML Signing Certificate | Signing Option | Select "Sign SAML response and assertion". |
SAML Signing Certificate | Signing Algorithm | Leave "SHA-256" selected. |
SAML Signing Certificate | Notification Email Addresses | Enter email address(es) for receiving Azure AD notifications. |
Claims are key-value pairs that the Identity Provider asserts about the signed-in user to the application. Flex reads them to establish who each Flex user is and which role they hold.
All the information the Identity Provider supplies to Twilio is stored inside Twilio TaskRouter Worker Attributes. Consider local regulations for storing data and only provide data relevant for Flex usage. Learn more about Twilio's Privacy policy.
From your application overview page (Enterprise applications > Twilio Flex in this example), click Single sign-on -> Attributes & Claims.
First, update the required claim to use user.mail as its value, then remove the default additional claims.
Next, add the following claims using a user attribute as the "Source attribute". Do not set a namespace for any of the claims.
Claim | Source attribute |
---|---|
Required claim | user.mail |
full_name | user.displayname |
roles | user.assignedroles |
As of the time of writing, your Attributes & Claims settings should look like the following:
Each Flex SAML role must be defined as an Azure AD app role with its own Globally Unique Identifier (GUID) as the role ID. The GUID is a long string of letters and digits that Azure uses to identify the role internally; the role's Value is the string Azure places in the roles claim for users assigned that role.
Navigate to Azure Active Directory > App Registrations > All applications. Click on your app ("Twilio Flex" in this example) and select App roles from the left nav. Twilio Flex requires the following roles:
To create an app role in Azure:
Click Apply. Your "App roles" page should look like this:
Note for Insights Users
You will need to create separate entries for each Insights role you expect to assign to your agents:
Please see the Identity Attributes section of the SSO Configuration docs for further information about naming attributes and other possible Worker attributes.
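Once Azure AD is issuing assertions with the claims and app roles configured above, it helps to confirm what it actually sends before troubleshooting on the Flex side. The script below is an added example, not Twilio or Microsoft code. It takes a decoded SAML response (for instance one captured with a browser SAML tracer and pasted in place of SAMPLE_RESPONSE) and checks it for the settings this page asks for: both the Response and the Assertion signed with RSA-SHA256, a NameID that is an e-mail address (the required claim mapped to user.mail), full_name and roles claims with bare names and no namespace, and roles values that match the Value of an app role. It also validates an appRoles fragment of the app registration manifest for the GUID requirement. The sample response, tenant ID, user, APP_ROLES entries and role values are constructed placeholders; the script checks message shape only and does not verify the signatures cryptographically, which Twilio does with the X.509 certificate pasted into the Flex Console.

```python
"""Shape-check a decoded SAML response and an appRoles manifest fragment
against the Azure AD settings on this page.  Added example, not Twilio or
Microsoft code.  It does NOT verify signatures cryptographically."""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_CLAIMS = ("full_name", "roles")  # added above, without a namespace

# Constructed appRoles fragment of the app registration manifest; the role
# values are placeholders, use the ones you created under App roles.
APP_ROLES = [
    {"id": str(uuid.uuid4()), "value": "role_a", "allowedMemberTypes": ["User"], "isEnabled": True},
    {"id": str(uuid.uuid4()), "value": "role_b", "allowedMemberTypes": ["User"], "isEnabled": True},
]

# Constructed sample (placeholder tenant ID, user and signature values) in the
# shape Azure AD emits after the configuration above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
   <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="full_name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="roles"><saml:AttributeValue>role_a</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def check_app_roles(roles):
    """Return problems with an appRoles list: each role needs a unique GUID id,
    a unique non-empty value (the string Azure puts in the roles claim) and
    must be enabled for user assignment."""
    problems, seen_ids, seen_values = [], set(), set()
    for role in roles:
        rid, value = role.get("id", ""), role.get("value", "")
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"role {value!r}: id {rid!r} is not a GUID")
        if rid in seen_ids:
            problems.append(f"role {value!r}: duplicate id {rid}")
        if not value or value in seen_values:
            problems.append(f"role {value!r}: value missing or duplicated")
        if "User" not in role.get("allowedMemberTypes", []) or not role.get("isEnabled"):
            problems.append(f"role {value!r}: not enabled for user assignment")
        seen_ids.add(rid)
        seen_values.add(value)
    return problems


def check_response(xml_text, roles=APP_ROLES):
    """Return {"ok", "problems", "name_id", "claims"} for a decoded response."""
    root = ET.fromstring(xml_text)
    problems, claims = [], {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion element"], "name_id": "", "claims": claims}
    # "Sign SAML response and assertion" with SHA-256: both must carry a Signature
    for label, el in (("Response", root), ("Assertion", assertion)):
        method = el.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature algorithm is not RSA-SHA256")
    # Required claim mapped to user.mail: the NameID should be an e-mail address
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an e-mail address")
    # Additional claims: bare names (a namespace shows up as a URI prefix)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        claims[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if "/" in name:
            problems.append(f"claim {name!r} carries a namespace; clear it in Azure")
    for claim in REQUIRED_CLAIMS:
        if not any(claims.get(claim, [])):
            problems.append(f"claim {claim!r} missing or empty")
    # Each roles value must be the Value of an app role defined in the manifest
    known = {r.get("value") for r in roles}
    for value in claims.get("roles", []):
        if value not in known:
            problems.append(f"roles value {value!r} matches no app role Value")
    return {"ok": not problems, "problems": problems, "name_id": name_id, "claims": claims}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE)
    print("OK" if result["ok"] else "\n".join(result["problems"]))
```

Run it against a real capture by replacing SAMPLE_RESPONSE with the Base64-decoded SAMLResponse and APP_ROLES with the appRoles array from your app registration's manifest. A claim that shows up as a full URI (the namespace field was left set in Azure) or a roles value that matches no app role Value are the two misconfigurations this catches most often.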
Next, configure SSO on the Flex Console Single Sign-on settings page. You will need the following fields from the Azure AD Single sign-on page:
Twilio SSO Field | Azure AD Setup Instructions Field |
---|---|
X.509 Certificate | Certificate (Base64) |
Identity Provider Issuer | Azure AD Identifier |
Single Sign-on URL | Login URL |
Navigate back to your app overview page, then select Users and Groups from the left nav.
When you add or edit a user, you can assign a single role. Make sure every user who needs Flex access is assigned to the application.
Note for Insights Users
You will need to add each role you created previously as individual assignments for your agents.
Our Configuring SSO page has additional detail on how to initiate login from your Identity Provider, how to log in to a self-hosted domain, and the attributes that can be defined for each identity.
To test your SSO setup:
If you're looking to pass custom attributes to your Flex users, refer to Pass Custom Azure AD Attributes as Twilio Flex SAML Claims.