Configure Salesforce SSO with Flex
Follow these steps to set up Salesforce single sign-on (SSO) in Twilio Flex. You'll need access to your Salesforce instance and permissions to configure it, as well as access to Twilio Console.
Info
After configuring SSO in Flex, you can find your login link on the Single sign-on (SSO) page in Flex Console.
- Follow Salesforce's documentation to generate a self-signed certificate.
- When creating your certificate, leave the Key Size field set to 2048 and the Exportable Private Key option selected. These are the defaults.
- Once you've downloaded your certificate, keep it available for later. You'll enter the contents of this file when you set up SSO in Flex.
Follow Salesforce's documentation to enable Salesforce as an IdP using the self-signed certificate you created in the previous section.
Follow Salesforce's documentation to create a connected app for Twilio Flex, and then use the steps in the following sections to configure the app.
Under Basic Information, enter the following information:
- Set Connected App Name to Twilio Flex.
- Set API Name to Twilio_Flex.
- In Contact Email, enter an email address.
Under Web App Settings, enter the following information:
- Set the Start URL to https://flex.twilio.com/agent-desktop.
- Click Enable SAML. Additional fields appear.
- Set Entity Id to the appropriate value for your SSO configuration type:
  - Enhanced SSO configuration: Copy this value from the Set up your identity provider page, which provides the specific value for your account. For example, urn:flex:JQxxxx
  - Legacy SSO configuration: Remember to replace ACxxx with your Twilio Account SID. Your value will look similar to this: https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata
- Set ACS URL to the appropriate value for your SSO configuration type:
  - Enhanced SSO configuration: Copy the ACS URL value from the Set up your identity provider page, which provides the specific value for your account. Your value will look similar to this: https://login.flex.us1.twilio.com/login/callback?connection=JQxxxx
  - Legacy SSO configuration: Remember to replace ACxxx with your Twilio Account SID. Your value will look similar to this: https://iam.twilio.com/v1/Accounts/ACxxxx/saml2
- Leave Subject Type as Username. This is the default.
- Leave Name ID Format as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. This is the default.
- Make sure Issuer is set to https://YOUR_DOMAIN.my.salesforce.com/, where YOUR_DOMAIN is your Salesforce domain. This is the default.
- Set IdP Certificate to the certificate you created in Create a self-signed certificate in Salesforce.
- Make sure Verify request signatures isn't selected.
- Make sure Encrypt SAML Response isn't selected.
- Click Save. The Manage Custom Apps page opens.
- In the Custom Attributes section, click New to create each of the following attributes:

| Key | Value |
| --- | --- |
| full_name | $User.FirstName + " " + $User.LastName |
| roles | "agent" (must be in quotes) |
Info
These attributes grant all users agent permissions in Flex. If you need to add supervisor or admin permissions, edit the "roles" custom attribute and include the roles as a comma-separated list. For example, "agent, supervisor, admin" grants users the agent, supervisor, and admin roles in Flex.
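As an added example (not Twilio's or Salesforce's code), this Python function checks a decoded SAML assertion against the connected app settings above: Issuer, Entity Id (sent as the Audience), and the full_name and roles custom attributes. The sample assertion is constructed from the page's placeholder values, the function name and the `allowed_roles` parameter are assumptions, and the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample built from the page's placeholder values (not captured traffic).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://YOUR_DOMAIN.my.salesforce.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">agent@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:flex:JQxxxx</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="full_name"><saml:AttributeValue>Ada Agent</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>agent</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_issuer, expected_entity_id,
                    allowed_roles=frozenset({"agent"})):
    """Return a list of mismatches; an empty list means the assertion matches.

    Diagnostic only: run it on a response you captured from your own login.
    """
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != {expected_issuer!r}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks Entity Id {expected_entity_id!r}")
    # Map each attribute name to its list of values.
    attrs = {
        a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:Attribute", NS)
    }
    if not any(v.strip() for v in attrs.get("full_name", [])):
        problems.append("full_name attribute missing or empty")
    # roles is a comma-separated list; the attribute applies to every user of the app.
    roles = [r.strip() for v in attrs.get("roles", []) for r in v.split(",") if r.strip()]
    if not roles:
        problems.append("roles attribute missing or empty")
    for role in roles:
        if role not in allowed_roles:
            problems.append(f"role {role!r} not in allowed set {sorted(allowed_roles)}")
    return problems
```

Because the roles custom attribute is sent for every user of the connected app, passing the set of roles you intend to grant as `allowed_roles` flags a configuration that hands out supervisor or admin more widely than planned.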
Follow Salesforce's documentation to add a Salesforce user you can use to log in to Flex using SSO.
Make sure to specify the following setting values:
- In User License, select Salesforce.
- In Profile, select Standard User. This ensures the user can access Flex.
- Under Approver Settings, make sure Generate new password and notify user immediately is selected.
To log in to Flex, Salesforce users must be assigned a profile that has access to the Twilio Flex app. In the previous section, you assigned the user the Standard User profile. Follow these steps to give the Standard User profile access to the Twilio Flex app.
- In Salesforce, from Setup, in the Quick Find box, enter Profiles, and then select Profiles.
- Edit the Standard User profile.
- Under Connected App Access, select the Twilio Flex app.
Warning
If you have Salesforce users with a different user profile who need to log in to Flex, you must assign Flex access to those profiles separately. Users assigned profiles without Flex access can't log in to Flex using SSO.
After completing Salesforce setup, configure your Flex SSO connection to use Salesforce as the IdP.
- In Twilio Console, navigate to Flex > Users and access > Single sign-on (SSO).
- Set the Friendly Name to a recognizable name, like SalesforceSSO.
- Copy the contents of the certificate you downloaded in Create a self-signed certificate in Salesforce.
- In the X.509 Certificate field, paste the certificate contents.
- Set Identity Provider Issuer to https://<your-salesforce-subdomain>.salesforce.com/.
- Set SSO URL to https://<your-salesforce-subdomain>.salesforce.com/idp/endpoint/HttpRedirect.
- Set Default Redirect URL to https://<your-salesforce-subdomain>.salesforce.com/idp/endpoint/HttpRedirect.
- Click Save.
To test your Salesforce integration with Flex:
- On the Single Sign-On (SSO) page, find the auto-generated login link.
- Copy the link and paste it in your address bar. The browser redirects you to Salesforce.
- Log in using your Salesforce credentials. After your credentials are authenticated, the browser redirects you back to Flex. This redirect indicates your SSO configuration is working.