Configure Salesforce SSO with Flex

This document walks through the setup process for Salesforce SSO in Twilio Flex. You'll need access to your Salesforce instance and permissions to configure it, as well as access to the Twilio Console.

Create a self-signed certificate in Salesforce

You'll start by creating a certificate. You'll need to share this with Twilio later.

1. Navigate to Setup > Security > Certificate and Key Management
2. Press ‘Create Self-Signed Certificate’ button
3. Give the certificate a label and Unique Name, e.g., SalesforceSSO
4. Key Size default of 2048
5. ‘Exportable Private Key’ should be ticked
6. Press ‘Save’
7. Press ‘Download Certificate’ (you’ll need the certificate later)

Enable Salesforce Identity Provider in Salesforce

Make sure that the Identity Provider is enabled in Salesforce.

1. Navigate to Setup > Identity > Identity Provider
2. Press ‘Enable Identity Provider’ button
3. Select the certificate you created in the previous step
4. Press ‘Save’

Create a Twilio Flex Connected App in Salesforce

Let's point Salesforce to the Flex side of the integration.

1. Navigate to Apps > App Manager
2. Press the New Connected App button
3. Set Connected App Name to ‘Twilio Flex’
4. Set API Name to ‘Twilio_Flex’
5. Set Contact Email to a suitable email address

Web App Settings

1. In the Web App Settings section, set the Start URL to https://flex.twilio.com?path=/agent-desktop
2. Enable SAML should be ticked
3. Set Entity Id to https://iam.twilio.com/v1/Accounts/ACxxxx/saml2/metadata. Remember to replace ACxxx with your Twilio Account SID.
4. Set ACS URL to https://iam.twilio.com/v1/Accounts/ACxxxx/saml2. Remember to replace ACxxx with your Twilio Account SID.
5. Set Subject Type to Username
6. Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
7. Set Issuer to https://yourdomain.my.salesforce.com
8. Set IdP Certificate to the one you created in the first step (e.g., SalesforceSSO).
9. Check that the Verify Request Signatures option is unticked
10. Check that Encrypt SAML Response is unticked
11. Press Save

Add custom attributes

1. On the following page, add two New Custom Attributes in the Custom Attributes section
1. First custom attribute:
   1. Key: full_name
   2. Value: $User.FirstName + " " + $User.LastName
2. Second custom attribute:
1. Key: roles
2. Value: ‘agent’ (in the quote marks)

Note: this will grant all users agent permissions in Flex. If users need supervisor or admin permissions, then first create a field on the User object and use the Insert Field option on the Custom Attribute.

Assign Profile Access to the Connected App

1. Go to Setup
2. On the setup menu, go to Administration > Users > Profiles or search for "Profiles."
3. Select the profile you want to edit (e.g., "Standard User" )
4. Under Connected App Access, check the box for the Twilio Flex app
5. Click Save

Setup SSO in Twilio Flex

Almost done! Now, you need to configure the Twilio side of the integration.

1. Open the Twilio Flex Single Sign-On admin page.
2. Set Friendly Name to something related, e.g., SalesforceSSO
3. Paste in the certificate you downloaded from Salesforce in step one
4. Set Identity Provider Issuer to https://yourdomain.my.salesforce.com
5. Set Single Sign-On URL to https://yourdomain.my.salesforce.com/idp/endpoint/HttpRedirect
6. Set Default Redirect URL to https://yourdomain.my.salesforce.com/idp/endpoint/HttpRedirect
7. Press Save

Be sure that the Twilio SSO URL field matches the value you provided in Salesforce for ACS URL. To learn more about migrating from the preview.twilio.com URL to iam.twilio.com see our migration guide.

Open Salesforce and access the phone from the utility bar (in case it’s missing, add Open CTI Softphone to the utility bar). You should be able to log into Flex!