FAQ: Self-Service SSO

Table of Contents

What are the prerequisites for Self-Service SSO for Console?

 Please see the prerequisites guide .

Can I activate Self-Service SSO features on my existing SSO integration?

Yes! To enable the self-service SSO feature, please provide the following information to our Support Team:

  • Your Organization ID (Can be found in the main dashboard of the Admin Center)
  • The SSO ID or an example user that currently uses your Legacy SSO and is part of your organization.

If you do not have an Organization, please see our guide: Create your Organization

and verify the domain(s) to which your users belong. 

Once the above information is provided, our Support Team can enable Self-Service SSO for your accounts Organization.

What SAML is currently supported?

We support SAML 2.0 SSO. Your IdP will need to support SAML 2.0 in order to work with Twilio's SSO services. SAML supports two log in methods:

  • SP Initiated - User visits the app login page and logs in from the app.
  • IdP Initiated - User launches app from within IdP home page.

Will Flex and Frontline SSO profiles be also visible in the Admin Center UI?

No. The SSO UI in the Admin Center will only show the Console SSO profiles. 

Is Just In Time (JIT) Provisioning Supported?

No. JIT User provisioning is not supported at this time. You will still need to invite your users as needed to your Account and/or Organization using the Twilio Console. 

Is SCIM Provisioning and De-provisioning supported?

No. SCIM provisioning and de-provisioning  is not supported at this time. 

Can I configure Roles or other attributes via SSO?

No. At this time all users' roles will need to be managed from within the Admin Center in the Twilio Console.

Can the same SSO Profile be used for connecting with other products (Flex or Frontline)?

No, the SSO profiles that you will be creating via Admin Center will be used only for SSO Login to Twilio Console. 

When SSO is enforced, do  users get logged out from their existing sessions?

No. After the enforcement, the user's existing sessions remain valid. But whenever the user logs in to Twilio next, they will have to log in using SSO.

Can users login using their email/password once SSO is enabled?

No. Once SSO is enabled, it is enforced. Users will only be able to  log in only via SSO. 

Can I configure SSO so that all my users get SSO enabled?

Yes. You will need to verify the domain(s) to which your users belong from in  your Organization’s Admin Center. Then during the SSO Profile creation (or edit) process, you can select and enforce SSO  for your domain(s).

Can I disable SSO for select Users only?

Yes. However, instead of enabling on selected users, you will have to enforce (enable) SSO on the entire domain which activates SSO for all users. Then, you can disable SSO for specific users as desired.  

Can I use Self-Service SSO if I don't want to enforce SSO on all the users from my domain?

It is not recommended for you to try and enforce SSO partially. The best configuration is to have all your users added as managed users in your Organization and then enforce SSO for the domain(s). 

If there are some users who need to be excluded from SSO, you will first need to enforce SSO on all users and then manually disable SSO for the specific users. You can disable SSO at an individual user level by going to the Admin Center → Managed Users → User Details Page → Disable SSO and Save. 

Related Topics

Have more questions? Submit a request
Powered by Zendesk