Table of Contents
- What are the prerequisites for Self-Service SSO for Console?
- Can I activate Self-Service SSO features on my existing SSO integration?
- What SAML is currently supported?
- Will Flex and Frontline SSO profiles be also visible in the Twilio Admin / Admin Center UI?
- Does Twilio support Signed SAML?
- Does Twilio support multiple certificates for SSO?
- Is Just In Time (JIT) Provisioning Supported?
- Is SCIM Provisioning and De-provisioning supported?
- Can I configure Roles or other attributes via SSO?
- Can the same SSO Profile be used for connecting with other products (Flex or Frontline)?
- When SSO is enforced, do users get logged out from their existing sessions?
- Can users login using their email/password once SSO is enabled?
- Can I configure SSO so that all my users get SSO enabled?
- Can I disable SSO for select Users only?
- Can I use Self-Service SSO if I don't want to enforce SSO on all the users from my domain?
- Related Topics
What are the prerequisites for Self-Service SSO for Console?
Please see the prerequisites guide.
Can I activate Self-Service SSO features on my existing SSO integration?
Yes! To enable the self-service SSO feature, please provide the following information to our Support Team:
- Your Organization ID (Can be found in the main dashboard of the Twilio Admin / Admin Center)
- The SSO ID or an example user that currently uses your Legacy SSO and is part of your organization.
If you do not have an Organization, please see our guide: Create your Organization
and verify the domain(s) to which your users belong.
Once the above information is provided, our Support Team can enable Self-Service SSO for your accounts Organization.
What SAML is currently supported?
We support SAML 2.0 SSO. Your IdP will need to support SAML 2.0 in order to work with Twilio's SSO services. SAML supports two log in methods:
- SP Initiated - User visits the app login page and logs in from the app.
- IdP Initiated - User launches app from within IdP home page.
Will Flex and Frontline SSO profiles be also visible in the Twilio Admin / Admin Center UI?
No. The SSO UI in the Twilio Admin / Admin Center will only show the Console SSO profiles.
Does Twilio support Signed SAML?
Twilio does not support Signed SAML for SSO at this time.
Does Twilio support multiple certificates for SSO?
Our Self-Service SSO won't support multiple certificate.
Is Just In Time (JIT) Provisioning Supported?
No. JIT User provisioning is not supported at this time. You will still need to invite your users as needed to your Account and/or Organization using the Twilio Console.
Is SCIM Provisioning and De-provisioning supported?
SCIM provisioning and de-provisioning is not supported at this time in GA. We have launched SCIM provisioning and de-provisioning in Private Beta, if you are interested - reach out to your Account Executive.
Can I configure Roles or other attributes via SSO?
No. At this time all users' roles will need to be managed from within the Twilio Admin / Admin Center in the Twilio Console.
Can the same SSO Profile be used for connecting with other products (Flex or Frontline)?
No, the SSO profiles that you will be creating via Twilio Admin / Admin Center will be used only for SSO Login to Twilio Console.
When SSO is enforced, do users get logged out from their existing sessions?
No. After the enforcement, the user's existing sessions remain valid. But whenever the user logs in to Twilio next, they will have to log in using SSO.
Can users login using their email/password once SSO is enabled?
No. Once SSO is enabled, it is enforced. Users will only be able to log in only via SSO.
Can I configure SSO so that all my users get SSO enabled?
Yes! You will need to verify the domain(s) to which your users belong from in your Organization’s Twilio Admin / Admin Center. Then during the SSO Profile creation (or edit) process, you can select and enforce SSO for your domain(s).
Can I disable SSO for select Users only?
Yes. However, instead of enabling on selected users, you will have to enforce (enable) SSO on the entire domain which activates SSO for all users. Then, you can disable SSO for specific users as desired.
Please see more in our documentation here: Enabling and Disabling SSO for Specific Managed Users.
Can I use Self-Service SSO if I don't want to enforce SSO on all the users from my domain?
It is not recommended for you to try and enforce SSO partially. The best configuration is to have all your users added as managed users in your Organization and then enforce SSO for the domain(s).
If there are some users who need to be excluded from SSO, you will first need to enforce SSO on all users and then manually disable SSO for the specific users.
Please see more in our documentation here: Enabling and Disabling SSO for Specific Managed Users.