# Configure AWS SSO with Frontline

Twilio Frontline integrates with your existing Identity Provider to authenticate users and enable single sign-on (SSO). Frontline can work with any Identity Provider (IdP) that supports SAML (Security Assertion Markup Language) 2.0, enabling you to use your primary corporate account as the Identity Provider for Frontline.

This guide will walk you through the steps to set up AWS SSO so that it can be used as the IdP for Frontline. Configuration is required in both the Twilio Console and the AWS Console, so it is best to have a window open for each console as you're working through the setup.

## Register an AWS Account

If you already have an AWS account, skip this step. Otherwise, navigate to the [AWS Console](https://aws.amazon.com/free/) and create an account.

## Create an Application in AWS SSO

1. If this is your first time using AWS SSO in this AWS account, follow the [AWS documentation for enabling AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html).
2. In the AWS SSO console, click **Add new Application**, and then **Add custom SAML 2.0 application**, then **Next** at the bottom of the page.
3. In "Configure Application", give the Application a name; for example, `Twilio Frontline`.

   ![Configure application with display name Twilio Frontline and SAML 2.0 integration description.](https://docs-resources.prod.twilio.com/e5eee334b796c0653aba30c23722e80c4df0c15309bae56cdaf9c1afa8a0798b.png)
4. Note the **AWS SSO sign-in URL** and the **AWS SSO SAML issuer URL**; we'll use them when configuring Frontline in the Twilio Console.
5. Download the **AWS SSO Certificate**, which we'll upload to Frontline later; it lets Twilio verify the signature AWS SSO places on each SAML response it sends.

   ![AWS SSO Metadata form with options to manually type metadata values or upload SAML metadata file.](https://docs-resources.prod.twilio.com/dcff3fe4652428d1aecb7d4c14066ceb0d70b5fb8deb4beb60b1362163ac8952.png)
6. Leave the Application Start URL blank. Use the default values for relay state (no value) and session duration (one hour).

   ![Fields for application start URL, relay state, and session duration with dropdown.](https://docs-resources.prod.twilio.com/d545950239891283a964c8986ef41ba6a761928de728b3fe5b52dea916700e44.png)
7. Choose "Manually type your metadata values" and set the following values, replacing the example Realm SID (`JBxxxx`) with your own Realm SID, which you can find on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).

   * Application ACS URL: `https://iam.twilio.com/v2/saml2/authenticate/JBxxxx`
   * Application SAML audience: `https://iam.twilio.com/v2/saml2/metadata/JBxxxx`

     ![AWS-SSO-Metadata-form.](https://docs-resources.prod.twilio.com/011e79952bf1bdc190fe7ef6f77bc4e6b47d357b1b6f6c0d1e98d6c1fc716953.png)
8. Click **Submit** to create your Twilio Frontline SAML Application.

## Configure Claims

Claims are key-value pairs that the Identity Provider asserts to the application to be true. Frontline uses these to determine the key information it requires about each Frontline User.

You can configure claims by clicking the **Actions** dropdown and then **Edit attribute mappings**.

![AWS SSO Twilio Frontline application with edit attribute mappings option.](https://docs-resources.prod.twilio.com/d93acaf320f686d76bc6f6ca7072e1c24699de490bc106c135b1b33d738910cc.png)

Add the following attribute mappings to the application, and then **Save changes**.

| **Attribute** | **Value**       | **Format**   |
| ------------- | --------------- | ------------ |
| `Subject`     | `${user:email}` | emailAddress |
| `email`       | `${user:email}` | unspecified  |
| `roles`       | `agent`         | unspecified  |

![User attribute mapping with email and roles in AWS SSO.](https://docs-resources.prod.twilio.com/0c33c2dc850bcc1431924201662637c858886b11f5d4b6242a650994d8982700.png)

Note that "roles" is set statically to "agent". This means that all AWS SSO users will have "agent" privileges.
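The ACS URL and audience entered in the metadata form, together with the attribute mappings above, determine what the SAML response from AWS SSO must contain for Frontline to accept it. The following script is an added example, not Twilio's or AWS's code: it checks a decoded SAML response for the Destination, Issuer, Audience, Subject NameID format and the `email`/`roles` attributes this guide configures. It assumes the example Realm SID `JBxxxx`, a placeholder issuer URL (the real value is the AWS SSO SAML issuer URL from the console), and a constructed, unsigned sample response; the XML signature that Twilio verifies with the uploaded certificate is not checked here.

```python
"""Check a decoded SAML response against the Frontline configuration in this guide.

Added example, not Twilio's or AWS's code. Assumes the example Realm SID
JBxxxx, a placeholder issuer URL and a constructed, unsigned response.
Signature verification (done by Twilio with the uploaded certificate) is out of scope.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("email", "roles")

# Placeholder: in practice this is the AWS SSO SAML issuer URL shown in the console.
SAMPLE_ISSUER = "https://issuer.example.invalid/saml/assertion/PLACEHOLDER"

# Constructed sample response (unsigned) matching the attribute mappings in this guide.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://iam.twilio.com/v2/saml2/authenticate/JBxxxx">
  <saml:Issuer>https://issuer.example.invalid/saml/assertion/PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://issuer.example.invalid/saml/assertion/PLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">agent@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://iam.twilio.com/v2/saml2/metadata/JBxxxx</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>agent@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>agent</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def acs_url(realm_sid):
    """Application ACS URL for a Realm SID, as entered in the AWS SSO metadata form."""
    return f"https://iam.twilio.com/v2/saml2/authenticate/{realm_sid}"


def audience_url(realm_sid):
    """Application SAML audience for a Realm SID, as entered in the AWS SSO metadata form."""
    return f"https://iam.twilio.com/v2/saml2/metadata/{realm_sid}"


def decode_saml_response(b64_text):
    """Decode the base64 SAMLResponse form field into XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def check_response(xml_text, realm_sid, issuer):
    """Return a list of mismatches; an empty list means the response matches the guide's setup."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the ACS URL built from the Realm SID.
    if root.get("Destination") != acs_url(realm_sid):
        problems.append(f"Destination {root.get('Destination')!r} != {acs_url(realm_sid)!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element (encrypted assertions are not handled here)"]
    # Both the Response and the Assertion carry an Issuer; each must match the configured one.
    for label, el in (("Response", root), ("Assertion", assertion)):
        iss = el.find("saml:Issuer", NS)
        if iss is None or iss.text != issuer:
            problems.append(f"{label} Issuer {getattr(iss, 'text', None)!r} does not match configured issuer")
    # Subject is mapped to ${user:email} with format emailAddress.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        problems.append("Subject NameID is missing or not in emailAddress format")
    # Audience must be the metadata URL built from the Realm SID.
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != audience_url(realm_sid):
        problems.append(f"Audience {getattr(audience, 'text', None)!r} != {audience_url(realm_sid)!r}")
    # Collect attributes; email and roles are the mappings this guide adds.
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"attribute {name!r} is missing or empty")
    if name_id is not None and attrs.get("email") and attrs["email"][0] != name_id.text:
        problems.append("email attribute does not match the Subject NameID")
    if attrs.get("roles") and attrs["roles"] != ["agent"]:
        problems.append(f"roles is {attrs['roles']!r}; the static mapping in this guide yields ['agent']")
    return problems


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    print(check_response(decode_saml_response(encoded), "JBxxxx", SAMPLE_ISSUER))
```

Run it against a SAMLResponse captured from your own browser's POST to the ACS URL (base64-decode it first with `decode_saml_response`) to confirm the attribute mappings were saved as intended before pointing real users at the application; a mismatch in the Audience or Destination usually means the wrong Realm SID was pasted into the metadata form.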

## Assign Users to the Application

You can grant Frontline access to users and/or groups managed in AWS SSO.

1. In [AWS SSO](https://console.aws.amazon.com/singlesignon/identity/home), create a Group, and add the appropriate users to the group.
2. In the Twilio Frontline SSO Application, open the **Assigned users** tab, click **Assign users**, open the **Groups** tab, and then select the newly created group.

![Select Twilio Frontline group for application access.](https://docs-resources.prod.twilio.com/98e40bc83c31e9ab971721691dccfa0529ef3965a5091a52bcd2bfa8a2399642.png)

## Configure Frontline with your new SAML credentials

Grab the URLs you noted in the "Create an Application in AWS SSO" section and configure SSO on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).

1. Set the **Workspace ID** to your preferred name.
2. Set the following values:

   * **Identity provider issuer**: AWS SSO issuer URL
   * **SSO URL**: AWS SSO sign-in URL
   * **X.509 Certificate**: paste the content of the certificate downloaded from the AWS SSO console.
3. Click **Save**.

That's it! Your AWS SSO users in the "Twilio Frontline" group should now be able to log in to Twilio Frontline through the mobile application.
