# Configure Google SSO with Frontline

Before we connect Google to your instance of Frontline, we need to build a few things in the [Google Admin Console](https://admin.google.com/) to make things run more smoothly.

To log in as a Frontline user, you must pass the **roles** attribute to Frontline in the SAML response. We'll need to create this attribute ourselves.

1. Navigate to the [User Schema page](https://admin.google.com/ac/customschema) in your Google Admin Console.
2. Click on **ADD CUSTOM ATTRIBUTE**
3. In **Category** add **Frontline**
4. Create the attribute below
5. Click the **Add** button

| **Name** | **Info Type** | **Visibility**            | **No. of values** |
| -------- | ------------- | ------------------------- | ---------------- |
| Roles    | Text          | Visible to user and admin | Single value     |

![Form to add custom fields with category 'Frontline' and field name 'Roles'.](https://docs-resources.prod.twilio.com/01708361eea8b3a1441bcda9edd29662d86e93c26a326f2d93cd9b991d692f35.png)

## Create a custom SAML app

Navigate to the [Google Admin Console](https://admin.google.com/) and click **Apps > Overview** in the left sidebar. Then click **Web and mobile apps**.

![Google Admin dashboard highlighting Web and mobile apps for managing SAML, Android, and iOS apps.](https://docs-resources.prod.twilio.com/4a19f64a41c4f10e8ad542d3f4f2fdee46a5dd4253801891e01fc15e802277aa.png)

Click **Add App** and select **Add custom SAML app** from the dropdown.

![Dropdown menu with option to add custom SAML app highlighted.](https://docs-resources.prod.twilio.com/51a9ef06441652545cd83466c19eab10579a8c5c5594f7142d7c96d0bd920281.png)

### Basic information for your custom app

Set your **App Name**, for example **FrontlineSSO** or a name of your choosing. You can optionally add an icon, too. Click the **Continue** button.

![Custom SAML app details with app name FrontlineSSO and app icon upload option.](https://docs-resources.prod.twilio.com/7c8f56b54babdad331cb38b159e19f15a1aa9ab9d9d0d4a9fa6d10ec479620cd.png)

### Google IdP information

Make a note of the `SSO URL`, `Entity ID` and `Certificate`. You'll need this information later. Click the **Continue** button.

![Google IdP setup with options to download metadata or copy SSO URL, entity ID, and certificate.](https://docs-resources.prod.twilio.com/2affaeda0304d390a8135c131feaea9c93a6e741bc5f9123daac347c482f297a.png)

### Service provider details

Next, we need to set up the Service Provider Details. Frontline is the Service Provider in this instance.

Set the **ACS URL** to `https://iam.twilio.com/v2/saml2/authenticate/JBxxx` and replace the example Realm SID (`JBxxx`) with your **own Realm SID**, which you can find on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).

In the same way, set the **Entity ID** to `https://iam.twilio.com/v2/saml2/metadata/JBxxx` and replace the Realm SID (`JBxxx`) with your **own Realm SID**.

| **Setting**     | **Value**                                            |
| --------------- | ---------------------------------------------------- |
| ACS URL         | `https://iam.twilio.com/v2/saml2/authenticate/JBxxx` |
| Entity ID       | `https://iam.twilio.com/v2/saml2/metadata/JBxxx`     |
| Signed Response | Checked!                                             |
| Name ID Format  | EMAIL                                                |
| Name ID         | Basic Information & Primary email                    |

![Service provider details with ACS URL, Entity ID, signed response option, and Name ID format set to email.](https://docs-resources.prod.twilio.com/673ac891e9ca3c0a2cfc95f041acd9ac8ddbc1bff15da4ceb3f0c7c56ebe6aba.png)

Click the **Continue** button.

### Attribute mapping

Now we need to add the attribute that will be passed to Frontline in the SAML response. Create the required attribute (the name is case sensitive) and map it to the appropriate field.

| **Google directory attributes** | **App attributes** |
| ------------------------------- | ------------------ |
| Frontline > Roles               | roles              |

![Mapping Google directory attribute 'Roles' to app attribute 'roles' with add mapping option.](https://docs-resources.prod.twilio.com/033e22892a3b829e2e325424a65286596a4697d6ed7427fc8e62a53dbb3330d4.png)

Click the **Finish** button.

## Configure Frontline with your SSO settings

Grab the URLs and Certificate you noted in the Google IdP Information section and configure SSO in the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).

![Form for configuring Twilio Frontline with SSO, including fields for Workspace ID, Realm SID, and SSO URL.](https://docs-resources.prod.twilio.com/4809fd4f1f411aea99b858f75240aace685901743c4a46a731906a861a447974.png)

Click the **Save** button.

## Add the mapped role to your G Suite Users

Navigate back to the [Google Admin Console](https://admin.google.com/), and click on **Directory > Users**. Select a user and click into their **User Information** section.

Scroll to the attribute name you gave before (in this example, **Frontline**) and click the edit icon to add **agent** as the role for the user.

![Frontline roles input with 'agent' typed.](https://docs-resources.prod.twilio.com/7cd8eab36b7c077a1bb55f9357c43b1619c367c4db9a135086068404f18c786a.png)

Click on the **Save** button.

## Enable the App for everyone or for a specific group

In the [Google Admin Console](https://admin.google.com/ac/home), go to **Apps > Web and mobile apps > FrontlineSSO** (or your application's name) **> User access**. In the Service status section, select the **ON for everyone** option and click the **Save** button.

![Service status set to ON for everyone with save option highlighted.](https://docs-resources.prod.twilio.com/ff95ac2220cd3ff209ae4d0ca0c9ae074ec514af6a0d3fe6ad95908672fb552f.png)

Now, you should be able to log into Frontline using Google as the identity provider! 🎉

## Troubleshooting

### Error: app\_not\_enabled\_for\_user

The error above indicates that the service is not enabled for a user. To solve this problem, set the Service status to **ON for everyone**, as described [here](#enable-the-app-for-everyone-or-for-a-specific-group).

### 70252 error code

![Error 70252: SAML response missing 'roles' attribute, status 400.](https://docs-resources.prod.twilio.com/0299c160881a427a06c1a6e7f980386c68b4dc275660483e16aa5a56a0b12bf5.png)

For this error message, the solution is to update the User Information and add the `agent` role to the user, as described [here](#add-the-mapped-role-to-your-g-suite-users).
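To see which setting is off before changing anything, you can inspect a `SAMLResponse` value captured from your own browser's POST to the ACS URL. The following is an added example, not Twilio or Google code: the function names are hypothetical, the sample response is constructed, and the check is diagnostic only (it looks for a signature element but does not verify it).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IAM = "https://iam.twilio.com/v2/saml2"


def check_saml_response(b64_response, realm_sid):
    """List settings from this guide that a captured response does not meet."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != f"{IAM}/authenticate/{realm_sid}":
        problems.append("Destination does not match the ACS URL")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response carries no signature (Signed Response)")
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    if f"{IAM}/metadata/{realm_sid}" not in audiences:
        problems.append("Audience does not match the Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    # Attribute names are case sensitive: 'Roles' does not satisfy 'roles'.
    attrs = {a.get("Name"): [v.text for v in a.iterfind("a:AttributeValue", NS)]
             for a in root.iterfind(".//a:Attribute", NS)}
    if "roles" not in attrs:
        hint = [n for n in attrs if n and n.lower() == "roles"]
        problems.append(f"missing 'roles' attribute (found {hint or 'none'})")
    elif not any(v and v.strip() for v in attrs["roles"]):
        problems.append("'roles' attribute is present but empty")
    return problems


def sample_response(attr_name="roles", sid="JBxxx"):
    """Constructed sample: placeholder signature element, example.com user."""
    xml = (
        '<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" '
        f'Destination="{IAM}/authenticate/{sid}"><ds:Signature/><a:Assertion>'
        f'<a:Subject><a:NameID Format="{EMAIL_FORMAT}">user@example.com'
        '</a:NameID></a:Subject><a:Conditions><a:AudienceRestriction>'
        f'<a:Audience>{IAM}/metadata/{sid}</a:Audience>'
        '</a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
        f'<a:Attribute Name="{attr_name}"><a:AttributeValue>agent'
        '</a:AttributeValue></a:Attribute></a:AttributeStatement>'
        '</a:Assertion></p:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response matches the settings in this guide; a mapping named `Roles` instead of `roles` is reported as a missing attribute, which is the condition behind error 70252.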
