# Configure Salesforce SSO with Frontline

This document walks through the setup process for Salesforce SSO in Twilio Frontline.

You'll need access to your Salesforce instance and permissions to configure it, as well as access to the Twilio Console.

## Register a developer account in Salesforce

If you already have a Salesforce developer account, jump straight to the next step. Otherwise, navigate to [https://developer.salesforce.com/signup](https://developer.salesforce.com/signup) and create a free developer account.

## Create a self-signed certificate in Salesforce

You'll start by creating a certificate. You'll need to share this with Twilio later.

1. Navigate to Settings > Security > Certificate and Key Management
2. Press the **Create Self-Signed Certificate** button
3. Give the certificate a label and Unique Name, e.g., SalesforceSSO
4. Leave **Key Size** at the default of 2048
5. **Exportable Private Key** should be ticked
6. Press **Save.**
7. Press **Download Certificate** (you'll need the certificate later)

![Salesforce SSO certificate and key edit form with self-signed type and 2048 key size.](https://docs-resources.prod.twilio.com/b862c679f311944b790cf40298ce99b630acccc43807675e7ce12ac9efd9c4a2.png)

## Enable Salesforce Identity Provider in Salesforce

Make sure that the Identity Provider is enabled in Salesforce.

1. Navigate to Settings > Identity > Identity Provider
2. Press the **Enable Identity Provider** button
3. Select the certificate you created in the previous step
4. Press **Save**

> [!WARNING]
>
> If you change this certificate, users won't be able to connect to service providers until you reconfigure each service provider to work with the new certificate.

![Salesforce SSO certificate selection with save and cancel buttons.](https://docs-resources.prod.twilio.com/19ad2dcb2b241d218c95cdcb6eb1eed2987425b496f847ff60a173fb9f09cb06.png)

## Create a Twilio Frontline Connected App in Salesforce

Let's point Salesforce to the Frontline side of the integration.

1. Navigate to Platform Tools > Apps > App Manager
2. Press the **New Connected App** button
3. Set **Connected App Name** to 'Twilio Frontline'
4. Set **API Name** to 'Twilio\_Frontline'
5. Set Contact Email to a suitable email address

![Salesforce form for creating a Twilio Frontline connected app with fields for app name, API name, and contact details.](https://docs-resources.prod.twilio.com/370b2292abfeac9bf5c6c6245a8e62b2bda8e7f1f83721fd739d8f6e51cea49a.png)

## Web App Settings

1. In the **Web App Settings** section, **Enable SAML** should be ticked.
2. Set **Entity ID** to `https://iam.twilio.com/v2/saml2/metadata/JBxxx`. Just replace the example Realm SID, `JBxxx`, with your own Realm SID, which you can find on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).
3. Set **ACS URL** to `https://iam.twilio.com/v2/saml2/authenticate/JBxxx`. Again, replace the Realm SID (`JBxxx`) with your own Realm SID.
4. Set **Subject Type** to Username.
5. Set **Name ID Format** to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
6. Set **Issuer** to `https://yourdomain.my.salesforce.com`
7. Set **IdP Certificate** to the one you created in the first step (e.g., `SalesforceSSO`).
8. Check that the **Verify Request Signatures** option is unticked
9. Check that **Encrypt SAML Response** is unticked
10. Press **Save**

![Web App Settings for Salesforce SSO with options for SAML configuration including Entity Id and ACS URL.](https://docs-resources.prod.twilio.com/0667eb5b16ba7275801311c8f23bdac6f692024c9fcfb758670118817af92a26.png)

## Add custom attributes

In the **Manage Connected Apps** dashboard, click **Twilio Frontline**, go to the **Custom Attributes** section and click the **New** button.

Add a new custom attribute:

* Key: roles
* Value: 'agent' (including the quote marks)

![Custom attributes table with key 'roles' and value 'agent'.](https://docs-resources.prod.twilio.com/6448c8def7b1f0f1ede46192897d955f45e974f8509174bcaffc70e099ed825f.png)

## Assign Profile Access to the Connected App

1. In the Setup Home, go to Administration > Users > Profiles
2. Select the profile you want to edit (e.g., "Standard User", "System Administrator")
3. Under Connected App Access, check the box for the **Twilio Frontline** app
4. Press **Save**

## Setup SSO in Twilio Frontline

Almost done! Now, let's configure the Twilio side of the integration.

1. Open the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).
2. Set Identity Provider Issuer to `https://yourdomain.my.salesforce.com`
3. Set SSO URL to `https://yourdomain.my.salesforce.com/idp/endpoint/HttpRedirect`
4. Paste in the certificate you downloaded from Salesforce.
5. Press **Save**

![Form fields for configuring SSO with Salesforce, including Workspace ID and SSO URL.](https://docs-resources.prod.twilio.com/f647808a1138386b1fca7f2de71585a825c4495fe1b61c16527706a04a873621.png)

Now, you should be able to log into Frontline using Salesforce as the identity provider! 🎉
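If a login fails, you can confirm that both sides agree by copying the `SAMLResponse` form field from the browser's network tab and comparing it with the values configured above. The following is an added example, not Twilio's or Salesforce's code: the function name and the sample response are constructed for illustration, and it compares configuration values only, without verifying the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample response (not a real capture); signature elements omitted.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://yourdomain.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">agent@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://iam.twilio.com/v2/saml2/authenticate/JBxxx"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://iam.twilio.com/v2/saml2/metadata/JBxxx</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="roles">
      <saml:AttributeValue>agent</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(b64_response, realm_sid, issuer):
    """List mismatches between a base64 SAMLResponse and this guide's settings.
    Compares configuration values only; it does not verify the XML signature."""
    entity_id = f"https://iam.twilio.com/v2/saml2/metadata/{realm_sid}"
    acs_url = f"https://iam.twilio.com/v2/saml2/authenticate/{realm_sid}"
    root = ET.fromstring(base64.b64decode(b64_response))

    def attr(path, name):  # attribute of the first matching element, or None
        node = root.find(path, NS)
        return node.get(name) if node is not None else None

    roles = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='roles']/saml:AttributeValue", NS)]
    checks = [
        ("Issuer", root.findtext("saml:Assertion/saml:Issuer", namespaces=NS), issuer),
        ("Audience (Entity ID)", root.findtext(".//saml:Audience", namespaces=NS), entity_id),
        ("Recipient (ACS URL)", attr(".//saml:SubjectConfirmationData", "Recipient"), acs_url),
        ("NameID Format", attr(".//saml:NameID", "Format"), NAMEID_FORMAT),
        ("roles attribute", roles, ["agent"]),
    ]
    return [f"{name}: got {got!r}, expected {want!r}"
            for name, got, want in checks if got != want]
```

Call `check_saml_response(captured_value, "JBxxx", "https://yourdomain.my.salesforce.com")` with your own Realm SID and domain; an empty list means the response matches the settings in this guide.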

## Troubleshooting

### Authentication failed

If the Frontline application is not assigned to your User Profile in Salesforce, you will see the following error message:

![Error 70004: Incorrect AccountSid or AuthToken, authentication failed with status 401.](https://docs-resources.prod.twilio.com/badb5eb4166816ceb493ce6dec236ccb0640090e9583cc6c49f8632818c1b60a.png)

The solution is to assign your connected application to your User Profile, as described [here](/docs/frontline/sso/salesforce#assign-profile-access-to-the-connected-app).
