Twilio SendGrid Single Sign-On is currently in beta. The following documentation and product interface may change as the product is improved.
Known limitations during beta
Twilio SendGrid SSO does not currently support granting an SSO user access to more than one Subuser without granting the SSO user administrator access at the top level of your Twilio SendGrid account.
Single Sign-On is being released in phases for each plan type. The table below provides an estimated release schedule — the provided dates are estimates only and may change. See our pricing page for a list of all Twilio SendGrid plans and features.
|Twilio SendGrid Plan|Estimated Availability|
|---|---|
|Marketing Campaigns Advanced|Now available|
|Email API Pro|May 31st - June 11th|
|Email API Premier and Custom|June 14th - June 25th|
Twilio SendGrid Single Sign-On (SSO) uses the widely supported Security Assertion Markup Language (SAML 2.0) to integrate your Twilio SendGrid user authentication with identity and access management platforms such as Okta, Duo, and Microsoft Azure Active Directory.
SSO and SAML terminology is defined throughout this document. Twilio SendGrid will commonly be referred to as the Service Provider (SP). An identity management provider such as Okta will commonly be referred to as the Identity Provider (IdP). One IdP often uses different terminology from another to label the same required fields in a SAML configuration. This document attempts to clarify and call attention to the alternative terminology used by IdPs whenever possible.
Adding an SSO configuration requires some back-and-forth between the Service Provider (Twilio SendGrid) and the IdP. The Twilio SendGrid App will provide values required by your IdP. Likewise, your IdP will provide values required by Twilio SendGrid. This document will cover the exchange in sections, beginning from the Twilio SendGrid App.
You can find IdP-specific documentation for some of the most popular IdPs in the Additional Resources section.
To add, delete, or modify an SSO integration, log in to the top level of your Twilio SendGrid account using your administrator credentials.
Click Add Configuration. A page will load and display the following configuration values needed by your IdP.
Additional Fields: The following fields may or may not be required by your IdP. If they are required, you can provide the following values.
Once you have added the previous settings where appropriate in your IdP, your IdP will provide the values necessary to complete the setup in the Twilio SendGrid App.
Your SSO configuration should now be complete. You can follow the next steps in this document to edit or delete a configuration. You can also skip to the user management section to begin onboarding SSO users.
You can toggle the state of a configuration by selecting Settings > SSO Settings from the left sidebar navigation of the Twilio SendGrid App.
You can edit or delete a configuration by selecting Settings > SSO Settings from the left sidebar navigation.
Once you have successfully enabled an SSO IdP configuration, you will need to add SSO users to the account. Twilio SendGrid calls these users Teammates. An account administrator can add two types of Teammates to an account: SSO Teammates and Password Teammates. Password Teammates will log in with a username, password, and Twilio SendGrid 2FA. This documentation covers the SSO Teammate setup only. For more information about our Teammates feature, see the dedicated Teammates documentation.
Twilio SendGrid does not currently offer a migration tool that will convert existing Teammates to SSO Teammates. You must manually add existing Password Teammates as SSO Teammates to your account.
Twilio SendGrid requires Two-factor Authentication (2FA) to access its services. This means that any account administrators who access Twilio SendGrid outside of an SSO configuration must enable 2FA. See our 2FA documentation for more information.
Configuring 2FA for SSO Teammates should not be done in the Twilio SendGrid App. You will manage any 2FA requirements for your SSO Teammates in your IdP. For example, the Okta or Duo apps may be configured to send Push or SMS notifications.
Select Add SSO teammate. A menu will load and display the following fields required to create the Teammate.
Existing Teammates can be edited from the Settings > Teammates page of the Twilio SendGrid App.
Existing Teammates can be deleted from the Settings > Teammates page of the Twilio SendGrid App.
User authentication can be initiated in two ways: from the Service Provider or from the IdP. We call these SP-initiated and IdP-initiated authentication flows respectively.
The SP-initiated flow occurs when a user authenticates directly with the Twilio SendGrid App.
When a user enters their email address, Twilio SendGrid performs a check and redirects any email address associated with an SSO account to the SSO login page. Users will then authenticate by entering their IdP credentials.
The IdP-initiated flow occurs when a user authenticates with their IdP. For example, a user may click on the SendGrid app tile from Okta. This flow will authenticate the user and redirect them to the Twilio SendGrid App.
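At the SAML 2.0 message level, the two flows differ in whether the IdP's Response answers an AuthnRequest: an SP-initiated Response carries an `InResponseTo` attribute matching the request ID, while an IdP-initiated (unsolicited) Response has none. The following Python is an added example, not Twilio SendGrid code; `ServiceProvider`, `make_response` and the unsigned sample messages are constructed for illustration, and signature, audience and validity checks are assumed to happen elsewhere.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def make_response(in_response_to=None):
    """Constructed, unsigned samlp:Response skeleton (sample input only)."""
    attrs = {"ID": "_" + secrets.token_hex(8), "Version": "2.0"}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    return ET.tostring(ET.Element(f"{{{SAMLP}}}Response", attrs))


class ServiceProvider:
    """Hypothetical SP that tracks the AuthnRequests it has issued."""

    def __init__(self, allow_idp_initiated):
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = set()  # request IDs sent to the IdP, not yet answered

    def start_sp_initiated(self):
        """User began at the SP: issue a request ID and remember it."""
        request_id = "_" + secrets.token_hex(16)
        self.pending.add(request_id)
        return request_id

    def classify(self, response_xml):
        """Return which flow a Response belongs to, or a rejection reason.

        A production SP verifies the XML signature, audience and validity
        window before trusting any field; this example covers flow only.
        """
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return "reject: not a SAML Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:  # unsolicited, so the user began at the IdP
            if self.allow_idp_initiated:
                return "idp-initiated"
            return "reject: unsolicited response not allowed"
        if in_response_to not in self.pending:
            return "reject: unknown or already used InResponseTo"
        self.pending.discard(in_response_to)  # one-time use blocks replay
        return "sp-initiated"
```
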
Twilio SendGrid IdP guides
IdP documentation sites