Voiceflow SAML SSO Flow

Voiceflow supports SAML 2.0 authentication through either an SP or IdP initiated flow. SP is Service Provider, i.e. Voiceflow, and IdP is Identity Provider, i.e. Okta or a custom SAML implementation.

SSO configuration page

Screenshot 2024-03-11 at 10.50.16 AM.png

<aside> 💡 Implementation Details

Voiceflow provides (after IdP is set/saved):

Audience URI (SP Entity ID)
Assertion Consumer Service URL / Callback URL - The endpoint where the IdP will redirect with its authentication response + Email Identifier

Voiceflow requires from IdP:

Entity ID URL
IdP SSO Target URL - The URL users of your organization will be directed to on login via an SP initiated flow (optional)
X.509 certificate

*On the IdP side, they will need to send the Email identifier (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) to uniquely identify SSO users

</aside>

Enabling SAML on Voiceflow:

Ensure your workspace/organization are under an enterprise plan, and you are a workspace admin, you will be able to see the SSO/SAML configuration page.

Contact Voiceflow customer success to flag all relevant workspaces as part of an organization, and ensure anyone configuring SAML SSO settings is an admin of the workspace.

Screenshot 2024-03-11 at 10.59.53 AM.png

To access all the SP information, just press “Save Configuration” to generate a authentication provider profile.

Once everything is filled out and saved, an IdP-initiated login flow should be possible for the sysadmin to try.

<aside> ♻️ To retroactively add existing Voiceflow accounts to SAML, contact Voiceflow customer success.

</aside>

For an SP-initiated login flow, contact Voiceflow customer success to flag a specific email domain name. This is done for verification and security purposes.

Whenever a login is detected with the email domain, the user will be prompted to Log In via SSO.

Screen Shot 2022-03-04 at 6.10.32 PM.png

FAQ

Is this an SP or IdP initiated flow? If SP initiated, what is the SP login URL?
- Voiceflow supports SAML 2.0 authentication through either an SP or IdP initiated flow. SP is Service Provider, i.e. Voiceflow, and IdP is Identity Provider, i.e. Okta or a custom SAML implementation.
- The SP flow requires a explicit flag for a domain, need to contact support
What is the application username format (e.g. email address or user ID)?
- Customer email address domain
What additional attributes need to be included in the SAML assertion?
- Entity ID URL
- IdP SSO Target URL - The URL users of your organization will be directed to on login via an SP initiated flow (optional)
- X.509 certificate