SAML v2 & SendGrid

Overview

SendGrid is a transactional email service. Using a SAML v2 identity provider, you can control who has access to your SendGrid account. This document covers the configuration necessary to get SendGrid working with FusionAuth as the identity provider using SAML v2.

Prerequisites

This document assumes you have a running instance of FusionAuth and a working SendGrid application. You will also need an admin account for FusionAuth and be the account owner in SendGrid to configure them correctly.

Configure SendGrid

In your SendGrid dashboard, navigate to Settings -> SSO Settings and click Add Configuration.

Name it FusionAuth and write down both Single Sign-On URL and Audience URL (SP Entity ID) fields as you’ll use them soon. Click Next.

To get the needed values for the below form, you need to configure FusionAuth.

Configure FusionAuth

Before finishing configuring SendGrid, you have to configure the certificate issuer and create an application in FusionAuth.

Log in to your instance, navigate to Tenants and click on your tenant to edit it. Change the Issuer to your FusionAuth instance domain without the protocol (e.g. your.application.com) and click on to save your tenant.

Now, navigate to Applications, and name it SendGrid.

Go to the SAML tab and toggle the Enabled switch. Paste the Audience URL (SP Entity ID) and Single Sign-On URL you copied from SendGrid to Issuer and Authorized redirect URLs fields in your FusionAuth application, respectively.

Mapping fields

Scroll down to Authentication response and change Signature canonicalization method to Exclusive.

Click to save your application. When redirected to the Applications page, view your application details by clicking .

In SAML v2 Integration details, write down both Entity Id and Login URL fields.

Copy the Metadata URL and open it in a new browser tab. This will contain configuration you’ll need shortly.

Copy the contents of the X509Certificate element from the XML file and write it down.

Finish setting up SendGrid

Retrieve the first two values you copied from your FusionAuth application and write the Entity Id to SendGrid’s SAML Issuer ID and the Login URL in Embed Link .

In the Certificates session, click Add Certificate.

In the modal, paste your FusionAuth application’s certificate into X509 Certificate and enclose it between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, as seen in the example below.

-----BEGIN CERTIFICATE-----
<contents of X509Certificate copied from FusionAuth>
-----END CERTIFICATE-----

Here’s a walkthrough of these steps.

Click Add Certificate to save the certificate.

Finally click Enable SSO to finish the configuration.

User Management

Go to Settings -> Teammates, click the Add Teammate dropdown button in the top right corner of the page and select Add SSO teammate.

Fill in the same email address from a FusionAuth user and their first and last names. Click Next. Choose one of the available permissions (e.g. Add with read-only access) and click Save to add the user.

Testing

Browse to the SendGrid login page in another browser or in an incognito tab and click Log in with single sign-on (SSO) instead.

In the dedicated SSO page, you need to fill in the username you created earlier and click Log In with SSO.

You’ll be now redirected to the FusionAuth login screen. After entering the credentials, you arrive back at the SendGrid application already logged in.

References

• SendGrid SSO documentation
• Deleting an SSO integration via API is the only way as the Web interface doesn’t allow you to do it
• The Twilio SendGrid pricing page