Sinch MessageMedia is transitioning to using Sinch ID - a shared authentication service for Sinch products. Sinch ID is based on the Auth0 platform. Sinch ID supports log in with username and password,(with MFA via SMS, Authenticator (TOTP) and security keys) as well as SAML 2.0 based single-sign-on (SSO).

SAML based SSO is suitable for businesses wishing to leverage their existing identity services to provide a simpler login experience for their users. It is available for all Sinch MessageMedia customers on a contract or subscription bundle (excluding the Basics bundle).

This article provides instructions for configuring the SAML SSO connection with Sinch MessageMedia - with examples for the Microsoft Entra identity provider, but SSO will work with any SAML 2.0 compatible IdP.

High level steps

To configure your domain with SAML SSO for login to Sinch MessageMedia, the following steps are required:

1. Get access to the Sinch ID SAML SSO feature

2. Add and validate a domain

3. Configure SSO

   1. Within Sinch ID

   2. Within your IdP (Identity provider platform)

4. Assign users to access Sinch MessageMedia within your IdP

5. Invite users to Sinch MessageMedia and assign roles

6. Test and validate the SSO config

Detailed steps to enable SAML SSO

Access to Sinch ID SAML SSO

For now, please reach out to our support team or your account manager to enable access to this feature.

Add and validate a domain

Before you can configure SSO for a given domain, you need to add the domain and validate ownership. This is done by adding a TXT record to your DNS, that we validate It protects against misuse of your domain, and ensures the security of your SSO setup.

Step-by-step instructions

1. Log in to the Sinch MessageMedia portal (hub.messagemedia.com) with your existing credentials

2. Navigate to Settings > Account > Security

3. Click on the Edit SSO button

   a. Alternatively, go to my.sinch.com and sign-in with your Sinch ID user, if not already

4. Go to SSO Configuration > Domains

5. Choose Connect domain:

   

6. Enter the domain you wish to configure for SAML SSO - in the format mydomain.com and click Submit:

   

7. You will be shown a TXT record that needs to be added to your domain’s DNS configuration:

   

8. Copy the TXT record and add the record to your DNS. Click OK to go back to the domains list. Please refer to your IT team or service provider for assistance with DNS config.

9. Your domain will be added - with status ‘In Review’. Once the DNS record has had time to propagate, you can click Check DNS to check if the record can be seen:

   

   Note: DNS propagation can take minutes, or much longer. Check your DNS TTL settings.

10. Once propagated the domain status will change to Verified and you will see a Manage button.

    

Configure SAML SSO in Sinch ID and your identity platform (IdP)

Microsoft Entra (Azuare AD) guide

 

	Microsoft Entra (Azure AD)	Sinch ID - SAML SSO config
1	Create the Entra App Log in to your Microsoft Entra Admin center Go to the Enterprise applications section Click New Application Click Create your own application Give it a name - e.g. Sinch MessageMedia Choose the integrate a non-gallery app option, and click Create: Choose Set up single sign on Choose SAML as the method
2		Get SAML connection details Within Sinch ID (my.sinch.com), go to your domain, and click Manage Click the Configure Enterprise SSO button Leave username & password auth enabled until you’ve validated SSO is working correctly Get the Connection info Entity ID Callback URL - in Entra referred to as the Reply URL (Assertion Consumer Service URL)
3	Basic SAML Configuration Click Edit and copy the Entity ID from Sinch ID, to the Identifier (Entity ID) in Entra Copy the Callback URL from Sinch ID to the Reply URL (Assertion Consumer Service URL) Leave remaining values empty Save and close the pane
4	Configure sign-in URL Copy the Login URL
5		Paste the Login URL from Entra, in to the Sign in URL field:
6	Exchange the certificate Download the Base64 version of the SAML certificate: Open the file in a text editor and copy
7		Import certificate Paste the Base64 certificate text into the Sinch ID config - under x509 signing certificate:
8		Enable Signed request (POST) Expand the Advanced settings section Enable the Sign request toggle Select HTTP-POST as the protocol binding: Click Save
9		Enable Enterprise SSO Before you can use SSO, you must enable it within the Sinch ID portal Go to your domain, and click Manage Enable the Enterprise SSO and confirm: Note:  It is recommended to leave Username and password access enabled until you have validated that the SSO config is complete and working as expected

---

Assign users to the application in your IdP

Before users can access Sinch MessageMedia using SAML SSO, they must be assigned access to the app within your IdP.

For Microsoft Entra (Azure AD) this can be done by going to Users and groups within the Sinch MessageMedia app, and selecting the users or groups to grant access.

Add at least one user or group for testing initially.

Enable self-service

If you use Microsoft Entra - My Access, you can configure users to request access to Sinch MessageMedia. In the Entra Admin portal, go to the Sinch MessageMedia app, and go to the Self Service section.

Invite users to your Sinch MessageMedia account

Before users can log in and use Sinch MessageMedia , they need to be invited by an Admin user, and assigned a role to the one or more accounts.

To do this:

1. Log in to Sinch MessageMedia with a user that has the administrator role

2. In the left menu, go to Settings > Users and click New User button in the top right

3. Add the email of the user(s), and select the role (for more info on roles see [link to article on user roles]) and the account(s) you wish to assign the user to

4. Click Send invitation

The user will receive an email advising them they have been invited to Sinch MessageMedia . They need to click the link to accept and their user account will be created.

They can then login using SAML SSO - as long as access has been granted by your IdP (previous section).

Test and validate

You are now ready to test your SAML SSO configuration with Sinch MessageMedia.

• In a clean browser session, go to hub.messagemedia.com

• Enter an assigned user’s email and click Continue

• If the user is not logged in to their Microsoft Entra account, they will be prompted to log in and authenticate - based on your IdP settings

• Once logged in to their Entra account, the user will be securely logged in to Sinch MessageMedia

Disable username and password access

To ensure the full security and benefits of SSO, you should disable username and password sign in from within the Sinch ID, Domains management section.

FAQs and troubleshooting

Is IdP initiated sign in supported?

Unfortunately IdP initiated sign-in is not currently supported for Sinch MessageMedia. This is planned in a future release.

Why do I need to invite users from Sinch MessageMedia? / Do you support automated provisioning of users?

For now you need to invite users to from Sinch MessageMedia - to ensure they are assigned the correct role and to the correct account(s).

We are working on the capability for automated provisioning and expect it to be available in a future release.

How can I get access to the SSO config in the event of a problem?

In the event that the SSO config isn’t working, users with a domain owner role in the Sinch ID portal (my.sinch.com) can login with non-SSO credentials to troubleshoot and resolve the issue.

How can users access Sinch MessageMedia in the event of an issue with our IdP or SSO configuration?

From the Sinch ID portal (http://my.sinch.com ) you can disable Enterprise SSO login.

Note however, that only users that previously had a username and password will be able to login to Sinch MessageMedia. Users without a password will need to have their credentials reset by contacting support.