Issue
When trying to configure Google DUO as the IdP for SSO login integration with SendGrid, customers are unable to log in to SendGrid and are redirected back to the SendGrid login page.
Product
Twilio SendGrid Email API Pro, Premier, and Marketing Campaigns Advanced plans.
Cause
The SendGrid integration does not recognize existing users as part of the SSO Teammate group.
The IdP Metadata values on the SendGrid side do not match the values on the DUO side.
Resolution
The resolution process involves making changes on SendGrid's side after fully configuring the integration:
1. Ensure that the SAML Issuer ID on the SendGrid side matches the value copied from the DUO side. The customer needs to copy and paste the Entity ID identifier from DUO: an identifier, usually a URL, provided by your IdP to identify the Service Provider in the SAML interaction. Your IdP may call this an "Entity ID", "Identity Provider Issuer" or other identifier.
Also ensure that the Embed Link on the SendGrid side matches the value copied from the DUO side. The customer needs to copy and paste the IDP SSO URL from DUO: the IdP's SAML POST endpoint. This endpoint should receive requests and initiate an SSO login flow. Your IdP may call this the "Identity Provider Single Sign-On URL", "Login URL", or some other authentication URL.
2. Make sure the Entity ID in DUO is the same as the Single Sign-On URL or Audience URL (SP Entity ID) in SendGrid. See the example below:
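One way to run the step 1 comparison offline, added here as an illustration; it is not part of the original article or of SendGrid's or Duo's tooling. It assumes the IdP's SAML metadata XML is available as a file or string; the metadata, URLs and pasted values below are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata; hosts and IDs are placeholders, not real Duo values.
DUO_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso-example.invalid/saml2/sp/PLACEHOLDER/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso-example.invalid/saml2/sp/PLACEHOLDER/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso-example.invalid/saml2/sp/PLACEHOLDER/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_values(metadata_xml):
    """Return the IdP entity ID and HTTP-POST SSO endpoint from SAML metadata."""
    root = ET.fromstring(metadata_xml)
    sso = [s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    if not sso:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")
    return {"SAML Issuer ID": root.get("entityID"), "Embed Link": sso[0]}

def classify(expected, configured):
    """SAML identifiers are compared as exact strings; explain near misses."""
    if expected == configured:
        return "match"
    if expected == configured.strip():
        return "whitespace"
    if expected.rstrip("/") == configured.strip().rstrip("/"):
        return "trailing slash"
    if expected.lower() == configured.strip().lower():
        return "case"
    return "different"

def check(metadata_xml, sendgrid):
    """Map each SendGrid field to how its value compares with the IdP's."""
    return {field: classify(value, sendgrid.get(field, ""))
            for field, value in idp_values(metadata_xml).items()}

if __name__ == "__main__":
    # Constructed values as they might have been pasted into SendGrid.
    pasted = {"SAML Issuer ID": "https://sso-example.invalid/saml2/sp/PLACEHOLDER/metadata ",
              "Embed Link": "https://sso-example.invalid/saml2/sp/PLACEHOLDER/redirect"}
    for field, result in check(DUO_METADATA, pasted).items():
        print(f"{field}: {result}")
```

Any result other than `match` means the value stored in SendGrid differs from what the IdP publishes, including a pasted HTTP-Redirect endpoint where the POST endpoint is expected.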
Additional information
Please check this document to get more details about IdP settings in SendGrid.
See also this document about Duo Single Sign-On for Generic SAML Service Providers.