Set up Azure AD SSO for Opti ID

To use Opti ID, you must create a Security Assertion Markup Language 2.0 (SAML2) relationship. In this topic, Optimizely uses Azure AD as its identity provider (IdP), but you can use another IdP and the setup should be similar. Contact Optimizely if you have any questions.

Create a direct access app in Azure AD for your Okta tenant

  1. Sign into the Azure portal using either a work or school account, or a personal Microsoft account.
  2. Select the Azure Active Directory service.
  3. Go to Enterprise Applications > All Applications.
  4. Select New application.
  5. In the Manage section of the left menu, select Single sign-on (SSO) to open the Single sign-on pane for editing.
  6. Select SAML (Security Assertion Markup Language) to open the SSO configuration page. After the application is configured, users can sign into it by using their credentials from the Azure AD tenant.
  7. To configure SSO in Azure AD, in the Azure portal, select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
    • Identifier – Enter https://www.okta.com/saml2/service-provider/.
    • Reply URL (Assertion Consumer Service URL) – Enter https://foo.com/sso/saml2/.
    • Click Save.

  8. In the SAML Certificates section, select Download for Certificate (Base64) to download the SAML signing certificate and save it to be used later.

  9. Go to https://login.optimizely.com and log in using the technical contact email and password you set up.
  10. Once logged in, you should be in the Optimizely Admin Center. Click SSO Settings.

  11. In the Single Sign-on view, enter the Issuer URL (Azure AD identifier) and SSO URL (Login URL) you obtained and then select your certificate from your local file system.

  12. Click Submit.
  13. Copy the two values in the SSO Connection Details section. These values will replace the dummy values provided in step 7.

  14. After receiving those values from the Opti ID/Setup Identity Provider screen, open the configuration for the application you created and update the following values:
    • Reply URL (Assertion Consumer Service URL) – provided by Opti ID as the Assertion Consumer Service URL.
    • Identifier (Entity ID) – provided by Opti ID as the Audience Restriction URI.

The setup is complete.

Test the setup

Open an Incognito window and go to https://login.optimizely.com. When you enter your email and click Next, it should redirect you to your organization's identity provider. If you have trouble signing in from the Incognito tab, double-check your settings. If that fails, click Remove Connection in your Optimizely Admin Center's SSO Settings to clear out your settings and try again.

If it does not work correctly, there may be a custom attribute mapping that needs to happen between Azure AD and the Optimizely Okta tenant. Contact support for help.

Resources

Troubleshoot

If you experience issues signing in with Opti ID, contact Optimizely support. Also, send the following information to the Opti ID team so that they can help the Optimizely support team further troubleshoot the issue.

Azure AD exposes a federation metadata document that describes the federation service: it is used to create trusts, identifies the token-signing certificates, and lists other tenant-specific endpoints. Send this document or the federation metadata document URL to the Opti ID support team.

To download this document, follow these steps:

  1. Go to the Azure Portal.
  2. Select Azure Active Directory > App registrations.
  3. Select your SAML application.
  4. Go to Overview > Endpoints and locate the Federation metadata document. Send the document or its URL to Optimizely support.