Configure OIDC SSO with Entra ID

Opti ID lets you configure OpenID Connect (OIDC) SSO with Entra ID as the IdP. With this setup, Entra ID authenticates and authorizes your users.

You can also configure OIDC SSO with Okta, PingFederate, or Duo (documentation coming soon).

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

  1. In the Microsoft Entra ID portal, if you have access to multiple tenants, go to Settings and switch to the tenant in which you want to register the SSO application for Opti ID.
  2. Search for and select Microsoft Entra ID.
  3. Under Manage, select App registrations > New registration and complete the following fields:
    • Name – Enter a name for the application (for example, Optimizely SSO).
    • Supported account types – Select Accounts in this organizational directory only (Single tenant). The portal shows your own tenant name in this option, for example PaaSTest only - Single tenant. This specifies who can use the application, sometimes called its sign-in audience.
    • Redirect URI (optional) – Do not enter anything. You will configure a redirect URI in the next section.
  4. Click Register.
  5. The registration automatically generates an Application (client) ID, which uniquely identifies your application within the IdP. Copy and save the Application (client) ID value as you will need it in the next section.
  6. Under Manage, go to Authentication > Add a platform.
  7. Select Web as the application type.
  8. In the Redirect URIs field, enter https://login.optimizely.com/oauth2/v1/authorize/callback and click Configure.
  9. Under Certificates & secrets, go to Client secrets > New client secret to generate a client secret for your app. Enter the following, then click Add:
    • Description – Enter the description (for example, Optimizely SSO).
    • Expires – Select 730 days (24 months).
    Copy the secret value as soon as it is generated; Entra ID displays it only once, and you cannot retrieve it later.
  10. Under Manage, go to Token configuration > Add optional claim, complete the following, then click Add:
    • Token type – Select ID.
    • Claims – Select email, family_name, and given_name.
  11. A verification message displays. Select the Microsoft Graph email, profile permission (required for claims to appear in token) checkbox, and click Add.
  12. Gather the following information from this new application, which you will use to configure SSO in Opti ID:
    • Application (client) ID – On the Overview page of the application registration.
    • Client secret – Generated in step 9 above.
    • OpenID Connect metadata document URL – On the Overview > Endpoints page of the application registration.
  13. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For more information about properly activating the technical contact user, see Technical contact login.
  14. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  15. Go to Settings > SSO > Add SSO Connection, select OIDC as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps distinguish between multiple SSO connections.
    • Provider – Select EntraID.
    • Client ID – Enter the Application (client) ID from step 12.
    • Client Secret – Enter the secret from step 9 (also collected in step 12).
    • Well Known Metadata URL – Enter the OpenID Connect metadata document URL from step 12.
  16. Click Save. If the Authorization URL, Issuer URL, JWKS URL, and Token URL fields do not automatically populate based on the metadata URL, you must manually configure them.
  17. You can now test your SSO connection by logging out of Opti ID and logging back in. The login flow should now direct you to your Entra ID provider.
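The four fields that Opti ID fills in from the Well Known Metadata URL in step 16 are standard OpenID Connect Discovery keys, and the optional claims added in steps 10 and 11 can be checked in the ID token itself when a login does not behave as expected. The following Python script is an added example, not Optimizely's or Microsoft's code: it reads a discovery document and reports which Opti ID fields it can fill (the rest must be entered manually), and it inspects an ID token's claims for the issuer, audience and optional claims a login needs. The discovery document, tenant ID, client ID and token it uses are constructed placeholders; the token is deliberately unsigned so the check runs offline.

```python
"""Check an Entra ID OIDC discovery document and ID token claims for an Opti ID connection.

Added example, not Optimizely's or Microsoft's code. Runs offline on a
constructed discovery document shaped like Entra ID's and a constructed,
unsigned ID token; the tenant ID, client ID and user values are placeholders.
"""
import base64
import json

# Opti ID connection fields populated from the Well Known Metadata URL (step 16),
# mapped to the OpenID Connect Discovery keys they are read from.
OPTI_ID_FIELDS = {
    "Issuer URL": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
}

# Optional claims added to the ID token in steps 10 and 11.
REQUIRED_ID_TOKEN_CLAIMS = ("email", "family_name", "given_name")

# Placeholders standing in for the values copied from the app registration.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed discovery document in the shape Entra ID serves at
# https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
_BASE = f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}"
SAMPLE_METADATA = json.dumps({
    "issuer": f"{_BASE}/v2.0",
    "authorization_endpoint": f"{_BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{_BASE}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def extract_opti_id_fields(metadata_json: str) -> dict:
    """Map the metadata document onto the four Opti ID fields.

    A field is None when its key is absent or not an absolute HTTPS URL;
    those are the fields you must enter manually under Settings > SSO.
    """
    doc = json.loads(metadata_json)
    fields = {}
    for label, key in OPTI_ID_FIELDS.items():
        value = doc.get(key)
        fields[label] = value if isinstance(value, str) and value.startswith("https://") else None
    return fields


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_payload(id_token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Diagnostic only: Opti ID verifies the RS256 signature against the JWKS URL
    during login; this function just shows what the token says.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(id_token: str, metadata_json: str, client_id: str) -> list:
    """List the claim problems that would stop an Opti ID login; an empty list means OK."""
    problems = []
    issuer = json.loads(metadata_json).get("issuer")
    claims = decode_id_token_payload(id_token)
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, metadata issuer is {issuer!r}")
    if claims.get("aud") != client_id:
        problems.append(f"aud is {claims.get('aud')!r}, not the Application (client) ID {client_id!r}")
    for name in REQUIRED_ID_TOKEN_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name!r} missing: add it under Token configuration > Add optional claim")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the claim check can run offline.

    Real Entra ID tokens are RS256-signed; an alg=none token like this one is
    rejected by Opti ID and exists here only as test input.
    """
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    for label, value in extract_opti_id_fields(SAMPLE_METADATA).items():
        print(f"{label}: {value or 'MISSING, enter manually'}")
    token = make_unsigned_sample_token({
        "iss": f"{_BASE}/v2.0", "aud": SAMPLE_CLIENT_ID,
        "email": "jane.doe@example.com", "family_name": "Doe",  # given_name left out on purpose
    })
    for problem in check_id_token_claims(token, SAMPLE_METADATA, SAMPLE_CLIENT_ID):
        print("problem:", problem)
```

To use it against your own tenant, replace SAMPLE_METADATA with the body fetched from the OpenID Connect metadata document URL from step 12 and SAMPLE_CLIENT_ID with your Application (client) ID; the audience check is what catches a secret or client ID copied from the wrong app registration.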

Configure IdP-initiated login

After you configure your SSO connection, you can enable IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned in the OIDC application should test the setup. The tester must exist as a user in the Opti ID Admin Center and must be logged out of Opti ID.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. After you enter your email and click Next, Opti ID should redirect you to your organization's IdP.
  3. If sign-in fails in the incognito window, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.