Configure SSO with Opti ID using OIDC

To set up single sign-on (SSO) with Opti ID, you must have an identity provider (IdP) application that you want to use for authenticating and authorizing your users. You can use Entra ID or Okta as the IdP.

Optimizely recommends that you set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, all users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

If you want to use Security Assertion Markup Language (SAML) to set up SSO with Opti ID, see Configure SSO with Opti ID using SAML.

Create a direct access OIDC app in Entra ID for Opti ID

  1. In the Microsoft Entra ID portal, if you have access to multiple tenants, go to Settings and switch to the tenant you want to register as the SSO application for Opti ID.
  2. Search for and select Microsoft Entra ID.
  3. Under Manage, select App registrations > New registration and complete the following fields:
    • Name – Enter a name for the application (for example, Optimizely SSO).
    • Supported account types – Select Accounts in this organizational directory only (your tenant name only - Single tenant). This specifies who can use the application, sometimes called its sign-in audience.
    • Redirect URI (optional) – Do not enter anything. You will configure a redirect URI in the next section.
  4. Click Register.
  5. The registration automatically generates an Application (client) ID, which uniquely identifies your application within the IdP. Copy and save the Application (client) ID value as you will need it in the next section.
  6. Under Manage, go to Authentication > Add a platform.
  7. Select Web as the application type.
  8. In the Redirect URIs field, enter https://login.optimizely.com/oauth2/v1/authorize/callback and click Configure.
  9. Under Certificates & secrets, go to Client secrets > New client secret to generate a client secret for your app. Enter the following, then click Add:
    • Description – Enter the description (for example, Optimizely SSO).
    • Expires – Select 730 days (24 months).
    Copy the secret after it is generated.
  10. Under Manage, go to Token configuration > Add optional claim, complete the following, then click Add:
    • Token type – Select ID.
    • Claims – Select email, family_name, and given_name.
  11. A verification message displays. Select the Microsoft Graph email, profile permission (required for claims to appear in token) checkbox, and click Add.
  12. Gather the following information from this new application, which you will use to configure SSO in Opti ID:
    • Application (client) ID – On the Overview page of the application registration.
    • Client secret – Generated in step 9 above.
    • OpenID Connect metadata document URL – On the Overview > Endpoints page of the application registration.
  13. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For more information about properly activating the technical contact user, see Technical contact login.
  14. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  15. Go to Settings > SSO, select OIDC as the connection type, and complete the following fields:
    • Provider – Select EntraID.
    • Client ID – Enter the Application (client) ID from step 12 above.
    • Client Secret – Enter the secret from step 9 above (also collected in step 12 above).
    • Well Known Metadata URL – Enter the OpenID Connect metadata document URL from step 12 above.
  16. Click Submit. If the Authorization URL, Issuer URL, JWKS URL, and Token URL fields do not automatically populate based on the metadata URL, you must manually configure them.
  17. You can now test your SSO connection by logging out of Opti ID and logging back in. The login flow should now direct you to your Entra ID provider.

Create a direct access OIDC app in Okta for Opti ID

  1. In the Okta Admin Console, go to Applications > Applications: https://[your-domain].okta.com/admin/apps/active.
  2. Click Create App Integration and complete the following, then click Next:
    • Sign-in method – Select OIDC - OpenID Connect.
    • Application type – Select Web Application.
  3. In the General Settings step, complete the following:
    • App integration name – Enter a name for the application (for example, Optimizely SSO).
    • Logo (Optional) – You can optionally select a logo.
    • Grant type – Select Authorization Code and Refresh Token.
    • Sign-in redirect URIs – Enter https://login.optimizely.com/oauth2/v1/authorize/callback.
  4. In the Assignments step, complete the following, then click Save:
    • Controlled access – Assign a group or leave the default (everyone). If you limit access to specific groups, verify that the groups you select include the users you want to have access.
    • Enable immediate access – Select this checkbox.
  5. Gather the following information from the settings page that displays, which you will use to configure SSO in Opti ID:
    • Client ID – In the Client Credentials section of the General tab of the new application's settings in Okta.
    • Client Secret – In the Client Secrets section of the General tab of the new application's settings in Okta.
    • OpenID Connect metadata document URL
      • https://${yourOktaDomain}/.well-known/openid-configuration – If you are using the default Org Authorization Server.
      • https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/openid-configuration – If you are using a Custom Authorization Server.
  6. Go to https://login.optimizely.com and log in using your technical contact email and password. For more information about properly activating the technical contact user, see Technical contact login.
  7. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  8. Go to Settings > SSO, select OIDC as the connection type, and complete the following fields:
    • Provider – Select Okta.
    • Client ID – Enter the Client ID from step 5 above.
    • Client Secret – Enter the Client Secret from step 5 above.
    • Well Known Metadata URL – Enter the OpenID Connect metadata document URL from step 5 above.
  9. Click Submit. If the Authorization URL, Issuer URL, JWKS URL, Token URL, and User Info URL fields do not automatically populate based on the metadata URL, you must manually configure them.
  10. You can now test your SSO connection by logging out of Opti ID and logging back in. The login flow should now direct you to your Okta provider.
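Both procedures end with Opti ID reading the Authorization, Issuer, JWKS, Token, and (for Okta) User Info URLs out of the well-known metadata document, and both ask you to fill those fields by hand when that fails. The following added example, which is not Optimizely's or either IdP's code, shows where each field comes from in the discovery document and applies the two checks worth making before pasting values manually: the document's issuer must be the origin of the metadata URL you entered, and every endpoint must be https. The sample document and the example.okta.com domain are constructed; the claim check reflects the Entra ID token configuration step above.

```python
import json
from urllib.parse import urlparse

# Opti ID field label -> key in the /.well-known/openid-configuration document.
OPTI_ID_FIELDS = {
    "Issuer URL": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
    "User Info URL": "userinfo_endpoint",  # listed for Okta; treated as optional here
}
# Claims the Entra ID token must carry for Opti ID (token configuration step).
REQUIRED_ID_TOKEN_CLAIMS = ("email", "family_name", "given_name")
# Constructed sample: discovery document of a hypothetical Okta org authorization server.
SAMPLE_METADATA_URL = "https://example.okta.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
})


def well_known_url(issuer):
    """OIDC Discovery places the metadata at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def derive_sso_fields(metadata_url, discovery_doc):
    """Return {Opti ID field label: URL}; reject a foreign issuer or a non-https endpoint."""
    doc = json.loads(discovery_doc)
    issuer = doc.get("issuer", "")
    if well_known_url(issuer) != metadata_url:
        raise ValueError(f"issuer {issuer!r} does not match metadata URL {metadata_url!r}")
    fields = {}
    for label, key in OPTI_ID_FIELDS.items():
        value = doc.get(key)
        if value is None:
            if key == "userinfo_endpoint":
                continue  # the Entra ID field list in this article does not include it
            raise ValueError(f"discovery document lacks {key}")
        if urlparse(value).scheme != "https":
            raise ValueError(f"{key} must be https, got {value!r}")
        fields[label] = value
    return fields


def missing_id_token_claims(claims):
    """Names of required claims absent from a decoded ID token payload (a dict)."""
    return [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
```

Fetch the metadata URL with any HTTP client, pass the response body to derive_sso_fields, and copy the returned values into the corresponding Opti ID fields; a ValueError means the URL you entered and the document it serves disagree and should not be used.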

Test the setup

Open an incognito window and go to https://login.optimizely.com. When you enter your email and click Next, you should be redirected to your organization's IdP. If signing in from the incognito window fails, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.