Set up Okta SSO with Opti ID


To use Opti ID, you must create a Security Assertion Markup Language 2.0 (SAML2) relationship. In this topic, Optimizely uses Okta as its identity provider (IDP), but you can use another IDP; the setup should be similar. Contact Optimizely if you have any questions.

  1. Go to your Applications section: https://[your-domain].okta.com/admin/apps/active
  2. Select Create App Application and select SAML 2.0.

  3. In the General Settings step, enter a name. The App logo and App visibility settings are optional. Click Next.

  4. In the Configure SAML step, set the following properties:
    • Single sign-on URL – Enter a valid URL, like https://www.sample1.com. (You will edit this later.)
    • Audience URI – Enter a valid URI, like https://www.sample2.com.  (You will edit this later.)
    • Default RelayState – optional
    • Name ID format – Select EmailAddress.
    • Application username – Select Email.
    • Update application username on – Create and update
    • Attribute Statements (optional) – Configure the claims that are needed to properly identify a user in the Opti ID service provider.
      • Delete any existing claims.
      • Add the following claims as shown in the following image. Please ensure the claims are added using the same casing as in the image.

        Okta-sso-1.png

  5. Click Next. The Sign On page of your application displays.
  6. Select View SAML setup instructions. A new window/tab displays.
  7. Copy the Identity Provider Single Sign-On URL and Identity Provider Issuer (perhaps to a text document).

    Okta-sso-2.png

  8. Click Download Certificate and save the certificate.
  9. Close the Setup Instructions tab/window, but keep the Application tab open.
  10. Go to https://login.optimizely.com and log in to the Optimizely Admin Center using your technical contact email and password.
  11. Select the SSO Settings tab.

  12. Enter the Issuer URL (the Identity Provider Issuer that you copied in step 7) and the SSO URL (the Identity Provider Single Sign-On URL that you copied in step 7), and then select your certificate from your local filesystem. Click Submit.
    Make sure you enter each value in the correct field; otherwise, the configuration may be accepted but users will not be able to log in successfully.

  13. After clicking Submit, copy the values in Audience URL and Assertion Consumer Service URL (perhaps to a text file).

  14. Go back to your Application settings in your Okta/IDP instance and select the General tab.
  15. Scroll down to SAML settings and click Edit.

  16. Click Next to advance to the Configure SAML step.
  17. Paste the value from Assertion Consumer Service URL into Single Sign On URL.
  18. Paste the value from Audience URL into Audience Restriction.
  19. Click Next, and Next again to save. The setup is complete.
  20. Test the setup.
    1. Open an Incognito window and go to https://login.optimizely.com.
    2. Enter your email and click Next. It should redirect you to your organization's IDP.
      If you have any issues signing in from the Incognito window, double-check your settings. If all else fails, click Remove Connection in your Optimizely Admin Center's SSO Settings to clear out your settings and try again. Contact support for any help.
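
When the test in step 20 fails, comparing the assertion your IDP actually sends with the values from steps 7, 13, 17 and 18 usually shows which field is wrong. The following Python check is an added example, not Optimizely or Okta code. The function name, the `idp.example` and `sp.example` values and the sample response are constructed placeholders, and it assumes an unencrypted assertion delivered as the base64 `SAMLResponse` form field.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CONFIRM = "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData"

def check_saml_response(b64_response, expected):
    """List mismatches between a captured SAMLResponse and the SSO settings.
    Troubleshooting aid only: the XML signature is not verified, so never
    use this to decide whether a login is valid."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]

    def get(path, attr=None):
        node = assertion.find(path, NS)
        if node is None:
            return None
        return node.get(attr) if attr else (node.text or "").strip()

    found = {
        "issuer": get("a:Issuer"),
        "audience": get("a:Conditions/a:AudienceRestriction/a:Audience"),
        "acs_url": get(CONFIRM, "Recipient"),
        "name_id_format": get("a:Subject/a:NameID", "Format"),
    }
    return [f"{key}: expected {want!r}, got {found[key]!r}"
            for key, want in expected.items() if found[key] != want]

# Constructed sample: an assertion still carrying the temporary step 4 URLs.
SAMPLE = base64.b64encode(f"""
<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="{NS['a']}">
 <a:Assertion><a:Issuer>http://idp.example/issuer</a:Issuer>
  <a:Subject><a:NameID Format="{EMAIL_FORMAT}">user@example.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://www.sample1.com"/>
   </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>https://www.sample2.com</a:Audience>
  </a:AudienceRestriction></a:Conditions>
 </a:Assertion></p:Response>""".encode()).decode()

# Placeholder settings: substitute the values copied in steps 7 and 13.
EXPECTED = {"issuer": "http://idp.example/issuer", "name_id_format": EMAIL_FORMAT,
            "audience": "https://sp.example/audience",
            "acs_url": "https://sp.example/acs"}

if __name__ == "__main__":
    print("\n".join(check_saml_response(SAMPLE, EXPECTED)) or "settings match")
```

Run against the constructed sample, it reports the audience and ACS URL mismatches that result when steps 17 and 18 are skipped and the temporary step 4 values remain in place.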