Configure SAML SSO with Entra ID

  • Updated

Opti ID lets you configure Security Assertion Markup Language (SAML) single sign-on (SSO) with Entra ID as the identity provider (IdP). With this setup, Entra ID authenticates and authorizes your users.

You can also configure SAML SSO with Okta, PingOne, Duo, or OneLogin (documentation coming soon).

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

  1. In the Entra ID portal, if you have access to multiple tenants, go to Settings and switch to the tenant you want to register as the SSO application for Opti ID.
  2. Search for and select Microsoft Entra ID.
  3. Go to Enterprise Applications > All Applications.
  4. Select New application.
  5. In the Manage section of the left menu, select Single sign-on to open the SSO panel for editing.
  6. Select SAML to open the SSO configuration page. After the application is configured, users can sign into it using their Entra ID tenant credentials.
  7. To configure SSO in Entra ID, click Edit in the Basic SAML Configuration section on the Set up single sign-on panel.
    These are placeholder values until you obtain the final values from Optimizely, and you can edit them later.
    • Identifier – Enter a valid placeholder URL, like https://www.sample1.com, which you will replace later.
    • Reply URL (Assertion Consumer Service URL) – Enter a valid placeholder URI, like https://www.sample2.com, which you will replace later.
    • Click Save.

  8. In the Attributes & Claims section, click Edit and go to Additional claims. Update email, firstName, and lastName (case-sensitive) as shown in the following images.
    1. Delete any existing claims.
    2. Add the following claims (case-sensitive) in the following images.
    • email

    • firstName

    • lastName

    • The image below is an example of how the attributes and claims should look after configuring as specified.
  9. In the SAML Certificates section, click Download for Certificate (Base64) to download and save the SAML signing certificate for later use.

  10. In the Set up Single Sign-On App section, copy the Login URL and Microsoft Entra Identifier and save for later use.
  11. Go to https://login.optimizely.com and log in using your technical contact email and password you set up. For information about properly activating the technical contact user, see Technical contact login.
  12. After you log in, you should be in the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  13. Go to Settings > SSO > Add SSO Connection, select SAML as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps you distinguish between multiple SSO connections.
    • Issuer URL/Entity ID – Enter the Microsoft Entra Identifier from step 10.
    • SSO URL – Enter the Login URL from step 10.
    • Signature Certificate – Select the certificate that you downloaded in step 9 from your local file system.
      Make sure you enter the correct values in the correct fields because otherwise, the configuration may be accepted, but users will not be able to log in successfully.
  14. Click Save.
  15. Copy the two values in the SSO Connection Details section and save them for later use. These values will replace the Identifier and Reply URL (Assertion Consumer Service URL) placeholder values provided in step 7.

  16. After you configure the SSO connection, use the generated Audience URL and Assertion Consumer Service URL values to update the following values in the SAML application created in your organization (set in step 7 with placeholder values).
    • Identifier (Entity ID) – Paste the value from the Audience URL.
    • Reply Url (Assertion Consumer Service URL) – Paste the value from the Assertion Consumer Service URL.

      The setup is complete.

  17. Assign the SAML application (created in the previous section) to at least two users (or a user group in your IdP to which the user belongs). This ensures that you are not locked out if you experience any issues with your SSO set-up. If you do not complete this step, an error displays when a user tries to sign in from the SSO connection setup in the previous section.

IdP-initiated login

Configuring your SSO connection automatically enables IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned in the SAML application should test the setup. They need to be a user in the Opti ID Admin Center but logged out.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. When you enter your email and click Next, it should redirect you to your organization's IdP.
  3. Double-check your settings if there are any issues with signing in with your incognito window.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.