Configure SSO with Opti ID using SAML


To set up single sign-on (SSO) with Opti ID, you must have an identity provider (IdP) application that you want to use for authenticating and authorizing your users. You can use Entra ID or Okta as the IdP.

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

If you want to use OpenID Connect (OIDC) to set up SSO with Opti ID, see Configure SSO with Opti ID using OIDC.

Create a direct access SAML app in Entra ID for Opti ID

  1. In the Entra ID portal, if you have access to multiple tenants, go to Settings and switch to the tenant you want to register as the SSO application for Opti ID.
  2. Search for and select Microsoft Entra ID.
  3. Go to Enterprise Applications > All Applications.
  4. Select New application.
  5. In the Manage section of the left menu, select Single sign-on to open the SSO panel for editing.
  6. Select SAML (Security Assertion Markup Language) to open the SSO configuration page. After the application is configured, users can sign into it using their Entra ID tenant credentials.
  7. To configure SSO in Entra ID, click Edit in the Basic SAML Configuration section on the Set up single sign-on panel.
    These are temporary settings until the final values are obtained from Optimizely.
    • Identifier – Enter https://www.sample1.com. (You will edit this later.)
    • Reply URL (Assertion Consumer Service URL) – Enter https://sample2.com. (You will edit this later.)
    • Click Save.

  8. In the Attributes & Claims section, click Edit and go to Additional claims.
    1. Delete any existing claims.
    2. Add the following claims, using exactly this casing for the claim names:
    • email
    • firstName
    • lastName
  9. In the SAML Certificates section, click Download for Certificate (Base64) to download the SAML signing certificate and save it for later use.

  10. In the Set up Single Sign-On App section, copy the Login URL and Microsoft Entra Identifier and save for later use.
  11. Go to https://login.optimizely.com and log in using your technical contact email and password you set up. For more information about properly activating the technical contact user, see Technical contact login.
  12. After you log in, you should be in the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  13. Go to Settings > SSO.
  14. Enter the Issuer URL (the Microsoft Entra Identifier from step 10) and SSO URL (the Login URL from step 10), and select the certificate that you downloaded in step 9 from your local file system.
    Make sure you enter the correct value in the correct field because otherwise the configuration may be accepted but users will not be able to log in successfully.

  15. Click Submit.
  16. Copy the two values in the SSO Connection Details section and save for later use. These values will replace the dummy values provided in step 7.

  17. After you configure the SSO connection, use the generated Audience URL and Assertion Consumer Service URL values to update the following values in the SAML application created in your organization (set in step 7 with temporary values).
    • Reply URL (Assertion Consumer Service URL) – Set from the Assertion Consumer Service URL.
    • Identifier (Entity ID) – Set from the Audience Restriction URI.

    The setup is complete.

  18. Assign the SAML application (created in the previous section) to the user (or a user group in your IdP to which the user belongs). If you do not complete this step, an error displays when a user tries to sign in from the SSO connection setup in the previous section.

Create a direct access SAML app in Okta for Opti ID

  1. In the Okta Admin Console, go to Applications > Applications: https://[your-domain].okta.com/admin/apps/active.
  2. Click Create App Integration, select SAML 2.0, and click Next.
  3. In the General Settings step, enter the App name (for example, Optimizely SSO). You can optionally select an App logo and App visibility settings. Click Next.

  4. In the Configure SAML step, set the following properties:
    • Single sign-on URL – Enter a valid URL, like https://www.sample1.com. (You will edit this later.)
    • Audience URI – Enter a valid URI, like https://www.sample2.com. (You will edit this later.)
    • Default RelayState – Optional.
    • Name ID format – Select EmailAddress.
    • Application username – Select Email.
    • Update application username on – Create and update.
    • Attribute Statements (optional) – Configure claims that are needed to properly identify a user in the Opti ID service provider. Delete any existing claims and add the following claims. Ensure you add the claims using the same casing as shown below:

      Name        Name format     Value
      firstName   URI Reference   user.firstName
      lastName    URI Reference   user.lastName
      email       URI Reference   user.email
  5. Click Next. The sign-on page of your application displays.
  6. Select View SAML setup instructions. A new window/tab displays.
  7. Copy the Identity Provider Single Sign-On URL and Identity Provider Issuer and save for later use.

  8. Click Download certificate and save the certificate.
  9. Close the Setup Instructions window, but keep the Application tab open.
  10. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For more information about properly activating the technical contact user, see Technical contact login.
  11. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  12. Go to Settings > SSO.
  13. Enter the Issuer URL (the Identity Provider Issuer from step 7), SSO URL (the Identity Provider Single Sign-On URL from step 7), and then select your certificate from your local file system.
    Make sure you enter the correct value in the correct field because otherwise the configuration may be accepted but users will not be able to log in successfully.

  14. Click Submit.
  15. Copy the two values in the SSO Connection Details section and save for later use. These values will replace the dummy values provided in step 4.

  16. Go back to your Application settings in your Okta instance and select the General tab.
  17. In the SAML Settings section, click Edit.
  18. Click Next to advance to the Configure SAML step.
  19. Use the generated Audience URL and Assertion Consumer Service URL values (from step 15) to update the following values:
    • Single sign-on URL – Paste the value for Assertion Consumer Service URL (from step 15).
    • Audience URI – Paste the value for Audience URL (from step 15).
  20. Click Next, and Next again to save. The setup is complete.
  21. Assign the SAML application (created in the previous section) to the user (or a user group in your IdP to which the user belongs). If you do not complete this step, an error displays when a user tries to sign in from the SSO connection setup in the previous section.
    To set up roles, see Roles. To set up groups, see Groups.
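As an added pre-flight check (example code, not Optimizely's or either IdP's), the following parses a SAML Response and verifies the values the Entra ID and Okta procedures above require to line up: Issuer against the Issuer URL, Destination against the Assertion Consumer Service URL, Audience against the Audience Restriction URI, and the email/firstName/lastName claims with exact casing. The URLs, the sample response and the claim values are constructed placeholders; substitute the values shown on your SSO page.

```python
# Added example (not Optimizely's or any IdP's code): parse a constructed SAML
# Response and confirm the values the procedure above says must line up.
# Signature verification is deliberately out of scope; a real check needs it.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("email", "firstName", "lastName")  # exact casing required

# Constructed placeholder values; substitute the ones shown on the SSO page.
EXPECTED = {"issuer": "https://idp.example.test/issuer",      # Issuer URL
            "acs": "https://sso.example.test/acs",             # ACS URL
            "audience": "https://sso.example.test/audience"}   # Audience URI

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" Destination="{EXPECTED['acs']}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{EXPECTED['audience']}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected):
    """Return a list of mismatches; an empty list means the values line up."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs"]:
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer != Issuer URL")
    if root.findtext(".//saml:Audience", namespaces=NS) != expected["audience"]:
        problems.append("Audience != Audience Restriction URI")
    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    for claim in REQUIRED_CLAIMS:
        if claim not in names:  # case-sensitive, as the service provider is
            near = [n for n in names if n.lower() == claim.lower()]
            problems.append(f"missing claim {claim!r}"
                            + (f" (found {near[0]!r}, casing differs)" if near else ""))
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, EXPECTED) or "all values line up")
```

The sample deliberately carries a lowercase `firstname` claim so the casing check fires; swapping the Issuer URL and ACS URL in EXPECTED reproduces the "accepted but users cannot log in" mistake the steps warn about.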

Test the setup

Open an incognito window and go to https://login.optimizely.com. When you enter your email and click Next, you should be redirected to your organization's IdP. If signing in from the incognito window fails, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.