Configure SSO with Opti ID using SAML

  • Updated

To set up single sign-on (SSO) with Opti ID, you must have an identity provider (IdP) application that you want to use for authenticating and authorizing your users. You can use Entra ID or Okta as the IdP.

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

If you want to use OpenID Connect (OIDC) to set up SSO with Opti ID, see Configure SSO with Opti ID using OIDC.

Create a direct access SAML app in Entra ID for Opti ID

  1. In the Entra ID portal, if you have access to multiple tenants, go to Settings and switch to the tenant you want to register as the SSO application for Opti ID.
  2. Search for and select Microsoft Entra ID.
  3. Go to Enterprise Applications > All Applications.
  4. Select New application.
  5. In the Manage section of the left menu, select Single sign-on to open the SSO panel for editing.
  6. Select SAML (Security Assertion Markup Language) to open the SSO configuration page. After the application is configured, users can sign into it using their Entra ID tenant credentials.
  7. To configure SSO in Entra ID, click Edit in the Basic SAML Configuration section on the Set up single sign-on panel.
    These are placeholder values until you obtain the final values from Optimizely, and you can edit them later.
    • Identifier – Enter a valid placeholder URL, like https://www.sample1.com, which you will replace later.
    • Reply URL (Assertion Consumer Service URL) – Enter a valid placeholder URI, like https://www.sample2.com, which you will replace later.
    • Click Save.

  8. In the Attributes & Claims section, click Edit and go to Additional claims. Update email, firstName, and lastName (case-sensitive) as shown in the following images.
    1. Delete any existing claims.
    2. Add the following claims (case-sensitive) in the following images.
    • email

    • firstName

    • lastName

    • The image below is an example of how the attributes and claims should look after configuring as specified.
  9. In the SAML Certificates section, click Download for Certificate (Base64) to download and save the SAML signing certificate for later use.

  10. In the Set up Single Sign-On App section, copy the Login URL and Microsoft Entra Identifier and save for later use.
  11. Go to https://login.optimizely.com and log in using your technical contact email and password you set up. For information about properly activating the technical contact user, see Technical contact login.
  12. After you log in, you should be in the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  13. Go to Settings > SSO.
  14. Enter the Issuer URL (the Microsoft Entra Identifier from step 10) and SSO URL (the Login URL from step 10) and select the certificate that you downloaded in step 9 from your local file system.
    Make sure you enter the correct value in the correct field because otherwise, the configuration may be accepted, but users will not be able to log in successfully.

  15. Click Submit.
  16. Copy the two values in the SSO Connection Details section and save them for later use. These values will replace the Identifier and Reply URL (Assertion Consumer Service URL) placeholder values provided in step 7.

  17. After you configure the SSO connection, use the generated Audience URL and Assertion Consumer Service URL values to update the following values in the SAML application created in your organization (set in step 7 with placeholder values).
    • Identifier (Entity ID) – Paste the value from the Audience URL (step 16).
    • Reply Url (Assertion Consumer Service URL) – Paste the value from the Assertion Consumer Service URL (step 16).

      The setup is complete.

  18. Assign the SAML application (created in the previous section) to at least two users (or a user group in your IdP to which the user belongs). This ensures that you are not locked out if you experience any issues with your SSO set-up. If you do not complete this step, an error displays when a user tries to sign in from the SSO connection setup in the previous section.

Create a direct access SAML app in Okta for Opti ID

  1. In the Okta Admin Console, go to Applications > Applications: https://[your-domain].okta.com/admin/apps/active.
  2. Click Create App Integration, select SAML 2.0, and click Next.
  3. In the General Settings step, enter the App name (for example, Optimizely SSO). You can optionally select an App logo and App visibility settings. Click Next.

  4. In the Configure SAML step, set the following properties:
    • Single sign-on URL – Enter a valid placeholder URL, like https://www.sample1.com, which you will replace later.
    • Audience URI – Enter a valid placeholder URI, like https://www.sample2.com, which you will replace later.
    • Default RelayState – Optional.
    • Name ID format – Select EmailAddress.
    • Application username – Select Email.
    • Update application username on – Create and update.
    • Attribute Statements (optional) – Configure claims that are needed to properly identify a user in the Opti ID service provider. Delete any existing claims and add the following claims (case-sensitive). Ensure you add the claims using the same casing as shown below:
      Name Name format Value
      firstName URI Reference user.firstName
      lastName URI Reference user.lastName
      email URI Reference user.email
  5. Click Next. The sign-on page of your application displays.
  6. Select View SAML setup instructions. A new window or tab displays.
  7. Copy the Identity Provider Single Sign-On URL and Identity Provider Issuer and save for later use.

  8. Click Download certificate and save the certificate.
  9. Close the Setup Instructions window but keep the Application tab open.
  10. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact login.
  11. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  12. Go to Settings > SSO.
  13. Enter the Issuer URL (the Identity Provider Issuer from step 7), SSO URL (the Identity Provider Single Sign-On URL from step 7), and then select your certificate from your local file system.
    Make sure you enter the correct value in the correct field because otherwise, the configuration may be accepted, but users will not be able to log in successfully.

  14. Click Submit.
  15. Copy the two values in the SSO Connection Details section and save them for later use. These values will replace the Single sign-on URL and Audience URI placeholder values provided in step 4.

  16. Go back to your Application settings in your Okta instance and select the General tab.
  17. In the SAML Settings section, click Edit.
  18. Click Next to advance to the Configure SAML step.
  19. Use the generated Audience URL and Assertion Consumer Service URL values (from step 15) to update the following values:
    • Single sign-on URL – Paste the value for Assertion Consumer Service URL (from step 15).
    • Audience URI – Paste the value for Audience URL (from step 15).
  20. Click Next, and Next again to save. The setup is complete.
  21. Assign the SAML application (created in the previous section) to the user (or a user group in your IdP to which the user belongs). If you do not complete this step, an error displays when a user tries to sign in from the SSO connection setup in the previous section.
    To set up roles, see Roles. To set up groups, see Groups.

Test the setup

One of the users you assigned in the SAML application should test the setup. They need to be a user in the Admin Center but logged out. Open an incognito window and go to  https://login.optimizely.com. When you enter your email and click Next, it should redirect you to your organization's IdP. Double check your settings if there are any issues with signing in with your incognito window.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.