Set up Azure AD SSO with Opti ID

To use Opti ID, you must create a Security Assertion Markup Language 2.0 (SAML2) relationship. In this topic, Optimizely uses Azure AD as its identity provider (IDP), but you can use another IDP and the setup should be similar. Contact Optimizely if you have any questions.

Create a direct access app in Azure AD for your Okta tenant

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. Select the Azure Active Directory service.
  3. Go to Enterprise Applications > All Applications.
  4. Select New application.
  5. In the Manage section of the left menu, select Single sign-on (SSO) to open the Single sign-on pane for editing.
  6. Select SAML (Security Assertion Markup Language) to open the SSO configuration page. After the application is configured, users can sign into it by using their credentials from the Azure AD tenant.
  7. To configure SSO in Azure AD, in the Azure portal, select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
    These are temporary settings until the final values are obtained from Optimizely.
    • Identifier – Enter https://www.sample1.com. (You will edit this later.)
    • Reply URL (Assertion Consumer Service URL) – Enter https://sample2.com. (You will edit this later.)
    • Click Save.

  8. In the Attribute and Claim section, select Edit and go to Additional claims. Update email, firstName, lastName and Groups (note the casing of the field names) as shown in the following images.
    1. Delete any existing claims.
    2. Add the following claims (note the casing), as shown in the following images.
    • email

    • firstName

    • lastName

    • Groups (must be uppercase G)

      If you are a beta customer using Azure AD and can already log in successfully to Opti ID, you may not need these steps. Contact Optimizely support if you need any more details.
  9. In the SAML Certificates section, select Download for Certificate (Base64) to download the SAML signing certificate and save it to be used later.

  10. Go to https://login.optimizely.com and log in using the technical contact email and password you set up.
  11. Once logged in, you should be in the Optimizely Admin Center. Click SSO Settings.

  12. In the Single Sign-on view, enter the Issuer URL (the Azure AD identifier from step 9) and the SSO URL (the Login URL from step 9) you obtained, and then select your certificate from your local file system.
    Make sure you enter the correct value in the correct field; otherwise the configuration may be accepted but users will not be able to log in successfully.

  13. Click Submit.
  14. Copy the two values in the SSO Connection Details section. These values will replace the dummy values provided in step 7.

  15. After you successfully configure the SSO connection, use the generated Audience URL and Assertion Consumer Service URL values to update the following values in the SAML application that was created in your organization (set in step 7 with temporary values).
    • Reply URL (Assertion Consumer Service URL) – Set from the Assertion Consumer Service URL.
    • Identifier (Entity ID) – Set from the Audience Restriction URI.

      The setup is complete.

  16. Assign the SAML application (created in the previous section) to the user (or to a user group in your identity provider to which the user belongs). If you do not complete this step, an error is displayed when a user tries to sign in from the SSO connection set up in the previous section.

Test the setup

Open an Incognito window and go to https://login.optimizely.com. When you enter your email and click Next, it should redirect you to your organization's identity provider. If there are any issues with signing in with your Incognito tab, double-check your settings.

If it does not work correctly, there may be a custom attribute mapping that needs to happen between Azure AD and the Optimizely Okta tenant. Contact support for help.

Resources

  • Tutorial: Azure AD SSO integration with Azure AD SAML Toolkit

Troubleshoot

If you experience issues signing in with Opti ID, contact Optimizely support. Also, send the following information to the Opti ID team so that they can help the Optimizely support team further troubleshoot the issue.

Azure AD exposes a federation metadata document that contains information about the federation service: the data used to create trusts, the token-signing certificates, and the tenant-specific endpoints, among other things. Send this document, or the federation metadata document URL, to the Opti ID support team.

To download this document, use the following steps:

  1. Go to the Azure Portal.
  2. Select Azure Active Directory > App registrations.
  3. Select your SAML application.
  4. Go to Overview > Endpoints, then send the Federation metadata document or its URL to Optimizely support.
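As an added example (not Optimizely's or Microsoft's code), the following Python script reads a constructed Azure AD federation metadata document of the kind described above and pulls out the Issuer URL, SSO URL and signing certificate that step 12 asks for, then checks a constructed assertion for the four claims from step 8 and flags the casing mistakes the page warns about. The tenant ID, certificate and attribute values are placeholders.

```python
# Added example (not Optimizely's or Microsoft's code): pre-flight check of the values copied between Azure AD and Opti ID.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names Opti ID expects; step 8 stresses that casing matters.
REQUIRED_CLAIMS = ("email", "firstName", "lastName", "Groups")

# Constructed stand-in for an Azure AD federation metadata document (tenant ID and cert are placeholders).
METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion fragment containing a common mistake: "groups" instead of "Groups".
ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeStatement>
  <Attribute Name="email"><AttributeValue>jane@example.com</AttributeValue></Attribute>
  <Attribute Name="firstName"><AttributeValue>Jane</AttributeValue></Attribute>
  <Attribute Name="lastName"><AttributeValue>Doe</AttributeValue></Attribute>
  <Attribute Name="groups"><AttributeValue>opti-admins</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

def parse_idp_metadata(xml_text):
    # Extract the Issuer URL (entityID), SSO URL (HTTP-Redirect endpoint) and signing cert(s) that step 12 needs.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith("HTTP-Redirect"):
            sso_url = svc.get("Location")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in idp.findall(cert_path, NS)]
    return {"issuer": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}

def check_claims(assertion_xml):
    # Report each required claim that is absent, separating casing mistakes from claims that are missing entirely.
    present = [a.get("Name") for a in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS)]
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in present:
            near = [p for p in present if p.lower() == name.lower()]
            problems.append(f"{name}: wrong casing {near}" if near else f"{name}: missing")
    return problems
```

Run it against the real federation metadata document downloaded in the steps above and against a captured assertion to confirm the values before entering them in SSO Settings.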