Opti ID uses your organization's Domain Name System (DNS) domains to enable just-in-time (JIT) user onboarding.
In Opti ID, you can configure your organization's DNS domains so that a user can log in if they have an email whose domain matches any of the configured domains for your organization, even if the user was not explicitly provisioned from user management in the Opti ID Admin Center.
Only add domains that your organization owns.
Adding collaborator, social, or any other domains that your organization does not own can incorrectly redirect users who are not actually affiliated with your organization to your Opti ID single sign-on (SSO) login.
Prerequisites
- Must have admin access in Opti ID.
- You cannot use System for Cross-domain Identity Management (SCIM).
- Configure the SAML or OIDC single sign-on (SSO) connection in your identity provider (IdP).
- (Optional) Sync groups from your IdP to Opti ID.
Configure DNS domains
- Log in to your organization's Opti ID home dashboard (https://login.optimizely.com).
- Go to Admin Center > Settings > Domains/Dynamic Provisioning.
- Click Add SSO Domains, select the SSO connection, and enter your organization's DNS domains. If you configure more than one domain for an SSO connection, separate them with commas, and ensure you enter only domains your organization owns.
Do not configure social domains such as hotmail.com, gmail.com, facebook.com, and so on. Also, do not configure domains belonging to external organizations that you may have a relationship with, such as agencies or partnerships. If users in your organization use email addresses with social domains or domains belonging to external organizations, you must explicitly provision them from the user management page in the Admin Center.
- Click Save. This configures the DNS domains for your organization, and users with email addresses whose domains match any of the ones configured can log in to Opti ID without first being explicitly provisioned. You will still need to provision users in groups for product access.
Social Domains
The following social domains are blocked. Attempting to add them returns an error.
- facebook.com
- gmail.com
- icloud.com
- me.com
- yahoo.com
- hotmail.com
- linkedin.com
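To make the rules on this page concrete, here is an added example (not Optimizely's code) that models the Add SSO Domains validation and the domain-match login decision. It assumes the admin also supplies a list of domains the organization owns, that matching is exact and case-insensitive (a subdomain does not match its parent), and that the blocklist is the social-domain list above.

```python
# Added example, not Opti ID's implementation: models the checks described on this page.
# Assumptions: an owned-domain list supplied by the tenant; exact, case-insensitive
# domain matching; the social-domain blocklist is the one listed on this page.

BLOCKED_SOCIAL_DOMAINS = frozenset({
    "facebook.com", "gmail.com", "icloud.com", "me.com",
    "yahoo.com", "hotmail.com", "linkedin.com",
})


def parse_domain_list(raw):
    """Split the comma-separated 'Add SSO Domains' input into normalized domains."""
    return [d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()]


def validate_sso_domains(raw, owned_domains):
    """Return (accepted, rejected); rejected maps a domain to the reason it was refused.

    Blocked social domains are refused, as the Admin Center does. Refusing domains
    outside the tenant's owned list is an assumed extra safeguard against the
    collaborator/partner-domain mistake the page warns about.
    """
    owned = {d.lower() for d in owned_domains}
    accepted, rejected = [], {}
    for domain in parse_domain_list(raw):
        if domain in BLOCKED_SOCIAL_DOMAINS:
            rejected[domain] = "blocked social domain"
        elif domain not in owned:
            rejected[domain] = "not owned by this organization"
        elif domain not in accepted:
            accepted.append(domain)
    return accepted, rejected


def jit_login_allowed(email, configured_domains, provisioned_emails=()):
    """Decide whether a user may log in: explicitly provisioned, or JIT via domain match."""
    email = email.strip().lower()
    if email in {e.lower() for e in provisioned_emails}:
        return True, "explicitly provisioned"
    if email.count("@") != 1:
        return False, "malformed email"
    domain = email.rsplit("@", 1)[1]
    if domain in {d.lower() for d in configured_domains}:
        return True, "JIT via configured domain"
    return False, "no matching domain; provision explicitly"
```

Users whose mail domain is social or belongs to a partner never match, which is exactly the case the page says must be handled by explicit provisioning.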