Add external collaborators to an SSO organization

  • Updated

Opti ID lets you invite an external collaborator who is not part of your organization to collaborate on projects. These external collaborators may or may not be using your organization's email addresses.

This is ideal for partners or other external collaborators who require access to Opti ID but are not part of your organization.

Prerequisites

Options for adding external collaborators

You can add an external collaborator in one of the following ways:

  1. Enable selective local login – Add external collaborators with a local login account while maintaining SSO login for your organization's users. Keep everything under one organization in Opti ID, and keep your SSO system to only users within your organization.
  2. Create a partner organization – Create a partner organization in Opti ID where you can add user accounts for external collaborators. Keep your organization's users and your external collaborators in separate Opti ID organizations; one Opti ID organization for your users and one Opti ID organization for your external collaborators. And keep your SSO system to only users within your organization.
  3. Add directly to your identity provider – Add an external collaborator directly to your identity provider. Keep everything under one organization in Opti ID, and keep all users (both internal and external) on your organization's SSO.

Option 1: Enable selective local login

Opti ID lets you add local login users outside of your SSO system. With this feature, you can ensure users within your organization log in to Opti ID through your organization's SSO, and then you can also give individual, local login access as needed to users outside your SSO organization.

To enable selective local login for your organization:

  1. Go to Settings > Authentication > SSO in the Opti ID Admin Center.
  2. Toggle Enable Selective Local Login to On. This adds a Local Login toggle to user accounts in Opti ID, giving you the option to pick specific user accounts to switch to local login.
  3. (Optional) Toggle Multi-Factor Authentication (MFA) to On. This requires local login users to use MFA when they log in to Opti ID, which Opti ID will prompt them to set up during their next login. See Log in with MFA.

After you enable selective local logins for your organization, you can switch an existing user account to local login.

  1. Go to Users.
  2. Select a user account.
  3. Toggle Local Login to On. (Default is Off). This sends an Opti ID activation email to the user, requiring them to create a password for their local login account.

When you switch an SSO user to selective local login, they can no longer log in through SSO and must instead use local login.

For any new users that do not already have an account in Opti ID, you must first invite them, and then enable local login on their account using these instructions.

Disable selective local login

You can disable selective local login for specific users or for your entire organization. To disable it for a specific user:

  1. Go to Users in the Opti ID Admin Center.
  2. Select a user account.
  3. Toggle Local Login to Off. This switches the user back to SSO. Their local login account will no longer work, and they must sign in to Opti ID with their SSO account. If they do not have an SSO account, they cannot log in to Opti ID until you create one for them.

To disable selective local login for your entire organization:

  1. Go to Settings > Authentication > SSO in the Opti ID Admin Center.
  2. Toggle Enable Selective Local Login to Off. This removes the Local Login toggle from user accounts in Opti ID and switches any local login users to SSO. Their local login account will no longer work, and they must sign in to Opti ID with their SSO account. If they do not have an SSO account, they cannot log in to Opti ID until you create one for them.

If you remove an SSO integration, that converts all users to local login without support for selective local login (since all users are already on local login). If you reconfigure the SSO integration and you want to use selective local logins again, you must re-enable it.

Users retain their selective local login setup when you move them to another organization that also has it enabled.

Option 2: Create a partner organization

If you do not want to add external collaborators to your main Opti ID organization, you can create a separate Opti ID organization specific to external collaborators. To do this, submit a ticket to Optimizely Support, who will create the partner organization and add the requested external collaborators to it.

Users of the partner organization will receive an Opti ID account activation email, and sign in through the partner organization.

Option 3: Add directly to your identity provider

If you would prefer to manage users within a single SSO system and Opti ID organization, you can add external collaborators directly to your identity provider.

External collaborators sign in through the same SSO organization your internal users do.