Add external collaborators to an SSO organization

  • Updated

Opti ID lets you invite an external collaborator who is not part of your organization to collaborate on projects. These external collaborators may or may not use your organization's email addresses.

This is ideal for partners or other external collaborators who require access to Opti ID but are not part of your organization. 

Prerequisites

Ways to add collaborators

You should consult with your partners or external collaborators before deciding on an option that best fits your needs.

  • Enable selective local login – Add external collaborators to your organization with a local login account while maintaining SSO login for your organization's users. Keep everything under one organization in Opti ID, and keep your SSO system to users only within your organization.

    Opti ID SSO login for internal users and selective local login for external users

  • Create a partner organization – Submit a request to Optimizely Support to create a partner organization in Opti ID and the external collaborators you want to add to it. Keep your organization's users and your external collaborators in separate Opti ID organizations; one Opti ID organization for your users and one Opti ID organization for your external collaborators. And keep your SSO system to users only within your organization.

    Opti ID main organization for internal users and partner organization for external users

  • Add directly to your identity provider – Add an external collaborator directly to your identity provider. Keep everything under one organization in Opti ID, and keep all users (both internal and external) on your organization's SSO.

    Opti ID add external users directly to your identity provider

Option 1: Enable selective local login

Opti ID lets you add local login users outside of your SSO system. With this feature, you can ensure users within your organization log in to Opti ID through your organization's SSO, and then you can also give individual, local login access as needed to users outside your SSO organization. 

To enable selective local login for your organization, complete the following:

  1. Go to Settings > Authentication > SSO in the Opti ID Admin Center.

  2. Toggle Enable Selective Local Login to On. This adds a Local Login toggle to user accounts in Opti ID, giving you the option to pick specific user accounts to switch to local login.

  3. (Optional) Toggle Multi-Factor Authentication (MFA) to On. This requires local login users to use MFA when they log in to Opti ID, which Opti ID prompts them to configure during their next login. See Log in with MFA.
  4. Go to Users.

  5. Select an existing user account for which you want to enable local login.

    For any new users that do not already have an account in Opti ID, you must first invite them, and then enable local login on their account.
  6. Toggle Local Login to On. Default is Off. This sends an Opti ID activation email to the user, requiring them to create a password for their local login account.
  7. Repeat steps 4 to 6 for each user you want to enable local login for.

When you switch an SSO user to selective local login, they can no longer log in through SSO and must instead use local login.

Disable selective local login

You can disable selective local login for specific users or for your entire organization. To disable it for a specific user, complete the following:

  1. Go to Users in the Opti ID Admin Center.
  2. Select a user account.
  3. Toggle Local Login to Off. This switches the user back to SSO. They can no longer use their local login account, and they must sign in to Opti ID with their SSO account. If they do not have an SSO account, they cannot log in to Opti ID until you create one for them.

To disable selective local login for your entire organization, complete the following:

  1. Go to Settings > Authentication > SSO in the Opti ID Admin Center.

  2. Toggle Enable Selective Local Login to Off. This removes the Local Login toggle from user accounts in Opti ID and switches any local login users to SSO. They can no longer use their local login account, and they must sign in to Opti ID with their SSO account. If they do not have an SSO account, they cannot log in to Opti ID until you create one for them.

If you remove an SSO integration, all users convert to local login, and the system no longer offers selective local login (because all users are already on local login). If you reconfigure the SSO integration and you want to use selective local logins again, you must re-enable it.

Users retain their selective local login configuration when you move them to another organization that also has it enabled.

Option 2: Create a partner organization

If you do not want to add external collaborators to your main Opti ID organization, Optimizely can create a separate Opti ID organization specific to external collaborators.

Contact Optimizely Support to create the partner organization and add the requested external collaborators to it.

Provide the following information in your request to ensure a smooth process:

  • Official name for the partner organization
  • Technical contact for the partner organization responsible for inviting and managing users within the partner organization.

The technical contact receives an Opti ID account activation email, and signs in through the partner organization.

When inviting a user in this configuration, ensure they receive their first invitation from their intended home organization. For external collaborators, this means the partner organization. For internal collaborators, it means your main Opti ID organization.

Option 3: Add directly to your identity provider

If you prefer to manage users within a single SSO system and Opti ID organization, you can add external collaborators directly to your identity provider.

External collaborators sign in through the same SSO organization your internal users do.