Configure SAML SSO with Okta

Opti ID lets you configure Security Assertion Markup Language (SAML) SSO with Okta as the IdP. With this setup, Okta authenticates and authorizes your users.

You can also configure SAML SSO with Entra ID, PingOne, Duo, or OneLogin (documentation coming soon).

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

  1. In the Okta Admin Console, go to Applications > Applications: https://[your-domain].okta.com/admin/apps/active.
  2. Click Create App Integration, select SAML 2.0, and click Next.
  3. In the General Settings step, enter the App name (for example, Optimizely SSO). You can optionally select an App logo and App visibility settings. Click Next.

  4. In the Configure SAML step, set the following properties:
    • Single sign-on URL – Enter a valid placeholder URL, like https://www.sample1.com, which you will replace later.
    • Audience URI – Enter a valid placeholder URI, like https://www.sample2.com, which you will replace later.
    • Default RelayState – Optional.
    • Name ID format – Select EmailAddress.
    • Application username – Select Email.
    • Update application username on – Create and update.
    • Attribute Statements (optional) – Configure claims that are needed to properly identify a user in the Opti ID service provider. Delete any existing claims and add the following claims (case-sensitive). Ensure you add the claims using the same casing as shown below:
      Name        Name format     Value
      firstName   URI Reference   user.firstName
      lastName    URI Reference   user.lastName
      email       URI Reference   user.email
  5. Click Next. The sign-on page of your application displays.
  6. Select View SAML setup instructions. A new window or tab displays.
  7. Copy the Identity Provider Single Sign-On URL and Identity Provider Issuer and save for later use.

  8. Click Download certificate and save the certificate.
  9. Close the Setup Instructions window but keep the Application tab open.
  10. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact login.
  11. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  12. Go to Settings > SSO > Add SSO Connection, select SAML as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps you distinguish between multiple SSO connections.
    • Issuer URL – Enter the Identity Provider Issuer from step 7.
    • SSO URL – Enter the Identity Provider Single Sign-On URL from step 7.
    • Signature Certificate – Select your certificate from your local file system.
      Enter each value in its correct field. If the values are swapped or mistyped, the configuration may still be accepted, but users will not be able to log in.
  13. Click Save.
  14. Copy the two values in the SSO Connection Details section and save them for later use. These values will replace the Single sign-on URL and Audience URI placeholder values provided in step 4.

  15. Go back to your Application settings in your Okta instance and select the General tab.
  16. In the SAML Settings section, click Edit.
  17. Click Next to advance to the Configure SAML step.
  18. Use the generated Audience URL and Assertion Consumer Service URL values (from step 14) to update the following values:
    • Single sign-on URL – Paste the value for Assertion Consumer Service URL (from step 14).
    • Audience URI – Paste the value for Audience URL (from step 14).
  19. Click Next, and Next again to save. The setup is complete.
  20. Assign the SAML application (created in step 2) to the user, or to a user group in your IdP to which the user belongs. If you skip this step, an error displays when a user tries to sign in through the SSO connection created in step 12.
    To set up roles, see Roles. To set up groups, see Groups.
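The claims in step 4 are case-sensitive, and the Audience URI in step 18 must exactly match the value Opti ID generated. The following checker is an added example, not part of Optimizely's or Okta's documentation; it parses a constructed sample assertion (the kind Okta sends to the Assertion Consumer Service URL) and reports the mismatches a practitioner most often hits before testing the connection. The SAML URN constants are the standard values behind Okta's "URI Reference" and "EmailAddress" options; the expected audience string is a placeholder for the Audience URL from step 14.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"           # Okta "URI Reference"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Okta "EmailAddress"
REQUIRED_CLAIMS = ("firstName", "lastName", "email")  # case-sensitive, as listed in step 4


def check_assertion(xml_text: str, expected_audience: str) -> list:
    """Return the problems found; an empty list means the assertion matches the documented setup."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no SAML assertion found"]
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID missing or not in EmailAddress format")
    audiences = [a.text for a in assertion.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not match the Opti ID Audience URL")
    attrs = {a.get("Name"): a for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    for claim in REQUIRED_CLAIMS:
        if claim not in attrs:
            # Flag a claim that exists only with the wrong casing (the usual mistake)
            near = [n for n in attrs if n and n.lower() == claim.lower()]
            hint = f" (found {near[0]!r}; names are case-sensitive)" if near else ""
            problems.append(f"missing claim {claim!r}{hint}")
        elif attrs[claim].get("NameFormat") != URI_NAME_FORMAT:
            problems.append(f"claim {claim!r} is not in URI Reference name format")
        elif not (attrs[claim].findtext("saml2:AttributeValue", "", NS) or "").strip():
            problems.append(f"claim {claim!r} has an empty value")
    return problems


# Constructed sample: correct NameID, but the placeholder audience from step 4
# was never replaced (step 18) and firstName was added with the wrong casing.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID></saml2:Subject>
 <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://www.sample2.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>jane@example.com</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for p in check_assertion(SAMPLE_ASSERTION, "https://AUDIENCE-URL-FROM-STEP-14"):
        print("problem:", p)
```

Run it against a decoded SAMLResponse captured from the browser's developer tools during the test in the last section; an empty result means the IdP side matches what Opti ID expects.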

Configure IdP-initiated login

After you configure your SSO connection, you can enable IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned to the SAML application should test the setup. That user must already exist in the Opti ID Admin Center and must be logged out of Opti ID.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. Enter your email and click Next. You should be redirected to your organization's IdP.
  3. If sign-in fails in the incognito window, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.