Configure OIDC SSO with Okta

Opti ID lets you configure OpenID Connect (OIDC) SSO with Okta as the IdP. With this setup, Okta authenticates and authorizes your users.

You can also configure OIDC SSO with Entra ID, PingFederate, or Duo (documentation coming soon).

You should set up SSO for your organization before inviting new users. After you set up SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

  1. In the Okta Admin Console, go to Applications > Applications: https://[your-domain].okta.com/admin/apps/active.
  2. Click Create App Integration and complete the following, then click Next:
    • Sign-in method – Select OIDC - OpenID Connect.
    • Application type – Select Web Application.
  3. In the General Settings step, complete the following:
    • App integration name – Enter a name for the application (for example, Optimizely SSO).
    • Logo (Optional) – Select a logo for the application.
    • Grant type – Select Authorization Code and Refresh Token.
    • Sign-in redirect URIs – Enter https://login.optimizely.com/oauth2/v1/authorize/callback.
  4. In the Assignments step, complete the following, then click Save:
    • Controlled access – Assign a group or leave the default (everyone). If you limit access to specific groups, verify that the groups you select include the users you want to have access.
    • Enable immediate access – Select this checkbox.
  5. Gather the following information from the settings page that displays, which you will use to configure SSO in Opti ID:
    • Client ID – In the Client Credentials section of the General tab of the new application's settings in Okta.
    • Client Secret – In the Client Secrets section of the General tab of the new application's settings in Okta.
    • OpenID Connect metadata document URL
      • https://${yourOktaDomain}/.well-known/openid-configuration – If you are using the default Org Authorization Server.
      • https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/openid-configuration – If you are using a Custom Authorization Server.
  6. Go to https://login.optimizely.com and log in using your technical contact email and password. For more information about properly activating the technical contact user, see Technical contact login.
  7. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). Click Admin Center.
  8. Go to Settings > SSO > Add SSO Connection, select OIDC as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps distinguish between multiple SSO connections.
    • Provider – Select Okta.
    • Client ID – Enter the Client ID from step 5.
    • Client Secret – Enter the Client Secret from step 5.
    • Well Known Metadata URL – Enter the OpenID Connect metadata document URL from step 5.
  9. Click Save. If the Authorization URL, Issuer URL, JWKS URL, Token URL, and User Info URL fields do not automatically populate based on the metadata URL, you must manually configure them.
  10. You can now test your SSO connection by logging out of Opti ID and logging back in. The login flow should now direct you to your Okta provider.
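
If the fields in step 9 do not populate, their values can be read from the metadata document gathered in step 5. The following Python is an added example, not Optimizely or Okta code: it maps a parsed metadata document to the five Opti ID fields and rejects a document whose issuer does not match the URL it came from. The function name, the `example.okta.com` sample, and the same-host check are assumptions made for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Opti ID field label (step 9) -> key in the OIDC discovery document
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Issuer URL": "issuer",
    "JWKS URL": "jwks_uri",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
}

def opti_id_fields(metadata_url, metadata):
    """Return the five step-9 values; raise ValueError if the document looks wrong."""
    if not metadata_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an OpenID Connect metadata document URL")
    expected_issuer = metadata_url[: -len(WELL_KNOWN_SUFFIX)]
    # OIDC Discovery requires the issuer to equal the metadata URL minus the suffix.
    if metadata.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {metadata.get('issuer')!r}")
    issuer_host = urlsplit(expected_issuer).hostname
    fields = {}
    for label, key in FIELD_MAP.items():
        value = metadata.get(key)
        if not value:
            raise ValueError(f"metadata is missing {key}")
        parts = urlsplit(value)
        if parts.scheme != "https":
            raise ValueError(f"{key} is not HTTPS: {value}")
        # Assumption: endpoints share the issuer's host (a sanity check, not a spec rule).
        if parts.hostname != issuer_host:
            raise ValueError(f"{key} is on an unexpected host: {value}")
        fields[label] = value
    return fields

# Constructed sample shaped like a Custom Authorization Server document.
BASE = "https://example.okta.com/oauth2/default"
SAMPLE_URL = BASE + WELL_KNOWN_SUFFIX
SAMPLE_METADATA = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token",
    "userinfo_endpoint": BASE + "/v1/userinfo",
    "jwks_uri": BASE + "/v1/keys",
}

if __name__ == "__main__":
    for label, value in opti_id_fields(SAMPLE_URL, SAMPLE_METADATA).items():
        print(f"{label}: {value}")
```

To use it with your own tenant, download the metadata document from the URL in step 5, parse it as JSON, and pass the URL and the parsed document to `opti_id_fields`.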

Configure IdP-initiated login

After you configure your SSO connection, you can enable IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned in the OIDC application should test the setup. The tester must already be a user in the Opti ID Admin Center and must be logged out.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. When you enter your email and click Next, it should redirect you to your organization's IdP.
  3. If you have any issues signing in from the incognito window, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.