Configure OIDC SSO with PingOne

Opti ID lets you configure OpenID Connect (OIDC) single sign-on (SSO) with PingOne as the identity provider (IdP). With this configuration, PingOne authenticates and authorizes your users.

You can also configure OIDC SSO with Okta, Entra ID, OneLogin, or Duo (documentation coming soon).

You should set up SSO for your organization before inviting users. After you configure SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider, including the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

  1. If you have access to multiple environments in the PingOne portal, select the environment in which you want to create the SSO application for Opti ID and click Manage Environment.
  2. Go to Applications and click the plus (+) icon to add an application.
  3. Complete the following application settings, then click Save.
    • Application Name – Enter a name for the application, like Optimizely SSO.
    • Description – Enter a description for the application, like Application for Optimizely SSO.
    • Application Type – Select OIDC Web App.
  4. Copy and save the Environment ID, Client ID, and Client Secret that are automatically generated when you save the application.
  5. Go to the Configuration tab, complete the following settings, then click Save.
    • Response Type – Select Code.
    • Grant Type – Select Authorization Code. In the PKCE Enforcement drop-down list, select Optional.
    • Redirect URIs – Enter https://login.optimizely.com/oauth2/v1/authorize/callback.
    • Token Endpoint Authentication Method – Select Client Secret Post.
    • JSON Web Key Set Method – Select JWKS URL.
  6. Go to the Resources tab and verify the default openid (OpenID Connect) scope displays.
  7. Go to the Attribute Mappings tab and configure the following claims mappings:
    Attributes    PingOne Mappings    Scopes
    sub           Username            openid
    email         Email Address       openid
    firstName     Given Name          openid
    lastName      Family Name         openid
  8. Go to the Overview tab and toggle the application on for SSO.
  9. Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact initial login.
  10. After you log in, you should be on the home dashboard (https://home.optimizely.com/dashboard). Go to the Admin Center.
  11. Go to Settings > SSO > Add SSO Connection, select OIDC as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps distinguish between multiple SSO connections.
    • Provider – Select Other.
    • Client ID – Enter the Client ID from step 4.
    • Client Secret – Enter the Client Secret from step 4.
    • Well Known Metadata URL – Enter the following URL, replacing <env id> with your Environment ID from step 4: https://auth.pingone.com/<env id>/as/.well-known/openid-configuration. For example:
      Environment ID: 43rj6725-w6hd-3185-bb0a-64d1er134a22
      Well Known Metadata URL:
      https://auth.pingone.com/43rj6725-w6hd-3185-bb0a-64d1er134a22/as/.well-known/openid-configuration
  12. Click Save. If the Authorization URL, Issuer URL, JWKS URL, and Token URL fields do not automatically populate based on the metadata URL, you must manually configure them.
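
If you have to enter those four fields manually, their values can be read from the discovery document served at the Well Known Metadata URL. The following Python script is an added example, not Optimizely or PingOne code: the function names are hypothetical, the mapping from Opti ID field labels to standard OIDC discovery keys is an assumption, and the endpoint paths in the sample document are constructed for illustration. It also checks that the issuer matches the Environment ID in the URL and that the Code response type and Client Secret Post method selected in step 5 are advertised.

```python
import json
import urllib.request

PINGONE_BASE = "https://auth.pingone.com"  # host from the metadata URL in step 11
# Assumed mapping: Opti ID field label -> standard OIDC discovery metadata key
FIELD_MAP = {"Authorization URL": "authorization_endpoint", "Issuer URL": "issuer",
             "JWKS URL": "jwks_uri", "Token URL": "token_endpoint"}

def issuer_url(env_id):
    env_id = env_id.strip()
    if not env_id or any(c in env_id for c in "/<> "):
        raise ValueError("Environment ID is empty or still a placeholder")
    return f"{PINGONE_BASE}/{env_id}/as"

def metadata_url(env_id):
    return issuer_url(env_id) + "/.well-known/openid-configuration"

def fetch_metadata(env_id):
    """Download the discovery document (needs network access; not used below)."""
    with urllib.request.urlopen(metadata_url(env_id), timeout=10) as resp:
        return json.load(resp)

def opti_id_fields(env_id, doc):
    """Return the four values for manual entry, or raise if the document is off."""
    fields = {}
    for label, key in FIELD_MAP.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"{label}: '{key}' is missing or not HTTPS")
        fields[label] = value
    # OIDC Discovery: the issuer must equal the prefix of the metadata URL.
    if fields["Issuer URL"] != issuer_url(env_id):
        raise ValueError("issuer does not match the Environment ID in the URL")
    # The choices made in step 5 should be advertised by the IdP.
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("response type 'code' is not advertised")
    auth = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in auth:
        raise ValueError("client_secret_post is not advertised")
    return fields

# Constructed sample document, using the example Environment ID from step 11.
ENV_ID = "43rj6725-w6hd-3185-bb0a-64d1er134a22"
SAMPLE_DOC = {
    "issuer": f"{PINGONE_BASE}/{ENV_ID}/as",
    "authorization_endpoint": f"{PINGONE_BASE}/{ENV_ID}/as/authorize",
    "token_endpoint": f"{PINGONE_BASE}/{ENV_ID}/as/token",
    "jwks_uri": f"{PINGONE_BASE}/{ENV_ID}/as/jwks",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    for label, value in opti_id_fields(ENV_ID, SAMPLE_DOC).items():
        print(f"{label}: {value}")
```

To check your own environment, pass the result of `fetch_metadata(env_id)` to `opti_id_fields` in place of the sample document.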

Test the SSO connection

One of the users you assigned in the OIDC application should test the setup. They must be a user in the Opti ID Admin Center and must be logged out.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. When you enter your email and click Next, it should redirect you to your organization's IdP.
  3. If you have any issues signing in from the incognito window, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.