Opti ID lets you configure Security Assertion Markup Language (SAML) SSO with PingOne as the identity provider (IdP). With this configuration, PingOne authenticates and authorizes your users.
You should set up SSO for your organization before inviting users. After you configure SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider, including the technical contact who originally set up Opti ID for your organization.
Configure the SSO connection
- If you have access to multiple environments in the PingOne portal, select the environment in which you want to create the SSO application for Opti ID and click Manage Environment.
- Go to Applications and click the plus (+) icon to add an application.
- Complete the following application settings, then click Configure.
  - Application Name – Enter a name for the application, like Optimizely SSO.
  - Description – Enter a description for the application, like Application for Optimizely SSO.
  - Application Type – Select SAML Application.
- Complete the additional application settings, then click Save.
  - Provide Application Metadata – Select Manually Enter.
  - ACS URLs – Enter a valid placeholder URL, like https://www.sample2.com. You will replace this later.
  - Entity ID – Enter a valid placeholder URL, like https://www.sample1.com. You will replace this later.
- Go to the Attribute Mappings tab and click the pencil icon to edit.
- Add the following claims mappings (case sensitive), then click Save.
  | Attributes | PingOne Mappings | Required |
  | --- | --- | --- |
  | saml_subject | Username | Yes |
  | firstName | Given Name | Yes |
  | lastName | Family Name | Yes |
  | email | Email Address | Yes |
- Go to the Configuration tab, click Download Signing Certificate, and select X509 PEM (.crt) to download and save the SAML signing certificate for later use.
- Copy the Issuer ID and Single Signon Service URLs from the Configuration tab and save them for later use.
- Go to the Overview tab and toggle the application on for SSO.
- Log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact initial login.
- After you log in, you should be on the home dashboard (https://home.optimizely.com/dashboard). Go to the Admin Center.
- Go to Settings > SSO > Add SSO Connection, select SAML as the connection type, and complete the following fields:
  - Connection Name – Enter a name for this SSO connection to display when users log in. This helps you distinguish between multiple SSO connections.
  - Issuer URL/Entity ID – Enter the Issuer ID from step 8.
  - SSO URL – Enter the Single Signon Service URL from step 8.
  - Signature Certificate – Select the certificate that you downloaded in step 7.
- Click Save.
- Copy the Audience URL and Assertion Consumer Service URL from the SSO Connection Details section.
- Use the generated Audience URL and Assertion Consumer Service URL values to update the following placeholder values from step 4 in your PingOne SAML application:
  - ACS URLs – Paste the value from the Assertion Consumer Service URL.
  - Entity ID – Paste the value from the Audience URL.
Test the SSO connection
One of the users you assigned in the SAML application should test the setup. The tester must be a user in the Opti ID Admin Center and must be logged out.
- Open an incognito window and go to https://login.optimizely.com.
- When you enter your email and click Next, it should redirect you to your organization's IdP.
- If you have any issues signing in from the incognito window, double-check your settings.
If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.
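One way to double-check the settings when the test login fails, as an added example (not Optimizely or PingOne code): the script below inspects a decoded SAML assertion captured from the test login and reports required attributes that are missing or wrongly cased, plus an Audience or Recipient that still holds a step 4 placeholder. It assumes that saml_subject is delivered as the Subject NameID and that the placeholders are the sample URLs shown in step 4; the sample assertion is constructed, and the script checks configuration only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email")  # case-sensitive names from the mapping table
PLACEHOLDERS = ("https://www.sample1.com", "https://www.sample2.com")  # step 4 sample values

# Constructed sample assertion (not real PingOne output): "Email" has the wrong
# case and the Audience still carries the step 4 placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://acs.example.test/saml"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://www.sample1.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of configuration problems found in a decoded SAML assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    # Assumption: the saml_subject mapping is emitted as Subject/NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("saml_subject: Subject/NameID is missing or empty")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if name not in present:
            # Look for the same name in a different case to explain the miss.
            near = sorted(p for p in present if p and p.lower() == name.lower())
            hint = f" (found {near[0]!r}, names are case sensitive)" if near else ""
            problems.append(f"{name}: required attribute missing{hint}")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    data = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient", "") if data is not None else ""
    for label, value in (("Entity ID (Audience)", audience), ("ACS URL (Recipient)", recipient)):
        if not value or value.rstrip("/") in PLACEHOLDERS:
            problems.append(f"{label}: empty or still a step 4 placeholder: {value!r}")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print(problem)
```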