Opti ID introduces a single login for all Optimizely products, so users only need to authenticate once to access all integrated Optimizely experiences. Opti ID supports the following Optimizely products:
- Analytics
- Campaign
- Commerce Connect
- Configured Commerce
- Content Management System (PaaS)
- Content Management System (SaaS)
- Content Marketing Platform (CMP)
- Content Recommendations
- Data Platform (ODP)
- Digital Experience Platform (DXP)
- Experimentation (Feature Experimentation and Web Experimentation)
- (standalone) Optimizely Opal
- Product Information Management
- Product Recommendations
To further streamline the process, your organization can configure single sign-on (SSO) for Opti ID. To do this, you must configure an SSO app in your identity provider (IdP) specifically for Opti ID. This configuration is distinct from any previous product-specific IdP configurations you may have used.
After your organization configures its Opti ID SSO app and migrates users to Opti ID, this single Opti ID SSO IdP app manages their access to all Optimizely products, rather than separate ones for each product.
This means users can log in once through the Opti ID SSO IdP app and seamlessly access all linked Optimizely products without needing to sign in again. Key benefits include:
- Streamlined user authentication – A single SSO login experience across all Optimizely products reduces the need for multiple logins and credentials.
- Simplified user administration – IT teams can leverage SCIM automation and more efficiently manage access with one IdP app after migrating to Opti ID.
- Enhanced security and centralized control – IT teams can apply corporate multi-factor authentication (MFA) and password policies.
- Improved governance and visibility for audits – Administrators can monitor user activity and changes to user data within your organization.
Overview of switching to a single Opti ID SSO app in your IdP
When you migrate to Opti ID, you move from multiple Optimizely SSO apps to a single Opti ID SSO app in your IdP. This simplifies SSO app and user management for administrators, while also providing a consistent login experience across all Optimizely products for end users.
If you currently have separate SSO apps configured in your IdP for each Optimizely product, you must:
- Configure one Opti ID SSO app in your IdP.
- Deprecate the individual product-specific SSO apps.
Example implementation
Your organization uses the following Optimizely products without Opti ID:
- Optimizely Web Experimentation
- Optimizely Content Management System (CMS) SaaS
- Optimizely Data Platform (ODP)
You have SSO configured through your IdP for each product, meaning you may have three individual apps in your IdP: one for Web Experimentation, one for CMS (SaaS), and one for ODP.
When you migrate to Opti ID, you cannot use those individual SSO apps anymore because users must authenticate through Opti ID before being routed to their desired Optimizely product. To handle this, you must configure a new SSO app in your IdP for Opti ID.
This way, users in your organization can log in once through the Opti ID SSO app in your IdP, which gives them access to all of your Optimizely products in the Opti ID global navigation bar.
After migrating to Opti ID, deprecate all previous product-specific IdP apps, leaving only the Opti ID SSO app.
Use your organization's SSO with Opti ID
When you create users, Optimizely assigns them a home organization. When the technical contact enables SSO for their organization and subsequently creates users, all users (including the technical contact) must follow the login requirements (such as optional domain-based authentication) for the home organization and can no longer log in with their original activation password credentials (local login).
Opti ID lets you configure up to five single sign-on (SSO) connections for your organization. When configuring multiple SSO connections, they can each use different authentication protocols and identity providers (IdP):
- Authentication protocols – Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)
- Identity providers – You can use any identity provider (IdP) that supports SAML or OIDC protocols.
For only one of your five SSO connections, you can also use System for Cross-domain Identity Management (SCIM) to automate user identity provisioning from your IdP to Opti ID.
- Determine if you want to use SCIM – Whether you configure one SSO connection or multiple, first, determine whether you want to use SCIM to manage user identity and permissions within your IdP and automate the information between your IdP and Opti ID.
- Configure SSO – Use one of the following instructions to configure SSO in your IdP:
  - All Optimizely products except CMS
  - CMS (SaaS)
  - CMS 12
- (Optional) Add external collaborators – After you configure SSO for your organization, you can add external collaborators (like partners) who need access to Opti ID without using your organization's SSO.
If you are configuring multiple SSO connections, repeat the steps for each SSO connection you want to configure. Configuring SSO forces all your users to log in using SSO, regardless of whether you configure one or five SSO connections.
Ensure all SSO connections function correctly, so all users within your organization can access Optimizely.
When configuring SSO, you must enter a Connection Name for each SSO connection that displays to users when they log in. This name helps users select the correct SSO connection for their login. All configured SSO connections display on the Opti ID login page for all your organization's users; each user selects the SSO connection that applies to them.
The following image shows how the login page displays to users if your organization has two SSO connections configured: one named acme.com and the other named gov.acme.com.
Use cases for multiple SSO connections
Here are use cases for configuring multiple SSO connections.
Users are segmented across domains and SSO logins
For example, customer Acme (acme.com) has a sub-company (gov.acme.com) that deals with sensitive government contracts, and those users need to log in with higher security measures. To enable this, you can configure two separate SSO connections: one for the general acme.com users and one for the gov.acme.com users.
You need to make changes to your existing SSO connection
If you updated your organization's SSO configuration or created an SSO connection with an error, you should create a new SSO connection in Opti ID first with the updated information before removing the old connection. This prevents users from converting to local login and receiving activation emails from Opti ID.
Switch from SSO to local login
If you want to switch your organization from SSO to local login:
- Go to Settings > SSO in the Opti ID Admin Center.
- Click Remove Connection.
Removing all your configured SSO connections switches your organization (and all your users) to local login. When that happens, Opti ID sends activation emails to your users so they can activate their local account, which includes configuring a password.