Overview of configuring your own SSO for Opti ID

Opti ID introduces a single login for all Optimizely products, meaning users only need to authenticate once to access all integrated Optimizely products.

To make this even more streamlined, you can configure single sign-on (SSO) for Opti ID. To do this, your organization must configure an SSO app in your identity provider (IdP) specifically for Opti ID. This is distinct from any previous product-specific IdP configurations.

After you configure the Opti ID SSO IdP app and your organization's users migrate to Opti ID, their access to all Optimizely products is managed by the single Opti ID SSO IdP app (as opposed to one for each Optimizely product).

This means your organization's users can log in once through the Opti ID SSO IdP app, and access all linked Optimizely products without having to sign in again. This provides the following benefits:

  • Streamlined user authentication – Users benefit from an SSO experience across all Optimizely products, reducing the complexity of managing multiple credentials.
  • Simplified user administration – IT teams can manage access more efficiently, with fewer IdP apps to maintain after migrating to Opti ID.

Opti ID lets you configure up to five SSO connections for your organization.

Overview of switching to a single Opti ID SSO app in your IdP

When you migrate to Opti ID, if you already have an SSO app configured in your identity provider (IdP) for each Optimizely product, you need to configure an Opti ID SSO app in your IdP and deprecate the individual product apps.

For example, you might have the following Optimizely products:

  • Optimizely Web Experimentation
  • Optimizely Content Management System (CMS) SaaS
  • Optimizely Data Platform (ODP)

And you have SSO configured through your IdP for each product, meaning you have three individual apps in your IdP: one for Web Experimentation, one for CMS SaaS, and one for ODP.

When you migrate to Opti ID, you cannot use those individual SSO apps anymore because users must authenticate through Opti ID first before they are routed to their desired Optimizely product. To handle this, you must configure a new SSO app in your IdP for Opti ID.

This way, users in your organization can log in once through the Opti ID SSO app in your IdP, which then gives them access to all of your Optimizely products in the Opti ID global navigation bar.

After migrating to Opti ID, deprecate all previous product-specific IdP apps, leaving only the Opti ID SSO app.

Configure SSO for Opti ID

Opti ID lets you configure up to five single sign-on (SSO) connections for your organization. When you configure multiple SSO connections, each can use a different authentication protocol and identity provider (IdP):

  • Available authentication protocols – Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)
  • Available identity providers – Entra ID, Okta, PingOne, Duo

For each SSO connection, you can also use System for Cross-domain Identity Management (SCIM) to automate user identity provisioning from your IdP to Opti ID.

  1. Determine if you want to use SCIM – Whether you configure one SSO connection or multiple, the first thing to do is determine whether you want to use SCIM to manage user identity and permissions within your IdP and automate the transfer of that information between your IdP and Opti ID.
  2. Configure SSO – Use one of the following instructions to configure SSO in your IdP:

If you are configuring multiple SSO connections, repeat the steps for each SSO connection you want to configure.

Configuring SSO forces all your users to log in using SSO, regardless of whether you configure one or five SSO connections.

As described in the SSO configuration articles, you must enter a name for each SSO connection that will display to users when they log in. This name helps users select the correct SSO connection for their login. All of your configured SSO connections display on the Opti ID login page for all of your organization's users; each user must select the SSO connection that applies to them.

Ensure all your SSO connections are configured correctly and are functional so that all users within your organization can access Optimizely.

The image below shows how the login page displays to users if your organization has two SSO connections configured: one named acme.com and the other named gov.acme.com.

Use cases for multiple SSO connections

The following are some use cases for configuring multiple SSO connections.

Users are segmented across domains and SSO logins

For example, customer Acme (acme.com) has a sub-company (gov.acme.com) that deals with sensitive government contracts, and those users need to log in with higher security measures. To enable this, you can set up two separate SSO connections: one to handle the general acme.com users and one to handle the gov.acme.com users.

You need to make changes to your existing SSO connection

If you updated your organization's SSO configuration or created an SSO connection with an error, it is a good idea to create a new SSO connection in Opti ID first with the updated information before removing the old connection. This prevents users from converting to local login and receiving activation emails from Opti ID.

Switch from SSO to local login

If you want to switch your organization from SSO to local login:

  1. Go to Settings > SSO in the Opti ID Admin Center.
  2. Click Remove Connection.

Removing all your configured SSO connections switches your organization (and all your users) to local login. When that happens, Opti ID sends activation emails to your users so that they can activate their local account, which includes setting up a password.