Opti ID lets you configure Security Assertion Markup Language (SAML) single sign-on (SSO) with Duo as the identity provider (IdP). With this configuration, Duo authenticates and authorizes your users.
You should configure SSO for your organization before inviting new users. After you configure SSO with Opti ID, users must log in to Opti ID using credentials for the SSO provider going forward. This includes the technical contact who originally set up Opti ID for your organization.
Configure the SSO connection
1. Log in to the Duo Admin Panel, go to Applications, and click Protect an application.
2. Locate the entry for Generic SAML Service Provider with a protection type of 2FA with SSO hosted by Duo (Single Sign-On) in the listed applications.
3. Click Protect to start configuring Generic SAML Service Provider.
4. In the Metadata section, copy the Entity ID and Single Sign-On URL and save them for later use.
5. Click Download certificate and save the file for later use. This is the certificate Duo signs its SAML responses with; Opti ID uses it to verify those signatures.
6. In the Service Provider section, set the following properties:
   - Metadata Discovery – Leave the selection as None (manual import) to populate the fields by copying information from your service provider and pasting it into the Duo Admin Panel.
   - Entity ID – Enter a valid placeholder URL, like https://www.sample1.com, which you will replace later.
   - Assertion Consumer Service (ACS) URL – Enter a valid placeholder URL, like https://www.sample2.com, which you will replace later.
   - Single Logout URL – Optional.
   - Service Provider Login URL – Optional.
   - Default RelayState – Optional.
7. Complete the SAML Response section with the following selections:
   - NameID Format – Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
   - NameID attribute – Select <Email Address>.
   - Signature algorithm – Select SHA 256.
   - Signing options – Select both Sign response and Sign assertion.
   - Map attributes – Delete any existing claims and add the following claims for IdP Attribute and SAML Response Attribute. The SAML Response Attribute names are case-sensitive; enter them exactly as shown so that Opti ID can match each assertion to the right user.

     | IdP Attribute | SAML Response Attribute |
     | --- | --- |
     | <First Name> | firstName |
     | <Last Name> | lastName |
     | <Email Address> | email |

8. Click Save and keep the Application tab or window open.
9. Open a new tab or window and log in to Opti ID (https://login.optimizely.com) using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact login.
10. Click Admin Center on the home dashboard (home.optimizely.com).
11. Go to Settings > SSO > Add SSO Connection, select SAML as the connection type, and complete the following fields:
    - Connection Name – Enter a name for this SSO connection to display when users log in. This helps you distinguish between multiple SSO connections.
    - Issuer URL – Enter the Entity ID from step 4.
    - SSO URL – Enter the Single Sign-On URL from step 4.
    - Signature Certificate – Select the certificate you downloaded in step 5 from your local file system.

    Make sure you enter each value in its corresponding field. Opti ID may accept a mismatched configuration when you save it, but users will not be able to log in.
12. Click Save.
13. Copy the two values in the SSO Connection Details section, the Audience URL and the Assertion Consumer Service URL, and save them for later use. They replace the Entity ID and ACS URL placeholders you entered in step 6.
14. Return to the Application tab in your Duo Admin Panel.
15. In the Service Provider section of the SAML application you configured in step 6, replace the placeholders with the generated values:
    - Assertion Consumer Service (ACS) URL – Paste the Assertion Consumer Service URL from step 13.
    - Entity ID – Paste the Audience URL from step 13.
16. Click Save. The configuration is complete.
17. Assign the SAML application to the user, or to a user group in your IdP to which the user belongs. If you skip this step, an error displays when the user tries to sign in through this SSO connection.
Test the SSO connection
One of the users you assigned to the SAML application in the previous section should test the setup. The tester must already exist as a user in the Opti ID Admin Center and must be logged out.
1. Open an incognito window and go to https://login.optimizely.com.
2. Enter your email and click Next. Opti ID should redirect you to Duo, your organization's IdP, to authenticate.
3. If sign-in from the incognito window fails, double-check your settings.
If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.
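A captured SAML response is the quickest way to confirm that Duo is sending what the SAML Response section was configured to send and that the placeholder URLs were actually replaced. The script below is an added example written for this guide, not Optimizely's or Duo's code: it decodes a base64 SAMLResponse (the value a browser SAML tracer shows on the POST to Opti ID) and lists mismatches against the settings from the configuration steps: signed response and assertion, SHA-256 signature method, emailAddress NameID, the expected Audience and Destination, and the three case-sensitive attribute names. The embedded response and the sp.example.invalid URLs are constructed placeholders; substitute your own capture and the Audience URL and Assertion Consumer Service URL from SSO Connection Details.

```python
"""Check a captured SAMLResponse against the settings this guide configures in Duo.

Added example for this guide; it is not Optimizely's or Duo's code. Take the
SAMLResponse form value from a browser SAML tracer (it is base64), pass it to
check_response() together with the Audience URL and ACS URL that Opti ID
generated, and read the list of mismatches. The script checks structure only;
it does not verify the XML signatures, which is the job of Opti ID and the
certificate uploaded in the Signature Certificate field.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Duo's "SHA 256" signature algorithm setting appears as this SignatureMethod URI.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The SAML Response Attribute names from the Map attributes table, exact case.
REQUIRED_ATTRS = ("firstName", "lastName", "email")

# Constructed sample values: these stand in for the Audience URL and Assertion
# Consumer Service URL that Opti ID shows under SSO Connection Details.
SAMPLE_AUDIENCE = "https://sp.example.invalid/saml/audience"
SAMPLE_ACS = "https://sp.example.invalid/saml/acs"
# Constructed, minimal response shaped like a correctly configured one.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" Destination="{SAMPLE_ACS}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SAMPLE_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode(xml_text):
    """Base64-encode raw XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode()).decode()


def check_response(saml_response_b64, expected_audience, expected_acs):
    """Return a list of mismatches against the guide's settings (empty list = OK)."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    # Destination must be the ACS URL Opti ID generated, not the placeholder.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination is {root.get('Destination')!r}, expected ACS URL {expected_acs!r}")

    # Signing options: both the Response and the Assertion must carry a signature.
    resp_sig = root.find("ds:Signature", NS)
    if resp_sig is None:
        problems.append("Response is not signed (enable Sign response)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element in the response")
        return problems
    assert_sig = assertion.find("ds:Signature", NS)
    if assert_sig is None:
        problems.append("Assertion is not signed (enable Sign assertion)")

    # Signature algorithm: every signature present must use rsa-sha256.
    for label, sig in (("Response", resp_sig), ("Assertion", assert_sig)):
        if sig is None:
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            problems.append(f"{label} signature algorithm is {alg!r}, expected {RSA_SHA256!r}")

    # NameID must use the emailAddress format and actually hold an email address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not the emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")

    # Audience must equal the Audience URL pasted into Duo's Entity ID field.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected_audience!r}")

    # Mapped attributes: exact, case-sensitive names; point out near-misses.
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in REQUIRED_ATTRS:
        if required not in names:
            near = [n for n in names if n and n.lower() == required.lower()]
            hint = f" (found {near[0]!r}; names are case-sensitive)" if near else ""
            problems.append(f"missing attribute {required!r}{hint}")
    return problems


if __name__ == "__main__":
    for line in check_response(encode(SAMPLE_XML), SAMPLE_AUDIENCE, SAMPLE_ACS) or ["no mismatches found"]:
        print(line)
```

The script checks shape, not signature validity, so it complements rather than replaces the incognito sign-in test above. A casing slip such as Email instead of email is reported together with the offending name, since that is the Map attributes error the configuration steps warn about, and a Destination or Audience still pointing at https://www.sample1.com or https://www.sample2.com shows that the placeholders from the Service Provider section were never replaced.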