Configure OIDC SSO with Google

Opti ID lets you configure OpenID Connect (OIDC) single sign-on (SSO) with Google as the identity provider (IdP). Google can then authenticate and authorize your users.

You should configure SSO with Opti ID for your organization before inviting users. Users must then log in to Opti ID using credentials for the SSO provider. This includes the technical contact who originally set up Opti ID for your organization.

Before configuring OIDC SSO with Google, you must create and configure a consent screen. The consent screen is a crucial part of the OAuth 2.0 authentication experience, informing users about the data your application requests access to (such as email address and basic account information) and the terms that apply. You control the branding information, including your product name, logo, and homepage URL, within the Google Cloud Console. This step ensures transparency and user trust during the authentication process. For information on how to do this, see OpenID Connect.

Configure the SSO connection

If you configure your SSO app to require Proof Key for Code Exchange (PKCE), you must submit a support ticket after you complete the app configuration so Optimizely can enable it.
You can configure the SSO connection in two browser tabs: one for the selected app and one for Opti ID, so you can copy information from one to the other.
  1. Log in to the Google Cloud (GCP) console and select your project.
  2. Select APIs & Services > Credentials. The Credentials panel displays.
  3. Click Create credentials and select OAuth client ID. The Create OAuth client ID panel displays.
  4. Select Web application for Application type. Other fields display.
  5. Configure the following fields.
    • Name – Enter a name for your OAuth 2.0 client. The console uses this name for internal identification, and end users do not see it.
    • (Optional) Authorized JavaScript origins – Provide the URIs for requests from a browser.
    • Authorized redirect URIs – Enter https://login.optimizely.com/oauth2/v1/authorize/callback in the Redirect URIs field.
  6. Click Create. A window displays with the Client ID and Client secret. You can download the information in a JSON file.

    Keep the OAuth client created window open to copy the information from it.
  7. Go to https://login.optimizely.com in another browser window and log in using your technical contact email and password. For information about activating the technical contact user, see Technical contact login. After you log in, you are on the home dashboard (home.optimizely.com/dashboard). 
  8. Click Admin Center.
  9. Go to Settings > SSO > Add SSO Connection, select OIDC as the connection type, and complete the following fields:
    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps distinguish between multiple SSO connections.
    • Provider – Select Other.
    • Client ID – Enter the Client ID from the OAuth client created window in step 6.
    • Client Secret – Enter the Client Secret from the OAuth client created window in step 6.
    • Well Known Metadata URL – Select https://accounts.google.com/.well-known/openid-configuration.
  10. Click Save to create the connection. If the metadata URL does not automatically populate the Authorization URL, Issuer URL, JWKS URL, Token URL, and User info URL fields, you must manually configure them.
  11. Test your SSO connection by logging out of Opti ID and logging back in. The login flow directs you to your Google provider.
Depending on your company policy, configure your Opti ID SSO application either to enforce authentication on each login (for added security) or to keep user sessions for a specified duration (to balance security and user convenience).
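Step 10 says that if the well-known metadata URL does not populate the Authorization URL, Issuer URL, JWKS URL, Token URL, and User info URL fields, you fill them in by hand. The script below is an added example, not Optimizely's or Google's code: it maps an OIDC discovery document onto those five Opti ID fields and checks the document before you copy values from it (issuer matches the URL it was served from, every endpoint is https, the authorization code flow is offered, and, if you intend to require PKCE as in the note above, that S256 is advertised). The two discovery documents embedded in it are constructed samples so the script runs offline; treat the live document at the well-known URL as the source of truth for the real values.

```python
"""Added example (not Optimizely's or Google's code): turn an OIDC discovery
document into the Opti ID connection fields from step 10 and sanity-check it.

The discovery documents below are constructed samples so the script runs
offline; the live well-known URL is authoritative for the real values.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
WELL_KNOWN_URL = "https://accounts.google.com" + WELL_KNOWN_SUFFIX

# Opti ID field name -> key in the discovery document (OIDC Discovery 1.0 names).
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Issuer URL": "issuer",
    "JWKS URL": "jwks_uri",
    "Token URL": "token_endpoint",
    "User info URL": "userinfo_endpoint",
}

# Constructed sample shaped like Google's discovery document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Constructed sample that must be rejected: the issuer does not match the URL the
# document was fetched from, the token endpoint is plain http, and no PKCE method
# is advertised.
MISMATCHED_DISCOVERY = json.dumps({
    "issuer": "https://accounts.example.net",
    "authorization_endpoint": "https://accounts.example.net/auth",
    "token_endpoint": "http://accounts.example.net/token",
    "userinfo_endpoint": "https://accounts.example.net/userinfo",
    "jwks_uri": "https://accounts.example.net/certs",
    "response_types_supported": ["code"],
})


def expected_issuer(well_known_url: str) -> str:
    """OIDC Discovery forms the well-known URL by appending the suffix to the
    issuer, so the issuer must equal the well-known URL with the suffix removed."""
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a well-known OIDC configuration URL")
    return well_known_url[: -len(WELL_KNOWN_SUFFIX)]


def map_discovery(doc_json: str) -> dict:
    """Return the Opti ID connection fields populated from the discovery document."""
    doc = json.loads(doc_json)
    return {field: doc.get(key, "") for field, key in FIELD_MAP.items()}


def check_discovery(doc_json: str, well_known_url: str, require_pkce: bool = False) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    doc = json.loads(doc_json)
    problems = []
    for field, key in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{field}: '{key}' missing from discovery document")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{field}: {value} is not https")
    want = expected_issuer(well_known_url)
    issuer = doc.get("issuer", "")
    if issuer != want:
        problems.append(f"issuer {issuer!r} does not match {want!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    if require_pkce and "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised; do not require PKCE for this connection")
    return problems


if __name__ == "__main__":
    for field, value in map_discovery(SAMPLE_DISCOVERY).items():
        print(f"{field}: {value}")
    print("problems:", check_discovery(SAMPLE_DISCOVERY, WELL_KNOWN_URL, require_pkce=True))
    print("problems:", check_discovery(MISMATCHED_DISCOVERY, WELL_KNOWN_URL, require_pkce=True))
```

The issuer comparison is the check that matters most: Opti ID will validate the `iss` claim of each ID token against the Issuer URL you enter, so a mismatch between the discovery document and the well-known URL you selected means either a typo in the URL or a document that did not come from the provider you think it did.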

Configure IdP-initiated login

After you configure your SSO connection, you can enable IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned in the OIDC application should test the setup. The tester must exist as a user in the Opti ID Admin Center and must be logged out.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. Enter your email and click Next. You should be redirected to your organization's IdP.
  3. If sign-in fails in the incognito window, double-check your settings.

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.