Configure SAML SSO with Google


Opti ID lets you configure Security Assertion Markup Language (SAML) SSO with Google as the identity provider (IdP). Google can then authenticate and authorize your users.

You need a Google account that lets you have a workspace to configure an IdP.

You should configure SSO with Opti ID for your organization before inviting users. Users must then log in to Opti ID using credentials for the SSO provider. This includes the technical contact who originally set up Opti ID for your organization.

Configure the SSO connection

Configure the SSO connection in two browser tabs: one for the Google Workspace Admin Console and one for Opti ID, so you can copy values from one to the other.
  1. Log in to the Google Workspace Admin Console and select Apps > Web and mobile apps.

  2. Click Add App > Add custom SAML app. The App details window displays.

  3. Enter the App name (for example, Optimizely Opti ID) and an optional description. Click Continue to display further configurations.

  4. Configure the following properties, but do not click Continue until you have also configured Opti ID, which starts in Step 5.

    • Option 1: Download IdP metadata – Click Download Metadata to download the Identity Provider (IdP) metadata, which is typically an XML file containing configuration information for single sign-on (SSO).
    • Option 2: Copy the SSO URL, entity ID, and certificate – Configure SSO manually.
      • SSO URL – The URL used for single sign-on, which directs users to the Identity Provider for authentication.
      • Entity ID – A unique identifier for the service provider (your application) within the SSO system.
      • Certificate – The security certificate used to establish trust between the Identity Provider and the service provider. It includes the certificate name and its expiration date. You can click the download button to download the certificate.
      • SHA-256 fingerprint – A cryptographic hash of the certificate, used to verify its authenticity and integrity.
    Keep the Add Custom SAML app window open in a browser tab. You must copy the information from it before continuing.
  5. Log in to Opti ID (https://login.optimizely.com) in another browser tab using your technical contact email and password. For information about properly activating the technical contact user, see Technical contact login. After you log in, you should be on the home dashboard (home.optimizely.com/dashboard). 
  6. Click Admin Center.
  7. Go to Settings > SSO > Add SSO Connection, select SAML as the connection type, and complete the following fields:

    • Connection Name – Enter a name for this SSO connection to display when users log in. This helps you distinguish between multiple SSO connections.
    • Issuer URL – Enter the Identity Provider Issuer. You can copy the Entity ID from the Add Custom SAML app window in the other browser tab where you configured your app (from step 4).
    • SSO URL – Enter the Identity Provider Single Sign-On URL. You can copy the SSO URL from the Add Custom SAML app window in the other browser tab where you configured your app (from step 4).
    • Signature Certificate – Click Select file and choose, from your local file system, the certificate you downloaded in Step 4.

      Ensure you enter the correct values in the correct fields. Otherwise, the configuration may be accepted, but users will not log in successfully.
  8. Click Save. The connection is made.

    Keep the Opti ID Settings SSO page open in a browser tab. You must copy the information from it.
  9. Return to the Add Custom SAML app window in the other browser tab and click Continue. The Service provider details window displays more fields.
  10. Enter the following information and click Continue.
    • ACS URL – The Assertion Consumer Service (ACS) URL, which is the endpoint where the identity provider sends the authentication response (SAML assertion) to the service provider. You can copy it from the Opti ID Settings SSO page in the other browser tab.
    • Entity ID – A unique identifier for the service provider within the single sign-on (SSO) system. You can copy it from the Opti ID Settings SSO page in the other browser tab.
    • Start URL (optional) – An optional URL that users are redirected to after successful authentication through SSO. 
    • Signed response – A checkbox to indicate whether the SAML response from the identity provider should be digitally signed for security purposes.
    • Name ID – This section defines the format and content of the user identifier sent by the identity provider.
      • Name ID format – Specifies the format of the Name ID, such as email address, persistent identifier, or transient identifier. In this case, it is set to Email.
      • Name ID – Defines the attribute from the user's profile that is used as the Name ID, such as Basic Information > Primary email.
  11. Click Continue. The Attributes configuration window displays.
  12. Click Add mapping to add a row at a time to map the following fields between Google Directory and the App attributes. App attributes are case-sensitive.
    • Primary email > email
    • First name > firstName
    • Last name > lastName

    • Group membership (optional) – This section lets you send group membership information from Google Groups to the application. 
      • Google groups – A field to search for and select Google groups whose membership information should be sent. 
      • App attribute – The application attribute that receives the group membership information, typically named Groups.
  13. Click Finish. The configuration is complete.
  14. Click View Details in the User Access section to assign the SAML application you just created to the user (or to a user group in your IdP to which the user belongs). To configure roles, see Roles. To configure groups, see Groups.

    If you do not complete this step, an error displays when a user tries to sign in from the SSO connection.
In accordance with your company policy, configure your Opti ID SSO application to enforce authentication on each login for added security or maintain user sessions for a specified duration to balance security and user convenience.
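The values that steps 4 and 7 ask you to copy by hand (Issuer / Entity ID, SSO URL and the signing certificate) are all present in the metadata XML from Option 1 of step 4. The script below is an added example, not Optimizely's or Google's code: it extracts those values, computes the certificate's SHA-256 fingerprint so you can compare it with the one the Google console shows, and refuses an expired signing certificate. Every URL, id and the certificate in it are constructed placeholders; the stand-in certificate only carries a real Validity field so the expiry check has something to parse.

```python
"""Added example, not Optimizely's or Google's code: read the IdP metadata
XML downloaded in step 4 (Option 1), pull out the values step 7 needs
(Issuer / entityID, SSO URL, signing certificate) and verify the
certificate's SHA-256 fingerprint and expiry before pasting anything.
All sample data is constructed; URLs, ids and the certificate are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the stand-in certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(not_after: str = "20301231235959Z") -> bytes:
    """Constructed stand-in X.509 DER: a real Validity field, empty placeholders
    elsewhere. It is NOT a usable certificate, just something to parse."""
    validity = _der(0x30, _der(0x18, b"20240101000000Z") + _der(0x18, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version, serial
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b""))  # sigAlg, issuer, validity, subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> Validity -> notAfter (UTC)."""
    _, tbs_pos, _ = _tlv(der, 0)
    _, pos, tbs_end = _tlv(der, tbs_pos)
    fields = []
    while pos < tbs_end and len(fields) < 5:      # [0] version?, serial, sigAlg, issuer, validity
        tag, vs, ve = _tlv(der, pos)
        fields.append((tag, vs, ve))
        pos = ve
    _, val_start, _ = fields[4 if fields[0][0] == 0xA0 else 3]
    _, _, nb_end = _tlv(der, val_start)           # notBefore
    tag, ts, te = _tlv(der, nb_end)               # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the form the Google console shows in step 4."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_idp_metadata(xml_text: str, expected_fingerprint: str = "") -> dict:
    """Return issuer, SSO URL and certificate facts; raise on anything suspicious."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    b64 = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(b64.split()))
    fp = sha256_fingerprint(der)
    if expected_fingerprint and fp != expected_fingerprint.upper():
        raise ValueError("certificate fingerprint does not match the one shown in the console")
    not_after = cert_not_after(der)
    if not_after <= datetime.now(timezone.utc):
        raise ValueError(f"signing certificate expired on {not_after:%Y-%m-%d}")
    return {"issuer": root.get("entityID"), "sso_url": sso[0].get("Location"),
            "fingerprint": fp, "not_after": not_after}


# Constructed sample metadata in the shape Google produces; ids are placeholders.
SAMPLE_CERT_DER = build_sample_cert()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
```

Paste the `issuer` value into Issuer URL and `sso_url` into SSO URL in step 7; if the fingerprint the script prints differs from the one in the Google console, you have the wrong file. The DER walk only reads the Validity field and assumes single-byte tags, which holds for real certificates; for anything beyond this check, a full X.509 library is the right tool.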

Configure IdP-initiated login

After you configure your SSO connection, you can enable IdP-initiated login, which lets users who are already logged in with your organization's SSO provider navigate to Opti ID without the need to log in again.

Test the SSO connection

One of the users you assigned in the SAML application should test the setup. The tester must exist as a user in the Opti ID Admin Center and must be logged out of Opti ID.

  1. Open an incognito window and go to https://login.optimizely.com.
  2. When you enter your email and click Next, it should redirect you to your organization's IdP.
  3. Double-check your settings if there are any issues with signing in with your incognito window.
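When the test login fails, the quickest way to find out which setting is wrong is to inspect the SAML response the IdP posted to the ACS URL (the base64-decoded SAMLResponse form field from the browser's developer tools). The checker below is an added example, not Optimizely's or Google's code: it compares the response against what steps 7, 10 and 12 configured (Issuer, Destination / ACS URL, Name ID format, and the case-sensitive attribute names email, firstName and lastName) and reports the mismatches. It does not validate the XML signature; the service provider does that. The response and the URLs in it are constructed placeholders.

```python
"""Added example, not Optimizely's or Google's code: sanity-check a captured
SAML Response against the Opti ID SSO settings. Signature validation is out
of scope here (the service provider performs it). Sample data is constructed."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")   # step 12 mappings, case-sensitive


def check_saml_response(xml_text: str, expected_issuer: str, expected_acs_url: str) -> dict:
    """Return the attributes found and a list of human-readable problems (empty = looks right)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"attributes": {}, "problems": ["not a samlp:Response"]}
    if root.get("Destination") != expected_acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {expected_acs_url!r} (step 10)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("IdP did not report Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in response")
        return {"attributes": {}, "problems": problems}
    for issuer in (root.findtext("saml:Issuer", namespaces=NS),
                   assertion.findtext("saml:Issuer", namespaces=NS)):
        if issuer != expected_issuer:
            problems.append(f"Issuer {issuer!r} != Issuer URL configured in step 7 {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in email format (step 10)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]
            hint = f" (found {near[0]!r}; app attribute names are case-sensitive)" if near else ""
            problems.append(f"attribute {name!r} missing{hint}")
    if name_id is not None and "email" in attrs and attrs["email"][0] != name_id.text:
        problems.append("NameID and email attribute disagree")
    return {"attributes": attrs, "problems": problems}


# Constructed sample response; the IdP id, ACS URL and user are placeholders.
SAMPLE_ISSUER = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"
SAMPLE_ACS = "https://sp.example.invalid/acs"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SAMPLE_ACS}">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, SAMPLE_ISSUER, SAMPLE_ACS))
    # A mapping typed as "FirstName" in step 12 is the classic silent failure:
    print(check_saml_response(SAMPLE_RESPONSE.replace('Name="firstName"', 'Name="FirstName"'),
                              SAMPLE_ISSUER, SAMPLE_ACS)["problems"])
```

An empty `problems` list means the values in the response line up with the configuration; a non-empty one names the step to revisit. The case-sensitivity hint catches the most common mistake from step 12, where Google accepts any attribute name and nothing fails until Opti ID cannot find `firstName`.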

If it does not work correctly, see the Opti ID troubleshooting articles. If you cannot resolve the issue, contact Optimizely Support.