Single sign-on (SSO)

  • Updated
  • Optimizely Feature Experimentation
  • Optimizely Full Stack (Legacy)
  • Optimizely Web Experimentation
  • Optimizely Performance Edge

Optimizely Experimentation lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This lets your team  log in to Optimizely Experimentation using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments.

Optimizely Experimentation SSO is available for any SSO provider that supports the SAML 2.0 protocol. For example Okta, Google Workspace and Azure AD.

Activate SSO

Contact support to enable SSO and start the setup process. After SSO is enabled, users log in via SSO and can no longer log in with an email and password.

Access SSO settings

In Optimizely Experimentation, go to Account Settings > Security and Privacy

If you do not have Single Sign-on enabled you will see instructions on how to enable SSO:


If SSO is enabled for your account, you will see a checkbox to enable single sign-on:


SSO login

  1. From the sign-in page, click Log in using SSO.


  2. You are redirected to the SSO page, where you enter an Optimizely Experimentation-recognized email address, which is authenticated by your Identity Provider.
  3. If your email is recognized as a user with an SSO who has permissions on any account, you will be challenged for your credentials by your Identity Provider. This step is skipped if you already have a session open. 

Additional SSO identity providers

Accounts can have one or two additional Identity Providers associated with an account. Contact support if you would like to add an SSO identity provider.

Questions and answers

  • What can I do if Optimizely Experimentation’s SSO is not working?

    Contact your Optimizely Experimentation account administrator to file a support ticket and disable SSO on your account settings page.

  • What can I do if my Identity Provider is not working?

    Contact your Optimizely Experimentation account administrator to file a support ticket with Optimizely Experimentation and disable SSO on your account settings page.

  • How long do SSO-based sessions last?

    The SSO session expires after 4 hours of inactivity and has a maximum length of 7 days.

  • Can I sign in using my regular password?

    No. After SSO is enabled, you cannot log in using your password for security reasons.

  • How do I log in to my non-SSO accounts?

    To log into a non-SSO account, sign in with your email and password on, and you are logged into a non-SSO account that you have access to. You can switch to any other non-SSO account you have access to.

  • Will multi-account login work between non-SSO accounts?

    Yes. Switching among non-SSO accounts is allowed.

  • Will multi-account login work between SSO and non-SSO accounts?

    No. If you are a collaborator on multiple accounts, switching out of and into an SSO-enabled account is not allowed for security reasons. To log into a non-SSO account, log out and log in to your non-SSO account by supplying an email and password on

  • Can I add collaborators who do not have SSO credentials to my SSO-enabled account?

    If you add collaborators who do not have SSO credentials, they cannot log in to the account.

  • How can I provision new users on Optimizely Experimentation via my Identity Provider?

    SSO is only used for authentication. New users need to be provisioned in Optimizely Experimentation. See managing collaborators in Optimizely Web Experimentation for instructions on how to add a new user on Optimizely Web Experimentation.

  • Can existing collaborators on my SSO-enabled account access the account if they do not have SSO access through my organization?

    No. Only collaborators with SSO credentials through your organization can access your SSO-enabled account.

  • How do I revoke a user’s access?

    On, you can remove the user as a collaborator. On your end, for example for off-boarding, it depends on how you revoke access for a user in your identity provider.