Single sign-on (SSO)

  • Updated
  • Optimizely Web Experimentation
  • Optimizely Personalization
  • Optimizely Performance Edge
  • Optimizely Feature Experimentation
  • Optimizely Full Stack (Legacy)
If your organization migrated to Opti ID, you must manage users in Opti ID. See the Opti ID user documentation.

Optimizely Experimentation and Optimizely Personalization let you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This lets your team log in to Optimizely Experimentation or Optimizely Personalization using their existing corporate credentials. SSO is an account-level feature that applies across all projects and experiments.

SSO is available for any SSO provider that supports the SAML 2.0 protocol, such as Okta, Google Workspace, and Entra ID (formerly Azure AD).

Activate SSO

Contact support to enable SSO and start the set up process. After SSO is enabled, users log in through SSO and can no longer log in with an email and password.

Access SSO settings

Go to Account Settings > Security and Privacy

If you do not have Single Sign-on enabled, you see instructions on how to enable SSO:


If SSO is enabled for your account, you see a checkbox to enable single sign-on:


SSO login

  1. From the sign-in page, click Log in using SSO.


  2. You are redirected to the SSO page, where you enter an Optimizely-recognized email address, authenticated by your Identity Provider.
  3. If your email is recognized as a user with an SSO who has permissions on any account, your identity provider will challenge you for your credentials. This step is skipped if you already have a session open. 

Additional SSO identity providers

Accounts can have one or two additional identity providers associated with an account. Contact Support if you would like to add an SSO identity provider.

Questions and answers

  • What can I do if Optimizely’s SSO is not working?

    Contact your Optimizely account administrator to file a support ticket and disable SSO on your account settings page.

  • What can I do if my identity provider is not working?

    Contact your Optimizely account administrator to file a support ticket  and disable SSO on your account settings page.

  • How long do SSO-based sessions last?

    The SSO session expires after 4 hours of inactivity and has a maximum length of 7 days.

  • Can I sign in using my regular password?

    No. After SSO is enabled, you cannot log in using your password for security reasons.

  • How do I log in to my non-SSO accounts?

    To log into a non-SSO account, sign in with your email and password on, and you are logged into a non-SSO account that you have access to. You can switch to any other non-SSO account you have access to.

  • Will multi-account login work between non-SSO accounts?

    Yes. Switching among non-SSO accounts is allowed.

  • Will multi-account login work between SSO and non-SSO accounts?

    No. If you are a collaborator on multiple accounts, switching out of and into an SSO-enabled account is not allowed for security reasons. To log into a non-SSO account, log out and log in to your non-SSO account by supplying an email and password on

  • Can I add collaborators who do not have SSO credentials to my SSO-enabled account?

    If you add collaborators who do not have SSO credentials, they cannot log in to the account.

  • How can I provision new users with my identity provider?

    SSO is only used for authentication. New users need to be provisioned in Optimizely Experimentation or Optimizely Personalization. See Manage collaborators for instructions on how to add a user on Optimizely Web Experimentation and Optimizely Personalization.

  • Can existing collaborators on my SSO-enabled account access the account if they do not have SSO access through my organization?

    No. Only collaborators with SSO credentials through your organization can access your SSO-enabled account.

  • How do I revoke a user’s access?

    On, you can remove the user as a collaborator. For example, for off-boarding, it depends on how you revoke access for a user in your identity provider.