Skip to main content

Single sign-on (SSO)

  • Updated

This topic describes how to:

  • Activate single sign-on (SSO)
  • Frequently asked questions on SSO

Optimizely Experimentation lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely Experimentation using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments.

Optimizely Experimentation SSO is available for any SSO provider that supports the SAML 2.0 protocol. For example Okta, Google Workspace and Azure AD.

Activating SSO

To activate SSO, contact support and lets us know you want to enable SSO and what SSO provider you are interested in implementing. This will start the setup process.

Once SSO is enabled, all users will have to log in via SSO. The ability to log in with an email and password will be disabled.

Accessing SSO settings

In Optimizely Experimentation, navigate to Account Settings > Security and Privacy

If you do not have Single Sign-on enabled you will see instructions on how to enable SSO:

enable_sso.png

If SSO is enabled for your account, you will see a checkbox to enable single sign-on:

sso.png

SSO login

If you already have enabled SSO in Optimizely Experimentation, follow these steps to sign in to your Optimizely Experimentation account: 

  1. From the sign-in page, click Log in using SSO.

    login_sso.png
  2. You will be redirected to the SSO page, where you will enter an Optimizely Experimentation-recognized email address, which is authenticated by your Identity Provider.
  3. If your email is recognized as a user with an SSO who has permissions on any account, you will be challenged for your credentials by your Identity Provider. This step is skipped if you already have a session open. 

Additional SSO identity providers

Accounts can also have up to 2 additional Identity Providers tied to an account. Contact support if you would like to add additional SSO identity providers.

 

FAQ

What can I do if Optimizely Experimentation’s SSO is not working?
Please contact your Optimizely Experimentation account administrator to file a support ticket with Optimizely Experimentation and disable SSO on your account settings page.
 
What can I do if my Identity Provider goes down?
Please contact your Optimizely Experimentation account administrator to file a support ticket with Optimizely Experimentation and disable SSO on your account settings page.
 
How long do SSO-based sessions last?
The SSO session will expire after 4 hours of inactivity and has a maximum length of 7 days.
 
Can I sign in using my regular password?
No. Once SSO is enabled, the ability to log in using your password will be disabled for security reasons.
 
How do I log in to my non-SSO accounts?
To log into a non-SSO account, sign in with your email and password on Optimizely.com, and you will be logged into a non-SSO account that you have access to. You can switch to any other non-SSO account you have access to. Switching between non-SSO accounts is allowed.
 
Will multi-account login work between non-SSO accounts?
Yes. Switching between non-SSO accounts is allowed.
 
Will multi-account login work between SSO and non-SSO accounts?
No. If you are a collaborator on multiple accounts, switching out of and into an SSO-enabled account will not be allowed for security reasons. To log into a non-SSO account, log out and log in to your non-SSO account by supplying an email and password on optimizely.com.
 
Can I add collaborators who don’t have SSO credentials to my SSO-enabled account?
If you add collaborators who don’t have SSO credentials, they will not be able to log in to the account.
 
How can I provision new users on Optimizely Experimentation via my IdP?
SSO is only used for authentication. New users will need to be provisioned in Optimizely Experimentation. See managing collaborators in Optimizely Web Experimentation for instructions on how to add a new user on Optimizely Web Experimentation.
 
Can existing collaborators on my SSO-enabled account access the account if they don’t have SSO access through my organization?
No. Only collaborators with SSO credentials through your organization can access your SSO-enabled account.
 
How do I revoke a user’s access?
On Optimizely.com, you can remove the user as a collaborator. On your end, e.g., for off-boarding, it depends on how you revoke access for a user in your identity provider.