Use single sign-on with SAML

  • Updated
If your organization migrated to Opti ID, you must manage users in Opti ID. See the Opti ID user documentation.

When you configure a Security Assertion Markup Language (SAML)-based single sign-on (SSO) integration, you can use your corporate login credentials to access Optimizely Content Marketing Platform (CMP).


SSO is an integration method that lets enterprise users access multiple applications with a single authorization. An identity provider (IDP) manages the authorization. SAML exchanges the authentication and authorization data with CMP as the service provider. CMP receives a SAML assertion of the user identity, valid for a limited time and digitally signed.

SSO has the following benefits:

  • Reduces login action fatigue for users – Enter your login credentials to access your corporate network.
  • Unified username format – Usernames in CMP match the names in your directory because a central location manages user identity.
  • Compliance with security and governance guidelines – Your IT administrators control authentication. CMP authentication enforces security policies, such as password complexity requirements and mandatory multi-factor authentication.

While using SSO with CMP has many benefits, there are some limitations as well:

  • Users cannot edit their name or email address in CMP.
  • CMP cannot enforce multi-factor authentication; the user's IDP must do so.

Add CMP to your identity management system

Configure the SAML application in your IDP to implement SSO (initiated by the service provider and IDP) for CMP. When you sign into CMP using SSO, CMP redirects the request to the identity management system.

Configure the application with the following values so the IDP can validate that the redirected request comes from CMP.

  • Entity ID or Audience URIoptimizely-cmp-production
  • App Name or Connection Nameoptimizely-cmp
  • Base URL, SSO URL, ACS (consumer) URL, or Recipient
  • RelayState URL

Use the following attributes in the SAML assertion response to configure the application's attribute mapping.

  • given_name – First name in CMP
  • family_name – Last name in CMP
  • email – Identifies the user, case-insensitive

After you configure CMP in the IDP, provide CMP with the following:

  • IDP SSO URL or SAML SSO service URL
  • X.509 certificate

Alternatively, you can provide Metadata XML, which you can retrieve from the identity management system when you complete the first step. After exchanging the metadata, CMP configures the application to redirect your users to the client's IDP for authentication. The details of these steps can vary for systems such as Azure, Okta, PingFederate, and so on.

Share URL access through SSO

You can share URLs within the platform if you log in with SSO. 

  1. Select your avatar > Organization > Misc. tab.
  2. Select the Share URL Access checkbox to activate the auto-login feature for your instance. This feature lets an SSO-logged-in user access shareable URLs on the

You can generate shareable URLs from Plan.

  1. Go to Plan and select Board.
  2. Click Share. The Share view window displays. 
  3. Click Copy Link and select Done. sso-b.png

You can also generate shareable URLs from Requests.

  1. Go to Requests
  2. Under Work Requests, click Share Request URL.
  3. A drop-down list of work request templates displays. Select the template you want and the link copies to your clipboard. A success message displays.

Embed shareable links in an iFrame

You can embed shareable URLs that CMP generates in an iFrame on your Content Management System (CMS), SharePoint, and so on.

To view the embedded preview or forms from within the iFrame:

  • You must log in to CMP on a browser session.
  • You can also set up your SAML settings to allow auto-login to iFrame via SSO, which lets users preview the embedded URL without logging into CMP on the browser session.

SSO questions and answers

Does Optimizely CMP SSO support SAML 2.0?


Can you turn off password authentication and enforce SSO only?

Yes, after you activate SSO for one or more company domains, users with email addresses of those domains must use SSO. Password authentication is inactive for them.

Does Optimizely CMP SSO support automated user provisioning through a web API?

Optimizely CMP SSO supports Just-in-Time (JIT) provisioning. On the first successful authentication, CMP SSO creates user accounts with the default organization role set in the organization settings.

Does Optimizely CMP SSO provide an API or tool to sync users with an internal directory?

Optimizely CMP SSO supports System for Cross-domain Identity Management (SCIM) APIs for syncing users with your directory. Optimizely SCIM APIs currently support only Okta and Entra ID (formerly Azure AD). They do not work with other IDPs.

Does Optimizely CMP SSO support IP-based access restriction?

Optimizely CMP SSO supports IP-based access restriction through Web Application Firewall (WAF). Optimizely can restrict IP addresses, IP ranges, or geographic locations through WAF, but Optimizely must configure it in the backend as there is no built-in functionality within the application.

Does Optimizely CMP SSO support session timeout?

Yes, Optimizely CMP SSO supports session timeout. There is no timeout by default, but Optimizely can set the session timeout to any value per organization from the backend.

Does the vendor provide a test or sandbox environment?


Is there a mobile app?  

No. However, the CMP web application has a mobile responsive design.

Does SSO support OAuth?

Yes. OAuth 2.0 is the supported authorization mechanism for Optimizely CMP's REST APIs.

How long do OAuth access tokens live?

  • Development mode
    • Time to live (TTL) for access token – 30 days
    • TTL for refresh token – 365 days.
  • Production mode
    • TTL for access token – 1 hour
    • TTL for refresh token – 365 days

Do OAuth access tokens expire if the user account is deleted?

If you delete a user account, it automatically revokes access.