Use single sign-on with SAML

  • Updated

When you configure a Security Assertion Markup Language (SAML)-based single sign-on (SSO) integration, you can use your corporate login credentials to access Optimizely Content Marketing Platform (CMP).

What is single sign-on?

Single sign-on (SSO) is an integration method that lets enterprise users access multiple applications with a single authorization. The authorization is managed by an Identity Provider (IDP). SAML exchanges the authentication and authorization data with CMP as the service provider. CMP receives a SAML assertion of the user identity, which is valid for a limited time and digitally signed.

Benefits of single sign-on

SSO had the following benefits:

  • Reduce login action fatigue for users – Enter your login credentials once to access your  corporate network.
  • Unified username format – Because user identity is managed from one central location, usernames in CMP match the names in your directory.
  • Compliance with security and governance guidelines – Your IT administrators get more control over authentication; security policies (such as password complexity requirements, mandatory multi-factor authentication) are enforced for the CMP authentication.

Limitations of single sign-on

  • Users cannot edit their name or email address in CMP. 
  • CMP cannot enforce multi-factor authentication; the responsibility is on the user's identity provider.

Add CMP to your identity management system

To implement SSO (SP-initiated SSO and IP-initiated SSO) for CMP, configure the SAML application in your identity provider. When you try to sign into CMP using SSO, the request is redirected to the identity management system.

Configure the application with the following values so that the identity provider can successfully validate that the redirected request is coming from CMP.

  • Entity ID / Audience URI – welcome-production
  • App Name / Connection Name – welcome
  • Base URL / Single sign on URL / ACS (Consumer) URL / Recipient –
  • RelayState URL –

Use the following attributes in the SAML assertion response, so to configure attribute mapping of the application.

  • given_name (first name in CMP)
  • family_name (last name in CMP)
  • email (identifies the user, case-insensitive)

After you configure CMP in the identity provider, provide CMP with the following:

  • Identity Provider Single Sign-On URL / SAML SSO service URL
  • X.509 Certificate

Alternatively, you can provide Metadata XML retrieved from the identity management system while completing the first step. After the metadata is exchanged, CMP configures the application to redirect your users to the client's identity provider for authentication. The details of these steps can vary for systems such as Azure, Okta, PingFederate, and so on.

Set up auto-login to CMP via SSO

  1. Go to the Organization settings page and select the Misc. tab.
  2. Select Share URL Access to activate the auto-login feature for your instance. When activated, a user that is logged in with single sign-on (SSO) can access shareable URLs on the platform.

You can generate shareable URLs from the following places in CMP:



Embed shareable links in an iFrame

You can embed sharable URLs that are generated from the CMP in an iFrame on your CMS, SharePoint, and so on. 

To view the embedded preview or forms from within the iFrame:

  • You must be logged into CMP on a browser session.
  • You also can set up your SAML settings to allow Auto-login to iFrame via SSO, which lets users preview the embedded URL without being logged into CMP on the browser session.