Use single sign-on with SAML

  • Updated

When you configure a Security Assertion Markup Language (SAML)-based single sign-on (SSO) integration, you can use your corporate login credentials to access Optimizely Content Marketing Platform (CMP).


SSO is an integration method that lets enterprise users access multiple applications with a single authorization. An identity provider (IdP) manages the authorization. SAML exchanges the authentication and authorization data with CMP as the service provider. CMP receives a SAML assertion of the user identity, which is valid for a limited time and digitally signed.

SSO has the following benefits:

  • Reduces login action fatigue for users – Enter your login credentials to access your corporate network.
  • Unified username format – Usernames in CMP match the names in your directory since a central location manages user identity.
  • Compliance with security and governance guidelines – Your IT administrators control authentication. CMP authentication enforces security policies, such as password complexity requirements and mandatory multi-factor authentication.

While using SSO with CMP has many benefits, there are some limitations as well:

  • Users cannot edit their name or email address in CMP.
  • CMP cannot enforce multi-factor authentication; the user's IdP must do so.

Add CMP to your identity management system

To implement SSO (initiated by the service provider and IdP) for CMP, configure the SAML application in your IdP. When you sign into CMP using SSO, the request is redirected to the identity management system.

Configure the application with the following values so that the IdP can validate that the redirected request is coming from CMP.

  • Entity ID or Audience URI – optimizely-cmp-production
  • App Name or Connection Name – optimizely-cmp
  • Base URL, SSO URL, ACS (consumer) URL, or Recipient
  • RelayState URL

Use the following attributes in the SAML assertion response, to configure attribute mapping of the application.

  • given_name – First name in CMP
  • family_name – Last name in CMP
  • email – Identifies the user, case-insensitive

After you configure CMP in the IdP, provide CMP with the following:

  • IDP SSO URL or SAML SSO service URL
  • X.509 certificate

Alternatively, you can provide Metadata XML which you can retrieve from the identity management system when you complete the first step. After the metadata is exchanged, CMP configures the application to redirect your users to the client's IdP for authentication. The details of these steps can vary for systems such as Azure, Okta, PingFederate, and so on.

Share URL access via SSO

You can share URLs within the platform if you log in with SSO. 

  1. Click on your avatar and select Organization. Then, select the Misc. tab.
  2. Select the Share URL Access checkbox to activate the auto-login feature for your instance. This lets a user who is logged in with SSO access shareable URLs on the

You can generate shareable URLs from Plan.

  1. Go to Plan and select Board.
  2. Click Share. The Share view window displays. 
  3. Click Copy Link and select Done. sso-b.png

You can also generate shareable URLs from Requests.

  1. Go to Requests
  2. Under Work Requests, click Share Request URL.
  3. A drop down of the list of work request templates displays. Select the template you want, and the link copies to your clipboard. A success message displays.

Embed shareable links in an iFrame

You can embed shareable URLs that CMP generates in an iFrame on your Content Management System (CMS), SharePoint, and so on.

To view the embedded preview or forms from within the iFrame:

  • You must be logged into CMP on a browser session.
  • You also can set up your SAML settings to allow auto-login to iFrame via SSO, which lets users preview the embedded URL without being logged into CMP on the browser session.

SSO questions and answers

Does Optimizely CMP SSO support SAML 2.0?


Can you disable password authentication and enforce SSO only?

Yes, after SSO is enabled for a company domain or domains, all users with email addresses of those domains must use SSO. Password authentication is disabled for them.

Does Optimizely CMP SSO support automated user provisioning through a web API?

Optimizely CMP SSO supports Just-in-Time (JIT) provisioning. On first successful authentication, user accounts are created with the default organization role set in the organization settings.

Does Optimizely CMP SSO provide an API or tool to sync users with an internal directory?

Optimizely CMP SSO supports System for Cross-domain Identity Management (SCIM) APIs for syncing users with your directory. Optimizely SCIM APIs currently support only Okta and Azure AD. They do not work with other IdPs.

Does Optimizely CMP SSO support IP-based access restriction?

Optimizely CMP SSO supports IP-based access restriction through Web Application Firewall (WAF). Optimizely can restrict IP addresses, IP ranges, or geographic locations though WAF, but Optimizely must configure it in the backend as there is no built-in functionality within the application.

Does Optimizely CMP SSO support session timeout?

Yes, Optimizely CMP SSO supports session timeout. By default, there is no timeout, but Optimizely can set the session timeout to any value, per organization, from the backend.

Does the vendor provide a test or sandbox environment?


Is there a mobile app?  

No. However, the CMP web application has a mobile responsive design.

Does SSO support OAuth?

Yes. OAuth 2.0 is the supported authorization mechanism for Optimizely CMP's REST APIs.

How long do OAuth access tokens live?

  • Development mode
    • Time to live (TTL) for access token – 30 days
    • TTL for refresh token – 365 days.
  • Production mode
    • TTL for access token – 1 hour
    • TTL for refresh token – 365 days

Do OAuth access tokens expire if user account is disabled?

If a user account is deleted, access is automatically revoked.