Muhammad Talha
Jun 16, 2026

Setting up Opti ID SSO with and without SCIM

This blog compiles lessons learned from setting up Opti ID for large enterprises, both with SCIM provisioning and without it, and weighs the pros and cons of each approach.

What is Opti ID and why does provisioning matter?

Opti ID is Optimizely's unified identity layer — a single login that spans all Optimizely products including CMS, CMP, and beyond. Once authenticated, users access every product and instance they are entitled to from a single dashboard, without logging in again.

But authentication is only part of the story. For large, fluid user populations, the harder challenge is provisioning — how user accounts are created, kept current, and deactivated as people join, change roles, or leave. Opti ID supports two distinct models for this.


APPROACH A

SSO without SCIM

Users authenticate through your identity provider via SAML or OIDC. Access rights, roles, and group assignments are configured and maintained manually within the Opti ID Admin Centre. Works with any standards-compliant IdP.

APPROACH B

SSO with SCIM

Authentication is federated via your IdP, and user provisioning is fully automated via the SCIM protocol. Users and groups defined in your IdP are pushed to Opti ID automatically — including creation, updates, and deactivation. Requires Entra ID, Okta, or PingOne.


APPROACH A

SSO without SCIM — Setup & Considerations

This approach uses your identity provider purely for authentication. All user management — invitations, group assignments, role changes, and deactivations — is carried out manually inside the Opti ID Admin Centre. Any IdP supporting SAML or OIDC is compatible.

Setup Steps

1. Designate a technical owner — One person logs into Opti ID first to establish the organisation and handle initial configuration. This person acts as the first Opti ID administrator and delegates access from there.

2. Configure SSO connections in your IdP — Add Opti ID as a SAML or OIDC application in your identity provider. Up to five SSO connections can be configured — useful for separating geographies, business units, or external users under distinct connections.

3. Register your organisational domains — In Opti ID Admin Centre under Settings > SSO / Domains, register the SSO / DNS domains your internal users authenticate with. This auto-routes users to the correct SSO connection at login.

4. Handle external and partner users via selective local login — Enable selective local login to give partner individuals a standalone Opti ID account (email + password, MFA optional). Internal users continue authenticating via SSO; external users get a local account managed per-user in the Admin Centre.

5. Create groups and assign roles manually — Build a group structure in the Admin Centre reflecting your organisational needs — by region, product, or access tier. Invite users individually, assign them to groups, and those groups determine which product instances and roles each user can access.

+ ADVANTAGES

    Works with any SAML or OIDC identity provider — no vendor restriction

    Simpler to configure and operate; fewer integrated components

    Partners and external users onboarded via local login without changes to your corporate IdP

    Lower initial setup risk; easier to troubleshoot

− DISADVANTAGES

    No automated offboarding — access must be manually revoked when users leave

    At large scale, individual invitations and role assignments are operationally unsustainable

    Compliance and audit readiness require continuous manual effort

    High risk of orphaned accounts if offboarding processes are not rigorously followed
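Because nothing deactivates accounts automatically under Approach A, the check a practitioner wants is a periodic reconciliation of the Opti ID user list against the IdP directory. The script below is an added example, not code from the original post or from Opti ID; it assumes both sides can be exported as CSV with the columns shown (the page describes neither export format).

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports, not real data. The columns are assumed: the page
# does not describe an IdP or Opti ID export format.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,active
carol@example.com,disabled
"""
OPTI_ID_EXPORT = """email,login_type,last_login
alice@example.com,sso,2026-06-10
bob@example.com,sso,2026-03-01
carol@example.com,sso,2026-05-20
dave@example.com,sso,2026-06-01
partner@vendor.example,local,2026-01-05
"""

def find_orphans(idp_csv, opti_csv, today_iso, stale_days=90):
    """Return (orphans, stale): the accounts Approach A cannot offboard by itself.

    orphans: SSO accounts whose user is missing from, or disabled in, the IdP.
             Local (partner) accounts are never in the IdP, so they are skipped.
    stale:   any account, SSO or local, with no login for stale_days.
    """
    today = date.fromisoformat(today_iso)
    idp_active = {r["email"].lower() for r in csv.DictReader(io.StringIO(idp_csv))
                  if r["status"] == "active"}
    orphans, stale = [], []
    for row in csv.DictReader(io.StringIO(opti_csv)):
        email = row["email"].lower()
        if row["login_type"] == "sso" and email not in idp_active:
            orphans.append(email)
        if today - date.fromisoformat(row["last_login"]) > timedelta(days=stale_days):
            stale.append(email)
    return sorted(orphans), sorted(stale)

if __name__ == "__main__":
    orphans, stale = find_orphans(IDP_EXPORT, OPTI_ID_EXPORT, "2026-06-16")
    print("revoke in the Admin Centre:", orphans)
    print("review, no login in 90 days:", stale)
```

Run it on a schedule and treat every orphan as an access revocation task in the Admin Centre; the stale list catches partner local accounts, which no IdP export will ever flag.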


APPROACH B

SSO with SCIM — Setup & Considerations

SCIM (System for Cross-domain Identity Management) extends your SSO setup by automating the full user lifecycle. Your identity provider becomes the single source of truth — users and groups defined there are pushed to Opti ID automatically, including deprovisioning when someone leaves. Officially supported with Microsoft Entra ID, Okta, and PingOne.

Setup Steps

1. Designate a technical owner and configure SSO — Same starting point as Approach A. Configure your primary SSO connection first — the SCIM configuration option only becomes available after at least one SSO connection is active.

2. Generate a SCIM token in Opti ID — Navigate to Admin Centre > Settings > Authentication > SCIM. Select the SSO connection you want to associate SCIM with and generate the bearer token. This token authenticates your IdP when it pushes user data to Opti ID.

3. Create a SCIM provisioning app in your IdP — Most enterprise IdPs require a separate application for SCIM provisioning, distinct from the SSO app. Configure it using the Opti ID SCIM endpoint URL and the token generated above. Some IdPs (such as Okta) allow combining SSO and SCIM in a single app — check your provider's documentation.

4. Design your group structure and push groups from your IdP — Create groups in your IdP corresponding to the access tiers you need — by region, role, or product. Assign users to these groups. When SCIM syncs, those groups and members are automatically created in Opti ID. Future membership changes propagate within minutes.

5. Map groups to product instances and roles in the Admin Centre — SCIM delivers users and group memberships — it does not configure product instance access or role assignments. In the Admin Centre, map each SCIM-synced group to the appropriate instances and permission levels.
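To make the push model concrete, here is an added example (not code from the original post or from Optimizely) that stands in for the Opti ID SCIM endpoint as an in-memory SCIM 2.0 handler: it checks the bearer token from step 2, applies the user and group messages an IdP sends in steps 3 and 4, and models the step 5 group-to-instance mapping as a plain dict. The endpoint paths, token, group names and instance names are placeholders.

```python
import hmac
# Constructed stand-in for the Opti ID SCIM endpoint (its real URL and token are
# not on the page). It applies the SCIM 2.0 messages an IdP pushes over a lifecycle.
SCIM_TOKEN = "PLACEHOLDER_TOKEN_FROM_ADMIN_CENTRE"

class ScimStore:
    def __init__(self, token):
        self.token, self.users, self.groups = token, {}, {}

    def handle(self, method, path, auth, body=None):
        # Every call carries the bearer token generated in the Admin Centre.
        if not hmac.compare_digest(auth or "", f"Bearer {self.token}"):
            return 401, {"detail": "invalid SCIM token"}
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["Users"]:
            uid = f"u{len(self.users) + 1}"
            self.users[uid] = {"id": uid, "userName": body["userName"],
                               "active": body.get("active", True)}
            return 201, self.users[uid]
        if method == "PATCH" and parts[0] == "Users":
            user = self.users[parts[1]]
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and op.get("path") == "active":
                    # Deprovisioning: IdPs set active=false rather than DELETE.
                    user["active"] = str(op["value"]).lower() == "true"
            return 200, user
        if method == "POST" and parts == ["Groups"]:
            gid = f"g{len(self.groups) + 1}"
            self.groups[gid] = {"id": gid, "displayName": body["displayName"],
                                "members": set()}
            return 201, self.groups[gid]
        if method == "PATCH" and parts[0] == "Groups":
            group = self.groups[parts[1]]
            for op in body["Operations"]:  # value-list form of member add/remove
                ids = {m["value"] for m in op["value"]}
                if op["op"].lower() == "add":
                    group["members"] |= ids
                elif op["op"].lower() == "remove":
                    group["members"] -= ids
            return 200, group
        return 404, {"detail": "not found"}

    def effective_access(self, uid, group_to_instances):
        # Step 5: SCIM delivers membership only; the group-to-instance mapping
        # is the manual Admin Centre step, modelled here as a plain dict.
        if not self.users.get(uid, {}).get("active"):
            return set()
        return {inst for g in self.groups.values() if uid in g["members"]
                for inst in group_to_instances.get(g["displayName"], ())}
```

Note that a user deactivated via SCIM keeps their group memberships but loses all effective access, which is why removal from an IdP group or disabling the user in the IdP is enough to revoke access without any Admin Centre step.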


+ ADVANTAGES

    Full user lifecycle automated — joiners, movers, and leavers handled at IdP level without manual Opti ID steps

    Scales to large user populations with no proportional increase in admin overhead

    Access revocation is immediate when a user is removed from an IdP group

    Single source of truth — your IdP directory drives everything; Opti ID stays in sync

    Significantly reduces compliance audit effort — IdP logs are the system of record

    Eliminates orphaned account risk through automated deprovisioning

− DISADVANTAGES

    Only officially supported with Entra ID, Okta, and PingOne

    SCIM is restricted to one SSO connection — separate IdP tenants per region means only one gets full automation

    Product instance assignments and role mappings still require one-time manual setup in the Admin Centre

    Initial setup is more complex — requires two separate IdP apps (SSO + SCIM)

    Partner users on external domains cannot share the SCIM-enabled connection
