Skip to Content
DocsFeaturesAuthentication

Authentication

Optimize365 supports multiple authentication options that can be configured per MSP organization under Settings → Authentication.


SAML SSO

SAML Single Sign-On allows your users to log in using their corporate identity provider (IdP) — such as Microsoft Entra ID or Okta — without needing a separate Optimize365 password.

How it works

  1. The MSP admin configures SSO in Settings → Authentication
  2. Users navigate to a unique login URL (app.optimize365.io/domain/<your-slug>)
  3. They are redirected to your corporate IdP to authenticate
  4. On success, they are provisioned into Optimize365 automatically

Setting up SAML

Go to Settings → Authentication → SAML SSO and follow the steps:

Step 1 — Configure your IdP

Provide these values to your IT team:

FieldValue
ACS URL (Single Sign-On URL)https://login.optimize365.io/saml2/idpresponse
Entity ID (Audience URI)urn:amazon:cognito:sp:us-east-1_h3Nj78zjG
Name ID FormatEmailAddress

Your IdP must send the following standard SAML attributes:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Step 2 — Paste your IdP metadata URL

Copy the metadata URL from your IdP and paste it into the IdP Metadata URL field.

Step 3 — Choose access control

  • Auto-join — Any user who authenticates via your IdP is provisioned automatically with a role you choose
  • Invite-only — Only users you have explicitly invited can sign in

Microsoft Entra ID setup

Entra sends the required SAML attributes by default — no custom attribute configuration needed.

  1. Go to entra.microsoft.comIdentityApplicationsEnterprise applicationsNew applicationCreate your own application
  2. Choose SAML as the sign-on method
  3. Set Identifier (Entity ID) and Reply URL (ACS URL) as above
  4. Under Attributes & Claims, set the Unique User Identifier (Name ID) to user.mail with format Email address
  5. Copy the App Federation Metadata URL and paste it into Optimize365
  6. Assign users or groups to the application

Okta setup

  1. In Okta Admin → ApplicationsCreate App IntegrationSAML 2.0
  2. Set Single sign-on URL, Recipient URL, and Destination URL to the ACS URL above
  3. Set Audience URI to the Entity ID above
  4. Set Name ID format to EmailAddress, Application username to Email
  5. Under Attribute Statements, add:
NameValue
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.lastName
  1. Assign users to the app, copy the Identity Provider metadata URL, and paste it into Optimize365

IP Restrictions

Restrict access to your Optimize365 account to specific IP ranges. Go to Settings → Authentication → IP Restrictions and add one or more CIDR ranges (e.g. 203.0.113.0/24).

  • Leave empty to allow access from any IP
  • Applies to all users in your organization

Session Timeout

Configure how long a session remains active before requiring re-authentication. Go to Settings → Authentication → Session Timeout and choose a duration.

  • Default (24h) — Defers to Cognito’s token expiry
  • 1h / 4h / 8h — Forces re-login after the selected period regardless of activity
Last updated on