Authentication
Optimize365 supports multiple authentication options that can be configured per MSP organization under Settings → Authentication.
SAML SSO
SAML Single Sign-On allows your users to log in using their corporate identity provider (IdP) — such as Microsoft Entra ID or Okta — without needing a separate Optimize365 password.
How it works
- The MSP admin configures SSO in Settings → Authentication
- Users navigate to a unique login URL (
app.optimize365.io/domain/<your-slug>) - They are redirected to your corporate IdP to authenticate
- On success, they are provisioned into Optimize365 automatically
Setting up SAML
Go to Settings → Authentication → SAML SSO and follow the steps:
Step 1 — Configure your IdP
Provide these values to your IT team:
| Field | Value |
|---|---|
| ACS URL (Single Sign-On URL) | https://login.optimize365.io/saml2/idpresponse |
| Entity ID (Audience URI) | urn:amazon:cognito:sp:us-east-1_h3Nj78zjG |
| Name ID Format | EmailAddress |
Your IdP must send the following standard SAML attributes:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameStep 2 — Paste your IdP metadata URL
Copy the metadata URL from your IdP and paste it into the IdP Metadata URL field.
Step 3 — Choose access control
- Auto-join — Any user who authenticates via your IdP is provisioned automatically with a role you choose
- Invite-only — Only users you have explicitly invited can sign in
Microsoft Entra ID setup
Entra sends the required SAML attributes by default — no custom attribute configuration needed.
- Go to entra.microsoft.com → Identity → Applications → Enterprise applications → New application → Create your own application
- Choose SAML as the sign-on method
- Set Identifier (Entity ID) and Reply URL (ACS URL) as above
- Under Attributes & Claims, set the Unique User Identifier (Name ID) to
user.mailwith formatEmail address - Copy the App Federation Metadata URL and paste it into Optimize365
- Assign users or groups to the application
Okta setup
- In Okta Admin → Applications → Create App Integration → SAML 2.0
- Set Single sign-on URL, Recipient URL, and Destination URL to the ACS URL above
- Set Audience URI to the Entity ID above
- Set Name ID format to
EmailAddress, Application username toEmail - Under Attribute Statements, add:
| Name | Value |
|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.email |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
- Assign users to the app, copy the Identity Provider metadata URL, and paste it into Optimize365
IP Restrictions
Restrict access to your Optimize365 account to specific IP ranges. Go to Settings → Authentication → IP Restrictions and add one or more CIDR ranges (e.g. 203.0.113.0/24).
- Leave empty to allow access from any IP
- Applies to all users in your organization
Session Timeout
Configure how long a session remains active before requiring re-authentication. Go to Settings → Authentication → Session Timeout and choose a duration.
- Default (24h) — Defers to Cognito’s token expiry
- 1h / 4h / 8h — Forces re-login after the selected period regardless of activity