Opti ID

By Optimizely Education
Published: Mar 6, 2026
Rating 1 star 2 stars 3 stars 4 stars 5 stars

Average rating: 0 No reviews

Outline

At a glance

What changed: CMS 13 shifts editorial identity from local ASP.NET Identity stores to Opti ID
Core role: Opti ID provides centralized SSO across Optimizely products
Developer impact: Startup configuration, role mapping, and login flows all change
PaaS benefit: User access, MFA, and organization-level control move into the Optimizely Admin Center

Introduction

In Optimizely CMS 13 (PaaS), managing user identities has moved from local, database-driven ASP.NET Identity stores to Opti ID. Opti ID is a centralized, OpenID Connect (OIDC)-based identity provider that delivers a unified single sign-on experience across the wider Optimizely product suite.

For developers, this simplifies the code required to secure the CMS while centralizing user and role management inside the Optimizely Admin Center.

1. The Core Role of Opti ID

Opti ID removes the need to maintain separate credentials for CMS, Experimentation, and other Optimizely products. In a PaaS or DXP environment, it serves several important purposes:

Unified Login: A single Optimizely login experience for editors and administrators.
Centralized User Management: Users are invited once at the organization level and then granted access to the relevant applications, including your CMS 13 instance.
MFA and Conditional Access: Enterprise-grade security features such as multi-factor authentication can be enforced without custom implementation inside your .NET code.

2. Technical Implementation in CMS 13

Integrating Opti ID into a CMS 13 solution means updating startup configuration and moving away from older identity patterns.

2.1 Step 1: NuGet Installation

First, ensure the EPiServer.OptimizelyIdentity package is installed. This package includes the OIDC handlers and middleware needed to communicate with the Opti ID authority.

2.2 Step 2: Service Configuration

In ConfigureServices, you replace AddCmsAspNetIdentity with AddOptimizelyIdentity.

public void ConfigureServices(IServiceCollection services)
{
    // Enable Opti ID as the identity provider
    services.AddOptimizelyIdentity(useAsDefault: true);

    // If migrating from CMS 12, ensure legacy identity calls are removed:
    // services.AddCmsAspNetIdentity<ApplicationUser>(); // REMOVE THIS
    
    services.AddCms();
}

By setting useAsDefault: true, the application redirects unauthorized requests to the Opti ID login experience. For many PaaS implementations, this is the preferred way to protect the editorial path and related shell areas.

3. Virtual Roles and Permission Mapping

One of the most important concepts for CMS 13 developers is how Opti ID roles map into CMS permissions. Opti ID uses system roles such as CmsAdmins and CmsEditors, which then align with the CMS platform’s internal virtual role model.

3.1 The Mapping Logic

When a user signs in through Opti ID, the claims in their identity token are evaluated by the CMS.

If a user has the CmsAdmins role in Opti ID, they receive the corresponding administrative rights through the CMS virtual role system.
Virtual Role Conflict: If you still have older role mappings in appsettings.json, especially from CMS 11 or CMS 12 setups, those mappings should be reviewed or removed so that Opti ID remains the source of truth.

{
  "EPiServer": {
    "Cms": {
      "MappedRoles": {
        "Items": {
          "CmsAdmins": {
            "MappedRoles": [ "WebAdmins", "Administrator" ]
          }
        }
      }
    }
  }
}

In CMS 13 with Opti ID, these mappings are often handled dynamically by the OptimizelyIdentity package.

4. SSO and SCIM Integration Patterns

In a PaaS or DXP setup, technical leads typically choose between three main identity integration patterns:

Direct Opti ID Login: Users are managed directly in the Optimizely Admin Center. This is often the simplest pattern for smaller teams.
SSO (Entra ID, Okta, Ping, and similar): Opti ID acts as the bridge between your corporate identity provider and the CMS.
SSO with SCIM: The most advanced pattern, where user identities and roles are synchronized automatically from your corporate directory into Opti ID.

Why this matters

SCIM-backed provisioning is especially valuable for operational hygiene. When someone joins, changes role, or leaves, their access can be updated centrally instead of being manually cleaned up inside each application.

5. Certification Summary: Identity Readiness

To be comfortable with this part of the platform, you should be able to:

Explain the difference between Local Identity and Opti ID.
Configure the AddOptimizelyIdentity extension method with the correct options for your environment.
Understand how a user claim travels from an enterprise identity provider through Opti ID and into a CMS virtual role.
Configure local development settings in appsettings.json to test against the Opti ID authority, including client credentials where required.

Conclusion

Opti ID shifts identity in CMS 13 from something the application manages locally to something the platform manages centrally. For developers, that means less time wrestling with editor identity plumbing and more time working with standardized OIDC-based integration patterns. In plain English: fewer homemade login adventures, more predictable security.