
Set up SAML Single Sign-On (SSO)

Set up, configure, and manage SAML SSO for your Culture Amp account. Covers guidance for self-service configuration, testing, troubleshooting, and certificate management.

Written by Sterling Rayment

Who can use this feature?

Available on:

  • All Culture Amp subscriptions

Note: Self-service SSO setup is currently available to new Culture Amp accounts created after April 30, 2026. It is expected to be available for all accounts by June.

If you don't yet have self-service access, see here for instructions on how to integrate with the assistance of our support team.

Single Sign-On (SSO) lets your team securely access Culture Amp using your organization's existing identity provider (IdP), such as Okta or Microsoft Azure AD. Once configured, your employees sign in using the same credentials they use for other work applications, with no separate password required.

This article covers how to set up, configure, and manage SSO for your Culture Amp account.

Before You Start


To set up SSO, you'll need:

Note: SSO setup typically takes 15–30 minutes to complete.

Setting up SSO


The following steps can be used to set up SSO for the account, without ever needing to contact Culture Amp support.

Step 1: Access Authentication settings

  1. Go to Settings > Account > Authentication.

  2. Click +Add SAML Provider.

Note: If you've previously started but not completed an SSO setup, clicking +Add SAML Provider will return you to your existing draft rather than creating a new one. Only one draft configuration can exist at a time.

Step 2: Add Culture Amp to your identity provider

Culture Amp displays two values in the setup wizard. Copy each one exactly into your IdP:

SAML Callback/Assertion Consumer Service (ACS) URL:

Copy this URL exactly and paste it into your IdP.

SAML Audience / Entity ID:

Copy this value exactly and paste it into your IdP.

Tip: Make sure your users are assigned to the Culture Amp application in your IdP. Users who aren't assigned to it won't be able to log in via SSO.

Step 3: Enter your identity provider details

Refer to your identity provider's settings to find the following details. Each value must be copied and pasted manually into Culture Amp:

Note: Culture Amp does not currently support importing configuration from a metadata URL or XML file. All fields must be entered manually by copying from your identity provider.

  1. Enter your SAML endpoint URL: The sign-in URL from your identity provider. Must start with https://

  2. Enter your SAML cert: Your identity provider’s X.509 signing certificate. Copy it exactly as shown in your IdP.

  3. Select your Nameid-format: choose Email Address if your IdP sends the user’s email address (recommended for most setups), or Unspecified if your IdP sends a different identifier, such as employee ID.

Note: Your certificate should be accepted whether or not it includes the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Any leading spaces or linebreaks should also be automatically trimmed by the setup wizard.

Step 4: Set a friendly name

In the Identity provider friendly name field, enter a display name for your SSO provider. This is a required field.

  • Enter a custom name for your SSO provider (e.g., Hooli SSO).

  • This name appears on the login button as Sign in with [Hooli SSO].

  • A live preview is shown as you type, so you can see exactly how the button will appear to your users.

  • Click Next to proceed to the Verify screen.

Step 5: Verify your SSO connection

On the Verify screen, you’ll see a test sign-in link. Follow these steps:

  1. Click the copy button next to the Sign in page link, and paste it into a private or incognito browser window.

  2. Log in using your IdP credentials.

  3. If successful, return to the wizard and tick the checkbox: “I was able to sign in successfully using SSO”.

  4. Click Finish to complete setup and enable SSO.

  5. If the test fails, click Back to return to the configuration screen and review your settings. See Troubleshooting below for help.

Password login temporarily enabled: To make sure you’re not locked out, the native password login is enabled by default while you’re setting up SSO for the first time. If you get stuck, click Can't Sign In on the sign-in page to regain access. Once you’ve confirmed SSO is working, you can start a support conversation and 'ask a person' to disable the other login methods if preferred.

Step 6: Setup complete

After clicking Finish, a confirmation screen appears: SSO is now enabled. Users can now log in to Culture Amp using SSO. Click Return to settings to go back to your Authentication settings.

Managing your SAML/SSO


Editing your configuration

  1. Go to Settings > Account > Authentication.

  2. Click Edit configuration.

  3. Update the required fields.

  4. Click Next.

  5. Test the connection to confirm it's still working correctly.

Important: Changes to an active SSO configuration take effect immediately. Incorrect settings could prevent users from logging in. We recommend testing any changes outside of peak hours.

Updating your certificate

If your IdP certificate expires or is rotated, SSO will stop working for all users. To update it without disrupting access:

  1. Go to Settings > Account > Authentication.

  2. Click Edit configuration.

  3. Paste your new certificate into the Certificate field.

  4. Click Next and test the connection to confirm everything is working.

  5. If successful, tick the checkbox: I was able to sign in successfully using SSO.

  6. Click Finish to finalize the changes.

Tip: Update your certificate before it expires to avoid disrupting your users' access.
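
A pre-flight check for the values pasted in Step 3 and for certificate rotation, as an added example that is not Culture Amp's own tooling: it enforces the https:// prefix, rebuilds clean PEM from a certificate pasted with or without its BEGIN/END lines, prints the SHA-256 fingerprint to compare with your IdP, and fails when the certificate expires within a chosen number of days. It assumes the openssl CLI is installed; the function names and the sample certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the Step 3 values. Needs the openssl CLI.
# Function names are this example's own, not part of Culture Amp or any IdP.

# Step 3 requires the SAML endpoint URL to start with https://
check_endpoint() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "SAML endpoint URL must start with https://" >&2; return 1 ;;
  esac
}

# Rebuild clean PEM from a pasted certificate, with or without the
# BEGIN/END lines and regardless of stray spaces or line breaks.
normalize_cert() {
  local b64
  b64=$(sed -e 's/-----BEGIN CERTIFICATE-----//' \
            -e 's/-----END CERTIFICATE-----//' "$1" | tr -d '[:space:]' | fold -w 64)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' "$b64" '-----END CERTIFICATE-----'
}

# Returns 0 if the certificate parses and is valid for DAYS more days,
# 1 if it expires sooner, 2 if it is not an X.509 certificate at all.
check_idp_cert() {
  local file=$1 days=${2:-30} pem
  pem=$(normalize_cert "$file")
  printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 \
    || { echo "not a parseable X.509 certificate" >&2; return 2; }
  # Compare this fingerprint with the one your IdP shows for the same cert.
  printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate -fingerprint -sha256
  printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null \
    || { echo "expires within $days days: rotate it first" >&2; return 1; }
}

# Demo on a constructed, throwaway self-signed certificate (not a real IdP's).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
    -subj "/CN=constructed-idp.example" \
    -keyout "$tmp/key.pem" -out "$tmp/idp.pem" 2>/dev/null
  check_endpoint "https://idp.example/sso/saml" && check_idp_cert "$tmp/idp.pem" 30
  echo "exit status: $?"   # 1 here: the sample cert lasts only 20 days
  rm -rf "$tmp"
fi
```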

Deleting or deactivating your SAML connection

If required, you can delete or temporarily deactivate your SAML connection at any time.

  1. Go to Settings > Account > Authentication.

  2. Click Delete, and then Delete again to confirm you would like to proceed.

    • If you only need to deactivate the SAML option temporarily, click the green toggle instead. Once it is grey, it is deactivated.

Note: You will not be able to deactivate or delete your SAML connection if it is the only authentication option enabled for your account. Make sure Password, Google or another SAML connection is enabled before attempting to delete or deactivate it.

Managing authentication options

If you would like to disable the Password or Google sign-in options after you have successfully configured SAML:

  1. Go to Settings > Account > Authentication.

  2. Click the green toggle next to the authentication options you want to disable.

You can manage these options at any time, but always need at least one authentication option enabled.

Note: We recommend keeping password authentication enabled as a backup, even when SAML/SSO is active. This ensures you can still access Culture Amp if SSO encounters an issue, and users who may not be added to your IdP still have a way to access the platform if needed.

Troubleshooting


Users cannot log in via SSO

Work through the following checks:

  1. Check SSO is enabled

    Go to Settings > Account > Authentication and confirm that your SSO connection appears with its toggle showing 'enabled'.

  2. Check that the user is assigned in your IdP

    In your IdP admin panel, confirm the affected user is assigned to the Culture Amp application.

  3. Check that the user exists in Culture Amp

    Go to Settings > Users and search for the affected user. If they don't exist, add them first.

  4. Check the user’s email address matches

    Confirm the user’s email address is identical in both Culture Amp and your IdP.

  5. Check your IdP certificate hasn't expired

    If your certificate has expired, renew it in your IdP and update it in Culture Amp. See Updating your certificate above.

SSO configuration test fails

Check the following in your IdP configuration:

  • The ACS URL in your IdP exactly matches the URL shown in Culture Amp's authentication settings.

  • The Entity ID in your IdP exactly matches the value shown in Culture Amp's authentication settings.

  • The certificate is complete, in X.509 PEM format.

  • The SAML endpoint URL starts with https:// or http://.

  • The Nameid-format in Culture Amp matches what your IdP is configured to send.

My SSO configuration won't save

Check the following:

  • Your SAML endpoint URL starts with https:// or http://.

  • Your certificate is in X.509 format.

  • You’ve selected a Nameid-format (Email Address or Unspecified).

  • You’ve entered an Identity provider friendly name — this field is required.

  • You have the Account Admin or Account Configuration role in Culture Amp.

I'm locked out after enabling SSO

Password login is automatically enabled when you first set up an SSO connection to prevent lockouts. To regain access:

  1. Go to the Culture Amp login page.

  2. Click Can't Sign In.

  3. Reset your password via email.

  4. Log in with your email and new password.

  5. Fix your SSO configuration, test it, then reactivate.

FAQs


Can users still log in with a native password after SSO is activated?

Yes. By default, users can log in using any enabled authentication method: SSO, password, or Google OAuth. You can request to disable other methods if you want to enforce SSO-only login, but we recommend keeping password enabled as a backup.

Do all users have to use SSO?

No. Users can choose which login method to use, provided that method is enabled. However, if a user is not assigned to Culture Amp in your IdP, they cannot use SSO and will need to use another method.

What happens if SSO stops working?

Users can still log in using the native password option if enabled. Account Admins and Account Configuration users can access and edit the configuration, test it, and activate it, all without needing to contact support.

Can I import my configuration from a metadata URL?

No. The self-service SAML wizard does not support importing from a metadata URL or uploading a metadata XML file. You must manually copy and paste each of the following from your identity provider:

  • SAML endpoint URL

  • SAML cert (X.509 signing certificate)

  • Nameid-format

If your IdP offers a metadata URL, you can use it as a reference to find the correct values; you’ll just need to copy each field individually. If you need help with a more complex setup, contact Culture Amp support.

What SAML version does Culture Amp support?

Culture Amp supports SAML 2.0. SAML 1.1 is not supported.

Does Culture Amp automatically create accounts for users who log in via SSO?

No. Users must already exist in Culture Amp before they can log in via SSO. There is no automatic account creation (sometimes called Just-In-Time or JIT provisioning).

Can I test SSO without affecting my users?

As soon as you click Next on the first step of your configuration, your SSO connection should be active (provided all details have been entered accurately). This means once you are on the Verify page, where you can test before finalizing, there is a chance users will be able to access the SSO login flow.

If your testing shows errors and you're unable to fix these by editing the configuration, feel free to start a support conversation and 'ask a person' to be connected with the support team. They can help reset the flow to ensure users are not seeing the option to log in via SSO while the issues are looked into.

Can I use employee ID instead of email address to authenticate?

Yes. If your identity provider (IdP) uses employee ID as the identifier rather than email address, select Unspecified as the Nameid-format in Step 3 of the SSO setup wizard.

You'll also need to configure your IdP to send the employee ID as the SAML Name ID with the name ID format set to Unspecified. The exact steps depend on your IdP, but the general approach is:

The employee ID value in your directory must match the employee ID stored against the user's account in Culture Amp. If you need help configuring this for your specific IdP, contact Culture Amp support.

Can I configure more than one SSO integration?

Yes! If needed, once you have set up and finalized your first SAML configuration, you can click +Add SAML Provider to go through the same process and integrate with another. Just make sure you set unique friendly names for each, as your users will see all activated options and must select the one that is relevant for them.


💬 Need help? Just reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist.
