Set up SAML Single Sign-On (SSO)

Set up, configure, and manage SAML SSO for your Culture Amp account. Covers Okta, Azure AD, and Google Workspace, plus testing, troubleshooting, and advanced options.

Written by Sterling Rayment

Who can use this feature?

Available on:

  • All Culture Amp subscriptions

Note: Self-service SSO setup is currently available to new Culture Amp accounts created after April 30, 2026 on the US data center. It will be available on the EU and AU data centers from next week, and to all existing accounts soon (expected late May).

If you don't yet have self-service access, see here for instructions on how to get set up with the assistance of our support team.

Single Sign-On (SSO) lets your team securely access Culture Amp using your organization's existing identity provider (IdP), such as Okta, Microsoft Azure AD, or Google Workspace. Once configured, your employees sign in using the same credentials they use for other work applications, with no separate password required.

This article covers how to set up, configure, and manage SSO for your Culture Amp account.

Before You Start


To set up SSO, you'll need:

Note: SSO setup typically takes 15–30 minutes to complete.

Setting up SSO


The following steps can be used to set up SSO for the account, without ever needing to contact Culture Amp support.

Step 1: Access Authentication settings

  1. Go to Settings > Account > Authentication.

  2. Click +Add SAML Provider.

Note: If you've previously started but not completed an SSO setup, clicking +Add SAML Provider will return you to your existing draft rather than creating a new one. Only one draft configuration can exist at a time.

Step 2: Add Culture Amp to your identity provider

Culture Amp displays two values in the setup wizard. Copy each one exactly into your IdP:

SAML Callback/Assertion Consumer Service (ACS) URL:

Copy this URL exactly and paste it into your IdP.

SAML Audience / Entity ID:

Copy this value exactly and paste it into your IdP.

Tip: Make sure your users are assigned to the Culture Amp application in your IdP. Users who are not assigned to the application in your IdP won't be able to log in via SSO.

Step 3: Enter your identity provider details

Refer to your identity provider's settings to find the following details. Each value must be copied and pasted manually into Culture Amp:

Note: Culture Amp does not currently support importing configuration from a metadata URL or XML file. All fields must be entered manually by copying from your identity provider.

  1. Enter your SAML endpoint URL: The sign-in URL from your identity provider. Must start with https://

  2. Enter your SAML cert: Your identity provider’s X.509 signing certificate. Copy it exactly as shown in your IdP, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, with no extra spaces or line breaks.

  3. Select your Nameid-format: choose Email Address if your IdP sends the user’s email address (recommended for most setups), or Unspecified if your IdP sends a different identifier, such as employee ID.

  4. Click Next to save your configuration and proceed to the verification step.

Step 4: Set a friendly name

In the Identity provider friendly name field, enter a display name for your SSO provider. This is a required field.

  • Enter a custom name for your SSO provider (e.g., Hooli SSO).

  • This name appears on the login button as Sign in with [Hooli SSO].

  • A live preview is shown as you type, so you can see exactly how the button will appear to your users.

  • Click Next to proceed to the Verify screen.

Step 5: Verify your SSO connection

On the Verify screen, you’ll see a test sign-in link. Follow these steps:

  1. Click the copy button next to the Sign in page link, and paste it into a private or incognito browser window.

  2. Log in using your IdP credentials.

  3. If successful, return to the wizard and tick the checkbox: “I was able to sign in successfully using SSO”.

  4. Click Finish to complete setup and enable SSO.

  5. If the test fails, click Back to return to the configuration screen and review your settings. See Troubleshooting below for help.

Password login temporarily enabled: To make sure you’re not locked out, Culture Amp automatically enables password login while you’re setting up SSO. If you get stuck, click Forgot Password on the sign-in page to regain access. Once you’ve confirmed SSO is working, you can disable password login from your Authentication settings.

Step 6: Setup complete

After clicking Finish, a confirmation screen appears: SSO is now enabled. Users can now log in to Culture Amp using SSO. Click Return to settings to go back to your Authentication settings.

Managing your SSO


Editing your configuration

  1. Go to Settings > Account > Authentication.

  2. Click Edit SSO configuration.

  3. Update the required fields.

  4. Click Save.

  5. Test the connection to confirm it's still working correctly.

Important: Changes to an active SSO configuration take effect immediately. Incorrect settings could prevent users from logging in. We recommend testing any changes outside of peak hours.

Updating your certificate

If your IdP certificate expires or is rotated, SSO will stop working for all users. To update it without disrupting access:

  1. Go to Settings > Account > Authentication.

  2. Click Edit SSO configuration.

  3. Paste your new certificate into the Certificate field, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  4. Click Save and test the connection to confirm everything is working.

Tip: Update your certificate before it expires to avoid disrupting your users' access.

Deactivating SSO

To temporarily disable SSO:

  1. Go to Settings > Account > Authentication.

  2. Click Deactivate SSO.

  3. Confirm the deactivation.

Users will no longer be able to log in via SSO and will need to use another enabled authentication method. Your configuration is saved and can be reactivated at any time.

Managing authentication options

You can control which login methods are available to your users at any time. By default, email and password and Google OAuth are both enabled alongside SSO.

  1. Go to Settings > Account > Authentication.

  2. Toggle the login methods you want to enable or disable.

  3. Click Save.

Note: We recommend keeping email and password authentication enabled as a backup, even when SSO is active. This ensures you can still access Culture Amp if SSO encounters an issue.

Troubleshooting


Users cannot log in via SSO

Work through the following checks:

  1. Check SSO is activated

    Go to Settings > Account Settings > Authentication and confirm SSO status shows as Active.

  2. Check that the user is assigned in your IdP

    In your IdP admin panel, confirm the affected user is assigned to the Culture Amp application.

  3. Check that the user exists in Culture Amp

    Go to Settings > Users and search for the affected user. If they don't exist, add them first.

  4. Check the user’s email address matches

    Confirm the user’s email address is identical in both Culture Amp and your IdP.

  5. Check your IdP certificate hasn't expired

    If your certificate has expired, renew it in your IdP and update it in Culture Amp. See Updating your certificate above.

SSO configuration test fails

Check the following in your IdP configuration:

  • The ACS URL in your IdP exactly matches the URL shown in Culture Amp's authentication settings.

  • The Entity ID in your IdP exactly matches the value shown in Culture Amp's authentication settings.

  • The certificate is complete, in X.509 PEM format, with no extra spaces or line breaks.

  • The SAML endpoint URL starts with https:// or http://.

  • The Nameid-format in Culture Amp matches what your IdP is configured to send.
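The checks in this list can be run against the response your IdP actually sends. The following is an added example, not Culture Amp code: it decodes a SAMLResponse form value captured from the browser during the test sign-in and compares it with the wizard values. The URLs, the sample response, and the mapping from the two Nameid-format choices to SAML 2.0 format URIs are assumptions for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed mapping of the wizard's Nameid-format choices to standard SAML format URIs.
NAMEID_FORMATS = {
    "Email Address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def check_saml_response(b64_response, acs_url, entity_id, nameid_choice):
    """Diagnostic only: compares fields, does not verify the signature.
    Run it only on responses captured from your own IdP."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    dest = root.get("Destination")
    if dest != acs_url:  # exact match: a trailing slash is a mismatch
        findings.append(f"Destination {dest!r} does not match ACS URL {acs_url!r}")
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences!r} does not contain Entity ID {entity_id!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no readable NameID in the assertion (missing or encrypted)")
    else:
        # A NameID without a Format attribute is treated as unspecified.
        fmt = name_id.get("Format", NAMEID_FORMATS["Unspecified"])
        if fmt != NAMEID_FORMATS[nameid_choice]:
            findings.append(f"NameID format {fmt!r} does not match {nameid_choice!r}")
    return findings

def constructed_response(dest, audience, fmt, name_id):
    """Build a minimal, unsigned sample response (constructed test data)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{dest}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A captured response contains user identifiers, so handle it as sensitive data and delete it after troubleshooting.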

My SSO configuration won't save

Check the following:

  • Your SAML endpoint URL starts with https:// or http://.

  • Your certificate is in X.509 format and includes the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, with no extra spaces or line breaks.

  • You’ve selected a Nameid-format (Email Address or Unspecified).

  • You’ve entered an Identity provider friendly name — this field is required.

  • You have Account Admin access in Culture Amp.

I'm locked out after enabling SSO

Password login is automatically enabled when you set up SSO to prevent lockouts. To regain access:

  1. Go to the Culture Amp login page.

  2. Click Forgot Password.

  3. Reset your password via email.

  4. Log in with your email and new password.

  5. Fix your SSO configuration, test it, then reactivate.

My certificate has formatting errors

Your certificate must be in X.509 PEM format. Copy it exactly as provided by your IdP. Do not modify any whitespace. It should look like this:

-----BEGIN CERTIFICATE-----
[Certificate data]
-----END CERTIFICATE-----

Common mistakes:

  • Missing the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines.

  • Extra spaces or line breaks within the certificate data.

  • Copying the entire certificate chain instead of just the signing certificate.
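The mistakes listed above can be caught before pasting the certificate into the wizard. The following is an added example, not Culture Amp code: a standard-library lint that checks for the BEGIN/END lines, stray whitespace, a pasted chain, and a truncated body. It does not parse the certificate or check its expiry date, and the sample it builds is constructed placeholder data, not a real certificate.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_sequence_complete(der):
    """True if the bytes are exactly one ASN.1 SEQUENCE whose declared length fits."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_pem_certificate(pem):
    """Return a list of problems in a pasted PEM certificate (empty list = OK)."""
    if pem.count(BEGIN) > 1 or pem.count(END) > 1:
        return ["more than one certificate: paste only the signing certificate, not the chain"]
    lines = pem.strip().splitlines()
    problems = []
    if not lines or lines[0].strip() != BEGIN:
        problems.append("missing " + BEGIN + " line")
    if not lines or lines[-1].strip() != END:
        problems.append("missing " + END + " line")
    if problems:
        return problems
    body = lines[1:-1]
    if any(l.strip() and l.split() != [l] for l in body):
        problems.append("whitespace inside the certificate data")
    if any(not l.strip() for l in body):
        problems.append("blank line inside the certificate data")
    try:
        der = base64.b64decode("".join("".join(l.split()) for l in body), validate=True)
    except ValueError:
        return problems + ["certificate data is not valid base64"]
    if not der_sequence_complete(der):
        problems.append("decoded data is not one complete DER structure (truncated or altered)")
    return problems

def constructed_sample():
    """Placeholder PEM: a DER SEQUENCE header plus 256 zero bytes, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"
```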

FAQs


Can users still log in with email and password after SSO is activated?

Yes. By default, users can log in using any enabled authentication method: SSO, email and password, or Google OAuth. You can disable other methods if you want to enforce SSO-only login, but we recommend keeping email and password enabled as a backup.

Do all users have to use SSO?

No. Users can choose which login method to use, provided that method is enabled. However, if a user is not assigned to Culture Amp in your IdP, they cannot use SSO and will need to use another method.

What happens if SSO stops working?

Users can still log in using email and password if it's enabled. Account Admins can deactivate SSO, fix the configuration, test it, and reactivate it, all without needing to contact support.

Can I have multiple SSO integrations?

No. Culture Amp currently supports one SAML SSO configuration per account. If you need to switch identity providers, deactivate your existing configuration and set up a new one.

Can I import my configuration from a metadata URL?

No. The self-service SAML wizard does not support importing from a metadata URL or uploading a metadata XML file. You must manually copy and paste each of the following from your identity provider:

  • SAML endpoint URL

  • SAML cert (X.509 signing certificate)

  • Nameid-format

If your IdP offers a metadata URL, you can use it as a reference to find the correct values; you’ll just need to copy each field individually. If you need help with a more complex setup, contact Culture Amp support.

Does my configuration save if I close the wizard before finishing?

Your configuration is saved each time you click Next, so it won’t be lost if you close the wizard. However, SSO won’t be enabled for your users until you complete the full wizard and click Finish. To return to an incomplete setup, go to Settings > Account > Authentication and click Add SAML provider — you’ll be taken back to your existing draft.

What SAML version does Culture Amp support?

Culture Amp supports SAML 2.0. SAML 1.1 is not supported.

Does Culture Amp automatically create accounts for users who log in via SSO?

No. Users must already exist in Culture Amp before they can log in via SSO. There is no automatic account creation (sometimes called Just-In-Time or JIT provisioning).

Can I test SSO without affecting my users?

Yes. Configure your SSO settings and use the Test button to verify everything is working before clicking Activate. Testing does not affect your users.

Can I use employee ID instead of email address to authenticate?

Yes. If your identity provider (IdP) uses employee ID as the identifier rather than email address, select Unspecified as the Nameid-format in Step 3 of the SSO setup wizard.

You'll also need to configure your IdP to send the employee ID as the SAML Name ID with the name ID format set to Unspecified. The exact steps depend on your IdP, but the general approach is:

The employee ID value in your directory must match the employee ID stored against the user's account in Culture Amp. If you need help configuring this for your specific IdP, contact Culture Amp support.


💬 Need help? Just reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist.
