Who is this article for?
Account administrators, Account Configuration (Full Permissions)
Available on:
All Culture Amp subscriptions
Prerequisite Guide for Okta Users: This article provides the core information needed to configure Okta to connect successfully with Culture Amp during the self-service SSO setup process.
Please note that Okta may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the Okta platform or troubleshooting interface changes, please contact Okta Support or refer to their official documentation.
This article explains how to configure Okta as your identity provider before connecting it to Culture Amp.
To connect Okta to Culture Amp:
Before You Begin
You'll need:
Administrator access to your Okta account
Administrator or Account Configuration access to Culture Amp
Important: You must create a custom SAML application in Okta. Pre-built connectors from the Okta Integration Network are not supported.
Configuration Steps
Step 1: Get Culture Amp's SAML details
In Culture Amp, go to Settings > Account > Authentication
Click + Add SAML Provider
Copy the following two values — you'll paste them into Okta in the next step:
SAML Callback / Assertion Consumer Service (ACS) URL
SAML Audience / Entity ID
Step 2: Create a custom SAML application in Okta
In the Okta Admin Console, go to Applications > Applications
Click Create App Integration
Select SAML 2.0 and click Next
Enter an app name (e.g. Culture Amp) and click Next
Step 3: Configure app with Culture Amp's connection details
In the SAML Settings screen, configure the following:
Single sign-on URL: Paste Culture Amp's ACS URL
Audience URI (SP Entity ID): Paste Culture Amp's Entity ID
Name ID format: EmailAddress
Application username: Email
We also recommend adding attribute statements to pass user details through to Culture Amp. For detailed instructions, see Define attribute statements in the Okta documentation. The recommended mappings are:
email → user.email
firstName → user.firstName
lastName → user.lastName
Complete the wizard and save. For a full walkthrough of the Okta app creation process, see Create SAML app integrations in the Okta documentation.
Step 4: Assign users in Okta
In your Culture Amp application, go to the Assignments tab
Assign the users or groups who should have access to Culture Amp
Note: Only users assigned to the application in Okta will be able to log in to Culture Amp via SSO.
Step 5: Collect Okta's SAML information
In your Culture Amp application, go to the Sign On tab
Click View SAML setup instructions
Copy the following values:
Identity Provider Single Sign-On URL
X.509 Certificate — copy the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
For help managing your signing certificate, see Manage signing certificates in the Okta documentation.
Step 6: Complete setup in Culture Amp
Return to the SSO setup page in Culture Amp
Enter the following values:
SAML endpoint URL: Paste Okta's Identity Provider Single Sign-On URL
X.509 signing certificate: Paste Okta's certificate
Nameid-format: Email Address
Friendly name: Enter a label for the login button (e.g. Sign in with Okta)
Save the configuration
Test the connection by opening an incognito browser window and signing in
Once successful, activate SSO
For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).
Troubleshooting
Problem | What to check |
"Invalid SAML Response" | Verify the ACS URL and Entity ID in Okta exactly match the values copied from Culture Amp — no extra spaces or characters. |
"User is not assigned to application" | Assign the user to the Culture Amp application in Okta's Assignments tab (see Step 4). |
Certificate errors | Ensure you copied the entire X.509 certificate, including the BEGIN and END lines, with no extra spaces. |
Name ID format errors | Verify that both Okta and Culture Amp are set to Email Address as the Name ID format, unless using Employee ID for authentication, in which case these should be set as unspecified. |
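An added example, not part of the original article and not Culture Amp's or Okta's code: when troubleshooting the mismatches in the table above, a decoded assertion can be compared field by field against the values configured in Step 3. The sample assertion, its URLs and the function name are constructed for illustration, and the check assumes the ACS URL appears in the assertion's Recipient attribute.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (signature omitted). The URLs and the user are
# placeholders, not real Culture Amp or Okta values; lastName is left out on purpose.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
  </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, acs_url, entity_id, nameid_format=EMAIL):
    """Return a list of mismatches between the assertion and the Step 3 settings."""
    # Inspects field values only; it does not verify the assertion's signature.
    root = ET.fromstring(xml_text)
    problems = []
    # Exact string comparison: a stray space or trailing slash counts as a mismatch.
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} does not match Entity ID {entity_id!r}")
    data = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient", "") if data is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not match ACS URL {acs_url!r}")
    name_id = root.find(".//saml:NameID", NS)
    sent_format = name_id.get("Format", "") if name_id is not None else ""
    if sent_format != nameid_format:
        problems.append(f"NameID format is {sent_format!r}, expected {nameid_format!r}")
    # Recommended attribute statements from Step 3.
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for name in ("email", "firstName", "lastName"):
        if name not in sent:
            problems.append(f"attribute {name!r} not sent")
    return problems
```

For Employee ID sign-in, pass the Persistent or Unspecified format URN as `nameid_format` instead of the email default.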
FAQs
Can I authenticate users with Employee ID instead of email?
Yes. By default, Okta sends email addresses to identify users in Culture Amp, but you can configure it to use Employee ID instead. You'll need to make changes in both Okta and Culture Amp.
Before you start:
Employee IDs must already be populated in Okta's user directory (typically stored in the employeeNumber field)
Employee IDs in Okta must exactly match the Employee IDs set in Culture Amp — including capitalisation and formatting
Employee IDs must be unique per user
To verify employee IDs are populated, go to Directory > People in the Okta Admin Console, select a user, and confirm the Employee Number field contains data.
Changes in Okta (Step 3):
When configuring SAML settings, use the following instead of the email defaults:
Name ID format: Persistent or Unspecified (instead of EmailAddress)
Application username: Custom expression (instead of Email)
Custom expression: user.employeeNumber (or your Okta field name for Employee ID)
Changes in Culture Amp (Step 6):
When completing setup in Culture Amp, update the following field to match what you configured in Okta:
Nameid-format: Persistent or Unspecified (instead of Email Address)
All other fields in Culture Amp (SAML endpoint URL, X.509 certificate, friendly name) remain the same.
