
Configure Azure AD (Microsoft Entra ID) for Culture Amp SAML SSO

How to configure Microsoft Entra ID (Azure AD) as your SAML identity provider before connecting it to Culture Amp, including troubleshooting and employee ID authentication.

Written by Sterling Rayment

Available on:
All Culture Amp subscriptions

Prerequisite Guide for Microsoft Entra ID Users: This article provides the core information needed to configure Microsoft Entra ID (formerly Azure AD) to connect successfully with Culture Amp during the self-service SSO setup process.

Please note that Microsoft Entra ID may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the Microsoft Entra ID platform or troubleshooting interface changes, please contact Microsoft Support or refer to their official documentation.

This article explains how to configure Microsoft Entra ID (formerly Azure AD) as your identity provider before connecting it to Culture Amp.

To connect Azure AD to Culture Amp, you'll:

Note: Azure AD is now called Microsoft Entra ID. This guide uses both names interchangeably.

Before You Begin


You'll need:

  • Global Administrator or Application Administrator access to Microsoft Entra ID

  • Administrator or Account Configuration access to Culture Amp

Important: You must create a non-gallery Enterprise Application. Pre-built applications from the Azure AD Gallery are not supported.

Configuration Steps


Step 1: Get Culture Amp's SAML details

  1. In Culture Amp, go to Settings > Account > Authentication

  2. Click + Add SAML Provider

  3. Copy the following two values — you'll paste them into Entra ID in the next steps:

    • SAML Callback / Assertion Consumer Service (ACS) URL

    • SAML Audience / Entity ID

Step 2: Create a non-gallery Enterprise Application

  1. Sign in to the Azure portal (portal.azure.com)

  2. Navigate to Microsoft Entra ID

  3. Go to Enterprise applications > New application

  4. Click Create your own application

  5. Enter an app name (e.g. Culture Amp)

  6. Select Integrate any other application you don't find in the gallery

  7. Click Create

Step 3: Configure SAML single sign-on

  1. In your Culture Amp application, select Single sign-on

  2. Select SAML

  3. Click Edit in the Basic SAML Configuration section

  4. Enter the following:

    • Identifier (Entity ID): Paste Culture Amp's Entity ID

    • Reply URL (Assertion Consumer Service URL): Paste Culture Amp's ACS URL

  5. Click Save

Step 4: Configure user attributes and claims

  1. Click Edit in the Attributes & Claims section

  2. Click on Unique User Identifier (Name ID)

  3. Configure the following:

    • Source attribute: user.mail

    • Name identifier format: Email address

  4. Save

The mail attribute must be populated for every user you assign to the application, and its value must match the email address on the user's Culture Amp profile, because that value is what Culture Amp uses to match the assertion to an account.

For detailed instructions, see Microsoft's Enable SAML single sign-on for enterprise applications guide.

Step 5: Assign users or groups

  1. In your Culture Amp application, go to Users and groups

  2. Click + Add user/group

  3. Select the users or groups who should have access to Culture Amp

  4. Click Assign

Note: Only users assigned to the application in Azure AD will be able to log in to Culture Amp via SSO. This is enforced only while the application's Properties > Assignment required? setting is Yes; if it is set to No, any user in the tenant can sign in to Culture Amp through this connection.

Step 6: Collect Entra ID's SAML information

  1. Return to Single sign-on in your Culture Amp application

  2. In the SAML Certificates section, download Certificate (Base64)

  3. Open the certificate file in a text editor and copy the full contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

  4. In the Set up Culture Amp section, copy the Login URL

Step 7: Complete setup in Culture Amp

  1. Return to the SSO setup page in Culture Amp

  2. Enter the following values:

  3. SAML endpoint URL: Paste Entra ID's Login URL

    • X.509 signing certificate: Paste Entra ID's certificate

    • Nameid-format: Email Address (or Persistent / Unspecified if authenticating via Employee ID)

    • Friendly name: Enter a label for the login button (e.g. Sign in with Microsoft)

  4. Save the configuration

  5. Test the connection by opening an incognito browser window and signing in

  6. Once successful, activate SSO

For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).

Certificate Renewal


Azure AD SAML certificates typically expire after 3 years. To renew:

  1. In Entra ID, go to your Culture Amp application > Single sign-on

  2. In the SAML Certificates section, create or upload a new certificate (a newly created certificate is inactive until you activate it)

  3. In Culture Amp, edit your SAML provider and replace the existing certificate with the new one

  4. In Entra ID, make the new certificate active; Entra ID signs assertions only with the active certificate

  5. Test the connection before removing the old certificate

Tip: Plan to update certificates at least two weeks before expiry to avoid login disruption for your users. Because Entra ID signs with one certificate at a time and the SAML provider in Culture Amp holds a single certificate, logins fail between steps 3 and 4, so perform those two steps back to back in a maintenance window.
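To know the renewal date rather than guess it, read the validity period straight out of the Certificate (Base64) file downloaded in Step 6. The following is an added example, not Culture Amp's or Microsoft's code. It uses only the Python standard library, walking the DER structure far enough to reach the certificate's Validity sequence; the embedded certificate is a constructed, unsigned skeleton so the script runs offline, and the functions work unchanged on a real Entra ID certificate file.

```python
# Added example (not Culture Amp's or Microsoft's code): read notBefore/notAfter
# from a PEM certificate with the standard library only, so the renewal date can
# be tracked without a third-party X.509 parser.
import base64
import re
from datetime import datetime, timezone


def pem_to_der(pem_text):
    """Extract DER bytes from a PEM certificate; rejects text lacking BEGIN/END lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("not a PEM certificate: BEGIN/END CERTIFICATE lines are missing")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                           # UTCTime: YYMMDDHHMMSSZ (X.509 uses it before 2050)
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                           # GeneralizedTime: YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unexpected time tag 0x{tag:02x}")


def certificate_validity(pem_text):
    """Return (not_before, not_after) from the certificate's Validity sequence."""
    der = pem_to_der(pem_text)
    _, certificate, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(certificate, 0)            # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity = _children(fields[3][1])
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def days_until_expiry(pem_text, now=None):
    """Whole days left before notAfter, measured from now (UTC) or a supplied datetime."""
    now = now or datetime.now(timezone.utc)
    return (certificate_validity(pem_text)[1] - now).days


def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample: a structurally valid but unsigned certificate skeleton (empty
# issuer/subject, dummy signature), NOT a real Entra ID certificate. Valid 2024-01-01
# to 2027-01-01, the three-year lifetime Entra ID assigns by default.
_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSAEncryption
_TBS = _tlv(0x30,
            _tlv(0xA0, _tlv(0x02, b"\x02"))                                          # version v3
            + _tlv(0x02, b"\x01")                                                    # serialNumber
            + _SIG_ALG                                                               # signature algorithm
            + _tlv(0x30, b"")                                                        # issuer (empty Name)
            + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"270101000000Z"))  # validity
            + _tlv(0x30, b"")                                                        # subject (empty Name)
            + _tlv(0x30, b""))                                                       # subjectPublicKeyInfo placeholder
_DER = _tlv(0x30, _TBS + _SIG_ALG + _tlv(0x03, b"\x00"))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    not_before, not_after = certificate_validity(SAMPLE_CERT_PEM)
    print(f"valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d}; "
          f"{days_until_expiry(SAMPLE_CERT_PEM)} days until expiry")
```

Point `certificate_validity` at the contents of the downloaded .cer file and schedule the renewal from `days_until_expiry`; `pem_to_der` raising ValueError is the same condition as the "Certificate errors" row in Troubleshooting below (BEGIN/END lines missing or a Raw/XML download pasted by mistake).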

Troubleshooting


Problem: "AADSTS50105: User not assigned to a role"
What to check: Assign the user to the Culture Amp application in Entra ID (see Step 5).

Problem: "SAML assertion validation failed"
What to check: Verify the Reply URL and Entity ID in Entra ID exactly match the values copied from Culture Amp, with no extra spaces or characters.

Problem: "Invalid NameID format"
What to check: Ensure the Name ID source attribute is set to user.mail with Email address format in Entra ID, that Email Address is selected in Culture Amp, and that the mail attribute is populated for the affected user (an empty source attribute yields no usable NameID).

Problem: Certificate errors
What to check: Download the Certificate (Base64) format, not Raw or XML. Ensure you copied the full certificate including the BEGIN and END lines, and that the certificate in Culture Amp is the one currently marked active in Entra ID.

Problem: "The reply URL does not match"
What to check: Check for an exact match of the ACS URL: watch for trailing slashes or http vs https mismatches.
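Most rows in this table come down to one string on the IdP side not matching one on the SP side. The quickest way to see which is to capture the SAML Response in the browser (any SAML tracer extension will show the base64-decoded XML) and compare it with the configured values. The script below is an added example, not Culture Amp's or Microsoft's code: it checks the Destination and Recipient against the ACS URL, the Audience against the Entity ID, the NameID format and value against the Culture Amp setting, and the certificate in the assertion against the one pasted into Culture Amp. It is a configuration diagnostic only and does not verify the XML signature. The embedded response is constructed with hypothetical URLs and a placeholder certificate, and contains two planted defects: a trailing slash on Destination and an Unspecified NameID format where Email Address is expected.

```python
# Added example (not Culture Amp's or Microsoft's code): compare a decoded SAML
# Response, e.g. one captured with a browser SAML tracer, against the values that
# were configured on both sides. Configuration diagnostic only; it does NOT verify
# the XML signature, which the service provider must still do.
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Culture Amp's Nameid-format labels mapped to the SAML URIs Entra ID emits.
NAMEID_FORMATS = {
    "Email Address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def normalize_pem(cert_text):
    """Reduce a PEM block, or a bare X509Certificate element body, to its base64 payload."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return "".join(body.split())


def check_saml_response(xml_text, expected_acs, expected_audience, nameid_label, configured_cert_pem):
    """Return a list of mismatches; an empty list means the captured response agrees
    with the ACS URL, Entity ID, NameID format and certificate that were configured."""
    findings = []
    root = ET.fromstring(xml_text)

    dest = root.get("Destination")
    if dest != expected_acs:   # exact string match: scheme, host, path and trailing slash
        findings.append(f"Response Destination {dest!r} does not match ACS URL {expected_acs!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext saml:Assertion found (missing or encrypted)")
        return findings

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        findings.append(f"SubjectConfirmationData Recipient {recipient!r} does not match ACS URL")

    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    audience = aud.text.strip() if aud is not None and aud.text else None
    if audience != expected_audience:
        findings.append(f"Audience {audience!r} does not match Entity ID {expected_audience!r}")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        findings.append("NameID missing or empty: the source attribute (user.mail or user.employeeid) is not populated for this user")
    elif nameid.get("Format") != NAMEID_FORMATS[nameid_label]:
        findings.append(f"NameID Format {nameid.get('Format')!r} does not match {nameid_label!r} selected in Culture Amp")

    cert = assertion.find(".//ds:X509Certificate", NS)
    if cert is None or normalize_pem(cert.text or "") != normalize_pem(configured_cert_pem):
        findings.append("signing certificate in the response differs from the certificate pasted into Culture Amp")
    return findings


# Constructed sample, not a real Entra ID response: hypothetical URLs, a placeholder
# certificate and no real signature. Two defects are planted on purpose: a trailing
# slash on Destination and an Unspecified NameID format where Email Address is expected.
EXPECTED_ACS = "https://sp.example.com/saml/acs"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"
CONFIGURED_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2026-01-01T00:00:00Z" Destination="https://sp.example.com/saml/acs/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, EXPECTED_ACS, EXPECTED_AUDIENCE,
                                       "Email Address", CONFIGURED_CERT_PEM):
        print("MISMATCH:", finding)
```

Run against a real capture, replace the hypothetical URLs with the ACS URL and Entity ID copied in Step 1 and the certificate with the one pasted in Step 7. An empty result means the remaining failure is outside these values (signature, clock skew, or the user assignment covered by AADSTS50105).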

FAQs


Can I authenticate users with Employee ID instead of email?

Yes. By default, Entra ID sends email addresses to identify users in Culture Amp, but you can configure it to use Employee ID instead. You'll need to make changes in both Entra ID and Culture Amp.

Before you start

  • Employee IDs must already be populated in Entra ID's user directory (stored in the employeeId attribute, which the claims editor exposes as user.employeeid)

  • Employee IDs in Entra ID must exactly match the Employee IDs set in Culture Amp — including capitalisation and formatting

  • Employee IDs must be unique per user

To verify employee IDs are populated, go to Microsoft Entra ID > Users, select a user, and confirm the Employee ID field contains data.

Changes in Entra ID (Step 4):

When editing the Unique User Identifier (Name ID) claim, use the following instead of the email defaults:

  • Source attribute: user.employeeid (instead of user.mail)

  • Name identifier format: Persistent or Unspecified (instead of Email address)

Changes in Culture Amp (Step 7):

When completing setup in Culture Amp, update the following field to match what you configured in Entra ID:

  • Nameid-format: Persistent or Unspecified (instead of Email Address)

All other fields in Culture Amp (SAML endpoint URL, X.509 certificate, friendly name) remain the same.
