Who is this article for?
Account administrators, Account Configuration (Full Permissions)
Available on:
All Culture Amp subscriptions
Prerequisite Guide for OneLogin Users: This article provides the core information needed to configure OneLogin to connect successfully with Culture Amp during the self-service SSO setup process.
Please note that OneLogin may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the OneLogin platform or troubleshooting interface changes, please contact OneLogin Support or refer to their official documentation.
This article explains how to configure OneLogin as your identity provider before connecting it to Culture Amp.
To connect OneLogin to Culture Amp:
Before You Begin
You'll need:
Administrator access to your OneLogin account
Administrator or Account Configuration access to Culture Amp
Important: Use the "SAML Custom Connector (Advanced)" for maximum compatibility. Pre-built catalog applications are unsupported.
Configuration Steps
Step 1: Get Culture Amp's SAML details
In Culture Amp, go to Settings > Account > Authentication
Click + Add SAML Provider
Copy the following two values — you'll paste them into OneLogin in the next steps:
SAML Callback / Assertion Consumer Service (ACS) URL
SAML Audience / Entity ID
Step 2: Create a custom SAML application in OneLogin
In the OneLogin Admin console, go to Applications > Applications
Click Add App
Search for SAML Custom Connector (Advanced) and select it
Enter an app name (e.g. Culture Amp) and click Save
Step 3: Configure the app with Culture Amp's connection details
In your Culture Amp application, go to the Configuration tab and enter the following:
Recipient: Paste Culture Amp's ACS URL
ACS (Consumer) URL: Paste Culture Amp's ACS URL
ACS (Consumer) URL Validator: Paste Culture Amp's ACS URL (same value)
Audience (Entity ID): Paste Culture Amp's Entity ID
SAML nameID format: Select Email
SAML signature element: Select Both (recommended)
Step 4: Configure parameters (attribute mapping)
In your Culture Amp application, go to the Parameters tab
Add the following parameters (check Include in SAML assertion for each):
Field name: email → Value: Email
Field name: firstName → Value: First Name
Field name: lastName → Value: Last Name
Save
For more details, see OneLogin's SAML documentation.
Step 5: Assign users to the application
In your Culture Amp application, go to the Users tab
Add users who should have access, or go to the Roles tab to assign by role
Save
For help with your signing certificate, see the OneLogin SAML documentation.
Step 6: Collect OneLogin's SAML information
In your Culture Amp application, go to the SSO tab
Copy the SAML 2.0 Endpoint (HTTP)
Click View Details next to X.509 Certificate and copy the full certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
For additional help, visit the OneLogin Support Center.
Step 7: Complete setup in Culture Amp
Return to the SSO setup page in Culture Amp
Enter the following values:
SAML endpoint URL: Paste OneLogin's SAML 2.0 Endpoint (HTTP) from Step 6
X.509 signing certificate: Paste OneLogin's X.509 certificate from Step 6
Nameid-format: Email Address
Friendly name: Enter a label for the login button (e.g. Sign in with OneLogin)
Save the configuration
Test the connection by opening an incognito browser window and signing in
Once successful, activate SSO
For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).
Troubleshooting
| Problem | What to check |
| --- | --- |
| "Invalid SAML Response" | Verify the ACS URL and Audience (Entity ID) in OneLogin exactly match the values copied from Culture Amp, with no extra spaces or characters. |
| "User is not assigned to the application" | Assign the user to the Culture Amp application in OneLogin's Users or Access tab. |
| Certificate errors | Ensure you copied the full X.509 certificate from the SSO tab, including the BEGIN and END lines, with no extra spaces. |
| Name ID format errors | Verify the SAML nameID format in OneLogin is set to emailAddress, and that Email Address is selected in Culture Amp. |
| "ACS URL does not match" | Ensure both the ACS URL and ACS URL Validator fields in OneLogin contain exactly the same value as the Culture Amp ACS URL. |
FAQs
Can I authenticate users with Employee ID instead of email?
Yes. By default, OneLogin sends email addresses to identify users in Culture Amp, but you can configure it to use Employee ID instead. You'll need to make changes in both OneLogin and Culture Amp.
Before you start:
Employee IDs must already be populated in OneLogin's user directory
Employee IDs in OneLogin must exactly match the Employee IDs set in Culture Amp — including capitalisation and formatting
Employee IDs must be unique per user
To verify employee IDs are populated, go to Users, select a user, and check that the Employee ID field contains data. Alternatively, go to Users > All Users in OneLogin and check that the External ID or Employee Number field contains data for the relevant users.
Changes in OneLogin (Step 3):
In the Configuration tab of your Culture Amp application, update the Name ID field:
Name ID format: Select the field that holds your Employee ID (e.g. External ID or Employee Number, depending on how your directory is configured)
SAML nameID format: Change to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Changes in Culture Amp (Step 7):
When completing setup in Culture Amp, update the following field to match what you configured in OneLogin:
Nameid-format: Persistent or Unspecified (instead of Email Address)
All other fields in Culture Amp (SAML endpoint URL, X.509 certificate, friendly name) remain the same.