Configure OneLogin for Culture Amp SAML SSO

How to configure OneLogin as your SAML identity provider before connecting it to Culture Amp, including troubleshooting and employee ID authentication.

Written by Sterling Rayment

Who is this article for?
Account administrators, Account Configuration (Full Permissions)

Available on:
All Culture Amp subscriptions

Prerequisite Guide for OneLogin Users: This article provides the core information needed to configure OneLogin to connect successfully with Culture Amp during the self-service SSO setup process.

Please note that OneLogin may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the OneLogin platform or troubleshooting interface changes, please contact OneLogin Support or refer to their official documentation.


This article explains how to configure OneLogin as your identity provider before connecting it to Culture Amp.


To connect OneLogin to Culture Amp:

Before You Begin


You'll need:

  • Administrator access to your OneLogin account

  • Administrator or Account Configuration access to Culture Amp

Important: Use the "SAML Custom Connector (Advanced)" for maximum compatibility. Pre-built catalog applications are unsupported.

Configuration Steps


Step 1: Get Culture Amp's SAML details

  1. In Culture Amp, go to Settings > Account > Authentication

  2. Click + Add SAML Provider

  3. Copy the following two values — you'll paste them into OneLogin in the next steps:

    • SAML Callback / Assertion Consumer Service (ACS) URL

    • SAML Audience / Entity ID

Step 2: Create a custom SAML application in OneLogin

  1. In the OneLogin Admin console, go to Applications > Applications

  2. Click Add App

  3. Search for SAML Custom Connector (Advanced) and select it

  4. Enter an app name (e.g. Culture Amp) and click Save

Step 3: Configure the app with Culture Amp's connection details

In your Culture Amp application, go to the Configuration tab and enter the following:

  • Recipient: Paste Culture Amp's ACS URL

  • ACS (Consumer) URL: Paste Culture Amp's ACS URL

  • ACS (Consumer) URL Validator: Paste Culture Amp's ACS URL (same value)

  • Audience (Entity ID): Paste Culture Amp's Entity ID

  • SAML nameID format: Select Email

  • SAML signature element: Select Both (recommended)

Step 4: Configure parameters (attribute mapping)

  1. In your Culture Amp application, go to the Parameters tab

  2. Add the following parameters (check Include in SAML assertion for each):

    • Field name: email → Value: Email

    • Field name: firstName → Value: First Name

    • Field name: lastName → Value: Last Name

  3. Save

For more details, see OneLogin's SAML documentation.

Step 5: Assign users to the application

  1. In your Culture Amp application, go to the Users tab

  2. Add users who should have access, or go to the Roles tab to assign by role

  3. Save

For help with your signing certificate, see the OneLogin SAML documentation.

Step 6: Collect OneLogin's SAML information

  1. In your Culture Amp application, go to the SSO tab

  2. Copy the SAML 2.0 Endpoint (HTTP)

  3. Click View Details next to X.509 Certificate and copy the full certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

For additional help, visit the OneLogin Support Center.

Step 7: Complete setup in Culture Amp

  1. Return to the SSO setup page in Culture Amp

  2. Enter the following values:

    • SAML endpoint URL: Paste the SAML 2.0 Endpoint (HTTP) copied from OneLogin in Step 6

    • X.509 signing certificate: Paste OneLogin's certificate

    • Nameid-format: Email Address

    • Friendly name: Enter a label for the login button (e.g. Sign in with OneLogin)

  3. Save the configuration

  4. Test the connection by opening an incognito browser window and signing in

  5. Once successful, activate SSO

For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).

Troubleshooting


Problem and what to check:

  • "Invalid SAML Response": Verify the ACS URL and Audience (Entity ID) in OneLogin exactly match the values copied from Culture Amp — no extra spaces or characters.

  • "User is not assigned to the application": Assign the user to the Culture Amp application in OneLogin's Users or Access tab.

  • Certificate errors: Ensure you copied the full X.509 certificate from the SSO tab, including the BEGIN and END lines, with no extra spaces.

  • Name ID format errors: Verify the SAML nameID format in OneLogin is set to emailAddress, and that Email Address is selected in Culture Amp.

  • "ACS URL does not match": Ensure both the ACS URL and ACS URL Validator fields in OneLogin contain exactly the same value as the Culture Amp ACS URL.
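
The ACS URL, Audience, NameID format, attribute and signature settings from Steps 3 and 4 can be checked against a base64-decoded SAML response captured during the test sign-in. The Python sketch below is an added example, not Culture Amp or OneLogin code; the function name, URLs and sample response are constructed for illustration, and it checks structure only without verifying signatures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}  # Step 4 field names

def check_response(xml_text, acs_url, entity_id, nameid_format=EMAIL_FORMAT):
    """List config mismatches ([] = none). Structural only: no signature verification."""
    root = ET.fromstring(xml_text)  # use defusedxml when parsing untrusted input
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found"]
    problems = []
    def expect(label, actual, wanted):
        if actual != wanted:  # exact match: a trailing space or slash is a mismatch
            problems.append(f"{label}: got {actual!r}, expected {wanted!r}")

    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    name_id = assertion.find(".//saml:NameID", NS)
    expect("Recipient", None if scd is None else scd.get("Recipient"), acs_url)
    expect("Audience", assertion.findtext(".//saml:Audience", None, NS), entity_id)
    expect("NameID Format", None if name_id is None else name_id.get("Format"), nameid_format)
    sent = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    problems += [f"attribute missing: {n}" for n in sorted(REQUIRED_ATTRS - sent)]
    # Step 3 "Both": a ds:Signature child on the Response and on the Assertion
    for label, node in (("Response", root), ("Assertion", assertion)):
        if node.find("ds:Signature", NS) is None:
            problems.append(f"{label} is not signed")
    return problems

# Constructed sample (placeholder URLs, empty signatures), not a real OneLogin response.
ACS, ENTITY = "https://sp.example.test/saml/acs", "https://sp.example.test/saml/metadata"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{ACS}"><ds:Signature/>
  <saml:Assertion><ds:Signature/>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">ana@example.test</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS} "/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email"/>
      <saml:Attribute Name="firstName"/></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE, ACS, ENTITY)))
```

The constructed sample carries a trailing space in the Recipient and omits lastName, so both are reported; for the Employee ID setup, pass the persistent or unspecified URN as `nameid_format`.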

FAQs


Can I authenticate users with Employee ID instead of email?

Yes. By default, OneLogin sends email addresses to identify users in Culture Amp, but you can configure it to use Employee ID instead. You'll need to make changes in both OneLogin and Culture Amp.

Before you start:

  • Employee IDs must already be populated in OneLogin's user directory

  • Employee IDs in OneLogin must exactly match the Employee IDs set in Culture Amp — including capitalisation and formatting

  • Employee IDs must be unique per user

To verify employee IDs are populated, go to Users, select a user, and check that the Employee ID field contains data. Alternatively, go to Users > All Users in OneLogin and check that the External ID or Employee Number field contains data for the relevant users.

Changes in OneLogin (Step 3):

In the Configuration tab of your Culture Amp application, update the Name ID field:

  • Name ID format: Select the field that holds your Employee ID (e.g. External ID or Employee Number, depending on how your directory is configured)

  • SAML nameID format: Change to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Changes in Culture Amp (Step 7):

When completing setup in Culture Amp, update the following field to match what you configured in OneLogin:

  • Nameid-format: Persistent or Unspecified (instead of Email Address)

All other fields in Culture Amp (SAML endpoint URL, X.509 certificate, friendly name) remain the same.
