Who is this article for?
Account administrators, Account Configuration (Full Permissions)
Available on:
All Culture Amp subscriptions
Prerequisite Guide for Ping Identity Users: This article provides the core information needed to configure Ping Identity to connect successfully with Culture Amp during the self-service SSO setup process.
Please note that Ping Identity may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the Ping Identity platform or troubleshooting interface changes, please contact Ping Identity Support or refer to their official documentation.
This article explains how to configure Ping Identity (PingFederate or PingOne) as your identity provider before connecting it to Culture Amp.
To connect Ping Identity to Culture Amp:
Before You Begin
You'll need:
Administrator access to your Ping Identity account
Administrator or Account Configuration access to Culture Amp
Important: You must create a custom SAML application in Ping Identity. Pre-built application connectors from the Ping Identity catalogue are not supported.
Configuration Steps
Step 1: Get Culture Amp's SAML details
In Culture Amp, go to Settings > Account > Authentication
Click + Add SAML Provider
Copy the following two values — you'll paste them into Ping Identity in the next steps:
SAML Callback / Assertion Consumer Service (ACS) URL
SAML Audience / Entity ID
Step 2: Create a SAML application
PingOne:
In the PingOne admin console, go to Connections > Applications
Click + Add Application
Select Web App, then choose SAML as the connection type
Enter an app name (e.g. Culture Amp) and click Save
PingFederate:
In the PingFederate admin console, go to SP Connections
Click Create New
Select Browser SSO Profiles and proceed through the wizard
Step 3: Configure SAML settings and attribute mapping
PingOne:
In the SAML Configuration tab of your Culture Amp application, enter the following:
ACS URLs: Paste Culture Amp's ACS URL
Entity ID: Paste Culture Amp's Entity ID
Subject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Subject NameID: Email Address
Save the configuration. We also recommend mapping these attributes: email → Email Address, firstName → Given Name, lastName → Family Name.
PingFederate:
In the Browser SSO > Protocol Settings section, enter the following:
Assertion Consumer Service URL: Paste Culture Amp's ACS URL
SP Entity ID: Paste Culture Amp's Entity ID
Subject Name ID format: Email Address
Save the configuration.
We also recommend mapping these attributes from your identity source (LDAP/AD): email → email, SAML_SUBJECT → user's email address.
Step 4: Assign users or groups
PingOne:
In your Culture Amp application, go to the Access tab and add the user groups or populations who should have access.
PingFederate:
User access is typically controlled via your attribute store or identity source (e.g. Active Directory or LDAP). Ensure the relevant users are included in the configured data store filter.
Note: Only users provisioned through Ping Identity will be able to log in to Culture Amp via SSO.
Step 5: Collect Ping Identity's SAML information
PingOne:
In your Culture Amp application, go to the Configuration tab
Copy the Single Sign-On Service URL
Download the signing certificate and open it in a text editor. Copy the full contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
PingFederate:
In the PingFederate admin console, go to Server Configuration > Certificate Management > Signing & Decryption Keys & Certificates
Export the active signing certificate
Copy your PingFederate SSO endpoint URL (typically https://your-domain:9031/idp/SSO.saml2)
For detailed instructions, see the PingFederate documentation or the PingOne documentation.
Step 6: Complete setup in Culture Amp
Return to the SSO setup page in Culture Amp
Enter the following values:
SAML endpoint URL: Paste Ping Identity's SSO URL
X.509 signing certificate: Paste Ping Identity's certificate
Nameid-format: Email Address
Friendly name: Enter a label for the login button (e.g. Sign in with Ping Identity)
Save the configuration
Test the connection by opening an incognito browser window and signing in
Once successful, activate SSO
For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).
Troubleshooting
| Problem | What to check |
| --- | --- |
| "Invalid SAML Response" | Verify the ACS URL and Entity ID in Ping Identity exactly match the values copied from Culture Amp — no extra spaces or characters. |
| "User not found" or login fails silently | Ensure the user is provisioned in Ping Identity and assigned to the Culture Amp application (see Step 4). |
| Certificate errors | Ensure you exported and copied the full X.509 certificate, including the BEGIN and END lines, with no extra spaces. |
| Name ID format errors | Verify the Subject NameID format in Ping Identity is set to emailAddress, and that Email Address is selected in Culture Amp. If using Employee ID for authentication, ensure these are set as unspecified. |
| SP-initiated login fails but IdP-initiated works | Check that the ACS URL is set as the default in your Ping Identity application and that the SP Entity ID exactly matches Culture Amp's Entity ID. |
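The ACS URL, Entity ID and NameID checks in the table above can be run against the base64 SAMLResponse form value captured from a test sign-in. This is an added example, not Culture Amp or Ping Identity code; the function name is hypothetical, and the URLs and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, trimmed sample (no signature, IDs or timestamps); URLs are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.com/saml/acs">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">E1001</saml:NameID>
  <saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.com/saml/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def check_saml_response(b64_response, acs_url, entity_id, nameid_format=EMAIL_FORMAT):
    """List mismatches with the SP settings. Diagnostic only: no signature verification."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Destination is compared only when present; Recipient is required for bearer assertions.
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append(f"Destination {dest!r} does not equal the ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not equal the ACS URL")
    # Exact string comparison: a trailing slash or space counts as a mismatch.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not contain the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    else:
        if name_id.get("Format") != nameid_format:
            problems.append(f"NameID Format {name_id.get('Format')!r} is not {nameid_format!r}")
        if name_id.text != name_id.text.strip():
            problems.append("NameID value has leading or trailing whitespace")
    return problems

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_B64, "https://sp.example.com/saml/acs",
                              "https://sp.example.com/saml/metadata"))
```

Against the sample, the call reports two mismatches: the Audience carries a trailing slash the configured Entity ID lacks, and the NameID Format is unspecified while the check expects emailAddress.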
FAQs
Can I authenticate users with Employee ID instead of email?
Yes. By default, Ping Identity sends email addresses to identify users in Culture Amp, but you can configure it to use Employee ID instead. You'll need to make changes in both Ping Identity and Culture Amp.
Before you start:
Employee IDs must already be populated in Ping Identity's user directory
Employee IDs in Ping Identity must exactly match the Employee IDs set in Culture Amp — including capitalisation and formatting
Employee IDs must be unique per user
To verify employee IDs are populated, check the relevant user attribute in your Ping Identity directory (e.g. employeeNumber or a custom attribute mapped to your employee ID field).
Changes in Ping Identity (Step 3):
When configuring the Subject NameID, use the following instead of the email defaults:
Subject NameID: Map to the attribute containing your Employee ID (e.g. employeeNumber or a custom attribute)
Subject NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Changes in Culture Amp (Step 6):
When completing setup in Culture Amp, update the following field to match what you configured in Ping Identity:
Nameid-format: Persistent or Unspecified (instead of Email Address)
All other fields in Culture Amp (SAML endpoint URL, X.509 certificate, friendly name) remain the same.
