Configure Google Workspace for Culture Amp SAML SSO

How to configure Google Workspace as your SAML identity provider before connecting it to Culture Amp, including Google-specific settings and troubleshooting.

Written by Sterling Rayment

Who is this article for?
Account administrators, Account Configuration (Full Permissions)

Available on:
All Culture Amp subscriptions

Prerequisite Guide for Google Workspace Users: This article provides the core information needed to configure Google Workspace to connect successfully with Culture Amp during the self-service SSO setup process.

Please note that Google Workspace may update its user interface independently, meaning some navigational steps outlined below may vary. For assistance with navigating the Google Workspace platform or troubleshooting interface changes, please contact Google Support or refer to their official documentation.


This article explains how to configure Google Workspace as your SAML identity provider before connecting it to Culture Amp.


To connect Google Workspace to Culture Amp:

Before You Begin


You'll need:

  • Super Admin access to your Google Workspace account

  • Administrator or Account Configuration access to Culture Amp

Important: You must create a custom SAML application. Pre-built marketplace applications are not supported.

Configuration Steps


Step 1: Create a custom SAML application in Google Workspace

  1. Sign in to the Google Admin console (admin.google.com)

  2. Go to Apps > Web and mobile apps

  3. Click Add app > Add custom SAML app

  4. Enter an app name (e.g. Culture Amp)

  5. (Optional) Add an icon and click Continue

Step 2: Collect Google's identity provider details

On the Google Identity Provider details screen:

  1. Copy the SSO URL

  2. Download or copy the Certificate

  3. Click Continue

Keep these values — you'll need them when completing setup in Culture Amp.

Step 3: Get Culture Amp's SAML details

In a new browser tab, open Culture Amp and go to Settings > Account > Authentication. Click + Add SAML Provider and note these two values — you will need them in the next step:

  • SAML Callback / Assertion Consumer Service (ACS) URL

  • SAML Audience / Entity ID

Step 4: Configure service provider details in Google

On the Service provider details screen, enter the following and click Continue:

  • ACS URL: Paste Culture Amp's ACS URL

  • Entity ID: Paste Culture Amp's Entity ID

  • Name ID format: EMAIL

  • Name ID: Basic Information > Primary email

Step 5: Configure attribute mapping (recommended)

Map these Google Directory attributes to app attributes, then click Finish:

  • Primary email → email

  • First name → firstName

  • Last name → lastName

For detailed instructions, see Google's Set up your own custom SAML application guide.

Step 6: Enable the application for users

  1. In your Culture Amp app in the Google Admin console, go to User access

  2. Turn on the service for the relevant organisational units or groups who should have access to Culture Amp

  3. Click Save

For more information, see Control user access to services in the Google Workspace documentation. Note: Changes can take up to 24 hours to propagate, but usually take only a few minutes.

Note: Only users with the service turned on in Google Workspace will be able to log in to Culture Amp via SSO.

Step 7: Complete setup in Culture Amp

  1. Return to the SSO setup page in Culture Amp

  2. Enter the following values:

    • SAML endpoint URL: Paste Google's SSO URL

    • X.509 signing certificate: Paste Google's certificate

    • Nameid-format: Email Address

    • Friendly name: Enter a label for the login button (e.g. Sign in with Google)

  3. Save the configuration

  4. Test the connection by opening an incognito browser window and signing in

  5. Once successful, activate SSO

For more information on completing the connection in Culture Amp, see Set up SAML Single Sign-On (SSO).

Troubleshooting


Problem: SP-initiated login fails (visiting Culture Amp redirects to an error)
What to check: Verify the Entity ID is entered correctly.

Problem: "SAML response signature invalid" or similar certificate error
What to check: Ensure the Signed Response checkbox is ticked in Google Workspace (see Step 4). Also confirm the full certificate was pasted including the BEGIN and END lines.

Problem: "Invalid SAML Response" or ACS URL mismatch
What to check: Verify the ACS URL in Google Workspace exactly matches the value copied from Culture Amp — no extra spaces or characters.

Problem: User can't log in (403 or authentication error)
What to check: Confirm the email address on the user's Culture Amp profile exactly matches their Google Workspace primary email address.

Problem: App launcher tile doesn't redirect correctly after login
What to check: Set a Start URL in the Google Workspace app settings. Without it, IdP-initiated login from the app launcher won't redirect correctly.

Problem: User is not assigned to the application
What to check: Check that the user's organisational unit or group has the Culture Amp service turned on in Google Workspace (see Step 6).
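
The troubleshooting checks above can be run against a captured login response. The following is an added example, not Culture Amp's or Google's code: it assumes you have copied the base64 SAMLResponse form field posted to the ACS URL (for example from the browser's network tools), and the URLs, email address and function names are placeholders made up for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response; URLs and address are placeholders, signature body omitted.
ACS_URL = "https://sp.example.test/saml/acs"
ENTITY_ID = "https://sp.example.test/saml/metadata"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{ACS_URL}">
  <ds:Signature/>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">ana@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def encode(xml_text):
    """Base64-encode XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode()).decode()

def inspect_response(b64_response, acs_url, entity_id, profile_email):
    """List mismatches between a captured SAMLResponse and the expected settings.
    Diagnostic only: it checks that a signature is present, not that it is valid."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "Signed Response" puts ds:Signature directly under the Response element.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    # Compared character for character, so a stray space counts as a mismatch.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    if root.findtext(".//a:Audience", default="", namespaces=NS) != entity_id:
        problems.append("Audience does not match Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif (name_id.text or "") != profile_email:
        problems.append("NameID does not match profile email")
    return problems

if __name__ == "__main__":
    print(inspect_response(encode(SAMPLE_XML), ACS_URL, ENTITY_ID, "ana@example.test"))
```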

FAQs


Can I authenticate users with Employee ID instead of email?

Yes, but it requires additional setup. By default, Google Workspace sends email addresses to identify users. To use Employee IDs instead, you must first create a custom attribute in the Google Admin Console to store employee IDs.

In Step 4, set Name ID format to UNSPECIFIED or PERSISTENT and map Name ID to your custom Employee ID attribute (instead of Primary email). In Culture Amp (Step 7), set Nameid-format to Persistent or Unspecified. For help with custom attributes, see Add custom user fields.
