Single Sign-On

Guidance on the different Single-Sign-On (SSO) options

Written by Jared Ellis
Updated over a week ago

What can I learn from this page?

Guidance on the different Single-Sign-On (SSO) options

Who is this guide for?

Account Admins, IT

Culture Amp supports Single-Sign-On (SSO) for your organization in two ways: sign in with Google, or SAML. It's not possible to configure both methods for the same Culture Amp account. Once SSO has been enabled for your account, the recommended approach is to disable the Email and Google sign-in options so that SSO is the only login method for users. Once SSO is enabled on your account, contact our support team at support@cultureamp.com to have the other login options disabled.


Google (Gmail) Apps Integration

If your organization uses Google Apps, you can use this to log into Culture Amp.

All you need to ensure is that the email address in Google matches the one provided in Culture Amp. This is usually the case, although users sometimes sign in to Google with an alias. If this occurs, ensure the email address used in Culture Amp is the same as the one used to log in to Google.

To sign in with Google, simply select "Sign in with Google" at the bottom of the standard sign in page: https://identity.cultureamp.com/session/sign_in


SAML Integration

Culture Amp allows your users to sign in via your SAML 2.0 identity provider.

This includes organizations with their own SAML infrastructure, as well as organizations using services such as Okta, Bitium, Microsoft Azure, Workday (IdP only), and OneLogin. When SAML is configured, we will give you a unique login link to Culture Amp. Visiting this link triggers the SSO process and logs your users into their Culture Amp account.

We will supply the following information:

  • SAML login URL (where a user should visit to initiate a login)

  • A callback URL (where the SAML provider will send the user’s credentials, for Culture Amp to verify)

  • Audience/Entity ID (identifies Culture Amp as the party sending the login request; in this case, {subdomain}.cultureamp.com. Microsoft Azure Active Directory requires this ID to be prefixed with https://)

To configure SAML, we simply require a single piece of information, the Identity Provider Details, in the form of:

  • Your SAML metadata URL

And that's it!

If you have a SAML or system administrator, you can provide them with the information we will supply to you, and have them contact support@cultureamp.com directly to coordinate the integration.
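Before handing the metadata URL to support, it is worth checking what that document actually declares. The following script is an added example (it is not Culture Amp's code and does not show how Culture Amp consumes metadata): it parses a SAML 2.0 IdP metadata document, reports the entityID, the SingleSignOnService endpoints and the signing certificates, and flags the gaps most likely to break a setup. The metadata itself, the idp.example.test hostnames and the certificate body are all constructed placeholders.

```python
"""Inspect a SAML 2.0 IdP metadata document before sharing it (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: entityID, endpoints and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BODY</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the parts of an IdP metadata document an SP needs to trust it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata has an SPSSODescriptor instead; that is the wrong file to send.
        raise ValueError("no IDPSSODescriptor found (is this SP metadata?)")
    # A KeyDescriptor without a 'use' attribute applies to both signing and encryption.
    signing_certs = [
        (cert.text or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    sso_endpoints = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    name_id_formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso_endpoints": sso_endpoints,
        "name_id_formats": name_id_formats,
    }


def metadata_problems(info: dict) -> list[str]:
    """List configuration gaps that would stop an SP from completing a login."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID is missing")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify assertions")
    if not (info["sso_endpoints"].get(HTTP_REDIRECT) or info["sso_endpoints"].get(HTTP_POST)):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        if location and not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    if info["name_id_formats"] and EMAIL_NAMEID_FORMAT not in info["name_id_formats"]:
        problems.append("emailAddress NameID format is not advertised")
    return problems


if __name__ == "__main__":
    details = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(details["entity_id"], details["sso_endpoints"])
    print("problems:", metadata_problems(details) or "none")
```

Point the script at the content fetched from your metadata URL (for example with `requests.get(url).text`) and fix anything it lists before sending the URL on; a metadata file that advertises only an HTTP endpoint, or none at all, will fail long before the email-matching step described later on this page.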

Configuring ADFS to support Service Provider Initiated SSO

  • For ADFS, you may need to configure custom Claim Rules in order to allow for authentication of your users when visiting {subdomain}.cultureamp.com URLs. For an example of the exact Rule Language, you can refer here for guidance.

  • For an alternate example configuration using the Claim Rules editing UI, see: SAML SSO - ADFS Specific Configuration

Standard Connectors (Okta and OneLogin)

  • There are standard connectors available for both Okta and OneLogin. Just search for 'Culture Amp SAML' in the relevant service provider directory to get started. For these, you should only need your account subdomain.


SAML Technical FAQs

Does Culture Amp support provisioning user accounts through SAML?

No. We do not support SCIM as we separate the authentication and employee data processes out in Culture Amp. The reason for this is that identity providers like Okta and Active Directory do not normally contain the depth of employee demographic information that you would see in an HRIS.

Why am I getting a 403 error message?

The error message is the result of a failed authentication. To log in successfully via the SSO service, the email address being sent from the Active Directory must be exactly the same as the email address assigned to the user in their Culture Amp profile.

If you are not sure what email address is being sent from the Active Directory, you can run the Chrome extension linked below during the sign-on process. Once the user lands on the 403 error page, the extension will give the user the option to export a report. This report can be analysed by your IT team or sent to support@cultureamp.com to confirm the email address that is being sent.

https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en

Does the application support SAML 2.0?

Yes

Is IdP-initiated Sign-On supported (IdP-initiated means you open Okta and click on the Culture Amp application to log in)?

Yes

Is SP-initiated Sign-On supported (SP-initiated means you visit subdomain.cultureamp.com, get redirected to an SSO login screen, and are then returned to Culture Amp)?

Yes

What assertions are needed to send in the SAML token?

The NameID in the assertion must be the user's email address, sent with the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
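The 403 troubleshooting steps above and the NameID requirement come down to one question: what email address, in what format, did the identity provider put in the assertion? The script below is an added example (not Culture Amp code, and not how Culture Amp validates logins): it base64-decodes a SAMLResponse of the kind a SAML tracer export contains, pulls out the Subject NameID, its Format and the Audience, and compares the NameID to the email on the user's Culture Amp profile, distinguishing a case-only difference from an alias domain or an outright mismatch. The embedded response, the idp.example.test issuer, the acme subdomain and the user email are all constructed. The script reads the assertion only; it does not check the signature, so it is a diagnostic aid, not a validator.

```python
"""Explain a SAML 403 by checking what the IdP actually sent (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned response used only to exercise the diagnostic.
_SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>acme.cultureamp.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(_SAMPLE_RESPONSE_XML.encode()).decode()


def extract_subject(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse form value and return the NameID, its Format and the Audience."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion cannot be read without the SP's private key.
        raise ValueError("no plaintext Assertion in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "name_id": (name_id.text or "").strip(),
        "name_id_format": name_id.get("Format", ""),
        "audience": (audience.text or "").strip() if audience is not None else None,
    }


def diagnose(saml_response_b64: str, profile_email: str) -> list[str]:
    """Return human-readable findings explaining why the sent identity would not match."""
    subject = extract_subject(saml_response_b64)
    findings = []
    if subject["name_id_format"] != EMAIL_NAMEID_FORMAT:
        findings.append(
            f"NameID format is {subject['name_id_format'] or '<none>'}; expected {EMAIL_NAMEID_FORMAT}"
        )
    sent = subject["name_id"]
    if sent == profile_email:
        return findings
    if sent.lower() == profile_email.lower():
        findings.append(f"NameID {sent!r} differs from profile email {profile_email!r} only by case")
    elif "@" in sent and "@" in profile_email and \
            sent.split("@", 1)[0].lower() == profile_email.split("@", 1)[0].lower():
        findings.append(f"NameID {sent!r} uses a different domain than profile email {profile_email!r} (alias?)")
    else:
        findings.append(f"NameID {sent!r} does not match profile email {profile_email!r}")
    return findings


if __name__ == "__main__":
    print(extract_subject(SAMPLE_SAML_RESPONSE_B64))
    for finding in diagnose(SAMPLE_SAML_RESPONSE_B64, "jane.doe@example.test"):
        print("-", finding)
```

To use it on a real trace, copy the SAMLResponse value from the POST to the callback URL and pass it as `saml_response_b64` together with the email shown on the user's profile; whatever `diagnose` reports is what needs to change on the IdP side, since the comparison on the Culture Amp side is exact.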

Does the application support SSO Federation?

Yes

Is the application available in the Azure AD Application Gallery?

No

Does Culture Amp support a Multi IDP Environment?

No
