What can I learn from this page? | Guidance on the different Single Sign-On (SSO) options |
Who is this guide for? | Account Admins, IT |
To enhance your organization's security and simplify the login process, Culture Amp supports Single Sign-On (SSO) via Google or SAML. This article will guide you through setting up SSO, including the options available and troubleshooting common issues.
What you need to know about SSO
Culture Amp supports SSO through two methods: Google (Gmail) apps integration and SAML 2.0 integration. Both are described below.
📌 Note: You cannot configure both methods simultaneously. Once SSO is enabled, it's recommended to disable the Email (password) and Google sign-in options so that SSO is the only login method: while those options remain enabled, a user can still sign in with a password and bypass any MFA or conditional-access policy your identity provider enforces. Our support team can disable the other login methods for you. Just reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist.
Google (Gmail) apps integration
If your organization uses Google Workspace (formerly Google Apps), you can use it to log in to Culture Amp. Here's what you need to do:
Verify the email address: Ensure the email address used in Google matches the one in Culture Amp. If there's a discrepancy, for example the user signs in to Google with an alias, update the Culture Amp email to match the primary Google address.
Sign in: On the Culture Amp sign-in page, select Sign in with Google.
📌 Note: If you or another user encounters an issue, first confirm that the Google email address matches the one in Culture Amp exactly.
SAML integration
Culture Amp supports SSO through SAML 2.0 identity providers. This method suits organizations that run their own SAML infrastructure or use services such as Okta, Bitium, Microsoft Azure AD (now Microsoft Entra ID), Workday (IdP only), and OneLogin.
When SAML is configured, we will give you a unique login link to Culture Amp. Opening this link starts the SSO process (an SP-initiated login) and signs your users in to their Culture Amp account.
Steps for SAML setup:
Request Configuration Details: Have an Account Admin contact Culture Amp Support by replying with "Ask a Person" in a support conversation to speak with a Product Support Specialist. Request the following details:
SAML Login URL: The URL users will use to start their login.
Callback URL: The Assertion Consumer Service (ACS) URL, where your identity provider posts the signed SAML response for Culture Amp to verify. What is sent is a SAML assertion about the user, not the user's credentials.
Audience/Entity ID: The identifier of Culture Amp as the service provider. Your identity provider places it in the assertion's Audience restriction, and Culture Amp's login requests are sent under this identity. Usually in the format {subdomain}.cultureamp.com. Microsoft Azure AD requires the ID to be prefixed with https://.
Share Information: Share the details with your IT team or SAML administrator, who will handle the setup of your SAML service.
Configure SAML: To finalize the set-up in your Culture Amp account, have an Account Admin reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist. During that support conversation, provide the team with your SAML Metadata URL; this is how Culture Amp obtains your identity provider's SSO endpoint and signing certificate.
And that's it!
📌 Note: If you’re handling the SSO set-up as an IT team member or SAML administrator but aren’t an Account Admin, please ensure that an Account Admin is copied on all set-up requests and approves them. We need their approval before we can provide the SSO details or complete the connection.
Configuring ADFS to support service provider initiated SSO
For ADFS, you may need to configure custom Claim Rules for user authentication when users visit {subdomain}.cultureamp.com URLs. For an example of the exact Rule Language, you can refer to the ServiceNow documentation. Alternatively, review the SAML SSO - ADFS Specific Configuration support guide for a different example using the Claim Rules editing UI.
Standard connectors (Okta and OneLogin)
For Okta and OneLogin, standard connectors are available: search for Culture Amp SAML in the Okta Integration Network or the OneLogin app catalog. You'll only need your account subdomain*
📌 *Note: For EU and AU data centre hosted Culture Amp accounts, you'll need to append either .eu or .au to your subdomain.
Example EU data centre: subdomain.eu
Example AU data centre: subdomain.au
📚Key Resources
Admin/IT:
Set up SAML SSO - ADFS specific configuration: Use this to guide you through an ADFS configuration where the LDAP User-Principal-Name attribute needs to be mapped to the outgoing claim type 'Name ID' with the format 'Email'.
Employee:
Login to Culture Amp: Discover how users can access Culture Amp using Email/Password, SSO, or Google login.
Technical FAQs
Does Culture Amp support provisioning user accounts through SAML?
No. We do not support SCIM, because Culture Amp keeps authentication separate from employee data processing. Identity providers such as Okta and Active Directory do not normally hold the depth of employee demographic information that an HRIS does, so user records are loaded from your HRIS rather than from the identity provider.
Why am I getting a 403 error message?
The error message is the result of a failed authentication. To log in successfully via SSO, the email address your identity provider sends in the SAML assertion (the NameID) must exactly match the email address on the user's Culture Amp profile.
To address this issue, start by using the SAML-tracer browser extension (available for Firefox and Chrome) to check the email address being sent during the login attempt. Once you reach the 403 error page, the extension lets you export a report of the exchange. Review this report with your IT team to confirm the email address your identity provider (for example Active Directory) is sending. The export contains the full SAML assertion, so share it only with your IT team over a trusted channel.
If discrepancies are found, Account Admins can update the email in Culture Amp, while your IT team can make the necessary adjustments in your identity provider.
If you need further help, just reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist.
Does the application support SAML 2.0?
Yes
Is IdP-initiated Sign-On supported (IdP-initiated means you go into Okta and click on the Culture Amp application to log in)?
Yes
Is SP-initiated Sign-On supported (SP-initiated means you visit subdomain.cultureamp.com, get redirected to an SSO login screen, and are then returned to Culture Amp)?
Yes
What assertions are needed in the SAML token?
The Subject NameID must carry the user's email address, with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
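The 403 FAQ above says the email in the assertion must exactly match the Culture Amp profile email, and this FAQ gives the NameID format Culture Amp expects. The following script is an added example (not Culture Amp's code) that checks both against a base64 SAMLResponse value of the kind SAML-tracer shows in the POST to the callback URL. It assumes the assertion is unencrypted; the identity provider at idp.example.com, the acme subdomain and the sample responses are constructed for illustration.

```python
"""Check the NameID in a captured SAML response against a Culture Amp profile email.

Added example for this article; it is not Culture Amp's code. Paste in the
base64 SAMLResponse value that SAML-tracer shows in the POST to the Culture
Amp callback URL (assumed unencrypted, as most test set-ups are).
"""
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for input you do not control

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def extract_name_id(saml_response_b64):
    """Return (Format, value) of the Subject NameID in a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it with the SP key first")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no Subject/NameID in the assertion")
    return name_id.get("Format", ""), (name_id.text or "").strip()


def diagnose(saml_response_b64, profile_email):
    """List the mismatches that would make Culture Amp reject the login.

    This only inspects the assertion; it does not verify its signature,
    so it is a debugging aid for a 403, not a validator.
    """
    fmt, sent_email = extract_name_id(saml_response_b64)
    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}; expected {EMAIL_FORMAT!r}")
    if sent_email != profile_email:
        if sent_email.lower() == profile_email.lower():
            # The article requires an exact match, so a case difference still fails.
            detail = "differs only by letter case"
        else:
            detail = "is a different address (alias or wrong attribute mapped?)"
        problems.append(
            f"NameID {sent_email!r} {detail}; Culture Amp profile has {profile_email!r}"
        )
    return problems


def _encode(xml_text):
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample responses (not real captures); signatures omitted, and
# idp.example.com / acme.cultureamp.com are hypothetical names.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{email}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>acme.cultureamp.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

GOOD_RESPONSE = _encode(_TEMPLATE.format(fmt=EMAIL_FORMAT, email="jane.doe@example.com"))
CASE_RESPONSE = _encode(_TEMPLATE.format(fmt=EMAIL_FORMAT, email="Jane.Doe@example.com"))
UPN_RESPONSE = _encode(_TEMPLATE.format(
    fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    email="jdoe@corp.example.com"))

if __name__ == "__main__":
    for label, resp in [("good", GOOD_RESPONSE), ("case", CASE_RESPONSE), ("upn", UPN_RESPONSE)]:
        print(label, diagnose(resp, "jane.doe@example.com") or "OK")
```

The UPN sample shows the most common real-world cause of a 403: the identity provider maps a user principal name or internal alias into the NameID instead of the mailbox address held in Culture Amp. Fix the attribute mapping on the identity provider side, or update the profile email, rather than loosening anything in Culture Amp.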
Does the application support SSO Federation?
Yes
Is the application available in the Azure AD Application Gallery?
No
Does Culture Amp support a Multi IdP Environment?
No
💬 Need help? Just reply with "Ask a Person" in a support conversation to speak with a Product Support Specialist.