Single sign-on

Culture Amp supports Single-Sign-On (SSO) for your organization in two ways: sign in with Google, or SAML. It's not possible to configure both methods for the same Culture Amp account. Once SSO has been enabled for your account, it is no longer possible to sign in with an email and password on the Sign In page.

Google (Gmail) Apps Integration

If your organization uses Google Apps, you can use this to log into Culture Amp.

All you need to ensure is that the email address in Google matches the one provided in Culture Amp. This is usually the case, although it's possible for users to sometimes use an alias. If this occurs, ensure the email address used in Culture Amp is the same as the one used to log in.

To sign in with Google, simply select "Sign in with Google" at the bottom of the standard sign in page.

SAML Integration

Culture Amp allows your users to sign in via your SAML 2.0 gateway.

This includes organizations with their own SAML infrastructure, as well as organizations using services such as Okta, Bitium, Microsoft Azure, Workday (IDP only), and OneLogin. When SAML is configured, we will give you a unique login link to Culture Amp. Hitting this link will trigger the SSO process and log your users into their Culture Amp account.

We will supply the following information:

  • SAML login URL (where a user should visit to initiate a login)
  • A callback URL (where the SAML provider will send the user’s credentials, for Culture Amp to verify)
  • Audience/Entity ID (the identity of the server that sends the login request. In this case, {subdomain}. Microsoft Azure Active Directory services require the ID to be prefixed with https://)

To configure SAML, we simply require a single piece of information, the Identity Provider Details, in the form of:

  • Your SAML metadata URL 

And that's it!

If you have a SAML or system administrator, you can provide them with the information we will supply to you, and have them contact us directly to coordinate the integration.

SAML Technical FAQs

  • Does the application support SAML 2.0? Yes
  • Is IDP-initiated Sign-On supported (IDP-initiated would be you go into Okta and click on the Culture Amp application to log in)? Yes
  • Is SP-initiated Sign-On supported (SP-initiated is when you visit, you get bounced to an SSO login screen and then returned to Culture Amp)? Yes
  • What assertions are needed to send in the SAML token? urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Does the application support SSO Federation? Yes
  • Is the application available in the Azure AD Application Gallery? No
  • Does Culture Amp support a Multi IDP Environment? No
  • Does Culture Amp support provisioning user accounts through SAML? No
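
Before go-live, an identity provider administrator can check a captured test assertion against the supplied values. The sketch below is an added example, not Culture Amp code: it checks the NameID format from the FAQ, the Audience/Entity ID (including the https:// prefix case noted for Azure), and the callback URL. It assumes the callback URL appears as the assertion's Recipient, and every URL and address in it is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion; all URLs and the address are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.invalid/saml/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def bare(url):
    """Drop a leading https:// so prefix-only mismatches can be spotted."""
    return url[len("https://"):] if url.startswith("https://") else url


def lint_assertion(xml_text, entity_id, callback_url):
    """Return configuration problems found in one captured test assertion.

    Layout checks only; signature and validity window are not verified here.
    Feed it assertions captured from your own IdP, not untrusted XML.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in the assertion")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        if bare(entity_id) in {bare(a) for a in audiences}:
            problems.append("Audience differs from the entity ID only by the https:// prefix")
        else:
            problems.append("Audience does not contain the entity ID")
    recipients = [d.get("Recipient") for d in root.findall(".//saml:SubjectConfirmationData", NS)]
    if callback_url not in recipients:
        problems.append("Recipient does not match the callback URL")
    return problems
```

An empty list means the three values line up; each string in a non-empty list names the setting to correct on the identity provider side.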

Configuring ADFS to support Service Provider Initiated SSO

  • For ADFS, you may need to configure custom Claim Rules in order to allow for authentication of your users when visiting {subdomain} URLs. For an example of the exact Rule Language, you can refer here for guidance.
  • For an alternate example configuration using the Claim Rules editing UI, see: SAML SSO - ADFS Specific Configuration

Standard Connectors (Okta and OneLogin)

There are standard connectors available for both Okta and OneLogin. Just search for 'Culture Amp SAML' in the relevant service provider directory to get started. For these, you should only need your account subdomain.

Note, if you're an EU Data Centre customer, you'll need to append ".eu" to your subdomain; so enter it like this example "" 
