On this page

Set up single sign-on (SSO) for Amplitude using another service

You can set up single sign-on (SSO) using a custom-built SSO provider or a provider not explicitly named in the Amplitude app. Amplitude is compatible with any SAML 2.0-compliant SSO provider.

Before you begin

Read single sign-on in Amplitude to understand the basic requirements.

What your identity provider must send

Amplitude expects your identity provider to send a SAML response that contains the user's email address. At a minimum:

  • Set the assertion Subject to the user's email address, with format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • Map at least one SAML attribute (for example, email) to a non-empty value. Some identity providers emit an empty <AttributeStatement> element when you don't configure any attributes, which prevents Amplitude from processing the SAML response.
  • Sign either the SAML response, the assertion, or both. Amplitude accepts any of these signing modes.

If your identity provider supports it, set the assertion Subject to the user's email address rather than a username or numeric ID. Amplitude looks at the Subject first when resolving the user.

Set up SSO for an unlisted ("Other") SSO provider

To set up SSO using a provider that isn't Auth0, AWS IAM Identity Center, G Suite, Microsoft Azure Active Directory, Okta, or OneLogin, click the gear icon in Amplitude and navigate to Organization Settings > Access & SSO Settings. Then, from the Identity Provider dropdown, select Other.

Find the Entity ID and Assertion Consumer Service (ACS) URL on the same Amplitude SSO settings page. Both values are specific to your organization and follow these patterns:

  • Entity ID: https://amplitude.com/saml/2/metadata/<your-org-id>
  • Assertion Consumer Service URL: https://amplitude.com/saml/2/acs/<your-org-id>

Enter the Entity ID and ACS URL in the appropriate fields in your identity provider's app configuration. Some providers label the Entity ID field as Audience.

Next, download the IdP metadata file from your provider. In Amplitude, upload the metadata file, then click Save.

Was this helpful?