
Amplitude provides a single sign-on integration with AWS IAM Identity Center (formerly AWS SSO) for customers on Scholarship, Growth, or Enterprise plans.

## Before you begin

For general information about SSO, go to [SSO in Amplitude](/docs/admin/single-sign-on/sso).

To set up SSO, you must be an [org admin](/docs/admin/account-management/manage-users) for your Amplitude organization. You must also have permission to create and configure custom SAML 2.0 applications in AWS IAM Identity Center.

## Set up SSO for Amplitude using AWS IAM Identity Center

To configure SSO for Amplitude using AWS IAM Identity Center:

1. Sign in to the AWS console and open _IAM Identity Center_.
2. In the left navigation, select _Applications_, then click **Add application**.
3. Select **I have an application I want to set up**, select the **SAML 2.0** application type, and then click **Next**.
4. Enter a **Display name** (for example, "Amplitude") and an optional **Description**.
5. In the IAM Identity Center metadata section, click **Download** to save the _IAM Identity Center SAML metadata file_. Save the XML file to your local drive.
6. In Amplitude, navigate to _Settings > Organization settings > Access & SSO Settings > Single Sign-On Settings_. From the _Identity Provider_ dropdown, select **Other**, and upload the metadata file you downloaded from AWS.
7. Copy the _Entity ID_ and _Assertion Consumer Service URL_ shown on the Amplitude SSO settings page.
8. In AWS, in the _Application metadata_ section, select **Manually type your metadata values** and paste the _Application ACS URL_ (the assertion consumer service URL from Amplitude) and the _Application SAML audience_ (the entity ID from Amplitude). Click **Submit** to create the application.
9. On the application detail page in AWS, open the _Actions_ dropdown and select _Edit attribute mappings_. Configure the **Subject** row with these values:
   - **Maps to this string value or user attribute in IAM Identity Center**: `${user:email}`.
   - **Format**: `emailAddress`.
10. Click **Add new attribute mapping** and add a second row with these values:
    - **User attribute in the application**: `email`.
    - **Maps to this string value or user attribute in IAM Identity Center**: `${user:email}`.
    - **Format**: `basic`.
11. Click **Save changes**.
12. On the application detail page, select the **Assigned users and groups** tab.
13. Click **Assign users and groups**, choose the IAM Identity Center users or groups that need to sign in to Amplitude, and click **Assign users**.
14. Confirm that each assigned user has a _Primary email_ set on their IAM Identity Center user record. Without it, the `${user:email}` mapping resolves to an empty value and sign-in fails.
15. Sign in to the AWS access portal as an assigned user and click the Amplitude tile to test the integration.

{% callout type="note" %}
Steps 9 and 10 are required. AWS IAM Identity Center doesn't send any user attributes by default. If you skip the attribute mappings, the SAML assertion AWS sends to Amplitude either contains placeholder text instead of the user's email or contains an empty attribute statement, and sign-in fails.
{% /callout %}
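To confirm the mappings from steps 9, 10, and 14 took effect, you can inspect the decoded SAML response captured during the step 15 test. The following is an added example, not Amplitude or AWS code: it checks the Subject, the `email` attribute, and the audience. The sample assertion, the audience URL, and the assumption that unresolved placeholder text contains `${` are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AUDIENCE = "https://sp.example.invalid/entity"  # placeholder for the Amplitude Entity ID

# Constructed sample assertion (unsigned, trimmed); not real AWS output.
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{nid}</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/entity</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>{attrs}</saml:AttributeStatement>
</saml:Assertion>"""
EMAIL_ATTR = '<saml:Attribute Name="email"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'

def is_unresolved(value):
    # Empty value, or (assumed form) an unresolved mapping such as ${user:email}
    return value is None or not value.strip() or "${" in value

def check_assertion(xml_text, expected_audience):
    """List mapping problems in a decoded SAML response or assertion.
    Run this only on assertions you captured yourself; it checks content,
    not the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if is_unresolved(name_id.text):
            problems.append("NameID is empty or a placeholder")
    emails = [v.text
              for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "email"
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not emails:
        problems.append("email attribute missing")
    elif any(is_unresolved(e) for e in emails):
        problems.append("email attribute is empty or a placeholder")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not match the Amplitude entity ID")
    return problems

if __name__ == "__main__":
    skipped = TEMPLATE.format(nid="${user:email}", attrs="")  # steps 9-10 skipped
    print(check_assertion(skipped, AUDIENCE))
```

An empty result means the Subject and `email` attribute both carry a resolved address and the audience matches the entity ID you pasted in step 8.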
