Get Started
Data
Analytics
Amplitude AI
Session Replay
Guides and Surveys
AI Assistant
Experiment
Admin
SDKs APIs
Partners
FAQ
Admin
/
Single Sign-On
/
Set up single sign-on (SSO) for Amplitude using AWS IAM Identity Center

Set up single sign-on (SSO) for Amplitude using AWS IAM Identity Center

Amplitude provides a single sign-on integration with AWS IAM Identity Center (formerly AWS SSO) for customers on Scholarship, Growth, or Enterprise plans.

Before you begin

For some general information about SSO, go to this article on SSO in Amplitude.

To set up SSO, you must be an org admin for your Amplitude organization. You must also have permission to create and configure custom SAML 2.0 applications in AWS IAM Identity Center.

Set up SSO for Amplitude using AWS IAM Identity Center

To configure SSO for Amplitude using AWS IAM Identity Center, follow these steps:

  1. Sign in to the AWS console and open IAM Identity Center.
  2. In the left navigation, select Applications, then click Add application.
  3. Select I have an application I want to set up and then select the SAML 2.0 application type and then click Next.
  4. Enter a Display name (for example, "Amplitude") and an optional Description.
  5. In the IAM Identity Center metadata section, click Download to save the IAM Identity Center SAML metadata file. Save the XML file to your local drive.
  6. In Amplitude, navigate to Settings > Organization settings > Access & SSO Settings > Single Sign-On Settings. From the Identity Provider dropdown, select Other, and upload the metadata file you downloaded from AWS.
  7. Copy the Entity ID and Assertion Consumer Service URL shown on the Amplitude SSO settings page.
  8. In AWS, in the Application metadata section, select Manually type your metadata values and paste the Application ACS URL (the assertion consumer service URL from Amplitude) and the Application SAML audience (the entity ID from Amplitude). Click Submit to create the application.
  9. On the application detail page in AWS, open the Actions dropdown and select Edit attribute mappings. Configure the Subject row with these values:
    • Maps to this string value or user attribute in IAM Identity Center: ${user:email}.
    • Format: emailAddress.
  10. Click Add new attribute mapping and add a second row with these values:
    • User attribute in the application: email.
    • Maps to this string value or user attribute in IAM Identity Center: ${user:email}.
    • Format: basic.
  11. Click Save changes.
  12. On the application detail page, select the Assigned users and groups tab.
  13. Click Assign users and groups, choose the IAM Identity Center users or groups that should be able to sign in to Amplitude, and click Assign users.
  14. Confirm that each assigned user has a Primary email set on their IAM Identity Center user record. Without it, the ${user:email} mapping resolves to an empty value and sign-in fails.
  15. Sign in to the AWS access portal as an assigned user and click the Amplitude tile to test the integration.

Note

Steps 9 and 10 are required. AWS IAM Identity Center doesn't send any user attributes by default. If you skip the attribute mappings, the SAML assertion AWS sends to Amplitude either contains placeholder text instead of the user's email or contains an empty attribute statement, and sign-in fails.

Was this page helpful?

April 29th, 2026

Need help? Contact Support

Visit Amplitude.com

Have a look at the Amplitude Blog

Learn more at Amplitude Academy

Terms of Service Privacy Notice Acceptable Use Policy Legal

© 2026 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.