Get Started
Data
Analytics
Session Replay
Feature Experiment Web Experiment
Admin
SDKs APIs
Partners
FAQ
Monthly tracked users (MTUs) billing guide Usage reports: Understand how your organization uses Amplitude
The Settings page Change the unit of currency your project uses Set up SCIM provisioning in Amplitude Portfolio: Conduct cross-project analysis in Amplitude Manage organizations and projects Manage permissions at scale with permission groups Manage user privacy notifications in Amplitude Manage users and permissions User roles and permissions in Amplitude Self-service data deletion in Amplitude Webhooks for custom monitors
Single sign-on (SSO) in Amplitude Set up single sign-on (SSO) for Amplitude using Auth0 Set up single sign-on (SSO) for Amplitude using G Suite Set up single sign-on (SSO) for Amplitude using Microsoft Azure Active Directory Set up single sign-on (SSO) for Amplitude using Okta Set up single sign-on (SSO) for Amplitude using OneLogin Set up single sign-on (SSO) for Amplitude using another service
Admin
/

Single sign-on (SSO) in Amplitude

This article helps you:

  • Understand the basics of using single sign-on in Amplitude

Single sign-on (SSO) is an authentication scheme that enables users to use a single ID and password combination to log into multiple platforms, services, or systems. Amplitude supports SSO and is compatible with any SAML 2.0-compliant SSO provider, including:

Just click through to see more detailed information on setting up and configuring SSO with each of these services.

Feature availability

This feature is available to users on Growth and Enterprise plans only. See our pricing page for more details.

SSO Basics

Some things you should be aware of:

  • You can require members of your organization to sign in with SSO. Doing so will prevent users from signing in with their email and password, so make sure your SSO system is working and configured properly before turning it on in Amplitude.
  • You can also automatically grant new users access to your organization via just-in-time provisioning. Amplitude only requires a new user to successfully authenticate with your identity provider; once authentication is received, Amplitude will add the user to your organization. You can then configure roles for each new user to reflect their needs, and those of the organization.

Enterprise customers with access to project permissions can also choose the default project(s) that JIT-provisioned users will have access to.

  • When a user attempts to use SSO to sign in, Amplitude uses their email address in the SAML assertion to identify them. Amplitude will attempt to find the user's email by looking in these places, in this order:
  1. The assertion subject
  2. An email claim attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
  3. An "emailaddress" attribute (case insensitive)
  4. An "email" attribute (case insensitive)

If a valid email address cannot be found, the user will not be able to log into Amplitude.

Was this page helpful?

Thanks for your feedback!

September 26th, 2024

Need help? Contact Support

Visit Amplitude.com

Have a look at the Amplitude Blog

Learn more at Amplitude Academy

Terms of Service Privacy Notice Acceptable Use Policy Legal

© 2024 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.