Single sign-on (SSO) in Amplitude

Single sign-on (SSO) is an authentication scheme that enables users to use a single ID and password combination to log into multiple platforms, services, or systems. Amplitude supports SSO and is compatible with any SAML 2.0-compliant SSO provider, including:

• Auth0
• AWS IAM Identity Center
• G Suite
• Microsoft Azure Active Directory
• Okta
• OneLogin
• Other providers not specifically named

Just click through to see more detailed information on setting up and configuring SSO with each of these services.

SSO Basics

Some things you should be aware of:

• You can require members of your organization to sign in with SSO. Doing so will prevent users from signing in with their email and password, so make sure your SSO system is working and configured properly before turning it on in Amplitude.
• You can also automatically grant new users access to your organization via just-in-time provisioning. Amplitude only requires a new user to successfully authenticate with your identity provider; once authentication is received, Amplitude will add the user to your organization. You can then configure roles for each new user to reflect their needs, and those of the organization.

Enterprise customers with access to project permissions can also choose the default project(s) that JIT-provisioned users will have access to.

What your identity provider must send

When a user signs in through SSO, Amplitude looks for their email in the SAML assertion in this order:

1. The assertion subject.
2. An email claim attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
3. An emailaddress attribute (case insensitive).
4. An email attribute (case insensitive).

If Amplitude can't find a valid email, the user can't sign in. Most identity providers send the email by default. If yours doesn't, follow the provider-specific guide linked above to map the user's email into the assertion.