---
id: e2da7519-44bf-4d25-a8a7-1dccb9232ced
blueprint: single-sign-on
title: 'Set up single sign-on (SSO) for Amplitude using AWS IAM Identity Center'
---
Amplitude provides a single sign-on integration with AWS IAM Identity Center (formerly AWS SSO) for customers on Scholarship, Growth, or Enterprise plans.

## Before you begin

For general information about SSO, see [this article on SSO in Amplitude](/docs/admin/single-sign-on/sso).

To set up SSO, you must be an [org admin](/docs/admin/account-management/manage-users) for your Amplitude organization. You must also have permission to create and configure custom SAML 2.0 applications in AWS IAM Identity Center.

## Set up SSO for Amplitude using AWS IAM Identity Center

To configure SSO for Amplitude using AWS IAM Identity Center, follow these steps:

1. Sign in to the AWS console and open *IAM Identity Center*.
2. In the left navigation, select *Applications*, then click **Add application**.
3. Select **I have an application I want to set up**, select the **SAML 2.0** application type, and then click **Next**.
4. Enter a **Display name** (for example, "Amplitude") and an optional **Description**.
5. In the IAM Identity Center metadata section, click **Download** to save the *IAM Identity Center SAML metadata file*. Save the XML file to your local drive.
6. In Amplitude, navigate to *Settings > Organization settings > Access & SSO Settings > Single Sign-On Settings*. From the *Identity Provider* dropdown, select **Other**, and upload the metadata file you downloaded from AWS.
7. Copy the *Entity ID* and *Assertion Consumer Service URL* shown on the Amplitude SSO settings page.
8. In AWS, in the *Application metadata* section, select **Manually type your metadata values** and paste the *Application ACS URL* (the assertion consumer service URL from Amplitude) and the *Application SAML audience* (the entity ID from Amplitude). Click **Submit** to create the application.
9. On the application detail page in AWS, open the *Actions* dropdown and select *Edit attribute mappings*. Configure the **Subject** row with these values:
    - **Maps to this string value or user attribute in IAM Identity Center**: `${user:email}`.
    - **Format**: `emailAddress`.
10. Click **Add new attribute mapping** and add a second row with these values:
    - **User attribute in the application**: `email`.
    - **Maps to this string value or user attribute in IAM Identity Center**: `${user:email}`.
    - **Format**: `basic`.
11. Click **Save changes**.
12. On the application detail page, select the **Assigned users and groups** tab.
13. Click **Assign users and groups**, choose the IAM Identity Center users or groups that should be able to sign in to Amplitude, and click **Assign users**.
14. Confirm that each assigned user has a *Primary email* set on their IAM Identity Center user record. Without it, the `${user:email}` mapping resolves to an empty value and sign-in fails.
15. Sign in to the AWS access portal as an assigned user and click the Amplitude tile to test the integration.

{{partial:admonition type='note'}}
Steps 9 and 10 are required. AWS IAM Identity Center doesn't send any user attributes by default. If you skip the attribute mappings, the SAML assertion AWS sends to Amplitude either contains placeholder text instead of the user's email or contains an empty attribute statement, and sign-in fails.
{{/partial:admonition}}
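
If the test in step 15 fails, you can capture the base64 `SAMLResponse` from your own test sign-in and check it against steps 8, 9, 10, and 14. The script below is an added example, not Amplitude or AWS code. It is a diagnostic only and does not verify the assertion's signature. The `ENTITY_ID` value, the sample responses, and the rule that an unresolved mapping shows up as empty text or a literal `${...}` are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ENTITY_ID = "https://sp.example.invalid/entity-id"  # placeholder, not Amplitude's real value

def looks_like_email(value):
    # Assumption: an unresolved mapping appears as empty text or a literal "${...}".
    value = (value or "").strip()
    return "@" in value and "${" not in value

def check_saml_response(b64_response, expected_audience):
    """List problems in a base64 SAMLResponse captured from your own test sign-in."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present; refusing to parse"]
    assertion = ET.fromstring(xml).find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element"]
    problems = []
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or not looks_like_email(name_id.text):
        problems.append("Subject NameID is not an email (step 9)")
    elif not name_id.get("Format", "").endswith(":emailAddress"):
        problems.append("Subject NameID Format is not emailAddress (step 9)")
    emails = [v.text for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS)
              if attr.get("Name") == "email" for v in attr.findall("a:AttributeValue", NS)]
    if not emails or not all(looks_like_email(e) for e in emails):
        problems.append("'email' attribute missing, empty or unresolved (steps 10, 14)")
    audiences = [a.text for a in assertion.findall(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience is not the Amplitude Entity ID (step 8)")
    return problems

def build_sample(name_id, fmt, email_value, audience=ENTITY_ID):
    """Constructed, unsigned sample response; stands in for a captured one."""
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"><a:Assertion>'
           f'<a:Subject><a:NameID Format="{fmt}">{name_id}</a:NameID></a:Subject>'
           f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
           f'</a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
           f'<a:Attribute Name="email"><a:AttributeValue>{email_value}</a:AttributeValue>'
           f'</a:Attribute></a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample("ana@example.com", EMAIL_FMT, "ana@example.com"), ENTITY_ID))
    print(check_saml_response(build_sample("${user:email}", "x:unspecified", ""), ENTITY_ID))
```

An empty list means the assertion carries the Subject, `email` attribute, and audience that the steps above configure.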
