Single sign-on (SSO) is available to customers on the Enterprise plan.
SSO configuration in Amplitude is restricted to organization admins.
Before enabling SSO, you will need to contact your Success Manager to configure your organization's email domains.
SSO is supported via a number of SAML integrations:
Even if your identity provider is not listed, Amplitude should work with any SAML 2.0 compliant provider.
You can force members of your organization to sign in with SSO. Enabling this option will prevent all of your users (including you) from signing in with their email and password, so make sure SSO is working before you turn it on.
JIT Provisioning Role
Just-in-time provisioning is a way of automatically granting access to your organization. New users who successfully authenticate with your identity provider will be added to your organization without anyone needing to invite them. You can configure the role that these users will be granted.
Setting the role to "None" will disable this behavior, and users won't have access to your organization until they are invited.
To identify users, Amplitude must be provided with each user's email address in the SAML Assertion.
Amplitude will attempt to find the user's email in this order:
- The Assertion Subject.
- An email claim Attribute (
- An "emailaddress" Attribute (case insensitive).
- An "email" Attribute (case insensitive).
If a valid email address cannot be found, the user will not be able to log in to Amplitude.
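The lookup order above, as an added example (not Amplitude's code) for checking which field of a decoded test assertion from your identity provider would supply the email. It assumes that a value failing a rough email-shape check falls through to the next source; the email claim attribute name is a placeholder you supply, and signature validation is out of scope.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Rough shape check only (assumption); the page does not define "valid".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Placeholder: supply the email claim attribute name your IdP uses.
EMAIL_CLAIM_NAME = "EMAIL-CLAIM-ATTRIBUTE-NAME-PLACEHOLDER"


def resolve_email(assertion_xml, email_claim_name=EMAIL_CLAIM_NAME):
    """Return (source, email) for the first valid email in lookup order, else None."""
    root = ET.fromstring(assertion_xml)  # inspect only assertions from your own IdP
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs.append((attr.get("Name", ""), value.text if value is not None else None))

    def first_attr(match):
        return next((v for n, v in attrs if match(n)), None)

    candidates = [
        ("subject", name_id.text if name_id is not None else None),
        ("email claim", first_attr(lambda n: n == email_claim_name)),
        ("emailaddress", first_attr(lambda n: n.lower() == "emailaddress")),
        ("email", first_attr(lambda n: n.lower() == "email")),
    ]
    for source, value in candidates:
        if value and EMAIL_RE.match(value.strip()):
            return source, value.strip()
    return None  # per the page, this user cannot log in


def build_assertion(name_id, attributes):
    """Build a constructed, unsigned sample assertion for the checks below."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: opaque subject, email subject, and no usable email at all.
OPAQUE_SUBJECT = build_assertion("auth0|5f1c-constructed", [("EmailAddress", "dana@example.com"), ("email", "d@example.org")])
EMAIL_SUBJECT = build_assertion("dana@example.com", [("email", "other@example.com")])
NO_EMAIL = build_assertion("auth0|5f1c-constructed", [("displayName", "Dana")])
```

When the Subject is an opaque identifier rather than an email, the result shows which attribute is used instead; a `None` result means the identity provider's attribute mapping needs fixing before SSO is enforced.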
Single Sign-On: Auth0
In order to set up SSO:
- Contact your Success Manager to enable SSO for your email domain.
- You must be an org admin for your organization in Amplitude.
- You must be able to configure Auth0 for your organization.
Then follow these setup steps:
- Go to the Clients page in Auth0.
- Create a new client for Amplitude. The client type isn't important because Amplitude will only be communicating with Auth0 via SAML.
- Go to the Addons page and enable the SAML2 plugin. A dialog will open and ask for the "Application Callback URL". This is the Assertion Consumer Service URL that can be found in the SSO settings in Amplitude.
- After entering the URL and saving the SAML2 settings, go to the usage tab and download the Identity Provider Metadata.
- Back in Amplitude, select Auth0 as your identity provider and upload the metadata file.
- Save your changes to enable SSO.