Single sign-on (SSO) is available to customers on the Enterprise plan.
SSO configuration in Amplitude is restricted to organization admins.
Table of Contents
Providers
SSO is supported via a number of SAML integrations:
Even if your identity provider is not listed Amplitude should work with any SAML 2.0 compliant provider.
Require SSO
You can force members of your organization to sign-in with SSO. Enabling this option will prevent all of your users (including you) from signing in with their email and password, so make sure SSO is working before you turn it on.
JIT Provisioning Role
Just-in-time provisioning is a way of automatically granting access to your organization. New users that successfully authenticate with your identity provider will be added to your organization without anyone needing to invite them. You can configure the role that these users will be granted.
Setting the role to "None" will disable this behavior and users won't have access to your organization until they are invited.
Enterprise plan Customers with access to project permissions, can also choose the default Project(s) that JIT provisioned users will have access to.
Emails
In order to identify users Amplitude must be provided each user's email address in the SAML Assertion.
Amplitude will attempt to find the user's email in this order:
- The Assertion Subject.
- An email claim Attribute (
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). - An "emailaddress" Attribute (case insensitive).
- An "email" Attribute (case insensitive).
If a valid email address cannot be found the user will not be able to login into Amplitude.