Single sign-on (SSO) in Amplitude


Single sign-on (SSO) is an authentication scheme that enables users to use a single ID and password combination to log into multiple platforms, services, or systems. Amplitude supports SSO and is compatible with any SAML 2.0-compliant SSO provider, including:

Just click through to see more detailed information on setting up and configuring SSO with each of these services.

Feature availability

This feature is available to users on Growth and Enterprise plans only. See our pricing page for more details.

SSO Basics

Some things you should be aware of:

  • You can require members of your organization to sign in with SSO. Doing so will prevent users from signing in with their email and password, so make sure your SSO system is working and configured properly before turning it on in Amplitude.
  • You can also automatically grant new users access to your organization via just-in-time provisioning. Amplitude only requires a new user to successfully authenticate with your identity provider; once authentication is received, Amplitude will add the user to your organization. You can then configure roles for each new user to reflect their needs, and those of the organization.

    Enterprise customers with access to project permissions can also choose the default project(s) that JIT-provisioned users will have access to.

  • When a user attempts to use SSO to sign in, Amplitude uses their email address in the SAML assertion to identify them. Amplitude will attempt to find the user's email by looking in these places, in this order:
    1. The assertion subject
    2. An email claim attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
    3. An "emailaddress" attribute (case insensitive)
    4. An "email" attribute (case insensitive)

If a valid email address cannot be found, the user will not be able to log into Amplitude.
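
Before requiring SSO, it helps to check which field of your identity provider's assertion would actually supply the email. The following is an added example, not Amplitude's code: it walks the lookup order listed above over a constructed, unsigned test assertion. The function names, the email validity pattern, and the fall-through when an entry is not a valid email are assumptions; it performs no signature validation and is meant only for inspecting a test assertion from your own IdP.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Assumption: a deliberately simple check; the page does not define "valid".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_email(assertion_xml):
    """Return (source, email) per the documented order, or None. No signature checks."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    candidates = [("subject", name_id.text)] if name_id is not None else []
    attrs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs.append((attr.get("Name", ""), value.text if value is not None else None))
    for label, match in (
        ("email claim", lambda n: n == EMAIL_CLAIM),
        ("emailaddress", lambda n: n.lower() == "emailaddress"),
        ("email", lambda n: n.lower() == "email"),
    ):
        candidates += [(label, v) for n, v in attrs if match(n)]
    # Assumption: an entry that is not a valid email falls through to the next one.
    for source, value in candidates:
        value = (value or "").strip()
        if EMAIL_RE.match(value):
            return source, value
    return None


def sample(name_id, attrs):
    """Build a constructed, unsigned assertion for testing (not a real IdP response)."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    print(resolve_email(sample("a1b2c3-opaque-id", [("Email", "ana@example.com")])))
    print(resolve_email(sample("a1b2c3-opaque-id", [("displayName", "Ana")])))
```

A result of None corresponds to the case where the user cannot log in. A result whose source is "subject" means any email attributes in the assertion are ignored, so the NameID must carry the address the user is known by.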