
Single sign-on

Single sign-on (SSO) allows you to log in to Amplience (including Content Hub and Dynamic Content) without needing an Amplience-specific user name and password. You can use your own identity provider and the credentials you already have.

SSO provides many benefits, including:

  • You can switch between Content Hub and Dynamic Content easily. You don't need to log in to each app.
  • You use your existing credentials and do not need a new user name and password for Amplience.
  • For an organization it provides more control over who has access to the systems they use. For example, if someone leaves an organization and is removed from their identity provider platform, then they can no longer log in.
  • You can also take advantage of multi-factor authentication and the password complexity and password expiry settings implemented by your identity provider.

Logging in using Single sign-on

When our provisioning team have enabled single sign-on on your account, you will be provided with a login URL to use to access Amplience services.

<yourcompanydomain>.app.amplience.net

If you're not currently logged in, then you will be taken to the login page. Clicking "Log in" will take you to your identity provider's login screen.

If you're already logged in, you'll be taken directly to the Amplience landing page.

The Amplience single sign-on login page

After clicking "Log in" on the Amplience login page, you'll be redirected to your identity provider's login page. The example below is using JumpCloud, but your chosen identity provider will be shown instead.

Log in using the name and password that you use for this identity provider and click the "SSO Login" button. The name and password will be verified with your identity provider and you'll be logged in to Amplience.

You are redirected to the login page for the identity provider used by your organization. You can log in using your usual credentials.

From the Amplience landing page (shown below) you can launch Dynamic Content or Content Hub, view the documentation site and launch the support portal.

The Amplience landing page. From here you can launch Dynamic Content and Content Hub and visit the documentation site, Dynamic Media playground or support hub.

Switching between apps

In both the Dynamic Content and Content Hub apps, you can open the app switcher, which allows you to switch between apps easily. Once logged in to Amplience, you won't need to log in to any of these services again.

The switcher menu is available in Dynamic Content and Content Hub and allows you to switch between apps.

Single sign-on configuration

Single sign-on (SSO) allows users to log in to Amplience using their organization's identity provider, without requiring an Amplience-specific user name and password.

SSO login process

When using SSO, the login process will be as follows:

  • The user visits the Amplience single sign-on page for their organization and clicks the "Log in" button.

The Amplience single sign-on login page.

  • The user is redirected to the single sign-on page of the identity provider configured for their organization and enters their usual name and password.

From the login page you are redirected to the login page of your identity provider.

  • The identity provider then authenticates the user and sends a "claim" to the Amplience authentication service. This will include the user's email address.
  • Amplience will then check that the user is allowed access and if so logs the user in. If the user has not been set up for access to Amplience, then an error will be displayed.

Note that you must inform Amplience of the email address of each user that you wish to grant access. See adding a user.

Identity providers

Amplience single sign-on supports most enterprise identity providers, including (but not limited to) Google Workspace, Azure Active Directory, Okta and Ping.

Almost all identity providers use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) as the authentication protocol between the identity provider and the service provider, which in this case is Amplience.

The authentication protocol you use will determine how Amplience will be configured with your identity provider. In all cases we will provide you with some information to set up Amplience with your identity provider, while you will provide us with information to authenticate your users. Some identity providers support both SAML and OIDC and in this case the protocol you choose will depend on your information security requirements.

Configuring an identity provider using SAML

To configure SSO with SAML you will need to do the following:

  • Tell Amplience the domain you wish to use as part of your login URL:
<yourdomain>.app.amplience.net
  • Provide Amplience with the login URL. This is the identity provider URL to which the user will be redirected when they log in from the Amplience SSO landing page.

Set up an app in your identity provider

The app you create in the identity provider will need to be configured with SAML metadata, including the following information provided to you by Amplience:

  • Assertion consumer service URL.

This is the URL of the Amplience API endpoint where the identity provider should send the authenticated user's data.

  • EntityID.

This URI is a unique identifier used for the connection between Amplience and the identity provider.

X.509 certificates

Requests and responses between Amplience and your identity provider are signed using X.509 certificates. We will send you the Amplience X.509 certificate and you need to send us your identity provider's X.509 certificate. Using certificates ensures that requests and responses can be verified as originating from Amplience or the identity provider, and that the data has not been modified in transit.

Unique user identifier (nameID)

You need to configure additional SAML attributes that are used to identify the user. These attributes should include:

| Attribute | Notes |
| --- | --- |
| nameID | This is the unique identifier for the user. We require that the user's email address is sent as the unique identifier. nameID is a required attribute. |
| name | The name that is shown in the user list in Account Management. name must be lowercase. |
| email | The user's email must also be specified in this attribute. We use the email to determine which Amplience account to use. email must be lowercase. |

All the above is specified in XML format.
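A pre-flight check of an identity provider's attribute mapping against the requirements above, as an added example that is not Amplience's own code. It assumes the SAML attribute `Name` values are literally `name` and `email`, and the sample assertion is constructed and unsigned.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (unsigned, made-up user) with two mapping mistakes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def lint_assertion(xml_text):
    """Check the attribute mapping only; signature checks are out of scope."""
    root = ET.fromstring(xml_text)  # use on test assertions from your own IdP
    problems = []

    name_id = root.findtext(".//saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("nameID is missing (required)")
    elif not EMAIL_RE.match(name_id):
        problems.append("nameID is not an email address")

    # Map attribute Name -> first AttributeValue text.
    # Assumption: the attributes are named exactly "name" and "email".
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", "", NS).strip()

    for key in ("name", "email"):
        if key not in attrs:
            problems.append(f"{key} attribute is missing")
        elif attrs[key] != attrs[key].lower():
            problems.append(f"{key} must be lowercase")

    # Assumption: nameID and email carry the same address, since the page
    # asks for the user's email in both.
    if name_id and "email" in attrs and attrs["email"].lower() != name_id.lower():
        problems.append("email does not match nameID")
    return problems
```

Run it on a test assertion captured from your identity provider's SAML preview or test login before sending the configuration to Amplience; an empty list means the mapping meets the documented requirements.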

Configuring an identity provider using OIDC

To configure SSO with an OIDC identity provider you will need to do the following:

  • Tell Amplience the domain you wish to use as part of your login URL:
<yourdomain>.app.amplience.net
  • Provide Amplience with the login URL. This is the identity provider URL to which the user should be redirected when they log in from the Amplience SSO landing page.

  • Set up an app in your identity provider. As part of this process you will generate a key and secret which should be sent to Amplience in a secure manner.

Adding a user

User accounts are automatically created when new single sign-on users log in to Amplience. However, users must still be granted permissions before they can use the Amplience platform.

Your organization administrator can set Dynamic Content permissions. Note that if Dynamic Content users require permission to access asset stores and assets through the Assets tab, you'll need to request Assets tab provisioning.

For Content Hub permissions, please raise a request through Amplience Support or contact your Customer Success Manager.

Google Workspace

Azure Active Directory

Okta

Ping