Single sign-on configuration

Single sign-on (SSO) allows users to log in to Amplience using their organization's identity provider, without requiring an Amplience-specific user name and password.

On this page we'll explain how you can set up your identity provider to use Amplience. For an overview of logging in and switching between apps using SSO, see the introducing SSO page.

SSO login process

When using SSO, the login process will be as follows:

  • The user visits the Amplience single sign-on page for their organization and clicks the "Log in" button.
The Amplience single sign-on login page.
  • The user is redirected to the single sign-on page of the identity provider configured for their organization and enters their usual name and password.
From the login page you are redirected to the login page of your identity provider.
  • The identity provider then authenticates the user and sends a "claim" to the Amplience authentication service. This will include the user's email address.
  • Amplience will then check that the user is allowed access and if so logs the user in. If the user has not been set up for access to Amplience, then an error will be displayed.

Note that you must inform Amplience of the email address of each user that you wish to grant access. See adding a user.

Identity providers

Amplience single sign-on supports most enterprise identity providers, including (but not limited to) the following:

Almost all identity providers use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) as the authentication protocol between the identity provider and the service provider, which in this case is Amplience.

The authentication protocol you use will determine how Amplience will be configured with your identity provider. In all cases we will provide you with some information to set up Amplience with your identity provider, while you will provide us with information to authenticate your users. Some identity providers support both SAML and OIDC and in this case the protocol you choose will depend on your information security requirements.

Configuring an identity provider using SAML

To configure SSO with SAML you will need to do the following:

  • Tell Amplience the domain you wish to use as part of your login URL:
    <yourdomain>.app.amplience.net
    
  • Provide Amplience with the login URL. This is the identity provider URL to which the user will be redirected when they log in from the Amplience SSO landing page.

Set up an app in your identity provider

The app you create in the identity provider will need to be configured with SAML metadata, including the following information provided to you by Amplience:

  • Assertion consumer service URL.

This is the URL of the Amplience API endpoint where the identity provider should send the authenticated user's data.

  • EntityID.

This URI is a unique identifier used for the connection between Amplience and the identity provider.

X.509 certificates

Requests and responses between Amplience and your identity provider are signed using X.509 certificates. We will send you the Amplience X.509 certificate and you need to send us your identity provider's X.509 certificate. Using certificates ensures that requests and responses can be verified as originating from Amplience or the identity provider, and that the data has not been modified in transit.

User identifier

SAML allows you to include extra information in the request and Amplience requires that the user's email address is sent as a user identifier.

All the above can be exchanged in XML format.
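A pre-flight check for service provider metadata of the kind listed above, as an added example (not Amplience's code or its actual metadata). The entityID, ACS URL and certificate bytes are constructed placeholders, and the check assumes the email requirement is declared through the standard SAML emailAddress NameID format.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed stand-in for DER certificate bytes (not a real certificate).
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
# Constructed SP metadata; entityID and ACS URL are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="urn:example:sp:placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Binding="{POST_BINDING}"
        Location="https://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_sp_metadata(xml_text):
    """Return the values to enter in the IdP app, plus any problems found."""
    root = ET.fromstring(xml_text)  # metadata should arrive over a trusted channel
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = [e.get("Location") or "" for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # SHA-256 over the decoded bytes, for comparison over a separate channel.
    prints = [hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
              for c in certs]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    if not acs or not all(u.startswith("https://") for u in acs):
        problems.append("ACS URL missing or not https")
    if EMAIL_FORMAT not in formats:
        problems.append("email NameID format not declared")
    if not prints:
        problems.append("no X.509 certificate")
    return {"entity_id": root.get("entityID"), "acs_urls": acs,
            "cert_sha256": prints, "problems": problems}
```

Comparing the printed certificate fingerprint with the one the other party reads out over a different channel confirms that the certificate was not swapped in transit.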

Configuring an identity provider using OIDC

To configure SSO with an OIDC identity provider you will need to do the following:

  • Tell Amplience the domain you wish to use as part of your login URL:
    <yourdomain>.app.amplience.net
    
  • Provide Amplience with the login URL. This is the identity provider URL to which the user should be redirected when they log in from the Amplience SSO landing page.

  • Set up an app in your identity provider. As part of this process you will generate a key and secret which should be sent to Amplience in a secure manner.

Adding a user

While the identity provider lets you authenticate a user's credentials, that user will still need to be provided with access to Amplience. When you want to add a new user, contact your Customer Success Manager or raise a support ticket that includes the email address of the user to add. Once set up, the user will be able to log in to Amplience using their usual identity provider credentials.

Introducing Amplience SSO

Google Workspace

Azure Active Directory

Okta

Ping