SSO Integration Guide

Logging in with Single Sign-On (SSO)

Amplified supports Single Sign-On through the following identity providers:

• Google (OAuth2)
• Google Workspace (SAML)
• Okta (OIDC)
• Okta (SAML)
• Microsoft Entra ID (formerly Azure AD) (SAML)

Google OAuth2 SSO integration

Requirements

Your users must already have been invited to, and accepted their invitation to your Amplified team.

Configuration Steps 

No configuration is necessary to sign in with Google. Your users can click the Sign in with Google button on the Amplified log in page, which will redirect to Google to authenticate and then send your users back to Amplified.

Google Workspace SAML integration

Supported features

The Google Workspace/Amplified SAML integration currently supports the following features:

• SP-initiated single sign-on - this allows users to sign into Amplified using Google Workspace for authentication, after visiting the Amplified login page; and
• IdP-initiated single sign-on - this allows users to sign into Amplified from their Google Workspace app launcher.

Requirements

In order to configure SAML SSO through Google Workspace, you must:

• Have your own Google Workspace account;
• Be a super administrator of that account;
• Have a confirmed Amplified admin account; and
• Have an Enterprise subscription to Amplified. Please see Amplified billing for details or to get in touch.

Configuration Steps

1. Navigate to the Google Workspace admin console
2. Select Apps and then Web and mobile apps
3. Click Add app and then Add custom SAML app
4. Input Amplified as the app name, and an optional description. If you would like to attach an app icon, you can use this Amplified logo. Click Continue.
5. Under Option 1, click the Download Metadata button. This will download an XML file named GoogleIDPMetadata.xml to your computer, which we will use to configure Amplified. Click Continue.
6. In a new browser window, open the Single Sign-on configuration page in Amplified. Click Get started, and select Configure SAML. Locate the GoogleIDPMetadata.xml file on your computer and either drag and drop it to the Amplified window, or click Choose File and select the file on your computer. Click Next. Once Amplified has verified the metadata, you should see the identity provider as Google.
7. If you would like your users to be able to sign into Amplified with a username and password in addition to single sign-on, check the Allow password authentication box.
8. If you would like to provision new users in Amplified when they sign in for the first time, check the Provision new users automatically box and select which Amplified role you would like them to have.
9. Click Submit to save your SAML configuration in Amplified.
10. When the Single Sign-on table loads, you will see two columns with information that we need to provide to Google: Assertion Consumer Service (ACS) URL and Entity ID. Click the ACS URL to copy it to the clipboard, and paste it into the ACS URL field in the Service provider details form in Google Workspace. Repeat this process for the Entity ID value. Click Continue in Google Workspace.
11. In Attributes, click Add mapping, then under Google Directory attributes select First name . In the corresponding App attributes field, enter the value first_name . Repeat this process for Last name, entering last_name as the app attribute.
12. Click Finish. This completes the SAML configuration steps.
13. By default, the Amplified app is not available to users in Google Workspace. To enable access, click User access and then choose ON for everyone or select the groups or organizational units who should have access to Amplified. This will permit them to log into Amplified via Google Workspace.

Congratulations!

Amplified is now fully configured for SAML single sign-on with Google Workspace.

Logging into Amplified with Google Workspace SSO

You can log into Amplified using Google Workspace SSO in two ways: IdP-initiated or SP-initiated authentication:

1. IdP-initiated: By clicking the Amplified application in your Google Workspace app launcher; or
2. SP-initiated: On the Amplified login page, enter your email address and click Continue.
   • If you have Allow password authentication enabled you can then either enter your password, or click the Continue with Single Sign-on button. Your browser will be redirected to Google Workspace for authentication, and then returned to your Amplified dashboard.
   • If you do not have Allow password authentication enabled, your browser will be immediately redirected to Google Workspace for authentication, and then returned to your Amplified dashboard.

Okta OIDC SSO integration

Supported Features

• Identity Provider (IDP) initiated authentication This allows users to sign into Amplified from their Okta application dashboard

Requirements

In order to configure SSO through Okta, you must:

• Have your own Okta tenant;
• Be an administrator of that tenant;
• Have a confirmed Amplfied admin account with team members configured for each user who will sign in via Okta; and
• Have an Enterprise subscription to Amplified. Please see Amplified billing for details or to get in touch.

Configuration Steps

To enable SSO with Amplified, you need to add the Amplified app to your Okta tenant.

1. Log in to your organisation’s Okta tenant;
2. Navigate to Applications > Applications > Browse App Catalog and search for Amplified, then click Add Integration;
3. Enter an Application Label or accept the recommended default, Amplified . This is the name as which the Amplified app will appear to users on your Okta dashboard;
4. Click Next;
5. On the Sign-On Options tab, in the Sign on methods section choose OpenID Connect.
6. Click Done.
7. Click the Assignments tab of the Amplified application in Okta, and assign Amplified to everyone, a group, or those of your users who have Amplified accounts;
8. Click the Sign-On tab, and then click Edit in the Settings section;
9. In the OpenID Connect section, locate the Client ID field and copy the value to the clipboard;
10. In the Advanced Sign-on Settings section, paste your Client ID into the Client ID field, and at the bottom of the form click Save;
11. In another browser window, open the Single Sign-on configuration page in Amplified. Click Get started and select Configure OIDC. Paste your Client ID into the Client ID field, but do not click Submit yet - we have more values to copy from Okta in the next step;
12. Return to your Okta window and click the Sign On tab, and copy the Secret value from Client secrets. Also make note of your Okta domain (e.g. yourcompany.okta.com), found in the dropdown user menu in the upper right corner of the page;
13. Return to your Amplified window and paste in the Okta domain (prefixing it with https:// if necessary), and Client secret values copied in the previous step, and click Submit.

This completes the configuration of the Amplified integration with Okta. Your users should now be able to sign into Amplified from their Okta dashboard.

Congratulations!

Amplified is now fully configured for OIDC single sign-on with Okta.

Okta SAML integration

Supported features

The Okta/Amplified SAML integration currently supports the following features:

• SP-initiated single sign-on - this allows users to sign into Amplified using Okta for authentication, after visiting the Amplified login page;
• IdP-initiated single sign-on - this allows users to sign into Amplified from their Okta application dashboard.

Requirements

In order to configure SAML SSO through Okta, you must:

• Have your own Okta tenant;
• Be an administrator of that tenant;
• Have a confirmed Amplified admin account with team members configured for each user who will sign in via Okta; and
• Have an Enterprise subscription to Amplified. Please see Amplified billing for details or to get in touch.

Configuration Steps

To enable SSO with Amplified, you need to add the Amplified app to your Okta tenant.

1. Log in to your organisation’s Okta tenant;
2. Navigate to Applications > Applications > Browse App Catalog and search for Amplified, then click Add Integration;
3. Enter an Application Label or accept the recommended default, Amplified . This is the name as which the Amplified app will appear to users on your Okta dashboard;
4. Click Next;
5. On the Sign-On Options tab, under SAML 2.0 locate the Metadata details section. Copy the Metadata URL to the clipboard.
6. In a new browser window, open the Single Sign-on configuration page in Amplified. Click Get started, and select Configure SAML. Locate the Federation metadata URL field, paste in the URL you copied from Okta in the previous step, and click Next. Once Amplified has downloaded and verified the metadata, you should see the identity provider as Okta, with your Tenant ID shown underneath. Click the tenant ID to copy this value to the clipboard.
7. If you would like your users to be able to sign into Amplified with a username and password in addition to single sign-on, check the Allow password authentication box.
8. If you would like to provision new users in Amplified when they sign in for the first time, check the Provision new users automatically box and select which Amplified role you would like them to have.
9. Click Submit to save your SAML configuration in Amplified.
10. Return to your Okta browser window, and in the Advanced Sign-on Settings locate the Tenant ID field and paste in your Tenant ID copied from Amplified in step 6.
11. Click Done.
12. Click the Assignments tab of the Amplified application in Okta, and assign Amplified to everyone, a group, or those of your users who have Amplified accounts. This will provide them with the Amplified application on their Okta dashboard.

Congratulations!

Amplified is now fully configured for SAML single sign-on with Okta.

Logging into Amplified with Okta SSO

For both SAML and OIDC, you can log into Amplified using Okta SSO in two ways:

1. By clicking the Amplified application in your Okta dashboard; or
2. On the Amplified login page, enter your email address and click Continue.
   • If you have Allow password authentication enabled you can then either enter your password, or click the Continue with Single Sign-on button. Your browser will be redirected to Okta for authentication, and then returned to your Amplified dashboard.
   • If you do not have Allow password authentication enabled, your browser will be immediately redirected to Okta for authentication, and then returned to your Amplified dashboard.

Microsoft Entra ID SAML integration

Supported features

The Entra ID/Amplified SAML integration currently supports the following features:

• SP-initiated single sign-on - this allows users to sign into Amplified using Entra ID for authentication, after visiting the Amplified login page; and
• IdP-initiated single sign-on - this allows users to sign into Amplified from their Entra ID application dashboard.

Requirements

In order to configure SAML SSO through Entra ID, you must:

• Have your own Entra tenant;
• Be an administrator of that tenant;
• Have a confirmed Amplified admin account; and
• Have an Enterprise subscription to Amplified. Please see Amplified billing for details or to get in touch.

Configuration Steps

1. Navigate to the Entra Admin Center
2. Select Enterprise applications
3. Select New application
4. Select Create your own application
5. Input Amplified as the name, and choose Non-gallery as the application type. Click Create.
6. Under Manage click Single sign-on, then choose SAML .
7. In section 3, copy the App Federation Metadata Url to the clipboard
8. In a new browser window, open the Single Sign-on configuration page in Amplified. Click Get started, and select Configure SAML. Locate the Federation metadata URL field, paste in the URL you copied from Entra ID in the previous step, and click Next. Once Amplified has downloaded and verified the metadata, you should see the identity provider as Microsoft Entra ID.
9. If you would like your users to be able to sign into Amplified with a username and password in addition to single sign-on, check the Allow password authentication box.
10. If you would like to provision new users in Amplified when they sign in for the first time, check the Provision new users automatically box and select which Amplified role you would like them to have.
11. Click Submit to save your SAML configuration in Amplified.
12. When the Single Sign-on table loads, click the ... options button, select Download metadata, and note the location of the downloaded file Amplified SAML metadata.xml
13. Return to Entra Admin Center, and click Upload metadata file choosing the file you just downloaded from Amplified, and click Add .
14. Review the Basic SAML Configuration settings, click Save, and close that pane. This completes the SAML configuration steps.
15. Under Manage, select Users and groups and assign Amplified to everyone, a group, or those of your users who have Amplified accounts. This will permit them to log into Amplified via Entra ID.

Congratulations!

Amplified is now fully configured for SAML single sign-on with Entra ID.

Logging into Amplified with Entra ID SSO

You can log into Amplified using Entra ID SSO in two ways: IdP-initiated or SP-initiated authentication:

1. IdP-initiated: By clicking the Amplified application in your Entra dashboard; or
2. SP-initiated: On the Amplified login page, enter your email address and click Continue.
   • If you have Allow password authentication enabled you can then either enter your password, or click the Continue with Single Sign-on button. Your browser will be redirected to Entra ID for authentication, and then returned to your Amplified dashboard.
   • If you do not have Allow password authentication enabled, your browser will be immediately redirected to Entra ID for authentication, and then returned to your Amplified dashboard.