!!Enterprise Licenses Only\\
__Prerequisits:__ on the Preferences panel [Misc page|Misc] need to set the __Remember invalid usernames__ parameter value to __0__ and clear the __HTTP Redirect Base__ field value. This is a __must__ with any plugin integration scenario.
\\
\\
Amazon supports custom SAML 2.0 applications. See [https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html]\\
__Restriction!!!__: Redirect of CrushFTP user to the SAML provider is not supported.\\
{{{
https://domain.com/?u=SSO_SAML&p=redirect
}}}\\
\\
!1. Amazon SSO SAML 2.0 Configurations:
\\
Open the IAM Identity Center Console [https://console.aws.amazon.com/singlesignon] and create a new custom application.\\
\\
[custom_app.png]\\
\\
Configure the name, Application ACS URL, and SAML Audience, then submit the application.\\
{{{
Application ACS URL example:
https://your.crushftp.com/?u=SSO_SAML&p=none
}}}\\
{{{
SAML Audience example:
https://your.crushftp.com/
}}}\\
\\
[custom_app_settings.png]\\ 
\\
Configure the attribute mappings of your application.\\
\\
[custom_app_attribute_mappings_edit.png]\\
\\
Add new attribute mapping.\\
{{{
Maps to this string value or user attribute in IAM Identity Center:
${user:subject}
}}}\\
[csutom_app_new_attribute.png]\\
\\
__Warning:__ Assign users/groups to the created application!\\
\\
[custom_app_assign_users.png]\\
\\
!2. SAMLSSO plugin configuration\\
\\
Download the __IAM Identity Center SAML metadata__ file.\\
{{{
[Amazon SSO SAML 2.0 Configuration]                                    [CrushFTP settings] 

entityID value of IAM Identity Center SAML metadata XML file        -> SAML Provider URL (EntityID)

Application SAML audience                                           -> SAML Audience

SingleSignOnService SAML:2.0:bindings:HTTP-POST Location value 
of IAM Identity Center SAML metadata XML file                       -> IDP Redirect URL (HTTP-POST)

IAM Identity Center SAML issuer URL                                 -> SAML Issuer

X509Certificate value of IAM Identity Center SAML metadata XML file -> Base64 encoded PEM Signing certificate
}}}
\\
On CrushFTP SAMLSSO plugin for "__Authentication type:__" set "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".\\
\\
{{{
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
}}}\\
\\
[custom_app_crushftp_settings.png]\\
\\