Amazon supports custom SAML 2.0 applications. See [https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html]\\
__Restriction!!!__: CrushFTP redirecting a user to the SAML provider is not supported.\\
{{{ http://domain.com/?u=SSO_SAML&p=redirect }}}\\
\\
!1. Amazon SSO SAML 2.0 Configurations:
\\
Open the IAM Identity Center Console [https://console.aws.amazon.com/singlesignon] and create a new custom application.\\
[custom_app.png]\\
\\
Configure the name, Application ACS URL, and SAML Audience, then submit the application.\\
{{{ Application ACS URL example: https://your.crushftp.com/?u=SSO_SAML&p=none }}}\\
{{{ SAML Audience example: https://your.crushftp.com/?u=SSO_SAML&p=none }}}\\
\\
[custom_app_settings.png]\\
\\
Configure the attribute mappings of your application.\\
\\
[custom_app_attribute_mappings_edit.png]\\
\\
Add a new attribute mapping.\\
{{{ Maps to this string value or user attribute in IAM Identity Center: ${user:subject} }}}\\
[csutom_app_new_attribute.png]\\
\\
__Warning:__ Assign users/groups to the created application!\\
\\
[custom_app_assign_users.png]\\
\\
!2. SAMLSSO plugin configuration
\\
Download the __IAM Identity Center SAML metadata__ file.\\
{{{
[Amazon SSO SAML 2.0 Configuration]    [CrushFTP settings]

entityID value of IAM Identity Center SAML metadata XML file -> SAML Provider URL (EntityID)
Application SAML audience -> SAML Audience
SingleSignOnService SAML:2.0:bindings:HTTP-POST Location value of IAM Identity Center SAML metadata XML file -> IDP Redirect URL (HTTP-POST)
IAM Identity Center SAML issuer URL -> SAML Issuer
X509Certificate value of IAM Identity Center SAML metadata XML file -> Base64 encoded PEM Signing certificate
}}}
\\
In the CrushFTP SAMLSSO plugin, set "Authentication type" to "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".\\
\\
{{{ Authentication type: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport }}}\\
\\
[custom_app_crushftp_settings.png]\\
\\