Amazon supports custom SAML 2.0 applications. See Amazon: Set up your own SAML 2.0 application.

⚠️ Important: Redirecting users to the SAML provider is not supported. Amazon SAML 2.0 does not support automatic redirection of CrushFTP users to the SAML provider using a direct login URL like:
https://domain.com/?u=SSO_SAML&p=redirect

Users must access the application through the SAML identity provider’s portal (such as AWS IAM Identity Center), where they are authenticated and then redirected back to CrushFTP.

⚠️ Proxy Configuration: If your server accesses the internet through a proxy, make sure to whitelist the following domains required for Amazon SAML SSO to function properly:
signin.aws.amazon.com
sts.amazonaws.com
iam.amazonaws.com
amazonaws.com (general endpoint access)

1. Amazon SSO SAML 2.0 Configurations:


Open the IAM Identity Center Console and create a new custom application.

custom_app.png

Configure SAML Settings:
Enter the Application Name, Application ACS URL, and SAML Audience in the provided fields.
Once all required values are set, click Submit to complete the application setup.
Application ACS URL example:
https://your.crushftp.com/?u=SSO_SAML&p=none

SAML Audience example:
https://your.crushftp.com/


custom_app_settings.png

Configure Attribute Mappings:
Set up the attribute mappings for your application to define which user details (such as username, email, or roles) are passed during the SAML authentication process.
These mappings ensure that the correct user information is shared between your identity provider and the application.

custom_app_attribute_mappings_edit.png

Add New Attribute Mapping:
To create a new attribute mapping, specify the value you want to send to the application. In the field Maps to this string value or user attribute in IAM Identity Center, enter:
${user:subject}

This maps the attribute to the user’s unique identifier in IAM Identity Center, typically used as the username or user ID during authentication.

csutom_app_new_attribute.png

⚠️ Warning: Assign Users/Groups to the Application!
After creating the application, make sure to assign the appropriate users or groups to it in your IAM Identity Center.

custom_app_assign_users.png

2. SAMLSSO plugin configuration


⚠️ Download the IAM Identity Center SAML metadata file. This file contains important configuration details required by the service provider (e.g., CrushFTP) to establish a secure SAML connection.
[Amazon SSO SAML 2.0 Configuration]                                    [CrushFTP settings] 

entityID value of IAM Identity Center SAML metadata XML file        -> SAML Provider URL (EntityID)

Application SAML audience                                           -> SAML Audience

SingleSignOnService SAML:2.0:bindings:HTTP-POST Location value 
of IAM Identity Center SAML metadata XML file                       -> IDP Redirect URL (HTTP-POST)

IAM Identity Center SAML issuer URL                                 -> SAML Issuer

X509Certificate value of IAM Identity Center SAML metadata XML file -> Base64 encoded PEM Signing certificate

In the CrushFTP SAMLSSO plugin, set Authentication type to:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport


custom_app_crushftp_settings.png

« This page (revision-60) was last changed on 22-May-2025 05:11 by krivacsz