\\
Amazon supports custom SAML 2.0 applications. See [Amazon: Set up your own SAML 2.0 application Link|https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-set-up-your-own-app-saml2.html]\\
----
⚠️ __Important__:  User to the SAML Provider Is Not Supported. Amazon SAML 2.0 does not support automatic redirection of CrushFTP users to the SAML provider using a direct login URL like:\\
{{{
https://domain.com/?u=SSO_SAML&p=redirect
}}}\\
Users must access the application through the SAML identity provider’s portal (such as AWS IAM Identity Center or similar), where they are authenticated and then redirected back to CrushFTP.\\
----
⚠️ __Proxy Configuration__: If your server accesses the internet through a proxy, make sure to whitelist the following domains required for __Amazon SAML SSO__ to function properly:\\
• __signin.aws.amazon.com__\\
• __sts.amazonaws.com__\\
• __iam.amazonaws.com__\\
• __amazonaws.com__ (general endpoint access)\\
----
!1. Amazon SSO SAML 2.0 Configurations:
\\
Open the IAM Identity [Center Console Link|https://console.aws.amazon.com/singlesignon] and create a new __custom application__.\\
\\
[custom_app.png]\\
\\
Configure SAML Settings:\\
Enter the __Application Name__, __Application ACS URL__, and __SAML Audience__ in the provided fields.\\
Once all required values are set, click Submit to complete the application setup.\\
{{{
Application ACS URL example:
https://your.crushftp.com/?u=SSO_SAML&p=none
}}}\\
{{{
SAML Audience example:
https://your.crushftp.com/
}}}\\
\\
[custom_app_settings.png]\\ 
\\
Configure Attribute Mappings:\\
Set up the attribute mappings for your application to define which user details (such as username, email, or roles) are passed during the SAML authentication process.\\
These mappings ensure that the correct user information is shared between your identity provider and the application.\\
\\
[custom_app_attribute_mappings_edit.png]\\
\\
Add New Attribute Mapping:\\
To create a new attribute mapping, specify the value you want to send to the application. In the field __Maps to this string value or user attribute in IAM Identity Center,__ enter:
{{{
Maps to this string value or user attribute in IAM Identity Center:
${user:subject}
}}}\\
This maps the attribute to the user’s unique identifier in IAM Identity Center, typically used as the username or user ID during authentication.\\
\\
[csutom_app_new_attribute.png]\\
\\
⚠️ __Warning__: Assign Users/Groups to the Application!\\
After creating the application, make sure to assign the appropriate users or groups to it in your IAM Identity Center.\\
\\
[custom_app_assign_users.png]\\
\\
!2. SAMLSSO plugin configuration\\
\\
⚠️ Download the __IAM Identity Center SAML metadata__ file. This file contains important configuration details required by the service provider (e.g., CrushFTP) to establish a secure SAML connection.\\
{{{
[Amazon SSO SAML 2.0 Configuration]                                    [CrushFTP settings] 

entityID value of IAM Identity Center SAML metadata XML file        -> SAML Provider URL (EntityID)

Application SAML audience                                           -> SAML Audience

SingleSignOnService SAML:2.0:bindings:HTTP-POST Location value 
of IAM Identity Center SAML metadata XML file                       -> IDP Redirect URL (HTTP-POST)

IAM Identity Center SAML issuer URL                                 -> SAML Issuer

X509Certificate value of IAM Identity Center SAML metadata XML file -> Base64 encoded PEM Signing certificate
}}}
\\
On CrushFTP SAMLSSO plugin for __Authentication type:__ set __urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport__\\
\\
{{{
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
}}}\\
\\
[custom_app_crushftp_settings.png]\\
\\