Amazon (AWS) SAML

Important: These instructions apply only to Flow on-premises.

Overview

Below is a step-by-step guide for connecting your AWS account to Flow with SSO. Here is a list of all other SSO hosts we support.

Configuring Your Amazon SSO Integration

  1. Go to your AWS organization account; you can search for “AWS Single Sign-On (SSO)”. Make sure you have AWS SSO enabled. If you do not, take the steps to do so.
  2. Once you are authorized for SSO, go to the Single Sign-On page.
  3. Select Applications.
  4. Select Add a new application.
  5. Select the option Custom SAML 2.0 application and click Add.
  6. Scroll to the AWS SSO metadata section of the page. Click Download to download the SSO SAML metadata file. It will download to your computer; you will need this metadata to add within the Flow app.
  7. Open the downloaded metadata file and copy its contents to your clipboard.
  8. In another tab, open your Flow app. Starting on your Flow Home page, go to the left navigation bar; at the bottom, go to Settings > SSO.
  9. Select New SAML Integration.
  10. In the Configure SAML integration modal, fill out these fields:
    1. Paste the metadata you just copied from the AWS SSO SAML metadata file.
    2. Login URL: this is the Entity ID, which also doubles as your login URL. Use your company name, or the division or team within the company, whichever is most relevant.
    3. Embed Link: optional; use it only if the main Entity ID does not work directly.
    4. Role Key: user roles will be mapped from the attribute value in the assertion under this key.
    5. Check this box if you want Flow to manage your users' roles. New users will be given a default role when they log in.
    6. Merge New Users on Email: check this box if you already have users invited into your Flow account using non-SSO logins. This will automatically delete the previous logins and force all existing users to log in via your SSO platform.
    7. Fill in this field as shown: 'FirstName' 'LastName'
    8. Fill in this field as shown: 'Email'. Both of these fields are attribute names that are mapped within AWS, and the names you enter here must correspond to the attribute mappings you create there (case sensitive).
  11. After you have filled this out, click Save and you will be returned to this page, where you will see your URL. Copy this URL to your clipboard; you will need to add it to the AWS account.
  12. Go back to your AWS webpage, scroll to the bottom where it says Application metadata and click on If you don't have a metadata file, you can manually type your metadata values.
  13. Fill out these fields:
    1. Application ACS URL*: paste the URL you copied from the Flow app in step 11.
    2. Application SAML audience*: this identifies the audience (the service provider) the assertion is intended for. AWS accepts any string here, but use the same value as the Entity ID you entered in Flow's Login URL field in step 10, so that the assertion's audience restriction names the service provider that actually receives it; keep it something your end users can identify, such as the name of your organization.
    3. Application start URL: paste the same URL as you did in the first box.
  14. Click Save changes.
  15. If you were successful, your configuration will have been saved and you will see a confirmation message.
  16. Next go to the Attribute mappings tab.
  17. Click Add new attribute mapping three times to add three new attribute fields.
  18. Fill out these attributes; they are case sensitive. Each row below lists the user attribute in the application, the value it maps to, and the format. The Subject row will be auto-populated; in its value field just add 'test' as a filler.
    1. Subject - test - unspecified
    2. email - Email - unspecified
    3. familyName - LastName - unspecified
    4. givenName - FirstName - unspecified
  19. Click Save changes.
  20. You will get a confirmation that these have been added.
  21. The final step is to connect with the directory you have set up in AWS. Go to the Assigned Users tab and click Connect your directory.
  22. You have successfully added your custom SAML application!
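The values that move between the two sides above (the IdP metadata file from step 6 into Flow, and the ACS URL, audience and attribute names from steps 11 to 18 into AWS) are where most SAML setups go wrong. The script below is an added example, not Flow's or AWS's own code: it parses an IdP metadata file the way a service provider does, pulling out the entityID, the HTTP-POST sign-in URL and the signing-certificate fingerprint, and then decodes a SAMLResponse captured from the browser after sign-in and checks its Destination, Issuer, Audience and attribute names against the values you configured. The metadata, certificate, ACS URL, audience and response embedded in it are constructed placeholders, and it does not verify the XML signature; it is a configuration sanity check, not an assertion validator.

```python
"""Added example: check IdP metadata and a captured SAMLResponse against the
values configured in Flow and AWS. Constructed inputs; no signature checking."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the AWS SSO metadata file (step 6). The certificate
# is a placeholder blob, not a real X.509 certificate.
IDP_ENTITY_ID = "https://portal.sso.example.invalid/saml/assertion/EXAMPLEID"
FAKE_CERT_B64 = base64.b64encode(b"placeholder-idp-signing-certificate").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{IDP_ENTITY_ID}"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="{IDP_ENTITY_ID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Assumed SP-side values (what you typed into Flow in step 10 and AWS in step 13).
ACS_URL = "https://flow.example.invalid/saml/acs"
AUDIENCE = "example-org"
FLOW_ATTRIBUTES = ["Email", "FirstName", "LastName"]

# Constructed, unsigned SAMLResponse as it would arrive at the ACS URL.
SAML_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()


def parse_idp_metadata(xml_text):
    """Return the entityID, HTTP-POST sign-in URL and SHA-256 fingerprint of the
    signing certificate from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST endpoint or a signing certificate")
    der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line wrapping
    fingerprint = ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert_sha256": fingerprint}


def check_saml_response(response_b64, acs_url, idp_entity_id, audience, attributes):
    """Return a list of configuration mismatches; an empty list means the response
    is consistent with what was configured. Signature, timestamps and InResponseTo
    are deliberately not checked here; that is the SP's job."""
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs_url!r}")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match the metadata entityID {idp_entity_id!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion element (encrypted assertion, or not a SAMLResponse)")
        return problems
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include the configured Entity ID {audience!r}")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(set(attributes) - present)
    if missing:
        problems.append(f"attributes missing from the assertion: {missing}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("IdP entityID:        ", meta["entity_id"])
    print("IdP sign-in URL:     ", meta["sso_url"])
    print("Signing cert SHA-256:", meta["cert_sha256"])
    print("mismatches:", check_saml_response(
        SAML_RESPONSE, ACS_URL, meta["entity_id"], AUDIENCE, FLOW_ATTRIBUTES))
```

To use it against a real setup, replace IDP_METADATA with the contents of the file downloaded in step 6 and SAML_RESPONSE with the base64 SAMLResponse form field captured from the browser after a test sign-in (step 21). An Audience mismatch reported here usually means the value entered as Application SAML audience in AWS differs from the Entity ID entered in Flow; a missing attribute means the names under Attribute mappings in AWS do not match, case for case, the keys entered in Flow.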



If you need help, please contact Pluralsight Support.