Setting up Single Sign-On with Amazon AWS SSO/IAM Identity Center (SAML)

If you're using AWS IAM Identity Center (formerly AWS SSO) as your identity provider, you can connect it to Genius via SAML to enable Single Sign-On for your users. The setup has two halves: creating a SAML 2.0 application in IAM Identity Center that points at Genius, then giving Genius the IAM Identity Center metadata URL so it can trust assertions from your IdP.

AWS IAM Identity Center (AWS SSO) Steps:

Prerequisites

This guide assumes you have previously used AWS IAM Identity Center and have at least one user (and, optionally, groups) set up.

  1. Log in to AWS IAM Identity Center
  2. Navigate to Applications
  3. Choose the Customer managed tab
  4. On the top-right of the Customer managed tab, choose Add application
  5. On the Select application type screen:
     1. For Setup preference choose “I have an application I want to set up”
     2. For Application type choose “SAML 2.0”
     3. Once you have selected those two options, click the Next button in the bottom-right
  6. On the Configure application screen:
     1. In the Display name field, name this integration something like “Genius” or “AVOXI Genius”
     2. [Optional] In the Description field, provide a description of this integration such as “SAML 2.0 setup for SSO usage in AVOXI Genius”
     3. In the IAM Identity Center SAML metadata section, copy the URL shown in the IAM Identity Center SAML metadata file field (no need to download the file; just copy the URL and save it, as you will need it in Genius). The document at that URL contains your IAM Identity Center entity ID, sign-in URL and the signing certificate Genius needs to verify the SAML assertions it receives
     4. You can ignore the other URLs shown in the IAM Identity Center metadata section for now; they simply provide additional options for an SSO integration
     5. In Application properties, choose a relevant session timeout. You do not need to specify an Application start URL or Relay state
     6. In the Application metadata section, choose the “Manually type your metadata values” option and enter the following exactly as shown. The ACS URL is where IAM Identity Center will POST the signed SAML response, and the SAML audience is the identifier Genius expects to find in the assertion, so both must match:
        1. Application ACS URL: https://genius.avoxi.com/api/v1/auth/saml/consume
        2. Application SAML audience: https://genius.avoxi.com
     7. Click the Submit button in the bottom-right once finished
  7. You should now have the Genius application created in AWS SSO and be on the AVOXI Genius application page. From here, click the Actions dropdown in the top-right and choose “Edit attribute mappings”
  8. On the Attribute mappings screen, for the Subject attribute:
     1. In “Maps to this string value or user attribute in IAM Identity Center”, specify: ${user:email}
     2. In the Format dropdown, select emailAddress
     3. Once this is completed, click Save changes
  9. You should now be back on the Application screen for Genius. At the bottom of this screen, click Assign users and groups so that at least one user is assigned to the application for testing
  10. Choose at least one user or group to assign to Genius. This should at least be the initial user you are going to use to test logging in (such as your own user). IMPORTANT: this user's email address in IAM Identity Center MUST match that user's email address in Genius, because the email address carried in the SAML Subject is how Genius identifies the user. If the email addresses do not match, that user will not be able to sign in to Genius through AWS SSO. Only users and groups assigned here can sign in via SSO, so assign only the people who need Genius access
     1. Once you choose a user or group, click Assign in the bottom-right
     2. This is the final step in AWS IAM Identity Center. Next, sign in as an Administrator within Genius to complete the setup.

Genius Steps:

  1. First, sign in to Genius as an Administrator user. From there, navigate to Home → Settings → Security Controls
  2. Make sure the Single Sign-On flag is enabled. If it is disabled, click the button to enable Single Sign-On
  3. In the first dropdown in the Single Sign-On box, select SAML
  4. In the Login Button Label box, choose a label for your sign-in button. Something like “AWS SSO” works fine, but choose something your users will recognize and know to click on.
  5. In the Metadata URL box, paste the IAM Identity Center SAML metadata URL you copied on the Configure application screen in the AWS IAM Identity Center steps above
  6. Click Save
  7. You should now be able to sign in via SSO. Keep this Administrator session open in a separate browser while you test, so you can still correct the configuration if SSO sign-in fails. In the test browser, log out of Genius in the top-right, which returns you to the Login screen
  8. On the login screen, enter your email address and click Continue (see the Account Login section below if you want users forwarded automatically to the SSO login)
  9. On the password screen, you should now see a button below the login button with the label you chose (for example “AWS SSO”); click that button
  10. Enter your Amazon credentials and, if your email matches the email of your user in Genius, you should now be logged in. If you encounter any errors at this point, double-check the setup steps above; if you cannot resolve them, contact Support.
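To make the configuration values above concrete, the following is an added example (not code from Genius, AVOXI or AWS) of what a SAML service provider does with them: it parses a metadata document of the shape IAM Identity Center serves at the metadata URL, then checks a SAML response against the ACS URL and SAML audience entered on the Configure application screen, and applies the email-match rule from the assignment step to a Genius user list. The metadata and response documents, the entity ID, certificate, timestamps, email addresses and the GENIUS_USERS list are all constructed placeholders, and whether Genius compares emails case-insensitively is an assumption of this example. Signature verification of the response against the certificate from the metadata is deliberately left out (it needs an XML-DSig library such as xmlsec) and must happen before any of these fields is trusted.

```python
"""Service-provider side of the SAML setup this guide configures.

Added example, not AVOXI Genius or AWS code. It shows the checks a SAML service
provider such as Genius performs with the values entered above (metadata URL,
ACS URL, SAML audience, Subject = ${user:email}). All documents, identifiers,
certificates, emails and timestamps are constructed placeholders. XML signature
verification is omitted and must precede every check below in a real SP.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values typed into "Manually type your metadata values" in the guide.
SP_ACS_URL = "https://genius.avoxi.com/api/v1/auth/saml/consume"
SP_AUDIENCE = "https://genius.avoxi.com"

# Constructed stand-in for the document served at the IAM Identity Center SAML metadata URL.
IDP_ENTITY_ID = "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID"
IDP_METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICEXAMPLEPLACEHOLDERCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="{IDP_ENTITY_ID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response of the shape the IdP POSTs to the ACS URL after the user signs in.
SAML_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-12-31T23:59:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Genius user list; the letter case deliberately differs from the NameID above.
GENIUS_USERS = [{"email": "Alice@Example.com", "role": "agent"}]


def parse_idp_metadata(xml_text):
    """Extract entityID, HTTP-POST sign-in URL and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # a KeyDescriptor without 'use' is also for signing
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso_post_url": sso.get(POST_BINDING), "signing_certs": certs}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_response(xml_text, idp, now, acs_url=SP_ACS_URL, audience=SP_AUDIENCE):
    """Return (problems, email). The email is only usable when problems is empty."""
    now = _ts(now) if isinstance(now, str) else now
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:  # must equal the Application ACS URL entered in the guide
        problems.append("Destination does not match the ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"], None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp["entity_id"]:
        problems.append("Issuer is not the IdP named in the metadata")
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if aud != audience:  # must equal the Application SAML audience entered in the guide
        problems.append("Audience does not match the SAML audience")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("assertion is outside its validity window")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or not (scd.get("NotOnOrAfter") and now < _ts(scd.get("NotOnOrAfter"))):
        problems.append("bearer SubjectConfirmationData Recipient/NotOnOrAfter check failed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)  # Subject mapped to ${user:email}
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        return problems + ["NameID missing or not in emailAddress format"], None
    return problems, name_id.text.strip()


def match_genius_user(email, users=GENIUS_USERS):
    """The guide's email-match rule: NameID must equal a Genius user's email (case-insensitive is an assumption)."""
    if not email:
        return None
    return next((u for u in users if u["email"].lower() == email.strip().lower()), None)


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA_XML)
    problems, email = check_response(SAML_RESPONSE_XML, idp, "2024-01-01T00:01:00Z")
    print(problems or "all checks passed", email, match_genius_user(email))
```

Running the file prints that all checks pass for the constructed response and that alice@example.com resolves to the Genius user despite the case difference. Changing the audience in the response, or evaluating it after the NotOnOrAfter time, produces a problem entry instead, which is the failure you will see at the “Enter your Amazon credentials” step if the ACS URL or audience was mistyped in IAM Identity Center.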

Account Login

If you want your users to be automatically forwarded to log in with SSO (so they do not need to click the “Login with SSO” button), you will need to turn off Account Login.

Account Login is the ability to log in with your existing AVOXI Genius credentials, that is, the password managed by AVOXI. Once SSO is working, you should turn off Account Login: with it disabled, users are automatically forwarded to your SSO provider when they attempt to log in, and the AVOXI-managed password is no longer an alternative way into their accounts.

You may want to leave Account Login enabled if you have additional accounts that are not tied to a specific person, such as administrative or integration accounts. Bear in mind that while Account Login is enabled, any user who still has an AVOXI-managed password can sign in with it without going through your identity provider, so review which accounts genuinely need it.