This guide walks you through integrating AWS IAM Identity Center (formerly AWS SSO) Single Sign-On with Axya using SAML 2.0. Once configured, your users can log in to Axya using their existing AWS organization credentials.
Send the following information to Axya's security team at security@axya.co:
| Information | Description |
|---|---|
| User domain name | The email domain used for SSO (e.g., user@yourcompany.com) |
| IAM Identity Center SAML metadata URL | The metadata URL for the application (preferred), or provide the items below manually |
| SSO URL | The IAM Identity Center sign-in URL for the application |
| Issuer URL | The IAM Identity Center issuer (Entity ID) |
| X.509 Certificate | The signing certificate from IAM Identity Center |
| Test account | A test user with valid credentials for Axya to validate the SSO flow |
In the Applications list, click on the Axya application.
Go to the Attribute mappings tab.
Configure the following mappings:
| Application attribute | Maps to this value in IAM Identity Center | Format |
|---|---|---|
| Subject | ${user:email} | emailAddress |
| email | ${user:email} | unspecified |
| firstName | ${user:givenName} | unspecified |
| lastName | ${user:familyName} | unspecified |
Click Save changes.
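To confirm the mappings took effect before handing a test account to Axya, you can capture the SAMLResponse form field from a test login (browser developer tools, base64-decoded) and check it against the table. The following is an added example, not Axya's code: `check_mapping` reports every deviation from the mapping (NameID format, e-mail domain, the three named attributes, and Subject/email agreement) and returns an empty list when the response matches. The two responses it is run on are constructed, unsigned samples; the script checks only the mapping and does not verify the XML signature.

```python
"""Check a decoded SAML Response against the Subject/email/firstName/lastName mapping.

Added example (not Axya's code). Input is the XML of a SAMLResponse after base64
decoding. Signature verification is deliberately out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName")


def _attributes(assertion) -> dict:
    """Map attribute Name -> list of non-empty AttributeValue texts."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(response_xml: str, expected_domain: str) -> list:
    """Return a list of problems; an empty list means the response matches the mapping."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion (or no assertion at all) cannot be inspected here.
        return ["no plaintext saml:Assertion in the Response"]

    subject = None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
        subject = (name_id.text or "").strip()
        domain = subject.rsplit("@", 1)[-1].lower() if "@" in subject else ""
        if domain != expected_domain.lower():
            problems.append(f"Subject {subject!r} is not in domain {expected_domain}")

    attrs = _attributes(assertion)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"attribute {name!r} missing or empty")

    # Subject and the email attribute both map to ${user:email}, so they must agree.
    if subject and attrs.get("email") and attrs["email"][0].lower() != subject.lower():
        problems.append("email attribute does not match Subject NameID")
    return problems


def _response(name_id_format: str, attributes: dict) -> str:
    """Build a constructed, unsigned Response for the samples below (not a real IdP message)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{name_id_format}">jane.doe@yourcompany.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples. GOOD follows the mapping table; BAD left Subject at the
# 'unspecified' format and never mapped lastName, which is the kind of mistake
# that surfaces as an "Invalid SAML response" or attribute error.
GOOD_RESPONSE = _response(EMAIL_FORMAT,
                          {"email": "jane.doe@yourcompany.com", "firstName": "Jane", "lastName": "Doe"})
BAD_RESPONSE = _response(UNSPECIFIED_FORMAT,
                         {"email": "jane.doe@yourcompany.com", "firstName": "Jane"})

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_mapping(xml, "yourcompany.com") or "OK")
```

Run it with your own SSO domain in place of `yourcompany.com`; each reported problem names the row of the mapping table to revisit.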
Important: Only users assigned to the application (directly or through a group) will be able to log in to Axya through SSO. If you use an external identity source (e.g., Active Directory connected via AWS Directory Service), ensure the relevant users are synced to IAM Identity Center.
Email the following to security@axya.co:
The Axya security team will configure the SSO connection and provide the ACS URL and Entity ID if not already shared.
"User is not assigned to this application" error
The user has not been assigned to the Axya application in IAM Identity Center. Complete Step 4 above to assign the user or their group.
"Response ACS URL does not match" error
The ACS URL configured in the IAM Identity Center application does not match what Axya expects. Contact security@axya.co to confirm the correct ACS URL and update the application metadata.
"Invalid SAML response" or attribute error
The attribute mappings may be incorrect. Verify that the Subject attribute is mapped to ${user:email} with the emailAddress format as described in Step 3.
Users synced from an external directory cannot log in
Ensure the users are properly provisioned in IAM Identity Center and that their email addresses match the expected domain. Check the Users section of IAM Identity Center to confirm the user exists and is active.
Note: This guide covers the general AWS IAM Identity Center SSO setup. Configuration steps may vary depending on your AWS organization structure and identity source. Refer to the official AWS IAM Identity Center documentation for the most current instructions.
For assistance, contact the Axya security team at security@axya.co.