I would have also assumed you'd read the Integration Guide I wrote for it, but given your question I suspect maybe you didn't, so I imagine that would be a good idea. But I didn't get much into the fact that it's distinct from AWS' own IdP IAM setup in that doc either. -- Scott