That is a mouthful, and the process could be clearer. It doesn't help that there's a lot of outdated information and conflicting articles, with links upon links pointing you every which way but the right way.
I'll use Google Apps as a SAML provider for the purpose of this gist.
The process is triggered from the AES Console and requires multiple steps to configure the IAM Roles and the chosen IdP.