Hi Robert. Thanks for that, that's excellent and I really appreciate it. There really isn't a lot of information out there on this and as I'm fairly new to both AWS and APM it was proving a little difficult.
I have made progress and do now have it working along the lines of what you've done in your example. In fact, your way is a little nicer when it comes to the VPE, so I will modify my policy today to simplify it a bit. The only issue that remains for me is handling people who may be in more than one AD group and thus need to be able to access more than one role. The AWS console handles it nicely in that if you have access to more than one role you get the option to choose. I am trying to replicate that with the SAML assertions, but it's difficult with the way the multi-valued attributes work. The only way I could see it working was if there's a way to add or remove attribute values based on a group membership. I haven't as of yet found a way to do that, but if you know of any way of potentially doing that. If not, thanks for your assistance anyway.
Nick.
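An added illustration (not code from this thread, from F5 or from AWS) of the assertion content Nick is describing: the multi-valued AWS `Role` attribute is built from the user's group memberships, one `roleArn,providerArn` value per mapped group, so a user in two mapped groups gets two values and the AWS console shows its role chooser. The group DNs, account id and ARNs are constructed placeholders.

```python
# Build the AWS SAML Role attribute from AD group membership.
# Assumed mapping from AD group DN (lower-cased) to (role ARN, SAML provider ARN);
# all values below are constructed examples, not real accounts or groups.
from xml.sax.saxutils import escape

GROUP_TO_ROLE = {
    "cn=aws-admins,ou=groups,dc=example,dc=com": (
        "arn:aws:iam::123456789012:role/Admins",
        "arn:aws:iam::123456789012:saml-provider/CorpIdP",
    ),
    "cn=aws-readonly,ou=groups,dc=example,dc=com": (
        "arn:aws:iam::123456789012:role/ReadOnly",
        "arn:aws:iam::123456789012:saml-provider/CorpIdP",
    ),
}
# Attribute name AWS expects for role selection in a SAML assertion.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def role_values(groups):
    """One 'roleArn,providerArn' value per mapped group, de-duplicated, in input order.
    Unmapped groups are ignored; group DNs are compared case-insensitively."""
    values = []
    for group in groups:
        pair = GROUP_TO_ROLE.get(group.lower())
        if pair is None:
            continue
        value = ",".join(pair)
        if value not in values:
            values.append(value)
    return values


def role_attribute_xml(groups):
    """Render the Role attribute element; empty string when no group maps to a role,
    so the attribute is omitted rather than emitted with no values."""
    values = role_values(groups)
    if not values:
        return ""
    body = "".join(
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values
    )
    return f'<saml:Attribute Name="{ROLE_ATTR}">{body}</saml:Attribute>'
```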