Configuration Guides

Configuring SAML SSO with AWS IAM and PingOne for Enterprise

Enable AWS sign-on from the PingOne for Enterprise console (IdP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users that require application access.

  • Create at least one IAM role in AWS for federated users to assume (SAML federation does not create IAM users), and have at least one user in the linked identity repository to test application access.

  • You must have administrative access to PingOne for Enterprise and AWS.

Set up the AWS Application in PingOne for Enterprise and extract the metadata

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. In the Application Catalog, search for Amazon Web Services.

  3. Click the right arrow to expand the Amazon Web Services entry and then click Setup.

    PingOne Application catalog showing the results of a search for Amazon Web Services. The right arrow is highlighted.
  4. Click Continue to Next Step twice.

  5. Map SAML_SUBJECT to the attribute containing the username value.

    The PingOne for Enterprise console showing the Attribute Mapping step for the AWS application. SAML_SUBJECT and the Advanced button are highlighted in red.
  6. Click Advanced.

  7. Set Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    The PingOne for Enterprise console showing the Advanced Attribute Options. The Name ID Format to send to SP value is highlighted in red.
  8. Click Save.

  9. Map the AWS Role attribute to a fixed value, or to the attribute in your identity repository that holds the user's AWS role. AWS expects each value as a comma-separated pair of the role ARN and the identity provider ARN (arn:aws:iam::<account-id>:role/<role-name>,arn:aws:iam::<account-id>:saml-provider/<provider-name>); you obtain the provider ARN when you add the PingOne for Enterprise IdP connection in AWS, so return to this mapping once you have it.

    The PingOne for Enterprise console showing the Attribute Mapping step for the AWS application. MyRole and the Advanced button are highlighted in red.
  10. Click Advanced.

  11. Set NameFormat to urn:oasis:names:tc:SAML:2.0:attrname-format:uri. AWS only recognizes the Role attribute when it is sent with this name format.

    The PingOne for Enterprise console showing the Advanced Attribute Options menu. The NameFormat value is highlighted in red.
  12. Click Save.

  13. Click Continue to Next Step twice.

  14. Click Add for each user group that you want to have access to AWS.

    The Group Access page showing group names.
  15. Download the PingOne for Enterprise SAML metadata file. You upload this file to AWS in the next section; it carries the signing certificate that AWS uses to validate assertions.

    The Single Logout Response Endpoint section with the Download link outlined in red.
  16. Click Finish.

Add the PingOne for Enterprise IdP connection to AWS

  1. Sign on to your AWS console as an administrator.

  2. Select the IAM service.

    The AWS console showing service options. IAM is highlighted in red.
  3. Go to Access Management → Identity Providers and click Add Provider.

    The IAM menu in AWS. In the sidebar, Identity providers is outlined in red.
  4. Set the following:

    • Provider Type: SAML

    • Provider Name: a name for the PingOne for Enterprise provider, for example PingOneForEnterprise (IAM provider names cannot contain spaces)

    • Metadata Document: Select the PingOne for Enterprise metadata download file

  5. Continue through to the final screen and click Create.

  6. Copy the ARN value of the provider.

    The IAM menu in AWS. The ARN value is outlined in red.
  7. Select Roles from the side menu, and then select the role that you want PingOne for Enterprise SSO to have access to.

  8. Click the Trust Relationship tab.

  9. Click Edit Trust Relationship.

    The IAM Roles section in AWS showing the Trust relationships tab on the Summary page. The Edit trust relationship button is outlined in red.
  10. Edit the trust policy so that the Federated principal is the provider ARN that you copied previously, the allowed action is sts:AssumeRoleWithSAML, and a StringEquals condition restricts SAML:aud to https://signin.aws.amazon.com/saml. Without the audience condition, the role trusts any assertion from the provider, including one issued for a different service provider.

    The Trust relationships tab in AWS.
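The trust policy from step 10 and the Role attribute value from the PingOne mapping have to refer to the same provider ARN, or sign-on fails at AWS with an unhelpful error. The following Python is an added example (not code from the PingOne or AWS documentation) that generates the trust policy for a provider ARN, builds the matching Role attribute value, and cross-checks the two. The account ID, role name and provider name are placeholders; the audience URL, action and attribute name are fixed AWS values.

```python
"""Build and cross-check the IAM side of the PingOne for Enterprise -> AWS SAML setup.

Added example, not code from the PingOne or AWS documentation. The account ID,
role name and provider name used in __main__ are placeholders (assumptions).
"""
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"      # audience of the AWS console sign-in SP
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # attribute AWS reads role pairs from

PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# Role names containing commas are not handled, since the Role attribute is comma-separated.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")


def trust_policy(provider_arn: str) -> dict:
    """Trust policy that lets only this SAML provider assume the role.

    The SAML:aud condition pins the assertion audience to the AWS sign-in endpoint,
    so an assertion the IdP issued for some other service provider cannot be
    replayed against this role.
    """
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """The value PingOne must send in the AWS Role attribute: 'role-arn,provider-arn'."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    return f"{role_arn},{provider_arn}"


def check_role_mapping(attr_value: str, policy: dict) -> list:
    """Cross-check a Role attribute value against the role's trust policy.

    Returns a list of problems; an empty list means the two sides agree.
    """
    parts = [p.strip() for p in attr_value.split(",")]
    if len(parts) != 2:
        return ["Role attribute value must be 'role-arn,provider-arn'"]
    role_arn, provider_arn = parts
    problems = []
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not role_m:
        problems.append(f"malformed role ARN: {role_arn}")
    if not prov_m:
        problems.append(f"malformed provider ARN: {provider_arn}")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        # AssumeRoleWithSAML requires the provider and the role to be in the same account.
        problems.append("role and provider are in different AWS accounts")
    trusted = set()
    aud_pinned = True
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            fed = principal.get("Federated")
            trusted.update([fed] if isinstance(fed, str) else fed or [])
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("SAML:aud") != SAML_AUDIENCE:
            aud_pinned = False  # statement would accept assertions for any audience
    if provider_arn not in trusted:
        problems.append("trust policy does not trust the provider ARN sent in the Role attribute")
    if not aud_pinned:
        problems.append("trust policy lacks StringEquals SAML:aud condition")
    return problems


if __name__ == "__main__":
    # Placeholder account, role and provider names (assumptions, not from the guide).
    provider = "arn:aws:iam::123456789012:saml-provider/PingOneForEnterprise"
    role = "arn:aws:iam::123456789012:role/PingOneAdmins"
    policy = trust_policy(provider)
    # Save this JSON and apply it with:
    #   aws iam update-assume-role-policy --role-name PingOneAdmins --policy-document file://trust.json
    print(json.dumps(policy, indent=2))
    print("Role attribute value for PingOne:", role_attribute_value(role, provider))
    print("problems:", check_role_mapping(role_attribute_value(role, provider), policy))
```

Run the check against the value you actually configured in the PingOne Role mapping and the trust policy as shown in the Trust relationships tab; a mismatched provider ARN or a missing SAML:aud condition is reported before you try the sign-on.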

Test PingOne for Enterprise IdP-initiated SSO

  1. Go to your PingOne dock (the end-user application portal) as a user in a group that you granted access to AWS.

    You can find the dock URL in the Admin console at Setup → Dock → PingOne Dock URL.

  2. Authenticate with PingOne for Enterprise.

    PingOne sign on page.

    You're redirected to the AWS Management Console, signed in as the role carried in the Role attribute (if the assertion lists more than one role, AWS prompts you to choose one).

    The AWS console.
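When the redirect ends in an AWS error page instead of the console, the quickest diagnosis is to look at what PingOne actually sent. The following Python is an added example (not code from the PingOne or AWS documentation) that decodes a captured SAMLResponse form value, as seen with a browser SAML tracer, and checks the assertion for the items AWS requires: the urn:amazon:webservices audience, a persistent NameID as configured above, a Role attribute with the uri name format and role-ARN,provider-ARN values, and the RoleSessionName attribute that AWS also requires. The embedded response is constructed for illustration, is unsigned, and uses placeholder issuer, account and role values; the check is structural only, since AWS validates the signature against the certificate in the uploaded metadata.

```python
"""Structural check of a captured PingOne SAMLResponse for AWS sign-on.

Added example, not code from the PingOne or AWS documentation. The sample
response below is constructed (placeholder issuer, account and role names)
and carries no signature; this check does not validate signatures.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AWS_AUDIENCE = "urn:amazon:webservices"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def check_saml_xml(xml_text: str) -> list:
    """Return a list of findings; an empty list means the assertion has what AWS needs."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion element (encrypted assertions are not handled here)"]
    findings = []
    aud = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != AWS_AUDIENCE:
        findings.append(f"Audience is {aud!r}, expected {AWS_AUDIENCE!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID missing or its Format is not nameid-format:persistent")
    attrs = {a.get("Name"): a
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    role = attrs.get(ROLE_ATTR)
    if role is None:
        findings.append("Role attribute missing")
    else:
        if role.get("NameFormat") != URI_FORMAT:
            findings.append("Role attribute NameFormat is not attrname-format:uri")
        for value in role.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # Each value must pair a role ARN with the provider ARN the role trusts.
            if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
                findings.append(f"Role value is not 'role-arn,provider-arn': {value.text!r}")
    if SESSION_ATTR not in attrs:
        findings.append("RoleSessionName attribute missing")
    return findings


def check_saml_response(saml_response_b64: str) -> list:
    """Same check, starting from the base64 SAMLResponse form field."""
    return check_saml_xml(base64.b64decode(saml_response_b64).decode())


# Constructed sample (placeholder values); a real capture also carries a Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://idp.example.invalid/pingone</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/pingone</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/PingOneAdmins,arn:aws:iam::123456789012:saml-provider/PingOneForEnterprise</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    print("findings:", check_saml_response(SAMPLE_B64))
```

Paste the SAMLResponse value from your own capture into check_saml_response; an empty findings list means the assertion is shaped the way the steps above intend, so a remaining failure points at the trust policy or the signing certificate rather than the attribute mapping.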