---
title: Configuring SAML SSO with AWS IAM and PingOne for Enterprise
description: Enable AWS sign-on from the PingOne for Enterprise console (IdP-initiated sign-on).
component: configuration_guides
page_id: configuration_guides:amazon:config_saml_aws_p1
canonical_url: https://docs.pingidentity.com/configuration_guides/amazon/config_saml_aws_p1.html
revdate: May 20, 2024
section_ids:
  before-you-begin: Before you begin
  set-up-the-aws-application-in-pingone-for-enterprise-and-extract-the-metadata: Set up the AWS Application in PingOne for Enterprise and extract the metadata
  add-the-pingone-for-enterprise-idp-connection-to-aws: Add the PingOne for Enterprise IdP connection to AWS
  test-pingone-for-enterprise-idp-initiated-sso: Test PingOne for Enterprise IdP-initiated SSO
---

# Configuring SAML SSO with AWS IAM and PingOne for Enterprise

Enable AWS sign-on from the PingOne for Enterprise console (IdP-initiated sign-on).

## Before you begin

* Link PingOne for Enterprise to an identity repository containing the users that require application access.

* Populate AWS with at least one user to test application access.

* You must have administrative access to PingOne for Enterprise and AWS.

## Set up the AWS Application in PingOne for Enterprise and extract the metadata

1. Sign on to PingOne for Enterprise and go to **Applications → Application Catalog**.

2. In the **Application Catalog**, search for `Amazon Web Services`.

3. Click the right arrow to expand the **Amazon Web Services** entry and then click **Setup**.

   ![PingOne Application catalog showing the results of a search for Amazon Web Services. The right arrow is highlighted.](_images/wfb1617988989973.png)

4. Click **Continue to Next Step** twice.

5. Map **SAML\_SUBJECT** to the attribute containing the username value.

   ![The AWS console showing the Attribute Mapping step. SAML\_SUBJECT and the Advanced button are highlighted in red.](_images/uqq1617989274270.png)

6. Click **Advanced**.

7. Set **Name ID Format to send to SP** to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.

   ![The AWS console showing the Advanced Attribute Options. The Name ID Format to send to SP value is highlighted in red.](_images/hnz1619502415218.png)

8. Click **Save**.

9. Map the **AWS Role** attribute to a fixed value or to the attribute that holds the user's AWS role. AWS expects each value as the IAM role ARN and the IdP provider ARN joined by a comma, in the form `arn:aws:iam::<account-id>:role/<role-name>,arn:aws:iam::<account-id>:saml-provider/<provider-name>`; the provider ARN is created in the next section, so you might need to come back and complete this mapping after that.

   ![The AWS console showing the Attribute Mapping step. MyRole and the Advanced button are highlighted in red.](_images/ihv1619502545618.png)

10. Click **Advanced**.

11. Set **NameFormat** to `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`.

    ![The AWS Advanced Attribute Options menu. The NameFormat value is highlighted in red.](_images/bii1619502605011.png)

12. Click **Save**.

13. Click **Continue to Next Step** twice.

14. Click **Add** for each user group that you want to have access to AWS.

    ![The Group Access page showing group names.](_images/dnh1619502683691.png)

15. Download the metadata.

    ![The Single Logout Response Endpoint section with the Download link outlined in red.](_images/eqr1619502738999.png)

16. Click **Finish**.

## Add the PingOne for Enterprise IdP connection to AWS

1. Sign on to your AWS console as an administrator.

2. Select the IAM service.

   ![The AWS console showing service options. IAM is highlighted in red.](_images/inz1619502811583.png)

3. Go to **Access Management → Identity Providers** and click **Add Provider**.

   ![The IAM menu in AWS. In the sidebar, Identity providers is outlined in red.](_images/rgl1619502907798.png)

4. Set the following:

   * **Provider Type**: SAML

   * **Provider Name**: A name for the PingOne for Enterprise connection, for example `PingOneForEnterprise`. IAM provider names can contain only letters, digits, and the characters `._-`, so do not use spaces.

   * **Metadata Document**: Select the PingOne for Enterprise metadata download file

5. Continue through to the final screen and click **Create**.

6. Copy the **ARN** value of the provider.

   ![The IAM menu in AWS. The ARN value is outlined in red.](_images/ryz1619502980624.png)

7. Select **Roles** from the side menu, and then select the role that federated PingOne for Enterprise users will assume (the role ARN carried in the **AWS Role** attribute value).

8. Click the **Trust relationships** tab.

9. Click **Edit Trust Relationship**.

   ![The IAM Roles section in AWS showing the Trust relationships tab on the Summary page. The Edit trust relationship button is outlined in red.](_images/xep1619503151526.png)

10. Edit the policy so that the provider you created is the trusted principal: set **Principal** to `{"Federated": "<provider ARN you copied>"}`, set **Action** to `sts:AssumeRoleWithSAML`, and add a **Condition** of `StringEquals` on `SAML:aud` with the value `https://signin.aws.amazon.com/saml`. The condition restricts the role to assertions addressed to the AWS sign-in endpoint; without it, an assertion the IdP issued for some other service provider could be replayed against this role.

    ![The Trust relationships tab in AWS.](_images/koz1619503263641.png)
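The following script is an added example and is not part of this page or of Ping's or AWS's own tooling. It shows the two pieces this section and step 9 of the previous section leave as prose: the `role-arn,provider-arn` value that goes in the **AWS Role** attribute, and the trust policy the role needs, together with a small audit function that flags trust policies that name a wildcard principal or omit the `SAML:aud` condition. The account ID `123456789012`, the role name `PingOneAdmin` and the provider name `PingOneForEnterprise` are made-up placeholders; substitute your own values.

```python
import json

# Constructed example identifiers; replace with your own account ID, role and provider names.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PingOneAdmin"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/PingOneForEnterprise"
# Endpoint value AWS compares against the SAML:aud condition key.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Actions that would permit a SAML federation into the role.
SAML_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:*", "*"}


def role_attribute_value(role_arn, provider_arn):
    """Value to send in the https://aws.amazon.com/SAML/Attributes/Role attribute (step 9)."""
    return f"{role_arn},{provider_arn}"


def build_trust_policy(provider_arn):
    """Trust policy allowing only assertions from this provider, addressed to AWS, to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def audit_trust_policy(policy, expected_provider_arn):
    """Return findings for Allow statements that grant SAML federation more loosely than step 10 requires."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not SAML_ACTIONS.intersection(actions):
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        federated = [federated] if isinstance(federated, str) else (federated or [])
        if not federated or "*" in federated:
            findings.append(f"statement {i}: federated principal is missing or a wildcard")
        elif expected_provider_arn not in federated:
            findings.append(f"statement {i}: principal {federated} is not the PingOne provider ARN")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: no StringEquals SAML:aud == {AWS_SAML_AUDIENCE} condition")
    return findings


if __name__ == "__main__":
    print("AWS Role attribute value:", role_attribute_value(ROLE_ARN, PROVIDER_ARN))
    policy = build_trust_policy(PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, PROVIDER_ARN))
```

Paste the printed policy into the **Trust relationships** editor, or run `audit_trust_policy` over the JSON returned by `aws iam get-role` for roles you already have, to catch a role whose trust was widened beyond the PingOne provider.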

## Test PingOne for Enterprise IdP-initiated SSO

1. Go to your Ping desktop as a user with AWS access.

   You can find the Ping desktop URL in the Admin console at **Setup → Dock → PingOne Dock URL**.

2. Authenticate with PingOne for Enterprise.

   ![PingOne sign on page.](_images/reg1619503321292.png)

   You're redirected to the AWS Management Console, signed in to the role named in the assertion's **AWS Role** attribute.

   ![The AWS console.](_images/lgc1619503389418.png)
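If the redirect fails or AWS shows an error page instead of the console, the quickest check is the `SAMLResponse` form value PingOne posts to `https://signin.aws.amazon.com/saml`, which you can capture from your browser's developer tools. The script below is an added example, not part of this page or of Ping's tooling: it decodes a constructed, unsigned sample response and reports whether the NameID format (step 7 of the first section), the Role attribute's NameFormat and `role-arn,provider-arn` values (steps 9 and 11), the audience and the destination are what AWS expects; it also checks for the `RoleSessionName` attribute, which AWS requires alongside `Role`. The account ID, role name and user `jdoe` in the sample are made up. It checks structure only and does not verify the XML signature, so it is a troubleshooting aid, not something to accept assertions with.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ACS = "https://signin.aws.amazon.com/saml"
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed, unsigned sample of what the first section's settings should produce
# (account ID, role name and user are placeholders). A real response carries a Signature.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://signin.aws.amazon.com/saml">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/PingOneAdmin,arn:aws:iam::123456789012:saml-provider/PingOneForEnterprise</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")

# The same response with the NameID format left at "unspecified", to show what a finding looks like.
SAMPLE_BAD_RESPONSE = base64.b64encode(
    base64.b64decode(SAMPLE_RESPONSE).replace(b"nameid-format:persistent", b"nameid-format:unspecified"))


def inspect_saml_response(b64_response):
    """Decode a SAMLResponse value and report whether its shape matches what AWS expects.

    Structure only: the XML signature is not validated, so never use this to accept assertions.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "audiences": [], "attributes": {},
                "findings": ["no Assertion element in Response"]}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = {"NameFormat": attr.get("NameFormat"),
                                   "values": [v.text for v in attr.findall("saml:AttributeValue", NS)]}
    findings = []
    if root.get("Destination") != AWS_ACS:
        findings.append(f"Destination is {root.get('Destination')!r}, expected {AWS_ACS}")
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID missing or its Format is not persistent (step 7)")
    if AWS_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include {AWS_AUDIENCE}")
    role = attrs.get(ROLE_ATTR)
    if role is None:
        findings.append("Role attribute missing (step 9)")
    else:
        if role["NameFormat"] != URI_FORMAT:
            findings.append("Role attribute NameFormat is not attrname-format:uri (step 11)")
        for value in role["values"]:
            parts = (value or "").split(",")
            if len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]:
                findings.append(f"Role value is not 'role-arn,provider-arn': {value!r}")
    if SESSION_ATTR not in attrs:
        findings.append("RoleSessionName attribute missing; AWS requires it")
    return {"name_id": name_id.text if name_id is not None else None,
            "audiences": audiences, "attributes": attrs, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_RESPONSE), ("bad", SAMPLE_BAD_RESPONSE)):
        print(label, inspect_saml_response(sample)["findings"])
```

To use it on a real sign-on, paste the captured `SAMLResponse` value in place of `SAMPLE_RESPONSE`; each finding names the step in the first section whose setting it contradicts.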
