Configuring SAML SSO with AWS IAM and PingFederate

Enable Amazon Web Services (AWS) sign-on from a PingFederate URL (IdP-initiated sign-on).

Before you begin

  • Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.

  • Populate AWS with at least one user to test access.

  • You must have administrative access to PingFederate and AWS.

Create the PingFederate SP Connection for AWS

  1. Sign on to the PingFederate administrative console.

  2. Configure using Browser SSO profile SAML 2.0.

  3. Set Partner’s Entity ID to urn:amazon:webservices.

  4. Enable the IdP-Initiated SSO SAML profile.

  5. Enable the SP-Initiated SSO SAML profile.

  6. In Assertion Creation → Attribute Contract:

    • Extend the contract to add the attributes SAML_NAME_FORMAT and https://aws.amazon.com/SAML/Attributes/Role.

    • Set https://aws.amazon.com/SAML/Attributes/Role to have an Attribute Name Format of urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

  7. In Assertion Creation → Authentication Source Mapping → Attribute Contract Fulfillment:

    • Map SAML_SUBJECT to an attribute containing the username value.

    • Map SAML_NAME_FORMAT to a text value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    • Map https://aws.amazon.com/SAML/Attributes/Role to a fixed value or your attribute holding the user’s AWS role name.

  8. In Protocol Settings → Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://signin.aws.amazon.com/saml.

  9. In Protocol Settings → Allowable SAML Bindings, enable POST.

  10. In Credentials → Digital Signature Settings, select the PingFederate Signing Certificate.

  11. Save the configuration.

  12. Export the signing certificate.

  13. Export the metadata file, open it in a text editor, and copy the value of the entityID and the Location entry (https://your value/idp/SSO.saml2).
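Before importing the metadata into AWS, it is worth confirming that the assertion PingFederate actually emits carries what the SP connection above configures: a Destination of the AWS sign-in endpoint, a persistent-format NameID for SAML_SUBJECT, the urn:amazon:webservices audience, and a Role attribute in uri name format. The following Python script is an added example and not Ping Identity's or AWS's code. The SAML response it checks is a constructed sample; the account id, role name and issuer in it are placeholders. The Role value is checked against the `role ARN,provider ARN` pairing that AWS documents for that attribute, which is what the "fixed value or attribute holding the user's AWS role name" in step 7 has to resolve to. To check a real assertion, paste the base64-decoded SAMLResponse from a browser trace in place of the sample.

```python
"""Sanity-check a SAML response against the AWS SP connection settings in
this guide. Added example; the response below is a constructed sample."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
AWS_AUDIENCE = "urn:amazon:webservices"                      # Partner's Entity ID
AWS_ACS = "https://signin.aws.amazon.com/saml"               # ACS endpoint URL
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample (placeholder account id, role and issuer), unsigned for brevity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://signin.aws.amazon.com/saml" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:webservices</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/PingFederateUsers,arn:aws:iam::123456789012:saml-provider/PingFederate</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_aws_assertion(response_xml: str) -> list[str]:
    """Return the list of mismatches against the SP connection settings.
    An empty list means every setting this guide configures is present."""
    problems: list[str] = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != AWS_ACS:
        problems.append(f"Destination is not {AWS_ACS}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]

    # SAML_SUBJECT must be present and use the persistent NameID format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("SAML_SUBJECT (NameID) is missing")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")

    # The audience must be the Partner's Entity ID set on the connection.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience does not include {AWS_AUDIENCE}")

    # The Role attribute must use the uri name format and carry
    # "role ARN,provider ARN" pairs, the form AWS documents.
    role_attr = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            role_attr = attr
    if role_attr is None:
        problems.append("Role attribute is missing")
        return problems
    if role_attr.get("NameFormat") != URI_FORMAT:
        problems.append("Role attribute NameFormat is not uri")
    for value in role_attr.findall("saml:AttributeValue", NS):
        parts = (value.text or "").strip().split(",")
        if (len(parts) != 2 or not parts[0].startswith("arn:aws:iam::")
                or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]):
            problems.append(f"Role value is not 'role-arn,provider-arn': {value.text}")
    return problems


if __name__ == "__main__":
    for problem in check_aws_assertion(SAMPLE_RESPONSE) or ["assertion matches the AWS SP connection"]:
        print(problem)
```

The script only checks the attribute contract; it does not verify the XML signature, which AWS does on its side with the certificate from the metadata you import in the next section, so a signing mismatch still shows up only at AWS.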

Add the PingFederate IdP connection to AWS

  1. Sign on to your AWS console as an administrator.

  2. In the Security, Identity, & Compliance section, select the IAM service.

    Screen capture of the AWS console with the IAM link highlighted in red in the Security, Identity, and Compliance section.

  3. Go to Access Management → Identity Providers.

  4. Click Add Provider.

    Screen capture of the AWS console with the Identity providers section highlighted in red in the Access management menu.

  5. Set the following:

    Provider Type

    SAML

    Provider Name

    PingFederate

    Metadata Document

    Select the PingFederate metadata download file you downloaded previously.

  6. Continue through to the final page and click Create.

  7. Copy the ARN value of the provider.

    Screen capture of the AWS console open to the Identity providers page under the Access Management menu. The ARN value is highlighted in red.

  8. In the side menu, select Roles.

  9. Select the role that PingFederate SSO should have access to and then click the Trust relationships tab.

  10. Click Edit Trust Relationship.

    Screen capture of the AWS console with the Roles page open under the Access management menu. The Edit trust relationship button is highlighted in red on the Trust relationships tab.

  11. Add the provider ARN value you copied previously to the policy for this role.

    Screen capture of the AWS console with the Trust relationships tab open.
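The policy edited in step 11 is the role's trust policy: it names the SAML provider as a Federated principal allowed to call sts:AssumeRoleWithSAML, and the policy AWS generates for a SAML provider also carries a SAML:aud condition that pins the audience to the AWS sign-in endpoint. The Python below is an added example, not AWS or Ping Identity code. It builds that trust policy from a provider ARN and checks an existing policy for the points worth reviewing: a wildcard or unexpected Federated principal, and a missing SAML:aud condition. The account id and provider names are placeholders, and the loose policy it checks is a constructed sample.

```python
"""Build and review the role trust policy from step 11. Added example;
account id, provider names and the loose sample policy are constructed."""
import json

AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"


def provider_arn(account_id: str, provider_name: str) -> str:
    """ARN of the IAM SAML provider created in step 7 (AWS's documented form)."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_trust_policy(expected_provider: str) -> dict:
    """Trust policy allowing only this provider to assume the role, and only
    with assertions whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": expected_provider},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_ENDPOINT}},
        }],
    }


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_provider: str) -> list[str]:
    """Return review findings for every Allow statement that grants
    AssumeRoleWithSAML; an empty list means the policy trusts only the
    expected provider with the audience condition in place."""
    problems: list[str] = []
    saml_statements = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if ASSUME_ACTION not in actions and "sts:*" not in actions:
            continue
        saml_statements += 1
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else [principal]
        for p in federated:
            if p == "*":
                problems.append("Federated principal is a wildcard")
            elif p != expected_provider:
                problems.append(f"unexpected Federated principal: {p}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_ENDPOINT:
            problems.append("no SAML:aud condition pinning the AWS sign-in endpoint")
    if saml_statements == 0:
        problems.append(f"no Allow statement for {ASSUME_ACTION}")
    return problems


# Constructed sample of a policy as it might be pasted into the editor in
# step 11: the audience condition was dropped and a stale provider kept.
LOOSE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": ["arn:aws:iam::123456789012:saml-provider/PingFederate",
                                  "arn:aws:iam::123456789012:saml-provider/OldIdP"]},
      "Action": "sts:AssumeRoleWithSAML"
    }
  ]
}"""
LOOSE_POLICY = json.loads(LOOSE_POLICY_JSON)


if __name__ == "__main__":
    arn = provider_arn("123456789012", "PingFederate")
    print(json.dumps(build_trust_policy(arn), indent=2))
    for problem in check_trust_policy(LOOSE_POLICY, arn):
        print("finding:", problem)
```

The trust policy only decides who may assume the role; what the role can do once assumed is governed by its permission policies, which this guide does not change.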

Test the PingFederate IdP-initiated SSO integration

  1. Go to the PingFederate SSO Application Endpoint for the AWS SP connection.

  2. Complete the PingFederate authentication.

    You are redirected to your AWS domain.

    Screen capture of the AWS console open to the AWS Management Console page.