---
title: Configuring SAML SSO with AWS IAM and PingFederate
description: Enable Amazon Web Services (AWS) sign-on from a PingFederate URL (IdP-initiated sign-on).
component: configuration_guides
page_id: configuration_guides:amazon:config_saml_aws_pf
canonical_url: https://docs.pingidentity.com/configuration_guides/amazon/config_saml_aws_pf.html
revdate: May 15, 2024
section_ids:
  before-you-begin: Before you begin
  create-the-pingfederate-sp-connection-for-aws: Create the PingFederate SP Connection for AWS
  add-the-pingfederate-idp-connection-to-aws: Add the PingFederate IdP connection to AWS
  test-the-pingfederate-idp-initiated-sso-integration: Test the PingFederate IdP-initiated SSO integration
---

# Configuring SAML SSO with AWS IAM and PingFederate

Enable Amazon Web Services (AWS) sign-on from a PingFederate URL (IdP-initiated sign-on).

## Before you begin

* Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.

* Populate AWS with at least one user to test access.

* You must have administrative access to PingFederate and AWS.

## Create the PingFederate SP Connection for AWS

1. Sign on to the PingFederate administrative console.

2. Configure the connection using the **Browser SSO** profile and **SAML 2.0**.

3. Set **Partner's Entity ID** to `urn:amazon:webservices`.

4. Enable the **IdP-Initiated SSO** SAML profile.

5. Enable the **SP-Initiated SSO** SAML profile.

6. In **Assertion Creation → Attribute Contract**:

   * Extend the contract to add the attributes `SAML_NAME_FORMAT` and `https://aws.amazon.com/SAML/Attributes/Role`.

   * Set **https://aws.amazon.com/SAML/Attributes/Role** to have an **Attribute Name Format** of `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`.

7. In **Assertion Creation → Authentication Source Mapping → Attribute Contract Fulfillment**:

   * Map **SAML_SUBJECT** to an attribute containing the `username` value.

   * Map **SAML_NAME_FORMAT** to a text value of `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.

   * Map **https://aws.amazon.com/SAML/Attributes/Role** to a fixed value or to the attribute holding the user's AWS role name.

8. In **Protocol Settings → Assertion Consumer Service URL**, set **Binding** to **POST** and set **Endpoint URL** to `https://signin.aws.amazon.com/saml`.

9. In **Protocol Settings → Allowable SAML Bindings**, enable **POST**.

10. In **Credentials → Digital Signature Settings**, select the **PingFederate Signing Certificate**.

11. Save the configuration.

12. Export the signing certificate.

13. Export the metadata file, open it in a text editor, and copy the value of the **entityID** attribute and the **Location** entry (`https://<your value>/idp/SSO.saml2`).
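
The last step asks you to find the `entityID` and the `Location` by eye in a text editor. The following script, an added example that is not part of the PingFederate guide, parses an exported IdP metadata file with the standard library instead, picks the POST `SingleSignOnService` endpoint, and refuses metadata that is not IdP metadata or carries no signing certificate (AWS verifies assertion signatures against that certificate). The embedded metadata is a constructed sample: the host `pingfederate.example.com` and the certificate text are placeholders, and a real export contains more elements.

```python
# Added example (not part of the PingFederate guide): pull the entityID and the
# SingleSignOnService Location out of an exported PingFederate IdP metadata
# file and sanity-check the export before handing it to AWS.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for a real export: the host name and the
# certificate text are placeholders, and a real file carries more elements.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfederate.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingfederate.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfederate.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_values(metadata_xml: str) -> dict:
    """Return entityID, SSO Location and signing-cert count from IdP metadata.

    Raises ValueError when the file is not IdP metadata or has no signing
    certificate, since AWS validates assertion signatures against that cert.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not the IdP export")

    # Prefer the POST endpoint; fall back to whichever binding is present.
    endpoints = {
        sso.get("Binding"): sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }
    location = endpoints.get(HTTP_POST) or next(iter(endpoints.values()), None)
    if not location:
        raise ValueError("no SingleSignOnService endpoint in metadata")

    # A KeyDescriptor without a 'use' attribute may serve for signing too.
    certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text
    ]
    if not certs:
        raise ValueError("no signing certificate: AWS cannot verify assertions")

    warnings = []
    if not location.startswith("https://"):
        warnings.append("SSO Location is not https")
    if not location.endswith("/idp/SSO.saml2"):
        warnings.append("SSO Location does not look like a PingFederate endpoint")

    return {
        "entity_id": root.get("entityID"),
        "sso_location": location,
        "signing_certs": len(certs),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in extract_idp_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_METADATA` with the contents of your exported file; the `entity_id` and `sso_location` it returns are the two values to carry into the AWS side of the configuration.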

## Add the PingFederate IdP connection to AWS

1. Sign on to your AWS console as an administrator.

2. In the **Security, Identity, & Compliance** section, select the **IAM** service.

   ![Screen capture of the AWS console with the IAM link highlighted in red in the Security, Identity, and Compliance section.](_images/lfb1619229721205.png)

3. Go to **Access Management → Identity Providers**.

4. Click **Add Provider**.

   ![Screen capture of the AWS console with the Identity providers section highlighted in red in the Access management menu.](_images/xwb1619229772253.png)

5. Set the following:

   |                       |                                                                           |
   | --------------------- | ------------------------------------------------------------------------- |
   | **Provider Type**     | SAML                                                                      |
   | **Provider Name**     | PingFederate                                                              |
   | **Metadata Document** | Select the PingFederate metadata download file you downloaded previously. |

6. Continue through to the final page and click **Create**.

7. Copy the **ARN** value of the provider.

   ![Screen capture of the AWS console open to the Identity providers page under the Access Management menu. The ARN value is highlighted in red.](_images/doo1619229815784.png)

8. In the side menu, select **Roles**.

9. Select the role that PingFederate SSO should have access to and then click the **Trust relationships** tab.

10. Click **Edit Trust Relationship**.

    ![Screen capture of the AWS console with the Roles page open under the Access management menu. The Edit trust relationship button is highlighted in red on the Trust relationships tab.](_images/zbc1619229841082.png)

11. Add the provider ARN value you copied previously to the trust policy for this role.

    ![Screen capture of the AWS console with the Trust relationships tab open.](_images/rbt1619229875203.png)
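
Two values in this guide are easy to get subtly wrong: the `https://aws.amazon.com/SAML/Attributes/Role` attribute mapped in the PingFederate attribute contract, which AWS documents as a comma-separated pair `role-arn,provider-arn`, and the trust policy on the role, which must name the provider ARN as a `Federated` principal for `sts:AssumeRoleWithSAML`. The following script is an added example, not code from the PingFederate guide or from AWS. It builds both values from constructed placeholder ARNs (account `123456789012`, provider `PingFederate`, role `PingFederateSSO`) and includes a small review function that flags a trust policy whose principal is a wildcard or that lacks the `SAML:aud` condition pinning the AWS sign-in audience.

```python
# Added example (not from the PingFederate guide or AWS): build the AWS Role
# attribute value and the role trust policy that names the provider ARN, and
# review an existing trust policy for the settings that keep it narrow.
import json

# Constructed placeholders: substitute the ARNs from your own AWS account.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/PingFederate"
ROLE_ARN = "arn:aws:iam::123456789012:role/PingFederateSSO"
# The audience in AWS SAML sign-in; the same URL is the ACS endpoint above.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """Value for https://aws.amazon.com/SAML/Attributes/Role: 'role-arn,provider-arn'."""
    if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
        raise ValueError("expected an IAM role ARN and an IAM saml-provider ARN")
    for arn in (role_arn, provider_arn):
        if not arn.startswith("arn:aws:iam::") or "," in arn:
            raise ValueError(f"not a well-formed IAM ARN: {arn}")
    return f"{role_arn},{provider_arn}"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy that lets only this SAML provider assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                # The console-generated policy for SAML roles carries this
                # condition; keep it so only assertions addressed to the AWS
                # sign-in audience are accepted.
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy: dict) -> list:
    """Flag Allow statements for AssumeRoleWithSAML that are broader than needed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRoleWithSAML" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            federated = _as_list(principal.get("Federated"))
        else:
            federated = _as_list(principal)
        if "*" in federated:
            findings.append("Federated principal is '*': any SAML provider could assume the role")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition; pin it to the AWS sign-in audience")
    return findings


if __name__ == "__main__":
    print("Role attribute:", role_attribute_value(ROLE_ARN, PROVIDER_ARN))
    policy = build_trust_policy(PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

The string returned by `role_attribute_value` is what to paste as the fixed value for the Role attribute in step 7, or what the mapped user attribute must contain; the dict from `build_trust_policy` is the document to paste on the **Trust relationships** tab. Run `trust_policy_findings` over the policy already on a role before editing it to see whether it is wider than this guide needs.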

## Test the PingFederate IdP-initiated SSO integration

1. Go to the PingFederate SSO Application Endpoint for the AWS SP connection.

2. Complete the PingFederate authentication.

   You are redirected to your AWS domain.

   ![Screen capture of the AWS console open to the AWS Management Console page.](_images/kqk1619229904875.png)
