Configuring AWS session tags for PingOne OIDC connections

You can configure AWS session tag support for OpenID Connect (OIDC) connections in PingOne by changing the attribute mappings in your OIDC application.

Before you begin

  • Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.

  • Sign on to your PingOne account as an administrator.

  • Configure an external identity provider, such as PingFederate, with a Tags attribute. Its value must be the JSON object that AWS specifies for session tags: a principal_tags object holding the tag keys and values and, optionally, a transitive_tag_keys array listing the keys that should persist across role chaining.

Steps

  1. Go to Applications → OIDC.

  2. Select the application you want to edit and click Edit.

  3. In the Default User Profile Attribute Contract section, click Add Attribute.

  4. Enter https://aws.amazon.com/tags as shown, then click Next. AWS matches the claim name exactly, so the attribute name must be this value, including the https scheme.

    This screen capture shows the Default User Profile Attribute Contract section with the AWS tag entered as an attribute.
  5. In the Attribute Mapping section, map the https://aws.amazon.com/tags attribute to the external identity provider attribute that contains the JSON-formatted session tag data, as shown.

    This screen capture shows the Attribute Mapping section with the newly-created AWS attribute mapped to the external identity provider attribute.
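To check the value the external identity provider supplies before mapping it in step 5, the following added example (not part of the PingOne documentation or product) builds the session tag claim object in the format AWS documents for OIDC connections, validates it against the AWS tag limits (at most 50 tags, keys of 1 to 128 characters, values of up to 256 characters, the allowed character set, no reserved aws: prefix, and transitive keys that exist in principal_tags), and extracts the claim from an ID token payload so you can confirm the mapping produced it. The tag names, values, and the unsigned sample token are constructed for the demonstration and are not real data.

```python
"""Build, validate and inspect the AWS session tag claim for an OIDC ID token.
Added example, not PingOne or AWS code; sample tags and token are constructed."""
import base64
import json
import re

# Claim name AWS expects for session tags on OIDC (web identity) federation.
CLAIM_NAME = "https://aws.amazon.com/tags"

# Limits from the AWS session tag documentation.
MAX_TAGS = 50
KEY_MAX_LEN = 128
VALUE_MAX_LEN = 256
# Characters AWS allows in tag keys and values.
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9 _.:/=+\-@]*$")


def build_tags_claim(tags, transitive_keys=()):
    """Build the claim value: one single-element array per tag key, plus the
    keys that should persist when the session assumes further roles."""
    return {
        "principal_tags": {key: [value] for key, value in tags.items()},
        "transitive_tag_keys": list(transitive_keys),
    }


def validate_tags_claim(claim):
    """Return a list of problems; an empty list means the claim matches the
    documented AWS format and limits."""
    problems = []
    principal_tags = claim.get("principal_tags") if isinstance(claim, dict) else None
    if not isinstance(principal_tags, dict):
        return ["principal_tags is missing or not a JSON object"]
    if len(principal_tags) > MAX_TAGS:
        problems.append(f"more than {MAX_TAGS} tags")
    for key, values in principal_tags.items():
        if not 1 <= len(key) <= KEY_MAX_LEN or not ALLOWED_CHARS.match(key):
            problems.append(f"invalid tag key {key!r}")
        if key.lower().startswith("aws:"):
            problems.append(f"tag key {key!r} uses the reserved aws: prefix")
        if not (isinstance(values, list) and len(values) == 1
                and isinstance(values[0], str)):
            problems.append(f"value of {key!r} must be a one-element array of a string")
        elif len(values[0]) > VALUE_MAX_LEN or not ALLOWED_CHARS.match(values[0]):
            problems.append(f"invalid value for tag {key!r}")
    transitive = claim.get("transitive_tag_keys", [])
    if not isinstance(transitive, list):
        problems.append("transitive_tag_keys must be an array")
    else:
        for key in transitive:
            if key not in principal_tags:
                problems.append(f"transitive key {key!r} is not in principal_tags")
    return problems


def tags_claim_from_id_token(id_token):
    """Pull the session tag claim out of an ID token's payload.
    The signature is NOT verified here: use this only to confirm that the
    attribute mapping produced the claim, never to trust its contents."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get(CLAIM_NAME)


def make_sample_id_token(claim):
    """Constructed, unsigned (alg none) token for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"sub": "user@example.com", CLAIM_NAME: claim}
    return f"{b64(header)}.{b64(payload)}."


# Constructed sample: what the external IdP would place in its Tags attribute.
SAMPLE_TAGS = {"Department": "Engineering", "CostCenter": "987654"}
SAMPLE_CLAIM = build_tags_claim(SAMPLE_TAGS, transitive_keys=["Department"])

if __name__ == "__main__":
    print(json.dumps(SAMPLE_CLAIM, indent=2))
    print("problems:", validate_tags_claim(SAMPLE_CLAIM))
    token = make_sample_id_token(SAMPLE_CLAIM)
    print("claim present in token:", tags_claim_from_id_token(token) == SAMPLE_CLAIM)
```

Run it against a real ID token issued after the mapping is in place by passing that token to tags_claim_from_id_token and handing the result to validate_tags_claim; an empty list means the claim has the shape AWS accepts. Because the decoder skips signature verification, treat it as a mapping check only, and let AWS STS perform the actual trust decision.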