Amazon

Configuring AWS session tags for PingOne SAML connections

You can create a custom SAML application to support AWS Identity and Access Management (IAM) and AWS IAM Identity Center session tags for SAML connections in PingOne.

Before you begin

  • Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.

  • Sign on to your PingOne account as an administrator.

  • Configure an external identity provider, such as PingFederate, that will provide the values for the AWS attributes.

About this task

In the PingOne App Catalog, PingOne provides a ready-made AWS application template. That template uses static SAML attributes, and cannot be used for session tags. The following steps allow you to create a custom SAML application to use with AWS session tags.

Steps

  1. On the PingOne console, go to Applications → My Applications → Add Application → New SAML Application.

  2. Enter an application name, such as AWS with Session Tags.

  3. Enter the application description, category, and application icon and then click Continue to Next Step.

  4. In the Application Configuration section, enter the following:

    1. In the Assertion Consumer Service (ACS)field, enter https://signin.aws.amazon.com/saml.

    2. In the Entry ID field, enter urn:amazon:webservices.

  5. Click Continue to Next Step.

  6. In the SSO Mapping Attributessection, click Add new attribute. Enter the session tags attributes that you plan to use.

    Choose from:

    • If you are using AWS IAM Identity Center, include the access control tags based on the following format: https://aws.amazon.com/SAML/Attributes/AccessControl:{attribute}

    • If you are using AWS IAM, enter the AWS Principal Tags and TransitiveTagKeys, based on the following examples:

    • https://aws.amazon.com/SAML/Attributes/AccessControl:{attribute}

    • https://aws.amazon.com/SAML/Attributes/PrincipalTag:project

    • https://aws.amazon.com/SAML/Attributes/Role

    • https://aws.amazon.com/SAML/Attributes/RoleSessioName

    • https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys

      This screen capture shows the SSO Attribute Mapping section with examples of potential Principal Tags and TransitiveTagKeys for AWS IAM.
  7. Click Continue to Next Step twice and then click Finish to create the AWS Session Tag SAML application.