Configuring AWS session tags for PingFederate SAML connections

You can configure AWS Identity and Access Management (IAM) and AWS IAM Identity Center session tag support for SAML connections in PingFederate.

Before you begin

  • If you want to use OGNL expressions to populate the values of the AWS session tags, see Enabling and disabling expressions in the PingFederate documentation.

  • Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.

Steps

  1. Open your service provider (SP) connection. Go to SP Connection → Browser SSO → Assertion Creation → Attribute Contract.

  2. Extend the contract of the AWS SP connection.

    Choose from:

    This screen capture shows the Attribute Contract tab with the example AWS IAM PrincipalTag and TransitiveTagKeys attributes.

  3. Go to SP Connection → Browser SSO → Assertion Creation → IdP Adapter Mapping → Attribute Sources & User Lookup → Attribute Contract Fulfillment.

  4. Configure the attribute contract fulfillment for the AWS attributes.

    Example 1: This example shows AWS IAM Identity Center attributes mapped directly from an HTML Form Adapter instance.

    This screen capture shows the Attribute Contract Fulfillment tab with AWS IAM Identity Center attributes mapped to Adapter sources.

    Example 2: This example shows AWS IAM attributes mapped from a data source and manipulated by the OGNL expression language available in PingFederate.

    This screen capture shows the Attribute Contract Fulfillment tab with AWS IAM attributes mapped to Adapter and LDAP sources.

  5. Click Save.

Result

The AWS session tags are now included in the SAML assertion created by PingFederate.
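To confirm that the assertion PingFederate issues actually carries the session tags, it helps to look at the attribute statement AWS expects and to check it before AWS does. The script below is an added example, not code from PingFederate or Ping Identity: it parses a constructed SAML assertion fragment (the sample values, role ARN and account id are made up), extracts the `PrincipalTag:` and `TransitiveTagKeys` attributes by their AWS attribute names, and validates them against the AWS limits on session tags (key at most 128 characters, value at most 256 characters, at most 50 tags, one value per tag, and every transitive key backed by a PrincipalTag attribute). The `Role` attribute is included only to show that unrelated attributes are ignored.

```python
"""Added example: extract and validate AWS session tags from a SAML assertion.

Not PingFederate code. The assertion below is a constructed sample; the
attribute names are the ones AWS defines for session tags.
"""
from xml.etree import ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"
TRANSITIVE_TAG_KEYS = "https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys"

# AWS-documented limits for session tags (not stated on this page).
MAX_TAG_KEY_LEN = 128
MAX_TAG_VALUE_LEN = 256
MAX_SESSION_TAGS = 50

# Constructed sample of the attribute statement PingFederate produces once the
# contract is extended and fulfilled as described above. Account id and role
# names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Department">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter">
      <saml:AttributeValue>CC-1234</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys">
      <saml:AttributeValue>Department</saml:AttributeValue>
      <saml:AttributeValue>CostCenter</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_session_tags(assertion_xml):
    """Return ({tag_key: [values]}, [transitive keys]) found in the assertion.

    Values are kept as lists so that a multi-valued PrincipalTag, which AWS
    does not accept, can be reported by validate_session_tags().
    """
    root = ET.fromstring(assertion_xml)
    tags = {}
    transitive = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        if name.startswith(PRINCIPAL_TAG_PREFIX):
            tags[name[len(PRINCIPAL_TAG_PREFIX):]] = values
        elif name == TRANSITIVE_TAG_KEYS:
            transitive.extend(values)
        # Any other attribute (Role, RoleSessionName, ...) is not a session tag.
    return tags, transitive


def validate_session_tags(tags, transitive):
    """Return a list of problems AWS would reject; an empty list means OK."""
    problems = []
    if len(tags) > MAX_SESSION_TAGS:
        problems.append(f"{len(tags)} session tags exceeds the limit of {MAX_SESSION_TAGS}")
    for key, values in tags.items():
        if not key or len(key) > MAX_TAG_KEY_LEN:
            problems.append(f"tag key {key[:20]!r}... has invalid length {len(key)}")
        if len(values) != 1:
            problems.append(f"tag {key!r} must have exactly one value, found {len(values)}")
        for value in values:
            if len(value) > MAX_TAG_VALUE_LEN:
                problems.append(f"value of tag {key!r} exceeds {MAX_TAG_VALUE_LEN} characters")
    for key in transitive:
        if key not in tags:
            problems.append(f"transitive key {key!r} has no matching PrincipalTag attribute")
    return problems


if __name__ == "__main__":
    found_tags, found_transitive = extract_session_tags(SAMPLE_ASSERTION)
    print("session tags:", found_tags)
    print("transitive keys:", found_transitive)
    print("problems:", validate_session_tags(found_tags, found_transitive) or "none")
```

To use it against a real connection, capture the assertion from a test login (for example with the browser's SAML tracer or PingFederate's audit log with assertion logging enabled), decode the base64 response, and pass the `Assertion` element to `extract_session_tags`. A transitive key that names a tag missing from the assertion, or an OGNL expression that emits a multi-valued attribute, shows up here before it shows up as an `AssumeRoleWithSAML` failure.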