PingOne

Adding an identity provider - Amazon

Adding Amazon as an external identity provider (IdP) gives your users the option to sign in with Amazon when accessing your application.

Before you begin

Ensure that the application is added to PingOne.

Set the Grant Type for the application to Implicit.

Learn more in Adding an application.

Creating a security profile with Amazon

Before you can set up Amazon as an external IdP, you must create a security profile for your application. For more information, see https://developer.amazon.com/docs/login-with-amazon/register-web.html.

Before you begin

Ensure that you have the following information for your application:

  • Name

  • Description

  • Privacy notice URL

  • Logo (optional)

Steps

  1. Go to the Amazon Developer Console at https://login.amazon.com.

    You’ll be asked to sign on to the Developer Console. If you don’t have an account, you can create one now.

  2. Click Create a New Security Profile.

  3. Enter the following:

    • Security Profile Name: A unique identifier for the application, which will appear on the consent page when users agree to sign on with Amazon.

    • Security Profile Description: A brief characterization of the application.

    • Privacy Notice URL: The location of the privacy notice for your application.

    • Consent Logo Image: (Optional). The image that appears on the consent page to represent your application.

  4. Click Save.

Enabling Login with Amazon

If you created a new security profile, Login with Amazon should be enabled by default. If you are adding an application to an existing security profile, enable Login with Amazon.

Steps

  1. Go to the Amazon Developer Console at https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html.

    Result:

    You are asked to sign on to the Developer Console.

  2. Click Select a security profile, then choose your security profile in the menu.

  3. Click Confirm.

  4. In the form that opens, enter a Consent Privacy Notice URL.

    This is the location of your application’s privacy policy.

  5. Click Save.

Getting the client ID and client secret

Copy the client ID and client secret from the Amazon Developer Console. You’ll need these values when you add the application to PingOne.

Steps

  1. Go to the Amazon Developer Console at https://login.amazon.com.

  2. Locate the appropriate security profile.

  3. Click Web Settings.

  4. Copy the Client ID and Client secret to a secure location.

    You can always access these values on the Amazon Developer Console.

Adding Amazon as an identity provider in PingOne

Configure the identity provider connection in PingOne.

Before you begin

You should have the following information ready:

  • Client ID

  • Client secret

Ensure that registration is enabled in the authentication policy. See Editing an authentication policy.

Steps

  1. In PingOne, go to Integrations → External IdPs.

  2. Click Add Provider.

  3. Click Amazon.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description: (Optional). A brief description of the IdP.

    You cannot change the icon and login button, in accordance with the provider’s brand standards.

  5. Click Next.

  6. On the Configure Connection page, enter the following information:

    • Client ID: The application ID that you copied earlier from the IdP. You can find this information on the Amazon Developer Console.

    • Client secret: The application secret that you copied earlier from the IdP. You can find this information on the Amazon Developer Console.

  7. Click Save and Continue.

  8. On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes.

    For more information, see Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.

    • To add an attribute, click Add attribute.

    • To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

    You can map the following attributes provided by Amazon:

    • email

    • name

    • user_id

    • postal_code

  9. Click Save and Finish.
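The update condition chosen in step 8 decides whether a value Amazon sends replaces what PingOne already holds for the user. The following Python, added here as an illustration and not code from PingOne or from Amazon, models that merge for the four Amazon attributes listed above; the PingOne-side attribute names, the mapping and the sample user are constructed assumptions.

```python
from enum import Enum

# The four attributes the page lists as provided by Amazon.
AMAZON_ATTRIBUTES = {"email", "name", "user_id", "postal_code"}


class UpdateCondition(Enum):
    """The two update conditions offered on the Map Attributes page."""
    EMPTY_ONLY = "Empty only"  # write only when the PingOne value is empty
    ALWAYS = "Always"          # overwrite on every sign-on


# Constructed mapping: PingOne attribute -> (Amazon attribute, condition).
# The PingOne-side attribute names are assumptions for this example.
ATTRIBUTE_MAP = {
    "email": ("email", UpdateCondition.ALWAYS),
    "name": ("name", UpdateCondition.EMPTY_ONLY),
    "postalCode": ("postal_code", UpdateCondition.EMPTY_ONLY),
    "externalId": ("user_id", UpdateCondition.ALWAYS),
}


def is_empty(value):
    """Treat None and whitespace-only strings as empty for 'Empty only'."""
    return value is None or str(value).strip() == ""


def apply_mapping(profile, idp_claims, mapping=ATTRIBUTE_MAP):
    """Return a copy of the PingOne profile updated from the IdP claims."""
    updated = dict(profile)
    for ping_attr, (idp_attr, condition) in mapping.items():
        if idp_attr not in AMAZON_ATTRIBUTES:
            raise ValueError(f"{idp_attr!r} is not an attribute Amazon provides")
        if idp_attr not in idp_claims:
            continue  # Amazon did not send this claim; keep the PingOne value
        if condition is UpdateCondition.ALWAYS or is_empty(updated.get(ping_attr)):
            updated[ping_attr] = idp_claims[idp_attr]
    return updated


def demo():
    """Constructed sample: an existing PingOne user and the claims Amazon
    returns for them on a later sign-on (user_id is a placeholder)."""
    existing = {"email": "old@example.com", "name": "",
                "postalCode": "99999", "externalId": None}
    claims = {"email": "new@example.com", "name": "Alice Example",
              "user_id": "amzn1.account.PLACEHOLDER", "postal_code": "12345"}
    return apply_mapping(existing, claims)


if __name__ == "__main__":
    print(demo())
```

With this mapping, email and externalId are overwritten on every sign-on, name is filled because it was empty, and the existing postal code is kept because its condition is Empty only.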

Adding the callback URL to the Amazon Developer Console

Copy the callback URL and paste it in the Amazon Developer Console.

Steps

  1. In PingOne, go to Integrations → External IdPs.

  2. Locate the appropriate IdP and then click the Details icon to expand the IdP.

  3. Click the Connection tab.

  4. Copy the callback URL and paste it in a secure location.

  5. Go to the Amazon Developer Console at https://login.amazon.com.

  6. Select the appropriate profile.

  7. Go to the Web Settings section.

  8. For Allowed Return URLs, paste the value that you copied from the PingOne console.

  9. Click Save.

Next steps