---
title: Adding an identity provider - Amazon
description: Add Amazon as an external identity provider in PingOne to allow users to sign on with Amazon when accessing your application.
component: pingone
page_id: pingone:integrations:p1_add_idp_amazon_overview
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_add_idp_amazon_overview.html
revdate: May 29, 2025
page_aliases: ["p1_create_security_profile_amazon.adoc", "p1_enable_login_with_amazon.adoc", "p1_get_clientid_amazon.adoc", "p1_add_idp_amazon.adoc", "p1_add_callback_url_amazon.adoc"]
section_ids:
  before-you-begin: Before you begin
  creating-a-security-profile-with-amazon: Creating a security profile with Amazon
  before-you-begin-2: Before you begin
  steps: Steps
  enabling-login-with-amazon: Enabling Login with Amazon
  steps-2: Steps
  result: Result:
  getting-the-client-id-and-client-secret: Getting the client ID and client secret
  steps-3: Steps
  adding-amazon-as-an-identity-provider-in-pingone: Adding Amazon as an identity provider in PingOne
  before-you-begin-3: Before you begin
  steps-4: Steps
  adding-the-callback-url-to-the-amazon-developer-console: Adding the callback URL to the Amazon Developer Console
  steps-5: Steps
  next-steps: Next steps
---

# Adding an identity provider - Amazon

Adding Amazon as an external identity provider (IdP) gives your users the option to sign on with Amazon when accessing your application. An IdP is a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.

## Before you begin

Ensure that you have:

* A PingOne organization with an environment added. Learn more in [Starting a PingOne trial](../getting_started_with_pingone/p1_start_a_p1_trial.html).

* Added your application to PingOne. Learn more in [Adding an application](../applications/p1_applications_add_applications.html).

* An Amazon account.

## Creating a security profile with Amazon

Before you can set up Amazon as an external IdP, you must create a security profile for your application. Learn more in [Register for Login with Amazon](https://developer.amazon.com/docs/login-with-amazon/register-web.html).

### Before you begin

Ensure that you have the following information for your application:

* Name

* Description

* Privacy notice URL

* Logo (optional)

### Steps

1. Go to the [Amazon Developer Console](https://login.amazon.com) and sign on to your account.

   If you don't have an account, you can create one now.

2. Click **Create a New Security Profile**.

3. Enter the following:

   * **Security Profile Name**: A unique identifier for the application, which will appear on the consent page when users agree to sign on with Amazon.

   * **Security Profile Description**: A brief description of the application.

   * **Privacy Notice URL**: The location of the privacy notice for your application.

   * **Consent Logo Image** (optional): The image that appears on the consent page to represent your application.

4. Click **Save**.

## Enabling Login with Amazon

If you created a new security profile, `Login with Amazon` should be enabled by default. If you are adding an application to an existing security profile, enable `Login with Amazon`.

### Steps

1. Go to the [Amazon Developer Console](https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html).

   ### Result:

   You are asked to sign on to the Developer Console.

2. Click **Select a security profile**, then choose your security profile in the menu.

3. Click **Confirm**.

4. In the form that opens, enter a **Consent Privacy Notice URL**.

   This is the location of your application's privacy policy.

5. Click **Save**.

## Getting the client ID and client secret

Copy the client ID and client secret from the Amazon Developer Console. You'll need these values when you add the application to PingOne.

### Steps

1. Go to the [Amazon Developer Console](https://login.amazon.com) and locate the appropriate security profile.

2. Click **Web Settings**.

3. Copy the **Client ID** and **Client secret** to a secure location.

   You can always access these values on the Amazon Developer Console.

## Adding Amazon as an identity provider in PingOne

Configure the IdP connection in PingOne.

### Before you begin

You should have the following information ready:

* Client ID

* Client secret

Ensure that registration is enabled in the authentication policy. Learn more in [Editing an authentication policy](../authentication/p1_edit_auth_policy.html).

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **+** icon.

2. Click **Amazon**.

3. Click **Next**.

4. On the **Add External Identity Provider** page, enter the following information:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: A population that overrides the authentication policy's registration population and enables just-in-time registration from the IdP.

     You can't change the **Icon** and **Sign-on Button**, in accordance with the provider's brand standards.

5. Click **Next**.

6. Configure the connection and enter the following information:

   * **Client ID**: The application ID that you copied earlier from the IdP. You can find this information on the [Amazon Developer Console](https://login.amazon.com).

   * **Client secret**: The application secret that you copied earlier from the IdP. You can find this information on the [Amazon Developer Console](https://login.amazon.com).

   * **Callback URL**: Copy the **Callback URL** to a secure location. You'll provide this value to the IdP later.

7. Click **Next**.

8. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   * Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in [Identity provider attributes](p1_idp_attributes.html).

   * To add an attribute, click **+ Add**.

   * To use the advanced expression builder, click the **Gear** icon. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

     * **Empty only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

       You can map the following attributes provided by Amazon:

       * `email`

       * `name`

       * `user_id`

       * `postal_code`

9. Click **Save**.

10. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    You can disable the IdP by clicking the toggle to the left (gray).
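
The update condition chosen in step 8 decides whether a value returned by Amazon replaces what is already in the PingOne directory. The following added example (not PingOne code; the function name, the PingOne-side attribute names, and the sample data are assumptions) previews what one sign-on would change under a set of mappings. It also assumes that an attribute Amazon doesn't return leaves the directory value untouched.

```python
# Illustrative model of the two update conditions described above.
# Not PingOne code; function and PingOne-side attribute names are hypothetical.

AMAZON_ATTRIBUTES = {"email", "name", "user_id", "postal_code"}  # listed on this page
UPDATE_CONDITIONS = {"Empty only", "Always"}                      # listed on this page


def preview_sign_on(user, claims, mappings):
    """Return (updated_user, report) for one sign-on without mutating `user`.

    mappings: list of (pingone_attribute, amazon_attribute, update_condition).
    """
    updated, report = dict(user), []
    for target, source, condition in mappings:
        if source not in AMAZON_ATTRIBUTES:
            raise ValueError(f"{source!r} is not an attribute Amazon provides")
        if condition not in UPDATE_CONDITIONS:
            raise ValueError(f"unknown update condition {condition!r}")
        if source not in claims:
            # Assumption of this model: an absent claim never blanks a value.
            report.append((target, "skipped: claim absent"))
            continue
        current, incoming = updated.get(target), claims[source]
        if current in (None, ""):
            updated[target] = incoming          # both conditions fill an empty value
            report.append((target, "filled"))
        elif condition == "Always" and current != incoming:
            updated[target] = incoming          # only "Always" replaces existing data
            report.append((target, f"overwritten (was {current!r})"))
        else:
            report.append((target, "kept"))
    return updated, report


# Constructed sample data; target attribute names are placeholders.
SAMPLE_USER = {"email": "pat@corp.example", "name": "", "externalId": None}
SAMPLE_CLAIMS = {"email": "pat@mail.example", "name": "Pat Lee",
                 "user_id": "amzn1.account.EXAMPLE"}
SAMPLE_MAPPINGS = [
    ("email", "email", "Always"),
    ("name", "name", "Empty only"),
    ("externalId", "user_id", "Empty only"),
    ("address.postalCode", "postal_code", "Always"),
]

if __name__ == "__main__":
    new_user, changes = preview_sign_on(SAMPLE_USER, SAMPLE_CLAIMS, SAMPLE_MAPPINGS)
    for attribute, outcome in changes:
        print(f"{attribute}: {outcome}")
```

In the sample, the `email` mapping set to **Always** replaces the directory's existing address with the one Amazon returned, which is the case to review before enabling the IdP.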

## Adding the callback URL to the Amazon Developer Console

Copy the callback URL from the PingOne admin console and paste it in the Amazon Developer Console.

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and browse or search for the appropriate IdP.

2. Click the IdP to open the details panel.

3. On the **Connection** tab, copy the **Callback URL** to a secure location.

4. Go to the [Amazon Developer Console](https://login.amazon.com).

5. Select the appropriate profile.

6. Go to the **Web Settings** section.

7. For **Allowed Return URLs**, paste the value that you copied from the PingOne admin console.

8. Click **Save**.

### Next steps

* [Add the IdP to your authentication policy](../authentication/p1_edit_auth_policy.html).

* [Apply the authentication policy to your application](../applications/p1_apply_auth_policy_to_applications.html).
