PingOne for Enterprise

Adding Amazon Web Services to Your PingOne for Enterprise Dock

Add the Amazon Web Services (AWS) application to your PingOne for Enterprise dock from the application catalog.

Steps

  1. In the PingOne for Enterprise admin console, go to Applications → Application Catalog.

  2. Optional: In the Search field, search for the application.

  3. Click the Amazon Web Services application line to expand it and then click Setup.

  4. Sign on to your AWS administration account and go to the Management Console.

  5. Click your user name, click My Security Credentials, and click to expand Access Keys.

  6. Copy the Access Key ID and the Access Key Secret values (AWS calls the second value the secret access key).

    For more information about your access key ID and access key secret, see the related AWS documentation.

    These are long-lived credentials. Create them on a dedicated IAM user that has only the permissions PingOne provisioning needs, rather than on the account's root user, and paste them only into the PingOne configuration.

Next steps

In PingOne for Enterprise, click Continue to Next Step.

Amazon Web Services Connection Configuration

About this task

The ACS URL and Entity ID fields are populated with the correct values for Amazon Web Services (AWS).

All other fields are optional.

Steps

  1. In the Target Resource field, enter a URL to redirect the user to after IdP-initiated single sign-on (SSO).

  2. In the Single Logout Endpoint field, enter a URL for PingOne to send single logout (SLO) requests to.

  3. In the Single Logout Response Endpoint field, enter a URL for PingOne to send SLO responses to.

  4. To add a Primary Verification Certificate, click Browse to locate and upload a local certificate file used to verify SLO requests and responses coming from Amazon Web Services.

  5. To add a Secondary Verification Certificate, click Browse to locate and upload a local certificate used to verify SLO requests and responses in case the primary certificate fails.

  6. Select the Force Re-authentication check box to require your identity bridge to re-authenticate users with an active SSO session.

  7. Select the Encrypt Assertion check box to encrypt outgoing SAML assertions.

  8. On the Signing line:

    Choose from:

    • Click Sign Assertion to have PingOne sign the outgoing SAML assertion. This is the default option.

    • Click Sign Response to have PingOne sign the outgoing SAML response, the envelope that carries the assertion.

  9. From the Signing Algorithm list, select the algorithm used to sign SAML assertions. Prefer a SHA-256 based algorithm (such as RSA-SHA256); SHA-1 signatures are deprecated.

  10. Select the Use Custom URL check box to enter a custom URL to launch AWS from the dock.

  11. Select the Set Up Provisioning check box to configure user provisioning to AWS.

Next steps

Click Continue to Next Step.

Amazon Web Services Provisioning

About this task

If you don’t need to set up user provisioning, proceed to Amazon Web Services Attribute Mapping.

If you selected Set Up Provisioning on the Connection configuration tab:

Steps

  1. In the AWS Management Console, go to My Security Credentials.

  2. Expand the Access keys tab and click Create New Access Key.

  3. When prompted, click Show Access Key.

  4. Copy the Access Key ID and Access Key Secret.

  5. In PingOne, click Continue to Next Step to open the Application Configuration tab.

  6. On the Application Configuration tab, enter the credentials you copied in step 4 in the accessKey and accessKeySecret fields.

Next steps

Click Continue to Next Step.

Amazon Web Services Attribute Mapping

About this task

PingOne automatically populates the required SAML attributes.

For Amazon Web Services, the required attributes are SAML_SUBJECT and https://aws.amazon.com/SAML/Attributes/Role. Configure them as follows:

Steps

  1. For SAML_SUBJECT:

    1. In the Identity Bridge Attribute or Literal Value field, enter or select Username.

    2. Click Advanced.

    3. In the Name ID Format to send to SP field, enter or select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    4. Click Save

  2. For https://aws.amazon.com/SAML/Attributes/Role

    1. In the Identity Bridge Attribute or Literal Value field, select the attribute that matches Role.

    2. Click Advanced.

    3. In the NameFormat field, select urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

    4. Click Save

    The expected format for this attribute is:

    arn:aws:iam::<account-number>:role/<role-name>,arn:aws:iam::<account-number>:saml-provider/<provider-name>

    Both ARNs must reference the same AWS account, and <provider-name> must match the name of the SAML provider you create in the AWS console (see Amazon Web Services SAML connection).

  3. To add an additional optional attribute, click Add new attribute.

  4. In the Application Attribute field, enter the attribute name as it appears in the application.

  5. In the Identity Bridge Attribute or Literal Value field, choose one of the following:

    Choose from:

    • Enter or select a directory attribute to map to the application attribute.

    • Select As Literal, then enter a literal value to assign to the application attribute.

  6. To create advanced attribute mappings, click Advanced.

For more information, see Create advanced attribute mappings.
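The Role attribute value described in step 2 is easy to get subtly wrong (swapped halves, a role and provider from different accounts, a group mapping attached twice). The following validator is an added example, not part of the PingOne documentation or product; it checks the "role ARN,provider ARN" pair format shown above, accepts the pair in either order, and handles the multi-valued case where one attribute value is emitted per role the user may choose. The account number, role names and provider name in the sample are constructed.

```python
"""Validate values of the https://aws.amazon.com/SAML/Attributes/Role attribute.

Added example (not Ping Identity's or AWS's code). Sample values are constructed.
"""
import re
from typing import List, Tuple

# Role ARN: 12-digit account, optional path, role name. The comma is deliberately
# excluded from the name characters so the "role,provider" split is unambiguous.
_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/((?:[\w+=.@-]+/)*[\w+=.@-]+)$")
# SAML provider ARN: 12-digit account and provider name.
_PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


def parse_role_value(value: str) -> Tuple[str, str]:
    """Return (role_arn, provider_arn) for one Role attribute value.

    Accepts the two ARNs in either order, tolerates surrounding whitespace, and
    raises ValueError if either half is malformed or the ARNs name different accounts.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected exactly one comma in Role value: {value!r}")
    role = next((p for p in parts if _ROLE_ARN.match(p)), None)
    provider = next((p for p in parts if _PROVIDER_ARN.match(p)), None)
    if role is None or provider is None:
        raise ValueError(f"not a role ARN paired with a saml-provider ARN: {value!r}")
    if _ROLE_ARN.match(role).group(1) != _PROVIDER_ARN.match(provider).group(1):
        raise ValueError(f"role and saml-provider belong to different accounts: {value!r}")
    return role, provider


def validate_role_attribute(values: List[str]) -> List[dict]:
    """Validate every value of a (possibly multi-valued) Role attribute.

    Returns one record per role the user may assume. Duplicate pairs are rejected
    because they usually mean the same mapping was attached to two groups.
    """
    seen = set()
    records = []
    for v in values:
        role, provider = parse_role_value(v)
        if (role, provider) in seen:
            raise ValueError(f"duplicate Role value: {v!r}")
        seen.add((role, provider))
        records.append({
            "account": _ROLE_ARN.match(role).group(1),
            "role_name": _ROLE_ARN.match(role).group(2),  # includes any path prefix
            "provider_name": _PROVIDER_ARN.match(provider).group(2),
        })
    return records


if __name__ == "__main__":
    # Constructed sample: one user mapped to two roles in the same account,
    # with the second value written provider-first.
    sample = [
        "arn:aws:iam::123456789012:role/PingOne-ReadOnly,arn:aws:iam::123456789012:saml-provider/PingOne",
        "arn:aws:iam::123456789012:saml-provider/PingOne,arn:aws:iam::123456789012:role/PingOne-Admin",
    ]
    for rec in validate_role_attribute(sample):
        print(rec)
```

Run it against the values your identity bridge actually emits (for example, from a captured SAML assertion) before assigning the application to a group; a single malformed value makes AWS reject the sign-in for that user.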

Next steps

Click Continue to Next Step.

Amazon Web Services Customization

Steps

  • To change the application icon, click Select image and upload a local image file.

    The image file must be:

    • PNG, GIF, or JPG format

    • 312 x 52 pixels maximum

    • 2 MB maximum file size

      Images are scaled to 64 x 64 pixels for display.

  • To change the name of the application displayed on the dock, in the Name field, enter a new name.

  • To change the description of the application, in the Description field, enter the new description text.

  • To change the category to which the application is assigned on the dock, in the Category list, select a category.

    For information about creating custom application categories, see Creating a custom application category.

Next steps

Click Continue to Next Step.

Amazon Web Services Group Access

About this task

The Group Access tab shows every user group that you have created.

For more information about creating user groups, see Add user groups.

Steps

  • To add a group’s access to the application, on the line for that group, click Add.

  • To remove a group’s access, on the line for that group, click Remove.

  • When you’re finished assigning groups, click Continue to Next Step.

Next steps

Click Continue to Next Step.

Amazon Web Services SAML connection

About this task

After completing the Amazon Web Services configuration in the PingOne admin portal, you must authorize PingOne for Enterprise as a SAML provider in the AWS console.

Steps

  1. In the PingOne admin console, on the Review Setup tab, click Download to download the SAML Metadata file.

  2. Click Finish to add Amazon Web Services to your PingOne Dock.

  3. In the AWS console, create a SAML provider.

    For information about creating a SAML provider in AWS, see Creating IAM SAML identity providers in the AWS documentation.

  4. In the AWS console, create a SAML role.

    For more information about creating a SAML role in AWS, see Creating a role for a third-party Identity Provider in the AWS documentation.
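The role created in step 4 only works once its trust policy names the SAML provider from step 3 as a federated principal for sts:AssumeRoleWithSAML and pins the SAML:aud condition to the AWS sign-in endpoint; a trust policy that trusts a different provider or omits the audience check is a common cause of both failed sign-ins and over-broad trust. The following is an added example, not Ping Identity's or AWS's code: it builds that trust policy for an assumed account number and provider name (both constructed), checks an existing policy document for those two properties, and emits the matching Role attribute value for the attribute-mapping step.

```python
"""Build and check the trust policy for an IAM role assumed via PingOne SAML.

Added example (not Ping Identity's or AWS's code). Account number and names
used in the sample are constructed.
"""
import json
from typing import List

# Audience AWS places in the SAML:aud condition key for console federation.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def provider_arn(account: str, provider_name: str) -> str:
    return f"arn:aws:iam::{account}:saml-provider/{provider_name}"


def role_attribute_value(account: str, role_name: str, provider_name: str) -> str:
    """The value to send in https://aws.amazon.com/SAML/Attributes/Role for this role."""
    return f"arn:aws:iam::{account}:role/{role_name},{provider_arn(account, provider_name)}"


def saml_trust_policy(account: str, provider_name: str) -> dict:
    """Trust policy allowing only the named SAML provider to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def check_saml_trust_policy(policy: dict, account: str, provider_name: str) -> List[str]:
    """Return findings for every Allow statement granting AssumeRoleWithSAML.

    An empty list means each such statement trusts exactly the expected provider
    and carries the SAML:aud condition.
    """
    findings = []
    expected = provider_arn(account, provider_name)
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not {"sts:AssumeRoleWithSAML", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        fed = principal.get("Federated") if isinstance(principal, dict) else None
        feds = [fed] if isinstance(fed, str) else (fed or [])
        if not feds or any(f != expected for f in feds):
            findings.append(f"statement {i}: federated principal is {feds or principal!r}, expected {expected}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or not {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    account, provider, role = "123456789012", "PingOne", "PingOne-Admin"  # constructed
    policy = saml_trust_policy(account, provider)
    print(json.dumps(policy, indent=2))
    print("Role attribute value:", role_attribute_value(account, role, provider))
    print("Findings:", check_saml_trust_policy(policy, account, provider))
```

Save the generated document to a file and pass it as the role's assume-role policy when creating the role (for example with `aws iam create-role --assume-role-policy-document file://trust.json`); run the check against the trust policy of any existing role you intend to expose through PingOne.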

Next steps

To configure AWS for multiple roles and accounts, see Configure Amazon Web Services SSO for multiple roles and accounts in the Ping Identity Knowledge Base.