---
title: Adding Amazon Web Services to Your PingOne for Enterprise Dock
description: Add the Amazon Web Services (AWS) application to your PingOne for Enterprise dock from the application catalog.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise_app_catalog:p14eapps_aws
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise_app_catalog/p14eapps_aws.html
revdate: October 4, 2023
section_ids:
  steps: Steps
  next-steps: Next steps
  amazon-web-services-connection-configuration: Amazon Web Services Connection Configuration
  about-this-task: About this task
  steps-2: Steps
  choose-from: Choose from:
  next-steps-2: Next steps
  amazon-web-services-provisioning: Amazon Web Services Provisioning
  about-this-task-2: About this task
  steps-3: Steps
  next-steps-3: Next steps
  amazon-web-services-attribute-mapping: Amazon Web Services Attribute Mapping
  about-this-task-3: About this task
  steps-4: Steps
  choose-from-2: Choose from:
  next-steps-4: Next steps
  amazon-web-services-customization: Amazon Web Services Customization
  steps-5: Steps
  next-steps-5: Next steps
  amazon-web-services-group-access: Amazon Web Services Group Access
  about-this-task-4: About this task
  steps-6: Steps
  next-steps-6: Next steps
  amazon-web-services-saml-connection: Amazon Web Services SAML connection
  about-this-task-5: About this task
  steps-7: Steps
  next-steps-7: Next steps
---

# Adding Amazon Web Services to Your PingOne for Enterprise Dock

Add the Amazon Web Services (AWS) application to your PingOne for Enterprise dock from the application catalog.

## Steps

1. In the PingOne for Enterprise admin console, go to **Applications > Application Catalog**.

2. **Optional:** In the **Search** field, search for the application.

3. Click the Amazon Web Services application line to expand it and then click **Setup**.

4. Sign on to your AWS administration account and go to the **Management Console**.

5. Click your user name, click **My Security Credentials**, and click to expand **Access Keys**.

6. Copy the **Access Key ID** and the **Access Key Secret** values.

   For more information about your access key ID and access key secret, see the related [AWS documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html).

## Next steps

In PingOne for Enterprise, click **Continue to Next Step**.

## Amazon Web Services Connection Configuration

### About this task

The **ACS URL** and **Entity ID** fields are populated with the correct values for Amazon Web Services (AWS).

All other fields are optional.

### Steps

1. In the **Target Resource** field, enter a URL to redirect the user to after IdP-initiated single sign-on (SSO).

2. In the **Single Logout Endpoint** field, enter a URL for PingOne to send single logout (SLO) requests to.

3. In the **Single Logout Response Endpoint** field, enter a URL for PingOne to send SLO responses to.

4. To add a **Primary Verification Certificate**, click **Browse** to locate and upload a local certificate file used to verify SLO requests and responses coming from Achiever.

5. To add a **Secondary Verification Certificate**, click **Browse** to locate and upload a local certificate used to verify SLO requests and responses in case the primary certificate fails.

6. Select the **Force Re-authentication** checkbox to require your identity bridge to re-authenticate users with an active SSO session.

7. Select the **Encrypt Assertion** checkbox to encrypt outgoing SAML assertions.

8. On the **Signing** line:

   #### Choose from:

   * Click **Sign Assertion** to have PingOne sign outgoing SAML assertions. This is the default option.

   * Click **Sign Response** to have PingOne sign responses to incoming SAML assertions.

9. From the **Signing Algorithm** list, select an algorithm with which to sign SAML assertions.

10. Select the **Use Custom URL** checkbox to enter a custom URL to launch AWS from the dock.

11. Select the **Set Up Provisioning** checkbox to configure user provisioning to AWS.

### Next steps

Click **Continue to Next Step**.

## Amazon Web Services Provisioning

### About this task

If you don't need to set up user provisioning, proceed to [Amazon Web Services Attribute Mapping](p14eapps_aws_attributes.html).

If you selected **Set Up Provisioning** on the **Connection configuration** tab:

### Steps

1. In the AWS Management Console, go to **My Security Credentials**.

2. Expand the **Access keys** tab and click **Create New Access Key**.

3. When prompted, click **Show Access Key**.

4. Copy the **Access Key ID** and **Access Key Secret**.

5. In PingOne, click **Continue to Next Step** to open the **Application Configuration** tab.

6. On the **Application Configuration** tab, enter the credentials you copied in step 4 in the **accessKey** and **accessKeySecret** fields.

### Next steps

Click **Continue to Next Step**.

## Amazon Web Services Attribute Mapping

### About this task

PingOne will automatically populate required SAML attributes.

For Amazon Web Services, the required attributes are:

* `SAML_SUBJECT`

* `https://aws.amazon.com/SAML/Attributes/Role`

* If you selected **Set Up Provisioning**, `UserName(provisioning)`

### Steps

1. For `SAML_SUBJECT`:

   1. In the **Identity Bridge Attribute or Literal Value** field, enter or select **Username**.

   2. Click **Advanced**.

   3. In the **Name ID Format to send to SP** field, enter or select **urn:oasis:names:tc:SAML:2.0:nameid-format:persistent**.

   4. Click **Save**.

2. For `https://aws.amazon.com/SAML/Attributes/Role`:

   1. In the **Identity Bridge Attribute or Literal Value** field, select the attribute that matches `Role`.

   2. Click **Advanced**.

   3. In the **NameFormat** field, select **urn:oasis:names:tc:SAML:2.0:attrname-format:uri**.

   4. Click **Save**.

   The expected format for this attribute is:

   ```
   arn:aws:iam::<account-number>:role/<role-name>,arn:aws:iam::<account-number>:saml-provider/<provider-name>
   ```

3. To add an additional optional attribute, click **Add new attribute**.

4. In the **Application Attribute** field, enter the attribute name as it appears in the application.

5. In the **Identity Bridge Attribute or Literal Value** field, choose one of the following:

   #### Choose from:

   * Enter or select a directory attribute to map to the application attribute.

   * Select **As Literal**, then enter a literal value to assign to the application attribute.

6. To create advanced attribute mappings, click **Advanced**.

Learn more in [Creating advanced attribute mappings](../pingone_for_enterprise/p14e_creating_advaced_attribute_mappings.html).
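The `https://aws.amazon.com/SAML/Attributes/Role` value is a frequent source of sign-on failures, so it is worth checking before you save the mapping. The following Python check is an added example, not part of the Ping Identity or AWS tooling; it tests a candidate value against the format shown in step 2. The function name, the sample account number, and the role and provider names are made up for illustration, and the same-account check is an assumption drawn from the shared `<account-number>` placeholder.

```python
import re

# One IAM ARN of the two kinds the page's format uses (partition "aws" only, as on the page).
ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([A-Za-z0-9_+=,.@/-]+)$")

def check_role_value(value):
    """Return a list of problems; an empty list means the value matches the format."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
        value = value.strip()
    if "<" in value or ">" in value:
        return problems + ["unreplaced <placeholder> from the template"]
    if re.search(r",\s+arn:", value):
        problems.append("whitespace after the comma separating the two ARNs")
    # IAM names may contain commas, so split only on a comma that starts an ARN.
    parts = re.split(r",\s*(?=arn:)", value)
    if len(parts) != 2:
        return problems + [f"expected 2 ARNs, found {len(parts)}"]
    parsed = [ARN.match(p) for p in parts]
    problems += [f"not an IAM role or saml-provider ARN: {p}"
                 for p, m in zip(parts, parsed) if m is None]
    if None in parsed:
        return problems
    (acct_a, kind_a, _), (acct_b, kind_b, _) = (m.groups() for m in parsed)
    if (kind_a, kind_b) != ("role", "saml-provider"):
        problems.append("order differs from the page: role ARN first, then saml-provider ARN")
    # Assumption: both ARNs belong to one account, as the shared placeholder suggests.
    if acct_a != acct_b:
        problems.append("role and saml-provider are in different accounts")
    return problems

# Constructed sample values; the account number and names are made up.
ROLE = "arn:aws:iam::123456789012:role/PingSSOAdmin"
PROVIDER = "arn:aws:iam::123456789012:saml-provider/PingOne"
SAMPLES = [
    ROLE + "," + PROVIDER,
    ROLE + ", " + PROVIDER,
    PROVIDER + "," + ROLE,
    ROLE,
    "arn:aws:iam::<account-number>:role/<role-name>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_role_value(sample) or "ok", "<-", sample)
```
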

### Next steps

Click **Continue to Next Step**.

## Amazon Web Services Customization

### Steps

* To change the application icon, click **Select image** and upload a local image file.

  The image file must be:

  * PNG, GIF, or JPG format

  * 312 x 52 pixels maximum

  * 2 MB maximum file size

    Images are scaled to 64 x 64 pixels for display.

* To change the name of the application displayed on the dock, in the **Name** field, enter a new name.

* To change the description of the application, in the **Description** field, enter the new description text.

* To change the category to which the application is assigned on the dock, in the **Category** list, select a category.

  Learn more in [Creating a custom application category](../pingone_for_enterprise/p14e_creating_custom_application_category.html).

### Next steps

Click **Continue to Next Step**.

## Amazon Web Services Group Access

### About this task

The **Group Access** tab shows every user group that you have created.

Learn more in [Adding user groups](../pingone_for_enterprise/p14e_add_groups.html).

### Steps

* To add a group's access to the application, on the line for that group, click **Add**.

* To remove a group's access, on the line for that group, click **Remove**.

* When you're finished assigning groups, click **Continue to Next Step**.

### Next steps

Click **Continue to Next Step**.

## Amazon Web Services SAML connection

### About this task

After completing the Amazon Web Services configuration in the PingOne for Enterprise admin portal, you must authorize PingOne for Enterprise as a SAML provider in the AWS console.

### Steps

1. In the PingOne for Enterprise admin console, on the **Review Setup** tab, click **Download** to download the **SAML Metadata** file.

2. Click **Finish** to add Amazon Web Services to your PingOne for Enterprise Dock.

3. In the AWS console, create a SAML provider.

   For information about creating a SAML provider in AWS, see [Create a SAML identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) in the AWS documentation.

4. In the AWS console, create a SAML role.

   For more information about creating a SAML role in AWS, see [Create a role for a third-party identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the AWS documentation.

### Next steps

To configure AWS for multiple roles and accounts, see [Configure Amazon Web Services SSO for multiple roles and accounts](https://support.pingidentity.com/s/article/Configure-Amazon-Web-Services-SSO-for-multiple-roles-and-accounts) in the Ping Identity Knowledge Base.
