Page created: 2 Apr 2021 | Page updated: 10 Feb 2022
Enable AWS sign on from the PingOne console (IdP-initiated sign on).
- Link PingOne to an identity repository containing the users that require application access.
- Populate AWS with at least one user to test application access.
- You must have administrative access to PingOne and AWS.

- Set up the supplied AWS Application in PingOne and extract the metadata:
  - Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
  - In the Application Catalog, search for Amazon Web Services.
  - Click the right arrow to expand the Amazon Web Services entry and then click Setup.
  - Click Continue to Next Step twice.
  - Map SAML_SUBJECT to the attribute containing the username value.
  - Click Advanced.
  - Set Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  - Click Save.
  - Map the AWS Role attribute to a fixed value or to your attribute holding the user's AWS role name.
  - Click Advanced.
  - Set NameFormat to urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
  - Click Save.
  - Click Continue to Next Step twice.
  - Click Add for each user group that you want to have access to AWS.
  - Download the metadata.
  - Click Finish.
- Add the PingOne IdP connection to AWS:
  - Sign on to your AWS console as an administrator.
  - Select the IAM service.
  - Go to Access Management > Identity Providers and click Add Provider.
  - Set the following:
    - Provider Type: SAML
    - Provider Name: PingOne
    - Metadata Document: Select the PingOne metadata download file
  - Continue through to the final screen and click Create.
  - Copy the ARN value of the provider.
  - Select Roles from the side menu, and then select the role that you want PingOne SSO to have access to.
  - Click the Trust Relationship tab.
  - Click Edit Trust Relationship.
  - Add the provider ARN value that you copied previously to the policy for the role.
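The trust relationship edited in the last step decides which identity provider may assume the role, so it is worth generating it deliberately and re-checking it later. As an added example that is not part of the PingOne documentation, the following Python builds that trust policy for a provider ARN and audits an existing one; the account ID and the `PingOne` provider name are placeholders, and the `sts:AssumeRoleWithSAML` action with the `SAML:aud` audience condition is the standard AWS pattern for SAML-federated roles.

```python
import json

# Placeholder values: substitute your own account ID and the provider name you chose.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/PingOne"
# Fixed audience AWS expects in assertions used for console sign-on.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy that lets only the named SAML provider assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def check_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Return findings for an existing trust policy; an empty list means every
    SAML-assume statement trusts only expected_provider_arn and pins the audience."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        federated = [federated] if isinstance(federated, str) else (federated or [])
        for p in federated:  # a wildcard or a foreign provider ARN is a finding
            if p != expected_provider_arn:
                findings.append(f"statement {i}: trusts unexpected principal {p}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or not {SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    # Print the policy to paste into the Edit Trust Relationship editor.
    print(json.dumps(build_trust_policy(PROVIDER_ARN), indent=2))
```

Run `check_trust_policy` against the JSON shown in the Trust Relationship tab whenever the role is changed; any finding means the role can be assumed by something other than your PingOne provider.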
- Test PingOne IdP-initiated SSO:
  - Go to your Ping desktop as a user with AWS access.
    Note: You can find the Ping desktop URL in the Admin console at Setup > Dock > PingOne Dock URL.
  - Authenticate with PingOne. You're redirected to your AWS domain.