Page created: 2 Apr 2021 | Page updated: 10 Feb 2022 | 2 min read
Enable AWS sign on from the PingOne console (IdP-initiated sign on).
- Link PingOne to an identity repository containing the users that require application access.
- Populate AWS with at least one user to test application access.
- You must have administrative access to PingOne and AWS.
Set up the supplied AWS Application in PingOne and extract the metadata:
- Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
- In the Application Catalog, search for Amazon Web Services.
- Click the right arrow to expand the Amazon Web Services entry and then click Setup.
- Click Continue to Next Step twice.
- Map SAML_SUBJECT to the attribute containing the username value.
- Click Advanced.
- Set Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
- Click Save.
- Map the AWS Role attribute to a fixed value or your attribute holding the user's AWS role name.
- Click Advanced.
- Set NameFormat to urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
- Click Save.
- Click Continue to Next Step twice.
- Click Add for each user group that you want to have access to AWS.
- Download the metadata.
- Click Finish.
Add the PingOne IdP connection to AWS:
- Sign on to your AWS console as an administrator.
- Select the IAM service.
- Go to Access Management > Identity Providers and click Add Provider.
- Set the following:
  - Provider Type: SAML
  - Provider Name: PingOne
  - Metadata Document: Select the PingOne metadata file that you downloaded.
- Continue through to the final screen and click Create.
- Copy the ARN value of the provider.
- Select Roles from the side menu, and then select the role that you want PingOne SSO to have access to.
- Click the Trust Relationship tab.
- Click Edit Trust Relationship.
- Add the provider ARN value that you copied previously to the trust policy for the role.
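As an added example that is not part of the original page, the following shows the two pieces of configuration the steps above leave to the administrator: the comma-separated value the AWS Role attribute mapping in PingOne must produce (role ARN, then provider ARN) and a trust policy for the Edit Trust Relationship step that admits only the PingOne provider, plus a check a reviewer can run over an existing trust policy. The account ID, role name and provider name are constructed placeholders.

```python
# Constructed placeholders for this example: substitute your own account ID,
# role name and provider name. Do not reuse these values as-is.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/PingOne"  # ARN copied from the provider above
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PingOneOperators"      # the role being federated
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """Value PingOne must send in the https://aws.amazon.com/SAML/Attributes/Role
    attribute: the role ARN and the provider ARN, comma separated, no spaces."""
    return f"{role_arn},{provider_arn}"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy for the role: only the named SAML provider may call
    sts:AssumeRoleWithSAML, and only with an assertion addressed to AWS sign-in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def trusts_only_provider(policy: dict, provider_arn: str) -> bool:
    """Review check for an existing trust policy: every Allow statement that grants
    AssumeRoleWithSAML must name exactly this provider as the federated principal
    and pin SAML:aud. A wildcard principal, a list of providers, or a missing
    audience condition fails the check."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != provider_arn:
            return False
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            return False
    return True
```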
Test PingOne IdP-initiated SSO:
- Go to your Ping desktop as a user with AWS access.
  Note: You can find the Ping desktop URL in the Admin console at Setup > Dock > PingOne Dock URL.
- Authenticate with PingOne.
- You're redirected to your AWS domain.