Configuring SAML SSO with AWS IAM and PingOne

Page created: 2 Apr 2021 |

Page updated: 10 Feb 2022

| 2 min read

Configuration User task Single Sign-on (SSO) Capability

Enable AWS sign on from the PingOne console (IdP-initiated sign on).

Link PingOne to an identity repository containing the users that require application access.
Populate AWS with at least one user to test application access.
You must have administrative access to PingOne and AWS.

Set up the supplied AWS Application in PingOne and extract the metadata:
1. Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
2. In the Application Catalog, search for Amazon Web Services.
3. Click the right arrow to expand the Amazon Web Services entry and then click Setup.
4. Click Continue to Next Step twice.
5. Map SAML_SUBJECT to the attribute containing the username value.
6. Click Advanced.
7. Set Name ID Format to sent to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
8. Click Save.
9. Map the AWS Role attribute to a fixed value or your attribute holding the user's AWS role name.
10. Click Advanced.
11. Set NameFormat to urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
12. Click Save.
13. Click Continue to Next Step twice.
14. Click Add for each user group that you want to have access to AWS.
15. Download the metadata.
16. Click Finish.
Add the PingOne IdP connection to AWS:
1. Sign on to your AWS console as an administrator.
2. Select the IAM service.
3. Go to Access Management > Identity Providers and click Add Provider.
4. Set the following:
  - Provider Type: SAML
  - Provider Name: PingOne
  - Metadata Document: Select the PingOne metadata download file
5. Continue through to the final screen and click Create.
6. Copy the ARN value of the provider.
7. Select Roles from the side menu, and then select the role that you want PingOne SSO to have access to.
8. Click the Trust Relationship tab.
9. Click Edit Trust Relationship.
10. Add the provider ARN value that you copied previously to the policy for the role.
Test PingOne IdP-initiated SSO:
1. Go to your Ping desktop as a user with AWS access.
  
  Note:
  You can find the Ping desktop URL in the Admin console at Setup > Dock > PingOne Dock URL
2. Authenticate with PingOne.
  
  You're redirected to your AWS domain.