Page created: 24 Jul 2019
Page updated: 8 Feb 2022
To allow PingFederate to manage users in Amazon Web Services (AWS), create a service provider (SP) connection.
Note: You can follow these steps to create a new SP connection, or you can modify an existing connection.
- In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.
- When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to AWS. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.
- Enable provisioning.
- On the System > Protocol Settings > Roles & Protocols screen, select Enable Identity Provider IdP Role and Support the Following.
- Select Outbound Provisioning. Click Save.
- Download the latest SAML metadata file from Amazon. Save it as aws-saml-metadata.xml.
- Create an SP connection with the Amazon Web Services quick connection template.
- On the Identity Provider screen, in the SP Connections area, click Create new.
- On the Connection Template screen, select Use a template for this connection.
- In the Connection Template list, select Amazon Web Services Connector.
- Click Choose File, select the aws-saml-metadata.xml that you downloaded, and then click Open. Click Next.
- On the Connection Type screen, clear Browser SSO Profiles and select Outbound Provisioning. Click Next.
- On the General Info screen, the basic connection information is populated by the metadata XML file. Click Next.
- On the Outbound Provisioning screen, configure the provisioning target and channel. See Configuring outbound provisioning in the PingFederate Administrator's Manual.
- Click Configure Provisioning.
- On the Target screen, complete the Access Key ID and Access Key Secret fields with the values that you noted in Create security credentials in Amazon Web Services.
Note: PingFederate verifies the credentials when you activate the channel and SP connection.
- Under Provisioning Options, customize the provisioning connector actions. Click Next. See Provisioning options.
- On the Manage Channels screen, create a channel. Click Done. See Managing channels in the PingFederate documentation.
Tip: If you want to force a one-time password change for new users:
- On the Manage Channels > Attribute Mapping screen, on the PasswordResetRequired line, click Edit.
- On the PasswordResetRequired mapping screen, under Options, click Create only. Click Save.
- On the Outbound Provisioning screen, click Next.
- On the Activation and Summary screen, above the Summary section, turn on the connection. Click Save.
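The procedure imports aws-saml-metadata.xml into the connection without saying what to look at in the file first. The following Python script is an added example, not PingFederate or AWS code: it parses a constructed, abbreviated metadata sample in the shape AWS publishes, checks that the file is service-provider metadata carrying the urn:amazon:webservices entityID, that its AssertionConsumerService endpoint is HTTPS, and that it asks for signed assertions, and computes the SHA-256 fingerprint of the embedded signing certificate so it can be compared with what the connection shows after import. The certificate body is a labelled placeholder, and the entityID and endpoint values are assumptions taken from AWS's published metadata; confirm them against the file you actually download.

```python
"""Sanity-check SAML SP metadata before importing it into an SP connection.

Added example, not PingFederate or AWS code. SAMPLE_METADATA is a constructed,
abbreviated file in the shape AWS publishes; the certificate is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Assumed: the entityID AWS uses in its published SP metadata.
EXPECTED_AWS_ENTITY_ID = "urn:amazon:webservices"

# Constructed placeholder standing in for the DER certificate bytes a real file carries.
PLACEHOLDER_CERT_DER = b"constructed placeholder certificate, not a real AWS certificate"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="urn:amazon:webservices">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id=EXPECTED_AWS_ENTITY_ID):
    """Parse SP metadata and return the values an administrator should compare
    before importing it, plus a list of problems found (empty when all checks pass)."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")

    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append("root element is not an md:EntityDescriptor")
    if entity_id != expected_entity_id:
        problems.append(f"unexpected entityID {entity_id!r}, expected {expected_entity_id!r}")

    sp = root.find("md:SPSSODescriptor", NS)
    result = {"entity_id": entity_id, "acs_locations": [], "signing_cert_sha256": [], "problems": problems}
    if sp is None:
        problems.append("no SPSSODescriptor: this is not service-provider metadata")
        return result

    # An SP that does not ask for signed assertions is a misconfiguration worth noticing.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("SP does not require signed assertions")

    # Every endpoint the IdP will post assertions to must be HTTPS.
    result["acs_locations"] = [acs.get("Location") for acs in sp.findall("md:AssertionConsumerService", NS)]
    if not result["acs_locations"]:
        problems.append("no AssertionConsumerService endpoint")
    for location in result["acs_locations"]:
        if not location.startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {location}")

    # Fingerprint each embedded certificate so it can be compared after import.
    for cert in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))
        result["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not result["signing_cert_sha256"]:
        problems.append("no X509 certificate in the SP metadata")

    return result


if __name__ == "__main__":
    report = check_sp_metadata(SAMPLE_METADATA)
    print("entityID:", report["entity_id"])
    print("ACS endpoints:", report["acs_locations"])
    print("certificate SHA-256:", report["signing_cert_sha256"])
    print("problems:", report["problems"] or "none")
```

To run it against a downloaded file, pass the file contents to check_sp_metadata in place of SAMPLE_METADATA; a non-empty problems list means the file should not be uploaded on the Connection Template screen until the discrepancy is understood.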