Note: You can follow these steps to create a new SP connection, or you can modify an existing connection.
  1. In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.
    • When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to AWS. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.
  2. Enable provisioning.
    1. On the System > Protocol Settings > Roles & Protocols screen, select Enable Identity Provider IdP Role and Support the Following.
    2. Select Outbound Provisioning. Click Save.
  3. Download the latest SAML metadata file from Amazon. Save it as aws-saml-metadata.xml.
  4. Create an SP connection with the Amazon Web Services quick connection template.
    1. On the Identity Provider screen, in the SP Connections area, click Create new.
    2. On the Connection Template screen, select Use a template for this connection.
    3. In the Connection Template list, select Amazon Web Services Connector.
    4. Click Choose File, select the aws-saml-metadata.xml that you downloaded, and then click Open. Click Next.
  5. On the Connection Type screen, clear Browser SSO Profiles and select Outbound Provisioning. Click Next.
  6. On the General Info screen, the basic connection information is populated by the metadata XML file. Click Next.
  7. On the Outbound Provisioning screen, configure the provisioning target and channel.

    See Configuring outbound provisioning in the PingFederate Administrator's Manual.

    1. Click Configure Provisioning.
    2. On the Target screen, complete the Access Key ID and Access Key Secret fields with the values that you noted in Create security credentials in Amazon Web Services.
      Note: PingFederate verifies the credentials when you activate the channel and SP connection.
    3. Under Provisioning Options, customize the provisioning connector actions. Click Next.

      See Provisioning options.

    4. On the Manage Channels screen, create a channel. Click Done.
      See Managing channels in the PingFederate documentation.
      Tip: If you want to force a one-time password change for new users:
      1. On the Manage Channels > Attribute Mapping screen, on the PasswordResetRequired line, click Edit.
      2. On the PasswordResetRequired mapping screen, under Options, click Create only. Click Save.
    5. On the Outbound Provisioning screen, click Next.
  8. On the Activation and Summary screen, above the Summary section, turn on the connection. Click Save.