Note: You can follow these steps to create a new SP connection, or you can modify an existing connection.
  2. Download the latest SAML metadata file from Amazon (https://signin.aws.amazon.com/static/saml-metadata.xml). Save it as aws-saml-metadata.xml. This file supplies the AWS entity ID and Assertion Consumer Service URL that the connection template reads.
  2. In the PingFederate administrator console, configure an SP connection.
    1. On the Identity Provider screen, in the SP Connections area, click Create new.
    2. On the Connection Template screen, select Use a template for this connection.
    3. In the Connection Template list, select Amazon Web Services Connector.
    4. Click Choose File, select the aws-saml-metadata.xml that you downloaded, and then click Open. Click Next.
  3. On the Connection Type screen, select Browser SSO Profiles and clear Outbound Provisioning. Click Next.
  4. On the Connection Options screen, click Next.
  5. On the General Info screen, the basic connection information is populated by the metadata XML file. Click Next.
  6. On the Browser SSO screen, configure browser SSO.

    For a complete guide, see Configure IdP Browser SSO in the PingFederate documentation.

    1. On the Browser SSO > Assertion Creation > IdP Adapter Mapping > Attribute Contract Fulfillment screen, on the SAML_SUBJECT line, select a source and value that uniquely identifies the user (for example, the username or email address from the adapter).
    2. On the https://aws.amazon.com/SAML/Attributes/Role line, select Text.
    3. In the Value field, type the role ARN and provider ARN that you noted in Creating an identity provider in Amazon Web Services, and Creating a federation role in Amazon Web Services. Separate the ARNs with a comma, as follows:

      <role ARN>,<provider ARN>

      Note: A Text value is static, so every user authenticated through this connection receives the same role. To assign roles per user, select an adapter attribute or attribute source for this line instead. AWS accepts several role/provider pairs in the Role attribute and prompts the user to choose one at sign-in.

    4. On the https://aws.amazon.com/SAML/Attributes/RoleSessionName line, select a value that identifies the user, such as the username or email address. AWS uses this value as the session name in the assumed-role ARN and in CloudTrail, so choose a value that is stable and unique per user. AWS requires the value to be 2 to 64 characters drawn from letters, digits, and the characters + = , . @ -.
  7. On the Credentials screen, configure the connection credentials. AWS rejects unsigned assertions, so select a signing certificate for this connection and make sure its public certificate matches the one in the IdP metadata you uploaded to AWS when creating the identity provider.

    See Configuring credentials in the PingFederate documentation.

  8. On the Activation and Summary screen, above the Summary section, click the toggle button to enable the connection. Click Save.
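After the connection is active, it is worth confirming that the assertion PingFederate actually sends carries the two AWS attributes in the shape AWS expects before handing the setup to users. The following script is an added example and is not part of the PingFederate or AWS documentation: it decodes a SAMLResponse captured from the browser (for example with a SAML tracer extension), pulls out the Role and RoleSessionName attributes, and checks the ARN pairing, the account match, and the session-name constraints described in step 6. The sample assertion, account ID, role name, and provider name are constructed for the example. The script does not verify the XML signature; that remains AWS's job.

```python
import base64
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# IAM ARN shapes. Commas are omitted from the role-name class because the
# Role attribute uses a comma as the pair separator.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):saml-provider/[\w._-]+$")
# AWS constraint on RoleSessionName: 2-64 chars from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample assertion (not a real PingFederate capture); account ID,
# role name, and provider name are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/PingFederateAdmin,arn:aws:iam::123456789012:saml-provider/PingFederate</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# What a SAML tracer shows is the base64 form of the response; mimic that here.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def decode_saml_response(b64_text: str) -> str:
    """Turn the base64 SAMLResponse form parameter back into XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def attribute_values(root, name: str):
    """Return all AttributeValue strings for the SAML attribute called `name`."""
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for v in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
                values.append((v.text or "").strip())
    return values


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def parse_role_value(value: str):
    """Split one Role attribute value into (role_arn, provider_arn).

    AWS accepts the two ARNs in either order, so classify each half by shape
    rather than by position.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role value must be '<role ARN>,<provider ARN>', got {value!r}")
    roles = [p for p in parts if ROLE_ARN_RE.match(p)]
    providers = [p for p in parts if PROVIDER_ARN_RE.match(p)]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"Role value needs exactly one role ARN and one saml-provider ARN: {value!r}")
    return roles[0], providers[0]


def check_aws_attributes(assertion_xml: str) -> dict:
    """Validate the AWS attributes in an assertion; returns roles, session name, problems."""
    root = ET.fromstring(assertion_xml)
    problems, roles = [], []
    for value in attribute_values(root, ROLE_ATTR):
        try:
            role_arn, provider_arn = parse_role_value(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # The role and the SAML provider must live in the same AWS account.
        if account_of(role_arn) != account_of(provider_arn):
            problems.append(f"role and provider are not in the same account: {value}")
        roles.append((role_arn, provider_arn))
    if not roles:
        problems.append("no usable Role attribute value found")
    names = attribute_values(root, SESSION_ATTR)
    session_name = names[0] if names else None
    if len(names) != 1:
        problems.append("RoleSessionName must appear exactly once")
    elif not SESSION_NAME_RE.match(session_name):
        problems.append(f"RoleSessionName {session_name!r} violates AWS length/character rules")
    return {"roles": roles, "session_name": session_name, "problems": problems}


if __name__ == "__main__":
    result = check_aws_attributes(decode_saml_response(SAMPLE_RESPONSE_B64))
    print(result)
```

Paste the SAMLResponse value from the tracer into `decode_saml_response` in place of the constructed sample; an empty `problems` list means the attributes match what AWS expects. When the Role attribute is multi-valued, every pair is checked and returned, which is a quick way to confirm that a per-user attribute source is emitting the intended roles.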