• If you want to use OGNL expressions to populate the values of the AWS session tags, see Enable and disable expressions in the PingFederate documentation.
  • Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.
  • Configure your PingFederate OAuth client for AWS console authentication.
  • Define a PingFederate OpenID Connect policy. For help, see Configuring OpenID Connect policies in the PingFederate documentation.
  1. Open your OpenID Connect policy.
    • For PingFederate 10.1 or later: go to Applications > OAuth > OpenID Connect Policy Management.
    • For PingFederate 10.0 or earlier: go to OAuth Server > OpenID Connect Policy Management.
  2. Select the client that you want to edit. Click Attribute Contract.
  3. Create a new attribute and name it http://aws.amazon.com/tags. Click Add.
  4. Click Contract Fulfillment and enter the required OGNL expression for the session tag.
    Note: You must construct the OGNL expression for the specific source data structure, as shown in the following example.

    Screen capture of the Contract Fulfillment tab showing the appropriate values in the Attribute Contract, Source and value columns.
  5. Click Save, then from Policy drop-down list, select the OpenID Connect policy you just created.
The ID token generated by PingFederate will include the following AWS Tags value:
"principal_tags ": {
          "project  ":["Project1],
          "cost_center": ["1234"]
"transitive_tags": ["cost_center"]