You can create a custom SAML application to support AWS Identity and Access Management (IAM) and AWS IAM Identity Center session tags for SAML connections in PingOne.
- Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.
- Sign on to your PingOne account as an administrator.
- Configure an external identity provider, such as PingFederate, that will provide the values for the AWS attributes.
In the PingOne App Catalog, PingOne provides a ready-made AWS application template. That template uses static SAML attributes, and cannot be used for session tags. The following steps allow you to create a custom SAML application to use with AWS session tags.
- On the PingOne console, go to .
- Enter an application name, such as AWS with Session Tags.
- Enter the application description, category, and application icon and then click Continue to Next Step.
In the Application Configuration section, enter the
- In the Assertion Consumer Service (ACS)field, enter https://signin.aws.amazon.com/saml.
- In the Entry ID field, enter urn:amazon:webservices.
- Click Continue to Next Step.
In the SSO Mapping Attributes section, click
Add new attribute. Enter the session tags attributes
that you plan to use.
- If you are using AWS IAM Identity Center, include the access control tags based on the
- If you are using AWS IAM, enter the AWS Principal Tags and
TransitiveTagKeys, based on the following examples:
- If you are using AWS IAM Identity Center, include the access control tags based on the following format:
- Click Continue to Next Step twice and then click Finish to create the AWS Session Tag SAML application.