There are three main contract attributes you need to define in the SP configuration:

  • SAML_SUBJECT
  • https://aws.amazon.com/SAML/Attributes/Role
  • https://aws.amazon.com/SAML/Attributes/RoleSessionName

The AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml) includes these attributes and will simplify making the SP connection in PingFederate.

  1. Log in to the PingFederate Administration console.
  2. In the SP Connections section of the Identity Provider tab, click Create New.
  3. Select Browser SSO Profiles. Click Next.
  4. On the Connection Options tab, select the Browser SSO check box and click Next.
  5. On the Import Metadata tab, select URL, Manage Partner Metadata URLs, then Add New URL.
  6. Add the AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml), then click Next. Click Save.
  7. Select the AWS metadata URL from the Metadata URL list on the Import Metadata tab and then click Load Metadata. Click Next.
  8. On the General Info tab, name your connection in the Connection Name field. Click Next.
  9. On the Browser SSO tab, click Configure Browser SSO. Select the IDP-Initiated SSO and SP-Initiated SSO check boxes and click Next until you reach the Assertion Creation tab. Click Configure Assertion Creation.
  10. On the Attribute Contract tab, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Subject Name Format list for SAML_SUBJECT. Click Next.
    Note: There are several extra attributes included in the AWS metadata URL (such as urn:oid:1.3.6.1.4.1.5923.1.1.1.1). These attributes are not required and can be deleted on the Attribute Contract tab.

  11. On the Authentication Source Mapping tab, click Map New Adapter Instance.
  12. Select your adapter instance and click Next until you reach the Attribute Contract Fulfillment tab.
  13. On the Attribute Contract Fulfillment tab, select Text from the SAML_SUBJECT Source list and in the SAML_SUBJECT Value field, enter null.
  14. Select Text from the https://aws.amazon.com/SAML/Attributes/Role Source field and in the https://aws.amazon.com/SAML/Attributes/Role Value field, enter the value using the following example:
    arn:aws:iam::<your AWS instance number>:role/<your Role you created in AWS>,arn:aws:iam::<your AWS instance number>:saml-provider/<your SAML Provider you created in AWS>
  15. Select Adapter from the https://aws.amazon.com/SAML/Attributes/RoleSessionName Source list and select username from the Value list. Click Next and Done until you complete the IdP Adapter Mapping.
  16. Click Next. Click Done to complete the Assertion Creation configuration.
  17. On the Protocol Settings tab, click Configure Protocol Settings.
  18. On the Allowable SAML Bindings tab, clear the Artifact and SOAP check boxes and then click Next and Done until you complete the Protocol Settings configuration.
  19. Click Next then Done to complete the Browser SSO configuration.
  20. On the Credentials tab, click Configure Credentials and then select a signing certificate from the Signing Certificate list. Click Done.
  21. Click Save on the Activation and Summary tab to complete the SP connection configuration.