There are three main contract attributes you need to define in the SP configuration:
- SAML_SUBJECT
- https://aws.amazon.com/SAML/Attributes/Role
- https://aws.amazon.com/SAML/Attributes/RoleSessionName
The AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml) includes these attributes and will simplify making the SP connection in PingFederate.
- Log in to the PingFederate Administration console.
- In the SP Connections section of the Identity Provider tab, click Create New.
- Select Browser SSO Profiles. Click Next.
- On the Connection Options tab, select the Browser SSO check box and click Next.
- On the Import Metadata tab, select URL, Manage Partner Metadata URLs, then Add New URL.
- Add the AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml), then click Next. Click Save.
- Select the AWS metadata URL from the Metadata URL list on the Import Metadata tab and then click Load Metadata. Click Next.
- On the General Info tab, name your connection in the Connection Name field. Click Next.
- On the Browser SSO tab, click Configure Browser SSO. Select the IDP-Initiated SSO and SP-Initiated SSO check boxes and click Next until you reach the Assertion Creation tab. Click Configure Assertion Creation.
- On the Attribute Contract tab, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Subject Name Format list for SAML_SUBJECT. Click Next.
Note: There are several extra attributes included in the AWS metadata URL (such as urn:oid:1.3.6.1.4.1.5923.1.1.1.1). These attributes are not required and can be deleted on the Attribute Contract tab.
- On the Authentication Source Mapping tab, click Map New Adapter Instance.
- Select your adapter instance and click Next until you reach the Attribute Contract Fulfillment tab.
- On the Attribute Contract Fulfillment tab, select Text from the SAML_SUBJECT Source list and in the SAML_SUBJECT Value field, enter null.
- Select Text from the https://aws.amazon.com/SAML/Attributes/Role Source field and in the https://aws.amazon.com/SAML/Attributes/Role Value field, enter the value using the following example:
arn:aws:iam::<your AWS instance number>:role/<your Role you created in AWS>,arn:aws:iam::<your AWS instance number>:saml-provider/<your SAML Provider you created in AWS>
- Select Adapter from the https://aws.amazon.com/SAML/Attributes/RoleSessionName Source list and select username from the Value list. Click Next and Done until you complete the IdP Adapter Mapping.
- Click Next. Click Done to complete the Assertion Creation configuration.
- On the Protocol Settings tab, click Configure Protocol Settings.
- On the Allowable SAML Bindings tab, clear the Artifact and Soap check boxes and then click Next and Done until you complete the Protocol Settings configuration.
- Click Next then Done to complete the Browser SSO configuration.
- On the Credentials tab, click Configure Credentials and then select a signing certificate from the Signing Certificate list. Click Done.
- Click Save on the Activation and Summary tab to complete the SP connection configuration.
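Before activating the connection it is worth checking what the assertion actually carries, because AWS rejects a login when the Role value is not a comma-separated role ARN and saml-provider ARN from the same account, or when RoleSessionName is missing. The script below is an added example and is not part of the Ping Identity or AWS documentation. It parses a constructed assertion fragment (the account number 123456789012 and the role and provider names are placeholders) and reports anything that departs from the attribute contract described above: the unspecified NameID format for SAML_SUBJECT, the Role ARN pair, and a single RoleSessionName value. The 2 to 64 character limit and character set applied to RoleSessionName are taken from the AWS SAML assertion requirements; commas are excluded from role names in the pattern so the pair separator stays unambiguous.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the XPath lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion fragment (not captured from a real system).
# 123456789012 and the role/provider names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">null</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/PingFederate-Admins,arn:aws:iam::123456789012:saml-provider/PingFederate</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Role value shape from the procedure above: "<role ARN>,<saml-provider ARN>".
# Commas are deliberately left out of the name classes so the separator is unambiguous.
ROLE_PAIR_RE = re.compile(
    r"^arn:aws:iam::(?P<role_acct>\d{12}):role/[\w+=.@/-]+,"
    r"arn:aws:iam::(?P<idp_acct>\d{12}):saml-provider/[\w._-]+$"
)

# AWS constraint on RoleSessionName as documented for SAML assertions.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def extract_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def validate_aws_attributes(assertion_xml):
    """Return a list of problems; an empty list means the contract is satisfied."""
    problems = []
    root = ET.fromstring(assertion_xml)

    # SAML_SUBJECT: the procedure selects the unspecified NameID format.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    elif name_id.get("Format") != UNSPECIFIED_FORMAT:
        problems.append("NameID Format is not nameid-format:unspecified")

    attrs = extract_attributes(assertion_xml)

    # Role: every value must be a role ARN and a saml-provider ARN pair.
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("missing " + ROLE_ATTR)
    for value in roles:
        match = ROLE_PAIR_RE.match(value)
        if match is None:
            problems.append("malformed Role value: " + value)
        elif match.group("role_acct") != match.group("idp_acct"):
            problems.append("role and saml-provider account ids differ: " + value)

    # RoleSessionName: exactly one value, within the AWS length and charset limits.
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1:
        problems.append(SESSION_ATTR + " must carry exactly one value")
    elif not SESSION_NAME_RE.match(session[0]):
        problems.append("RoleSessionName outside AWS constraints: " + repr(session[0]))

    return problems


if __name__ == "__main__":
    for problem in validate_aws_attributes(SAMPLE_ASSERTION) or ["assertion satisfies the AWS contract"]:
        print(problem)
```

To check a real connection, paste the decoded assertion from a browser SAML trace of a test login into the place of the constructed sample; the checks are the same ones AWS applies before it will map the user to the role.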