Use Cases

Enabling SCIM provisioning with AWS IAM Identity Center and PingFederate

Learn how to enable automatic provisioning in Amazon Web Services (AWS) IAM Identity Center while integrating with PingFederate using Active Directory (AD) as an external datastore.

Before you begin

Make sure you have:

  • Administrative access to PingFederate

  • PingFederate 10.3 or later installed.

Steps

  1. Connect to your AD in PingFederate:

    1. In PingFederate, go to System → Data Stores.

    2. Click Add New Data Store.

    3. Name your connection and in the Type list, select Directory (LDAP). Click Next.

    4. On the LDAP Configuration tab, for Hostname(s), enter the IP address or hostname of the AD hosting server.

    5. For the User DN and Password fields, enter the credentials of an administrative account that can access the AD.

    After you complete the required fields, the Test Connection button becomes available.

    6. Click Test Connection. Click Save.

  2. Create a password credential validator (PCV):

    1. In PingFederate, go to System → Password Credential Validators.

    2. Click Create New Instance.

    3. Enter an Instance Name and Instance ID.

    4. In the Type list, select LDAP Username Password Credential Validator. Click Next.

    5. On the Instance Configuration tab, in the Field Value list for LDAP Datastore, select the datastore you created in step 1.

    6. Enter a Search Base, such as dc=mylab,dc=local.

    7. For Search Filter, enter mail=${username}.

      • In AWS, the userName field must be mapped to an Attribute that is formatted as an email.

      • The userName must match the value that the user uses to sign onto PingFederate.

      • When using AD, specify the UserPrincipalName as the userName.

    8. Click Next twice. On the Summary tab, click Save.

  3. Create an HTML Form IdP adapter with AD PCV:

    1. In PingFederate, go to Authentication → IdP Adapters.

    2. Click Create New Instance.

    3. Enter an Instance Name and an Instance ID.

    4. In the Type list, select HTML Form IdP Adapter. Click Next.

    5. On the IdP Adapter tab, in the Password Credential Validator Instance section, click Add a new row to 'Credential Validators'.

    6. In the list that becomes available, select the PCV you created in step 2.

    7. In the Action column, click Update. Click Next.

    8. On the Extended Contract tab, click Next.

    9. On the Adapter Attributes tab, in the username row, select Pseudonym.

    10. On the Adapter Contract Mapping tab, click Next.

    11. On the Summary tab, click Save.

  4. Set up the AWS IAM Identity Center Provisioner:

    1. In PingFederate, in the Helpful Links section, click Resource Downloads.

      Result:

      You’re redirected to the PingFederate Downloads and Add-ons page.

    2. Click Add-ons and in the SaaS Connectors section, download the AWS IAM Identity Center Provisioner 1.0.

    3. Stop PingFederate.

    4. Extract the AWS IAM Identity Center Provisioner .zip archive and copy the contents of its dist directory to <pf_install>/pingfederate/server/default/deploy.

    5. In run.properties, set pf.provisioner.mode to STANDALONE.

    6. Start PingFederate again.

  5. Export SAML metadata from PingFederate.

    You’ll import this metadata during the AWS IAM Identity Center external identity provider (IdP) configuration.

  6. Enable provisioning in AWS:

    1. In the AWS IAM Identity Center console, in the Identity Source section, select External Identity Provider.

    2. Import the PingFederate metadata you downloaded in step 5.

    3. Enter your IdP URL, Entity ID, and the certificate you downloaded from PingFederate.

      The Entity ID is the SAML Entity ID from PingFederate.

    4. Download the AWS SAML metadata. Click Save.

    5. From the left navigation pane, go to Settings.

    6. In the Identity source section, next to Provisioning, select Enable automatic provisioning.

    This immediately enables automatic provisioning in AWS IAM Identity Center and displays the necessary endpoint and access token information.

    7. In the Inbound automatic provisioning dialog box, copy each of the values for SCIM endpoint and Access token.

      You’ll paste these values later when configuring provisioning in PingFederate.

  7. Create a service provider (SP) connection in PingFederate:

    1. In PingFederate, go to SP Connections.

    2. Click Create Connection.

    3. On the Connection Template tab, select Use a Template for this Connection.

    4. In the Connection Template list, select the AWS SSO Cloud Connector.

    5. Import the metadata file you downloaded from AWS IAM Identity Center in step 6. Click Next.

    6. On the Connection Type tab, select Outbound Provisioning. Click Next.

    7. On the General Info tab, make sure the autopopulated information is correct. Click Next.

    8. On the Outbound Provisioning tab, click Configure Provisioning.

    9. Enter the System for Cross-domain Identity Management (SCIM) endpoint and access token values you copied from AWS IAM Identity Center. Click Next.

    10. On the Manage Channels tab, click Create.

    11. On the Channel Info tab, enter a name for your channel. Click Next.

    12. On the Source tab, in the Active Data Store list, select your AD. Click Next.

    13. On the Source Settings tab, leave the default settings. Click Next.

    14. On the Source Location tab, enter your Base DN.

    15. Enter your Group DN for Users and Groups based on the location in your AD. Click Next.

    16. On the Attribute Mapping tab, for userName, select mail. Click Next and Save.

      Result:

      Users and groups are populated in AWS IAM Identity Center.
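Before enabling the sync, it is worth checking that the directory actually satisfies the userName requirements from step 2 (an email-formatted value that matches what the user signs on with) and the mail mapping from step 7. The following is an added example, not Ping Identity or AWS code: it assumes an ldapsearch-style LDIF export of the user subtree and flags entries whose mail is missing, not email-formatted, different from userPrincipalName, or shared with another user (so the PCV filter mail=${username} would match several entries).

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export (ldapsearch-style LDIF); not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=mylab,DC=local
userPrincipalName: alice@mylab.local
mail: alice@mylab.local

dn: CN=Bob,OU=Users,DC=mylab,DC=local
userPrincipalName: bob@mylab.local
mail: bob.smith@mylab.local

dn: CN=Carol,OU=Users,DC=mylab,DC=local
userPrincipalName: carol@mylab.local

dn: CN=Dave,OU=Users,DC=mylab,DC=local
userPrincipalName: dave@mylab.local
mail: bob.smith@mylab.local
"""

def parse_ldif(text):
    """Parse an LDIF export into dicts; entries are separated by blank lines."""
    return [dict((k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]

def check_entries(entries):
    """Return {dn: [problems]} for users that would fail sign-on or SCIM sync."""
    mails = Counter(e["mail"].lower() for e in entries if e.get("mail"))
    problems = {}
    for e in entries:
        mail, upn, issues = e.get("mail"), e.get("userPrincipalName", ""), []
        if not mail:
            issues.append("no mail attribute, so userName would be empty")
        else:
            if not EMAIL_RE.match(mail):
                issues.append("mail is not email-formatted")
            if mail.lower() != upn.lower():
                issues.append("mail differs from userPrincipalName")
            if mails[mail.lower()] > 1:
                issues.append("mail is not unique; mail=${username} matches several users")
        if issues:
            problems[e["dn"]] = issues
    return problems

if __name__ == "__main__":
    for dn, issues in check_entries(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", "; ".join(issues))
```

On the constructed sample, Alice passes, Carol has no mail, and Bob and Dave share a mail value that also differs from their userPrincipalName.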

Troubleshooting

If your sync isn’t working, enable DEBUG logging in the log4j configuration and review the Provisioner.log.

Next steps

  1. In the AWS IAM Identity Center user portal, open Settings.

  2. Sign on with your username and password, using your email in the username field.