---
title: Enabling SCIM provisioning with AWS IAM Identity Center and PingFederate
description: Learn how to enable automatic provisioning in Amazon Web Services (AWS) IAM Identity Center while integrating with PingFederate using Active Directory (AD) as an external datastore.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:scim_provisioning_aws_sso_pf
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/scim_provisioning_aws_sso_pf.html
revdate: March 15, 2023
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  result-2: Result:
  troubleshooting: Troubleshooting
  next-steps: Next steps
---

# Enabling SCIM provisioning with AWS IAM Identity Center and PingFederate

Learn how to enable automatic provisioning in Amazon Web Services (AWS) IAM Identity Center while integrating with PingFederate using Active Directory (AD) as an external datastore.

## Before you begin

Make sure you have:

* Administrative access to PingFederate.

* PingFederate 10.3 or later installed.

## Steps

1. Connect to your AD in PingFederate:

   1. In PingFederate, go to **System → Data Stores**.

   2. Click **Add New Data Store**.

   3. Name your connection and in the **Type** list, select **Directory (LDAP)**. Click **Next**.

   4. On the **LDAP Configuration** tab, for **Hostname(s)**, enter the IP address or hostname of the AD hosting server.

   5. For the **User DN** and **Password** fields, enter the credentials of an account with administrative access to the AD.

      After you complete the required fields, the **Test Connection** button becomes available.

   6. Click **Test Connection**. Click **Save**.

2. Create a password credential validator (PCV):

   1. In PingFederate, go to **System → Password Credential Validators**.

   2. Click **Create New Instance**.

   3. Enter an **Instance Name** and **Instance ID**.

   4. In the **Type** list, select **LDAP Username Password Credential Validator**. Click **Next**.

   5. On the **Instance Configuration** tab, in the **Field Value** list for **LDAP Datastore**, select the datastore you created in step 1.

   6. Enter a **Search Base**, such as `dc=mylab,dc=local`.

   7. For **Search Filter**, enter `mail=${username}`.

      |   |                                                                                                          |
      | - | -------------------------------------------------------------------------------------------------------- |
      |   | In AWS, the **userName** field must be mapped to an **Attribute** that is formatted as an email address. |
      |   | The **userName** must match the value that the user uses to sign on to PingFederate.                    |
      |   | When using AD, specify the `UserPrincipalName` as the **userName**.                                      |

   8. Click **Next** twice. On the **Summary** tab, click **Save**.

3. Create an HTML Form IdP adapter with AD PCV:

   1. In PingFederate, go to **Authentication → IdP Adapters**.

   2. Click **Create New Instance**.

   3. Enter an **Instance Name** and an **Instance ID**.

   4. In the **Type** list, select **HTML Form IdP Adapter**. Click **Next**.

   5. On the **IdP Adapter** tab, in the **Password Credential Validator Instance** section, click **Add a new row to 'Credential Validators'**.

   6. In the list that becomes available, select the PCV you created in step 2.

   7. In the **Action** column, click **Update**. Click **Next**.

   8. On the **Extended Contract** tab, click **Next**.

   9. On the **Adapter Attributes** tab, in the **username** row, select **Pseudonym**.

   10. On the **Adapter Contract Mapping** tab, click **Next**.

   11. On the **Summary** tab, click **Save**.

4. Set up the AWS IAM Identity Center Provisioner:

   1. In PingFederate, in the **Helpful Links** section, click **Resource Downloads**.

      ### Result:

      You're redirected to the **PingFederate Downloads and Add-ons** page.

   2. Click **Add-ons** and in the **SaaS Connectors** section, download the **AWS IAM Identity Center Provisioner 1.0**.

   3. Stop PingFederate.

   4. Extract the AWS IAM Identity Center Provisioner `.zip` archive and copy the contents of its `dist` directory to `<pf_install>/pingfederate/server/default/deploy`.

   5. In `run.properties`, set `pf.provisioner.mode` to `STANDALONE`.

   6. Start PingFederate again.

5. [Export SAML metadata from PingFederate](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_exporting_selected_saml_metadata.html).

   |   |                                                                                                                |
   | - | -------------------------------------------------------------------------------------------------------------- |
   |   | You'll import this metadata during the AWS IAM Identity Center external identity provider (IdP) configuration. |

6. Enable provisioning in AWS:

   1. In the AWS IAM Identity Center console, in the **Identity Source** section, select **External Identity Provider**.

   2. Import the PingFederate metadata you downloaded in step 5.

   3. Enter your **IdP URL**, **Entity ID**, and the certificate you downloaded from PingFederate.

      |   |                                                                |
      | - | -------------------------------------------------------------- |
      |   | The **Entity ID** is the **SAML Entity ID** from PingFederate. |

   4. Download the AWS SAML metadata. Click **Save**.

   5. From the left navigation pane, go to **Settings**.

   6. In the **Identity source** section, next to **Provisioning**, select **Enable automatic provisioning**.

      This immediately enables automatic provisioning in AWS IAM Identity Center and displays the necessary endpoint and access token information.

   7. In the **Inbound automatic provisioning** dialog box, copy each of the values for **SCIM endpoint** and **Access token**.

      |   |                                                                                |
      | - | ------------------------------------------------------------------------------ |
      |   | You'll paste these values later when configuring provisioning in PingFederate. |

7. Create a service provider (SP) connection in PingFederate:

   1. In PingFederate, go to **SP Connections**.

   2. Click **Create Connection**.

   3. On the **Connection Template** tab, select **Use a Template for this Connection**.

   4. In the **Connection Template** list, select the **AWS SSO Cloud Connector**.

   5. Import the metadata file you downloaded from AWS IAM Identity Center in step 6. Click **Next**.

   6. On the **Connection Type** tab, select **Outbound Provisioning**. Click **Next**.

   7. On the **General Info** tab, make sure the autopopulated information is correct. Click **Next**.

   8. On the **Outbound Provisioning** tab, click **Configure Provisioning**.

   9. Enter the System for Cross-domain Identity Management (SCIM) endpoint and access token values you copied from AWS IAM Identity Center. Click **Next**.

   10. On the **Manage Channels** tab, click **Create**.

   11. On the **Channel Info** tab, enter a name for your channel. Click **Next**.

   12. On the **Source** tab, in the **Active Data Store** list, select your AD. Click **Next**.

   13. On the **Source Settings** tab, leave the default settings. Click **Next**.

   14. On the **Source Location** tab, enter your **Base DN**.

   15. Enter your **Group DN** for **Users** and **Groups** based on the location in your AD. Click **Next**.

   16. On the **Attribute Mapping** tab, for **userName**, select **mail**. Click **Next** and **Save**.

       ### Result:

       Users and groups are populated in AWS IAM Identity Center.

## Troubleshooting

If your sync isn't working, set the log level to **DEBUG** in the log4j configuration and check `Provisioner.log`.
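A quick check you can run from the PingFederate host when the sync stays empty is to query the SCIM endpoint directly with the endpoint and access token copied in step 6, and confirm that the **userName** values it returns are email-formatted, as step 2 requires. The following is an added example, not code from this guide or from the AWS provisioner; the endpoint, token and sample response are constructed placeholders, and the `fetch` parameter lets the check run offline against the sample.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumed placeholders: replace with the SCIM endpoint and access token copied
# from the AWS IAM Identity Center "Inbound automatic provisioning" dialog.
SCIM_ENDPOINT = "https://scim.example.invalid/scim/v2/"
ACCESS_TOKEN = "<access-token-placeholder>"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # AWS requires an email-formatted userName

def build_user_lookup(endpoint, token, username):
    """Build the SCIM GET /Users request that filters on an exact userName."""
    escaped = username.replace("\\", "\\\\").replace('"', '\\"')  # SCIM filter string escaping
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    url = endpoint.rstrip("/") + "/Users?" + query
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return url, headers

def parse_list_response(body):
    """Return the userName values from a SCIM ListResponse JSON document."""
    return [r.get("userName", "") for r in json.loads(body).get("Resources", [])]

def check_usernames(usernames):
    """Return the userName values that are not email-formatted."""
    return [u for u in usernames if not EMAIL_RE.match(u)]

def lookup_user(username, endpoint=SCIM_ENDPOINT, token=ACCESS_TOKEN, fetch=None):
    """Query the SCIM endpoint for one user; returns (usernames, not_email_formatted)."""
    url, headers = build_user_lookup(endpoint, token, username)
    if fetch is None:  # fetch(url, headers) -> body text; default is a live HTTPS call
        def fetch(u, h):
            with urllib.request.urlopen(urllib.request.Request(u, headers=h)) as resp:
                return resp.read().decode()
    names = parse_list_response(fetch(url, headers))
    return names, check_usernames(names)

# Constructed sample ListResponse standing in for a live IAM Identity Center reply.
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [{"id": "1", "userName": "jdoe@mylab.local"},
                  {"id": "2", "userName": "jsmith"}],
})

if __name__ == "__main__":
    print(lookup_user("jdoe@mylab.local", fetch=lambda u, h: SAMPLE_RESPONSE))
```

A `401` from the live endpoint means the access token was not pasted correctly in step 7, while an empty `Resources` list for a user you expect to exist points at the **Source Location** or **Attribute Mapping** settings of the channel.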

## Next steps

1. In the AWS IAM Identity Center user portal, open **Settings**.

2. Sign on with your username and password, using your email in the username field.
