Configuring an SSO connection to Amazon Web Services

Published: 09/09/2014
This article describes how to configure an SSO connection to Amazon Web Services in PingOne. For more information on configuring Amazon Web Services for multiple roles and accounts, please see this knowledgebase article.

The following steps describe how to configure an SSO connection between PingOne and Amazon Web Services. The configuration is broken into two parts: PingOne configuration and Amazon configuration.

PingOne SSO to Amazon Web Services Configuration:

1. Log into your PingOne account.

2. Click "Applications" in the navigation toolbar, then click the "Application Catalog" tab.

3. Enter "Amazon" into the search and select the "Amazon Web Services" SAML option.



4. Click "Set up" then "Continue to Next Step"


5. The entity ID and ACS URL are preset and no change is necessary. Click "Continue to Next Step"


6. You should now be on the attribute mappings section. For the SAML_SUBJECT field, click "Advanced."


Under "Name ID Format to send to SP:" click into the text field and select "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" from the dropdown.


Under "IDP Attribute Name or Literal Value" select the attribute mapping that corresponds to the directory attribute holding the username Amazon expects. For example, if users log in with their email address and you are using AD, the field you would select is "mail." Once you have finished setting up the subject, click "Save."


7. The next attribute (https://aws.amazon.com/SAML/Attributes/Role) is a multipurpose attribute that carries the AWS account number, role name and SAML provider name in a single value. Click "Advanced."


Click into the NameFormat Field and select "urn:oasis:names:tc:SAML:2.0:attrname-format:uri."



In the "IDP Attribute Name or Literal Value" field, you will need to specify the account number, role and provider name in the format:
arn:aws:iam::[account-number]:role/[role-name],arn:aws:iam::[account-number]:saml-provider/[provider-name]
As an example, if your account number is 987654321012, your role name is "Users" and your provider is "PingOne," the value you would enter is:
arn:aws:iam::987654321012:role/Users,arn:aws:iam::987654321012:saml-provider/PingOne
Note that the same account number appears in both ARNs. After entering the value, check the box "As Literal" and click "Save."



If you don’t know what your AWS values are, just enter “TO DO: Enter mapping,” check “As Literal,” click "Save" and move on to the next step for now.


8. The last attribute (https://aws.amazon.com/SAML/Attributes/RoleSessionName), which is optional, is used to display the user name once the user has logged in to AWS. You can pick an attribute, or you can use the advanced option to concatenate "givenName" and "sn" (if you are using AD), which will show the user's full name.
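The attribute values configured in steps 6 to 8 can be checked before the connection is published. The following Python script is an added example, not PingOne or AWS code: `build_role_attribute` assembles the Role attribute value from an account number, role name and provider name and refuses account numbers that are not 12 digits (the failure a mistyped account number produces), and `check_aws_assertion` inspects a constructed sample assertion for the persistent NameID format, the Role attribute's URI name format, a well-formed ARN pair and the presence of RoleSessionName. The function names, the sample assertion and the user values in it are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names and formats from the PingOne steps above.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# AWS account IDs are exactly 12 digits. The name pattern is a conservative
# subset of what IAM accepts; the comma is deliberately excluded because it is
# the separator between the two ARNs in the Role attribute value.
ACCOUNT_RE = re.compile(r"^\d{12}$")
NAME_RE = re.compile(r"^[\w+=.@-]{1,64}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w+=.@-]+$")


def build_role_attribute(account, role, provider):
    """Assemble the literal value for the Role attribute mapping (step 7).

    Raises ValueError rather than producing a value that AWS will reject at
    login time, e.g. when the account number has been mistyped.
    """
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"account number must be exactly 12 digits, got {account!r}")
    for label, name in (("role", role), ("provider", provider)):
        if not NAME_RE.match(name):
            raise ValueError(f"{label} name {name!r} is not usable in this mapping")
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider}")


def parse_role_attribute(value):
    """Split a Role attribute value into (role_arn, provider_arn), validating both."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected two comma-separated ARNs, got {value!r}")
    role_arn, provider_arn = parts
    m_role, m_prov = ROLE_ARN_RE.match(role_arn), PROVIDER_ARN_RE.match(provider_arn)
    if not m_role or not m_prov:
        raise ValueError(f"malformed ARN pair: {value!r}")
    if m_role.group(1) != m_prov.group(1):
        raise ValueError("role ARN and provider ARN name different accounts")
    return role_arn, provider_arn


def check_aws_assertion(xml_text):
    """Return the problems found in an assertion built for AWS; an empty list means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in persistent format (step 6)")
    attrs = {a.get("Name"): a
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)}
    role = attrs.get(ROLE_ATTR)
    if role is None:
        problems.append("Role attribute missing (step 7)")
    else:
        if role.get("NameFormat") != URI_FORMAT:
            problems.append("Role attribute NameFormat is not attrname-format:uri (step 7)")
        for v in role.findall("saml:AttributeValue", SAML_NS):
            try:
                parse_role_attribute((v.text or "").strip())
            except ValueError as exc:
                problems.append(f"Role value rejected: {exc}")
    if SESSION_ATTR not in attrs:
        problems.append("RoleSessionName attribute missing; the AWS console shows no user name (step 8)")
    return problems


# Constructed sample, not a captured assertion: what steps 6 to 8 would produce
# for the article's example values (signature and conditions omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Subject><saml:NameID Format="{PERSISTENT}">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>{build_role_attribute('987654321012', 'Users', 'PingOne')}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>John Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("sample assertion problems:", check_aws_assertion(SAMPLE_ASSERTION))
    # A 10-digit account number is the mistake the mapping must never contain.
    broken = SAMPLE_ASSERTION.replace("987654321012:role", "9876543212:role")
    print("broken assertion problems:", check_aws_assertion(broken))
```

Run the script against the assertion PingOne actually sends (captured from a browser SAML trace) by passing its XML to `check_aws_assertion`; an empty list means the three mappings match what the steps above describe.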

9. Once the attributes have been set, click "Continue to Next Step"

10. Click "Save and Publish" to save the new PingOne connection.


11. Locate "SAML Metadata" and click "Download." Save the file to your local file system. This file will be needed to configure some settings on the AWS side.




The AWS SSO connection is now configured in PingOne. The next step is to configure Amazon Web Services. 

Amazon Web Services SSO Configuration:
 
1. You will need to add a SAML provider to enable SSO for your AWS environment. Log into the AWS Console: http://aws.amazon.com/console/
 
Click “IAM”

2. Click "Identity Providers."

3. This step is where you will define PingOne as your SAML provider. Click "Create SAML Provider."


4. Enter a provider name (PingOne) then click “Continue."


5. Click “Choose File” and select the PingOne metadata file you downloaded in step 11 of the PingOne configuration, then click “Create.”


6. AWS requires that you add a role for SSO usage. On the Create Provider window, click the “Do this now” link to set up your user roles in AWS.
 
 
If you closed the window without setting up the role, or need to come back to it later, you can configure the roles by selecting “Roles” in the left-hand navigation and clicking “Create New Role.”

7. Enter a role name. In this example, we will call it “User.” Click “Continue.”


8. Select “Role for Identity Provider Access” and click “Select” for “Grant Web Single Sign-On (WebSSO) access to SAML providers.”


9. On the following screen, select the SAML provider (the name of the provider added in step 4) and click “Continue.”


10. Click “Continue” on the following screen.

11. The next step is to set the actual permissions the users will have for this role. In this example the users are given the ReadOnlyAccess policy, but you should pick the policy that is appropriate for your users:

12. Review the configuration values and click “Continue.”


13. Review the role settings and click “Create Role.”


You will now see the user role in your "Roles" screen. To configure additional SSO roles, follow the same process and choose the desired permissions in AWS setup step 11.


If you weren’t sure how the role attribute needed to be configured in step 7 of the PingOne setup, you can now find that information in your AWS setup. As previously described, the format of the role attribute value is:
 
arn:aws:iam::[account-number]:role/[role-name],arn:aws:iam::[account-number]:saml-provider/[provider-name]
 
To get to the required information, click “Identity Providers” in the navigation toolbar and check the “PingOne” checkbox.
You will see a value for Provider ARN, which in this case is: arn:aws:iam::987654321012:saml-provider/PingOne

Plug the values into the format specified above to give:
arn:aws:iam::987654321012:role/Users,arn:aws:iam::987654321012:saml-provider/PingOne
Paste this entire string into the attribute mapping for the Role attribute (replacing any placeholder you entered earlier) and save your configuration in PingOne if necessary.
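The Provider ARN copied here must match what the IAM role trusts, otherwise AssumeRoleWithSAML is denied at login even though the PingOne mapping looks right. The following Python script is an added example, not code from PingOne or AWS: `saml_trust_policy` writes out the trust policy shape that this example assumes the "WebSSO access to SAML providers" role choice produces (compare it with the trust relationship IAM shows for the role), and `mapping_issues` checks a Role attribute value against such a policy, including the case where the "TO DO: Enter mapping" placeholder from step 7 of the PingOne setup was never replaced. All function names and the sample values are this example's own.

```python
import json

# The audience AWS expects in the assertion; the trust policy binds the role to it.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"


def saml_trust_policy(provider_arn):
    """Trust policy of a role created for WebSSO access to a SAML provider (assumed form)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trusted_providers(policy):
    """Return the federated principals allowed to call AssumeRoleWithSAML under this policy."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if ASSUME_ACTION not in actions and "sts:*" not in actions and "*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            found.update(_as_list(principal.get("Federated")))
    return found


def mapping_issues(role_attr_value, policy):
    """List why the PingOne Role mapping would fail against this role's trust policy (empty = OK)."""
    if role_attr_value.count(",") != 1:
        return [f"mapping is not an ARN pair (placeholder still in place?): {role_attr_value!r}"]
    role_arn, provider_arn = role_attr_value.split(",")
    issues = []
    if provider_arn not in trusted_providers(policy):
        issues.append(f"trust policy does not allow {provider_arn} to assume {role_arn}")
    for stmt in policy.get("Statement", []):
        auds = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if auds and SAML_AUDIENCE not in auds:
            issues.append(f"SAML:aud condition is {auds!r}, expected {SAML_AUDIENCE!r}")
    return issues


if __name__ == "__main__":
    # Constructed values matching the article's example (not a real account).
    provider = "arn:aws:iam::987654321012:saml-provider/PingOne"
    mapping = f"arn:aws:iam::987654321012:role/Users,{provider}"
    policy = saml_trust_policy(provider)
    print(json.dumps(policy, indent=2))
    print("article mapping:", mapping_issues(mapping, policy))
    print("placeholder left in place:", mapping_issues("TO DO: Enter mapping", policy))
    print("provider name mismatch:", mapping_issues(mapping.replace("/PingOne", "/Ping0ne"), policy))
```

To check a real role, paste its trust policy JSON into `json.loads` and pass the resulting dictionary to `mapping_issues` together with the string configured in PingOne; the first issue reported is the one to fix before attempting a login.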
 

You have now completed your SSO configuration and can begin logging in to Amazon Web Services via SSO. You can use the PingOne dock, or you can use the direct SSO link in PingOne by clicking "Applications" and then clicking "AWS" in the table.


Copy the "Initiate Single Sign-On (SSO) URL" to use for SSO login.
