Configuring an SSO connection to Amazon Web Services
This article describes how to configure an SSO connection to Amazon Web Services in PingOne. For more information on configuring Amazon Web Services for multiple roles and accounts, please see this
The following steps describe how to configure an SSO connection between PingOne and Amazon Web Services. The configuration has two parts: the PingOne configuration and the Amazon configuration.
PingOne SSO to Amazon Web Services Configuration:
1. Log into your PingOne account
2. Click "Applications" in the navigation toolbar, then click the "Application Catalog" tab.
3. Enter "Amazon" into the search and select the "Amazon Web Services" SAML option.
4. Click "Set up" then "Continue to Next Step"
5. The entity ID and ACS URL are preset and no change is necessary. Click "Continue to Next Step"
6. You should now be on the attribute mappings section. For the SAML_SUBJECT field, click "Advanced."
Under "Name ID Format to send to SP:" click into the text field and select "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" from the dropdown.
Under "IDP Attribute Name or Literal Value" select the directory attribute that matches the username Amazon expects. For example, if users log in with their email and you are using AD, the field you would select is "mail." Pick an attribute that is unique and does not change for a user, since AWS keys the federated identity on this value. Once you have finished setting up the subject, click "Save."
7. The next attribute (https://aws.amazon.com/SAML/Attributes/Role) is a multipurpose attribute that carries the AWS account number, the role name and the SAML provider name in a single value. Click "Advanced."
Click into the NameFormat field and select "urn:oasis:names:tc:SAML:2.0:attrname-format:uri."
In the "IDP Attribute Name or Literal Value" field, specify the account number, role and provider name in the format: arn:aws:iam::[account-number]:role/[role-name],arn:aws:iam::[account-number]:saml-provider/[provider-name] (the two ARNs are separated by a comma with no space, and both use the same 12-digit account number). As an example, if your account number is 987654321012, your role name is "Users" and your provider is "PingOne," the value you would enter is:
"arn:aws:iam::987654321012:role/Users,arn:aws:iam::987654321012:saml-provider/PingOne." After entering the value, check the box "As Literal" and click "Save." Because this is a literal, every user who is assigned the AWS application in PingOne will receive this same role, so restrict the application to the users who should have that level of AWS access.
If you don't know what your AWS values are yet, enter "TO DO: Enter mapping," check "As Literal," click "Save" and move on to the next step for now.
8. The last attribute (https://aws.amazon.com/SAML/Attributes/RoleSessionName) is required by AWS. Its value becomes the session name that is shown in the AWS console after login and recorded in CloudTrail, so it should identify the user. You can pick a single attribute such as "mail," or use the advanced option to concatenate "givenName" and "sn" (if you are using AD) to show the user's full name. The resulting value must be 2 to 64 characters consisting only of letters, digits and the characters = , . @ - _ (no spaces), so concatenate the two attributes without a separator; AWS rejects assertions whose RoleSessionName does not match this pattern.
9. Once the attributes have been set, click "Continue to Next Step"
10. Click "Save and Publish" to save the new PingOne connection.
11. Locate "SAML Metadata" and click "Download." Save the file to your local file system. This file (which contains the PingOne signing certificate and SSO endpoints) is needed to create the SAML provider on the AWS side.
The AWS SSO connection is now configured in PingOne. The next step is to configure Amazon Web Services.
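The two PingOne attribute values above are easy to get subtly wrong (a dropped digit in the account number, a space in the session name, the two ARNs in the wrong order), and PingOne does not validate them. The following is an added example, not part of the original article or of PingOne, that builds the Role literal from its parts and checks both values against the format AWS expects. The account number, role name and provider name are the constructed values used in the article, not a real account.

```python
import re

# Constructed example values matching the ones used in the article; not a real account.
ACCOUNT_ID = "987654321012"
ROLE_NAME = "Users"
PROVIDER_NAME = "PingOne"

# IAM role and SAML-provider ARNs: a 12-digit account, then role/<optional path/>name
# or saml-provider/name.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=,.@/-]+)$", re.ASCII)
# What STS accepts as a RoleSessionName: 2 to 64 characters from [\w+=,.@-], so no spaces.
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)


def role_attribute_value(account_id, role_name, provider_name):
    """Build the literal for https://aws.amazon.com/SAML/Attributes/Role (PingOne step 7)."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def check_role_attribute_value(value):
    """Return the problems found in one Role attribute value; an empty list means it is well-formed."""
    problems = []
    parts = [part.strip() for part in value.split(",")]
    if len(parts) != 2:
        return [f"expected 'role-arn,provider-arn' but found {len(parts)} comma-separated part(s)"]
    accounts = []
    for expected_kind, arn in zip(("role", "saml-provider"), parts):
        match = _ARN_RE.match(arn)
        if not match:
            problems.append(f"malformed ARN (check the 12-digit account number): {arn!r}")
            continue
        account_id, kind, _name = match.groups()
        if kind != expected_kind:
            problems.append(f"expected a {expected_kind} ARN but found {kind!r}: {arn!r}")
        accounts.append(account_id)
    if len(accounts) == 2 and accounts[0] != accounts[1]:
        problems.append("the role and the SAML provider must be in the same AWS account")
    return problems


def check_role_session_name(value):
    """True if the value is acceptable as RoleSessionName (PingOne step 8)."""
    return _SESSION_NAME_RE.fullmatch(value) is not None


def session_name_from_ad(given_name, sn):
    """Concatenate givenName and sn as step 8 suggests, with no separator, since spaces are rejected."""
    return f"{given_name}{sn}"


if __name__ == "__main__":
    good = role_attribute_value(ACCOUNT_ID, ROLE_NAME, PROVIDER_NAME)
    print(good, check_role_attribute_value(good))
    # A 10-digit account number, a common typo, is caught as a malformed role ARN.
    typo = "arn:aws:iam::9876543212:role/Users,arn:aws:iam::987654321012:saml-provider/PingOne"
    print(check_role_attribute_value(typo))
    print(check_role_session_name(session_name_from_ad("John", "Smith")),
          check_role_session_name("John Smith"))
```

Run the checks against the exact strings you paste into PingOne. If you later add more roles for the same users, each additional role is a separate value of the same Role attribute in the same format, and each one can be checked with the same function.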
Amazon Web Services SSO Configuration:
1. You will need to add a SAML provider to enable SSO for your AWS environment. Log into the AWS Console: http://aws.amazon.com/console/
2. Open the IAM service and click "Identity Providers."
3. This step is where you will define PingOne as your SAML provider. Click "Create SAML Provider."
4. Enter a provider name (PingOne) then click “Continue."
5. Click “Choose File” and select the PingOne metadata file you downloaded in step 11 then click “Create.”
6. AWS requires that you add a role for SSO usage. On the Create Provider Window click the “Do this now” link to set up your user roles in AWS.
If you closed the window without setting up the role or need to come back to it later, you can configure the roles by selecting “Roles” in the left hand navigation and clicking “Create New Role.”
7. Enter a role name. In this example, we will call it “User.” Click “Continue.”
8. Select “Role for Identity Provider Access” and click “Select” for “Grant Web Single Sign-On (WebSSO) access to SAML providers.”
9. In the Following screen, select the SAML provider, which is the name of the provider added in step 4 and click “Continue.”
10. Click “Continue” on the following screen.
11. The next step is to set the actual permissions the users will have for this role. In this example the users are given the ReadOnlyAccess managed policy, but you should pick the least-privileged policy that is appropriate for your users; everyone who receives this role through SSO gets exactly these permissions.
12. Review the configuration values and Click “Continue.”
13. Review the role settings and click “Create Role.”
You will now see the user role in your "Roles" screen. To configure additional SSO roles, follow the same process and choose the desired permissions in AWS setup step 11.
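The wizard in steps 8 and 9 does one security-relevant thing behind the scenes: it attaches a trust policy to the role that allows sts:AssumeRoleWithSAML only for the SAML provider you selected and only when the assertion's audience is the AWS sign-in endpoint. The following is an added example, not part of the original article or of AWS, that produces that trust policy as JSON and audits an existing one for the mistakes that weaken it (a wildcard or unexpected provider, a missing SAML:aud condition). The provider ARN is the constructed one from the article.

```python
import json

# The audience AWS publishes in its SAML SP metadata; the wizard-generated trust policy pins it.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"


def saml_trust_policy(provider_arn):
    """Trust policy equivalent to the one the WebSSO role wizard attaches (AWS steps 8 and 9)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": ASSUME_ACTION,
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_provider_arn):
    """Return the problems in a trust policy that should let only one SAML provider assume the role."""
    problems = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        if not any(action in (ASSUME_ACTION, "sts:*", "*") for action in actions):
            continue  # not a SAML trust statement
        principal = statement.get("Principal")
        if principal == "*":
            problems.append(f"statement {index}: Principal '*' lets anyone call AssumeRoleWithSAML")
            continue
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            problems.append(f"statement {index}: AssumeRoleWithSAML allowed without a Federated principal")
        for arn in federated:
            if arn == "*":
                problems.append(f"statement {index}: wildcard Federated principal")
            elif arn != expected_provider_arn:
                problems.append(f"statement {index}: trusts unexpected provider {arn!r}")
        audience = statement.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != SAML_AUDIENCE:
            problems.append(f"statement {index}: missing or wrong SAML:aud condition")
    return problems


def weak_trust_policy_example():
    """Constructed bad example: wildcard provider and no audience condition."""
    policy = saml_trust_policy("*")
    del policy["Statement"][0]["Condition"]
    return policy


if __name__ == "__main__":
    provider = "arn:aws:iam::987654321012:saml-provider/PingOne"  # constructed, from the article
    print(json.dumps(saml_trust_policy(provider), indent=2))
    print(audit_trust_policy(saml_trust_policy(provider), provider))   # []
    print(audit_trust_policy(weak_trust_policy_example(), provider))   # two findings
```

To audit a role that already exists, feed the AssumeRolePolicyDocument returned by `aws iam get-role --role-name User` to audit_trust_policy with the provider ARN from the "Identity Providers" page; a finding there means a different identity provider, or one that has not been pinned to the AWS audience, could mint sessions for the role. Writing the generated policy to a file and passing it to `aws iam create-role --role-name User --assume-role-policy-document file://trust.json` gives the same result as the console wizard.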
If you weren't sure how the role attribute needed to be configured in Step 7 of the PingOne setup, you can now get that information from your AWS setup. As previously described, the format of the role attribute value is:
arn:aws:iam::[account-number]:role/[role-name],arn:aws:iam::[account-number]:saml-provider/[provider-name]
To get to the required information, click "Identity Providers" in the navigation toolbar and put a check in the "PingOne" checkbox.
You will see a value for Provider ARN, which in this case is: arn:aws:iam::987654321012:saml-provider/PingOne
The role name is the one you entered in AWS setup step 7 ("User" in this example) and must match the AWS role name exactly, including case; the account number in the role ARN is the same one that appears in the Provider ARN. Plug the values into the format specified above to give:
arn:aws:iam::987654321012:role/User,arn:aws:iam::987654321012:saml-provider/PingOne
Paste this entire string into the attribute mapping for the role attribute in PingOne, make sure "As Literal" is checked, and save and publish the configuration.
You have now completed your SSO configuration and can begin logging in to Amazon Web Services via SSO. Users can launch AWS from the PingOne dock, or you can use the direct SSO link in PingOne: click "Applications," then click "AWS" in the table.
Copy the "Initiate Single Sign-On (SSO) URL" to use for SSO login.