Configuring AWS session tags for PingOne SAML connections
You can create a custom SAML application to support AWS Identity and Access Management (IAM) and AWS IAM Identity Center session tags for SAML connections in PingOne.
Before you begin
- Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites (page 241) in the PingAccess documentation.
- Sign on to your PingOne account as an administrator.
- Configure an external identity provider, such as PingFederate, that will provide the values for the AWS attributes.
About this task
In the PingOne App Catalog, PingOne provides a ready-made AWS application template. That template uses static SAML attributes and cannot be used for session tags. The following steps create a custom SAML application that can be used with AWS session tags.
Steps
- On the PingOne console, go to Applications > My Applications > Add Application > New SAML Application.
- Enter an application name, such as AWS with Session Tags.
- Enter the application description, category, and application icon, and then click Continue to Next Step.
- In the Application Configuration section, enter the following:
  - In the Assertion Consumer Service (ACS) field, enter https://signin.aws.amazon.com/saml.
  - In the Entity ID field, enter urn:amazon:webservices.
- Click Continue to Next Step.
- In the SSO Mapping Attributes section, click Add new attribute. Enter the session tag attributes that you plan to use.
  Choose from:
  - If you are using AWS IAM Identity Center, include the access control tags in the following format:
    https://aws.amazon.com/SAML/Attributes/AccessControl:{attribute}
  - If you are using AWS IAM, enter the AWS Principal Tags and TransitiveTagKeys, based on the following examples:
    - https://aws.amazon.com/SAML/Attributes/AccessControl:{attribute}
    - https://aws.amazon.com/SAML/Attributes/PrincipalTag:project
    - https://aws.amazon.com/SAML/Attributes/Role
    - https://aws.amazon.com/SAML/Attributes/RoleSessionName
    - https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys
- Click Continue to Next Step twice, and then click Finish to create the AWS Session Tag SAML application.
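After the application is created, the attribute names mapped above appear as Attribute elements in the SAML assertion that PingOne sends to AWS. The following added example (not part of the PingOne documentation or product) parses a constructed assertion and checks the consistency practitioners usually verify during testing: that Role and RoleSessionName are present, that each Role value is a role ARN and provider ARN pair, and that every key listed in TransitiveTagKeys has a matching PrincipalTag attribute. The sample ARNs and values are constructed placeholders.

```python
"""Consistency check for AWS session-tag attributes in a SAML assertion (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_PREFIX = "https://aws.amazon.com/SAML/Attributes/"

# Constructed sample: the attribute names match the ones mapped in the PingOne steps;
# the account id, role name, provider name and tag value are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/PingOne</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:project">
      <saml:AttributeValue>blue</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys">
      <saml:AttributeValue>project</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_aws_attributes(xml_text):
    """Return {short_name: [values]} for every AWS attribute in the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_PREFIX):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attrs[name[len(AWS_PREFIX):]] = values
    return attrs


def check_session_tags(xml_text):
    """Return a list of problems found; an empty list means the attribute set is consistent."""
    attrs = parse_aws_attributes(xml_text)
    problems = []
    for required in ("Role", "RoleSessionName"):
        if required not in attrs:
            problems.append(f"missing {required}")
    for role in attrs.get("Role", []):  # expected form: role_arn,provider_arn
        parts = role.split(",")
        if len(parts) != 2 or not all(p.startswith("arn:") for p in parts):
            problems.append(f"Role value is not 'role_arn,provider_arn': {role}")
    tag_keys = {k.split(":", 1)[1] for k in attrs if k.startswith("PrincipalTag:")}
    for key in attrs.get("TransitiveTagKeys", []):  # a transitive key must also be asserted as a tag
        if key not in tag_keys:
            problems.append(f"TransitiveTagKeys names '{key}' but no PrincipalTag:{key} is asserted")
    return problems
```

Run check_session_tags on an assertion captured from a test sign-on (for example via the browser's SAML tracer) to confirm the mapped attributes arrive with the expected names before enabling the application for users.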