Configuring AWS session tags for PingFederate OIDC connections
You can configure AWS Session Tag support for OpenID Connect (OIDC) connections in PingFederate.
Before you begin
- If you want to use OGNL expressions to populate the values of the AWS session tags, see Enabling and disabling expressions in the PingFederate documentation.
- Create an Amazon Web Services (AWS) console account and policy that uses session tags. For help, see AWS prerequisites in the PingAccess documentation.
- Configure your PingFederate OAuth client for AWS console authentication.
- Define a PingFederate OpenID Connect policy. For help, see Configuring OpenID Connect policies in the PingFederate documentation.
Steps
- Open your OpenID Connect policy. Choose from:
  - For PingFederate 10.1 or later: go to Applications > OAuth > OpenID Connect Policy Management.
  - For PingFederate 10.0 or earlier: go to OAuth Server > OpenID Connect Policy Management.
- Select the client that you want to edit. Click Attribute Contract.
- Create a new attribute and name it http://aws.amazon.com/tags. Click Add.
- Click Contract Fulfillment and enter the required OGNL expression for the session tag.
  You must construct the OGNL expression for the specific source data structure, as shown in the following example.
- Click Save, then from the Policy drop-down list, select the OpenID Connect policy you just created.
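The OGNL expression itself is not reproduced on this page. As an added illustration (not PingFederate code or Ping's own example), the following Python models the JSON structure that the expression must return for the http://aws.amazon.com/tags claim and the checks worth applying to directory-sourced values before they become tags; the claim shape and limits assume AWS's documented session-tag format (AWS's own documentation spells the claim name with https, so use the one your AWS account expects), and the user attributes are constructed sample data.

```python
import json
import re

# Claim name as given on this page (AWS documentation uses https://aws.amazon.com/tags).
AWS_TAGS_CLAIM = "http://aws.amazon.com/tags"

# Assumed AWS session-tag limits: key 1-128 chars, value 0-256 chars, at most 50 tags,
# characters limited to letters, digits, spaces and _ . : / = + - @
_TAG_CHARS = re.compile(r"^[\w .:/=+\-@]+$")
MAX_KEY_LEN, MAX_VALUE_LEN, MAX_TAGS = 128, 256, 50


def build_aws_tags_claim(source, mapping, transitive=()):
    """Return the value the tags claim must carry.

    source:     attributes available to the contract (e.g. a directory lookup result)
    mapping:    {aws_tag_key: source_attribute_name}
    transitive: tag keys that should survive role chaining
    Raises ValueError when the result would break AWS session-tag rules, which is
    what you want to happen before a malformed or oversized tag reaches STS.
    """
    principal_tags = {}
    for tag_key, attr in mapping.items():
        value = source.get(attr)
        if value is None:
            continue  # absent attribute: omit the tag rather than send an empty one
        value = str(value)
        if not (0 < len(tag_key) <= MAX_KEY_LEN) or not _TAG_CHARS.match(tag_key):
            raise ValueError(f"invalid tag key {tag_key!r}")
        if len(value) > MAX_VALUE_LEN or (value and not _TAG_CHARS.match(value)):
            raise ValueError(f"invalid value for tag {tag_key!r}: {value!r}")
        principal_tags[tag_key] = [value]  # AWS expects a one-element list per key
    if len(principal_tags) > MAX_TAGS:
        raise ValueError("too many session tags")
    missing = set(transitive) - principal_tags.keys()
    if missing:  # assumption: transitive keys must be a subset of the tag keys
        raise ValueError(f"transitive keys without a tag: {sorted(missing)}")
    return {"principal_tags": principal_tags, "transitive_tag_keys": list(transitive)}


def id_token_claims(base_claims, source, mapping, transitive=()):
    """Attach the tags claim to an ID-token payload (base claims are assumed valid)."""
    claims = dict(base_claims)
    claims[AWS_TAGS_CLAIM] = build_aws_tags_claim(source, mapping, transitive)
    return claims


if __name__ == "__main__":
    user = {"department": "Engineering", "costCenter": "987654"}  # constructed sample
    tag_map = {"Department": "department", "CostCenter": "costCenter"}
    print(json.dumps(id_token_claims({"sub": "alice"}, user, tag_map, ("CostCenter",)), indent=2))
```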