Manage access to AWS centrally for Ping Identity users with AWS Single Sign-On

Posted on: Oct 7, 2020

Customers can now connect PingFederate to AWS Single Sign-On (SSO) once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using PingFederate to access all their assigned AWS accounts. The integration helps customers simplify AWS access management across multiple accounts while maintaining familiar Ping Identity experiences for administrators who manage identities, and for end users as they sign in. AWS SSO and PingFederate use standards-based automation to provision users and groups into AWS SSO, saving administration time and increasing security.

The interoperability of AWS SSO and PingFederate enables administrators to centrally assign users and groups access to their AWS Organizations accounts and AWS SSO integrated applications. This makes it easier for an AWS administrator to manage access to AWS and ensure Ping Identity users have the right access to the right AWS accounts. Ongoing management is also simplified. For example, when using group assignments, PingFederate administrators can grant or remove AWS account access simply by adding users to or removing users from a group within a configured data store.

AWS and Ping Identity use the System for Cross-domain Identity Management (SCIM) standard to automate the process of provisioning users and groups into AWS SSO. AWS SSO also authenticates PingFederate users to their assigned AWS accounts through the Security Assertion Markup Language (SAML 2.0) standard. To configure the SCIM and SAML connections, administrators can use the AWS Single Sign-On Connector available from Ping Identity. 

Your end users get their familiar Ping Identity sign-in experience, including MFA, and central access to all of their assigned AWS accounts, including those created with AWS Control Tower account factory. In addition, your users can use their PingFederate credentials to sign in to the AWS Management Console, AWS Command Line Interface (CLI), AWS Console Mobile Application, and AWS integrated services, including AWS IoT SiteWise Monitor and Amazon SageMaker Notebooks.

It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console, you can choose AWS SSO, Active Directory, or an external identity provider, now including PingFederate, as your identity source.

Your users sign in with the convenience of their familiar sign-in experience and get single-click access to all their assigned accounts from the AWS SSO user portal. To learn more, please visit AWS Single Sign-On. To connect PingFederate to AWS SSO as an external identity provider, please see the AWS SSO documentation.  

There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Tokyo), Asia Pacific (Mumbai), EU (Ireland), EU (Frankfurt), EU (London), and EU (Stockholm) Regions.