AWS Marketplace

Centralize authentication using Ping Identity, AWS Control Tower, and AWS Single Sign-On

Customers who adopt a multi-account structure must also manage user authentication and authorization across those accounts. When that structure is governed by AWS Control Tower, they need a centralized system for both, so that users are created, granted access, and removed in one place rather than account by account.

AWS Control Tower enables customers to manage and govern a multi-account structure. After you launch AWS Control Tower in your AWS management account, it configures AWS Single Sign-On (AWS SSO). You can manage users’ single sign-on access to their AWS accounts directly in AWS SSO, or you can authenticate users with SAML 2.0 through an external identity provider.

Ping Identity, available in AWS Marketplace, is an external identity provider that helps you manage a multi-account AWS environment while giving you flexibility in running and managing your identity solutions. Ping Identity’s Workforce360 has two options that enable you to manage users and their capabilities in AWS accounts. Workforce360 integrates with AWS Control Tower using one of the following solutions:

  • Ping Identity’s Workforce360 PingOne (PingOne) – a cloud-based solution suited to customers whose applications are primarily software-as-a-service (SaaS) apps.
  • Ping Identity’s Workforce360 PingFederate (PingFederate) – a solution for diverse application portfolios, complex SSO use cases, and intricate multi-factor authentication (MFA) flows. You can deploy PingFederate anywhere, including on Amazon EC2 instances, in Amazon EKS, or on premises.

In this blog post, I demonstrate how to integrate the PingOne and PingFederate solutions with AWS SSO to authenticate and authorize users to AWS accounts managed by AWS Control Tower. I also explain how to enable automatic provisioning of users in both solutions.

Solution overview

Setting up the integration between Ping Identity Workforce360 and AWS SSO involves three main steps:

  1. Download the AWS SSO metadata.
  2. Create an AWS SSO application in Ping Identity Workforce360 and exchange metadata.
  3. Enable System for Cross-domain Identity Management (SCIM) provisioning.

The following diagram shows how the Ping Identity Workforce360 solutions work with AWS SSO and AWS Control Tower.

Using your user directory of choice, you can integrate PingOne with AWS SSO using SAML and SCIM provisioning. This is done by creating an AWS SSO application within PingOne and exchanging metadata files between PingOne and AWS SSO. You will then enable automatic provisioning within AWS SSO by providing the SCIM endpoint and access token to PingOne.

PingFederate has a similar architecture, which you can see here.

Prerequisites

This solution has the following prerequisites:

Step 1: Download the AWS SSO metadata file

This step is the same for both solutions.

  1. Sign in to the AWS Management Console and open AWS Single Sign-On.
  2. In the navigation pane, choose Settings.
  3. On the Settings page, under Identity source, choose Change.
  4. On the Change identity source page, select External identity provider.
  5. In the Configure service provider metadata section, choose Download metadata file and then choose Save file.

Keep the AWS SSO console open. After you have set up your AWS SSO application in either PingOne or PingFederate in the following steps, you will return to the console to upload PingOne or PingFederate’s metadata.

Steps 2 and 3 for Workforce360 via PingOne

Here’s how to continue with the solution if you’re using Workforce360 via PingOne. If you’re using Workforce360 via PingFederate, see Steps 2 and 3 for Workforce360 via PingFederate.

Step 2: Add the PingOne AWS SSO application to the PingOne admin portal and complete the metadata exchange

2.a Log in to PingOne using your PingOne credentials and navigate to the AWS SSO application

  1. In PingOne, choose Setup and select the identity repository that you will be using.
  2. Choose Applications and then choose Application Catalog.
  3. In the search field, enter AWS and select AWS Single Sign On (SAML with Provisioning).
  4. Choose Setup.
  5. Choose Continue to Next Step.

2.b Upload the metadata file that you downloaded in Step 1

  1. On the Connection Configuration page, for Upload Metadata, select the AWS SSO metadata file that you downloaded in Step 1.
  2. Choose Continue to Next Step.

2.c Configure and then download the application metadata file for PingOne

  1. On the Attribute Mapping page, for SAML_SUBJECT, choose Email (Work) and then choose Continue to Next Step.
  2. On the PingOne App Customization page, adjust the icon, name, and description as necessary and then choose Continue to Next Step.
  3. On the Group Access page, search for and add the users and groups that you want to have access to AWS SSO and then choose Continue to Next Step.
  4. On the Review Setup page, next to SAML Metadata, choose Download and then choose Save File.
  5. Choose Finish.

2.d Upload the application metadata for PingOne to AWS SSO

  1. Return to the AWS SSO console.
  2. On the Change identity source page, next to IdP SAML metadata, browse and select the PingOne metadata file that you just downloaded.
  3. Choose Next: Review.
  4. In the Type “ACCEPT” to change your identity source field, enter ACCEPT and then choose Change identity source.

PingOne is now set up as your external identity provider in AWS SSO.

Step 3: Enable automatic provisioning of users

3.a Get the SCIM endpoint and access token from AWS SSO

You need these to configure provisioning in PingOne.

  1. On the AWS SSO console, in the navigation pane, choose Settings.
  2. On the Settings page, under Identity source, for Provisioning, choose Enable automatic provisioning.
  3. In the Inbound automatic provisioning dialog box, copy the SCIM endpoint and Access token.
  4. Choose Close.

3.b Open your AWS SSO application for editing in PingOne

  1. In PingOne, choose Applications and then choose My Applications.
  2. Expand the AWS SSO application and choose Edit.
  3. Choose Continue to Next Step.

3.c Set up automatic provisioning of users

  1. On the Connection Configuration page, under PingOne dock URL, select Set up Provisioning.
  2. Choose Continue to Next Step.
  3. On the Application Configuration page, do the following:
    1. For SCIM_URL, enter the SCIM endpoint value that you copied in step 3.a.3.
    2. For ACCESS_TOKEN, enter the access token that you copied in step 3.a.3.
    3. For REMOVE_ACTION, choose the appropriate action.
    4. Choose Continue to Next Step.
  4. On the Attribute Mapping page, choose values for SAML_SUBJECT and other pertinent fields. For more information, see Additional considerations in the AWS Single Sign-On User Guide.
  5. Choose Continue to Next Step three times and then choose Finish.

Now continue to step 4 of the solution.

Steps 2 and 3 for Workforce360 via PingFederate

Here’s how to complete the solution if you’re using Workforce360 via PingFederate. Skip these steps if you completed steps 2 and 3 for Workforce360 via PingOne.

Step 2: Set up your data store and complete the metadata exchange

2.a Set up your data store and create user accounts in PingFederate

  1. In PingFederate, choose System.
  2. In the navigation pane, choose Server.
  3. On the Federation Info tab, for Protocol Settings, enter a SAML 2.0 entity ID.
  4. On the Outbound Provisioning tab, create and maintain user accounts. For more information on setting up your data store, see Configure outbound provisioning in the PingFederate Server documentation.
  5. Choose Save.

2.b Configure the metadata for PingFederate

  1. Choose System.
  2. In the navigation pane, choose Protocol Metadata.
  3. In the new navigation pane, choose Metadata Export.
  4. On the Metadata Role tab, choose I am the identity provider (IDP) and then choose Next.
  5. Under Metadata Mode, choose Select information to include in metadata manually and then choose Next.
  6. Under Connection Metadata, choose a connection that contains the attribute and key that you want to include in the metadata and then choose Next.
  7. Choose your signing certificate and then choose Next.

2.c Download the metadata file

  1. On the Export & Summary page, choose Export.
  2. In the browser pop-up window, choose Save File and then choose OK.
  3. Choose Done.

2.d Upload the metadata for PingFederate to AWS SSO

  1. Return to the AWS SSO console.
  2. On the Change identity source page, next to IdP SAML metadata, browse and select the PingFederate metadata file that you exported in PingFederate step 2.c.
  3. Choose Next: Review.
  4. In the Type “ACCEPT” to change your identity source field, enter ACCEPT and then choose Change identity source.

PingFederate is now set up as your external identity provider in AWS SSO.
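Whichever product you use, the file you upload in step 2.d is the trust anchor for every AWS SSO login, so it is worth checking before you type ACCEPT: that it is IdP metadata and not the AWS SSO service-provider file from Step 1, that it carries a signing certificate, that the SSO endpoint is HTTPS, and that the NameID format matches the Email (Work) subject mapping used above. The following Python script is an added example, not code from the original post, Ping Identity or AWS. The two embedded metadata documents are constructed for a hypothetical IdP at idp.example.com, and the certificate body MAMCAQE= is a five-byte DER placeholder, not a real X.509 certificate; run the script with a path to your exported metadata to check the real file.

```python
"""Sanity-check SAML 2.0 IdP metadata before uploading it to AWS SSO.

Added example (not from the original post). Parses the metadata exported
from PingOne or PingFederate in step 2.c and reports conditions that break
or weaken the federation. Input is operator-downloaded metadata, so the
standard-library XML parser is acceptable here.
"""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}


def _signing_certs(idp):
    """Base64 bodies of certificates usable for signing (use="signing" or no use attribute)."""
    certs = []
    for kd in idp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key, not used to verify assertions
        for cert in kd.iter(f"{DS}X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    return certs


def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata looks usable."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{MD}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("entityID attribute missing")
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        # The AWS SSO file from Step 1 has an SPSSODescriptor instead; uploading it is a common mistake.
        return findings + ["no IDPSSODescriptor: this is not IdP metadata (did you pick the SP file?)"]

    certs = _signing_certs(idp)
    if not certs:
        findings.append("no signing certificate: AWS SSO cannot verify assertion signatures")
    for cert in certs:
        try:
            der = base64.b64decode(cert, validate=True)
        except binascii.Error:
            findings.append("signing certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # DER Certificate starts with a SEQUENCE tag
            findings.append("signing certificate is not DER-encoded")

    sso = [s for s in idp.findall(f"{MD}SingleSignOnService") if s.get("Binding") in ALLOWED_BINDINGS]
    if not sso:
        findings.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    for s in sso:
        location = s.get("Location", "")
        if not location.startswith("https://"):
            findings.append(f"SSO endpoint is not HTTPS: {location}")

    formats = [f.text.strip() for f in idp.findall(f"{MD}NameIDFormat") if f.text]
    if formats and EMAIL_FORMAT not in formats:
        findings.append("NameIDFormat does not include emailAddress; check the SAML_SUBJECT mapping")
    return findings


# Constructed sample for a hypothetical IdP; the certificate is a 5-byte DER placeholder.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same hypothetical IdP with the weaknesses the check is meant to catch.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Usage: python check_idp_metadata.py [path-to-exported-metadata.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_METADATA
    findings = check_idp_metadata(text)
    for finding in findings:
        print("FINDING:", finding)
    print("metadata OK" if not findings else "metadata needs attention")
```

The script validates structure, not trust: a well-formed file from the wrong tenant would pass every check, so confirm the entityID and certificate out of band with whoever administers the IdP before you confirm the identity-source change.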

Step 3: Set up the connection to AWS SSO and enable automatic provisioning of users

3.a Get the SCIM endpoint and access token from AWS SSO

You need them to configure provisioning in PingFederate.

  1. On the AWS SSO console, in the navigation pane, choose Settings.
  2. On the Settings page, under Identity source, for Provisioning, choose Enable automatic provisioning.
  3. In the Inbound automatic provisioning dialog box, copy the SCIM endpoint and access token.
  4. Choose Close.

3.b Create a PingFederate service provider (SP) connection

  1. In PingFederate, choose Applications, choose Integration, and then choose SP Connections.
  2. Choose Create Connection. On the Connection Template page, choose Use a template for this connection. Choose AWS SSO Cloud Connector as the connection template.
  3. For Metadata File, choose Choose File and select the AWS SSO metadata file that you downloaded in Step 1. Choose Next three times.
  4. On the General Info tab, for Connection Name, enter a name and then choose Next.
  5. On the Browser SSO tab, configure the settings. For more information, see Configure IdP Browser SSO in the PingFederate Server documentation.
  6. On the Outbound Provisioning tab, configure the settings. For more information, see Configuring outbound provisioning in the PingFederate Server documentation. Choose Save.

Step 4: Test the automatic provisioning

You have configured AWS SSO to use Ping Identity Workforce360 as your external provider with automatic provisioning of users.

To test the provisioning, create a user in your PingOne identity repository or your configured PingFederate identity provider. You should see the new user automatically provisioned in AWS SSO within minutes.
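The console check above can be made repeatable from the command line. The following Python script is an added example, not code from the original post, Ping Identity or AWS: it queries the SCIM endpoint from step 3.a with the access token from the same dialog, filters on userName (the filter form AWS SSO documents for its SCIM implementation), and reports whether the user has arrived and is active. The environment variable names AWS_SSO_SCIM_ENDPOINT, AWS_SSO_SCIM_TOKEN and TEST_USER, the user jane.doe@example.com, and the sample ListResponse are all constructed for this example; only lookup_user() touches the network.

```python
"""Check that a user created in PingOne or PingFederate was provisioned into AWS SSO.

Added example (not from the original post). Queries GET {scim_endpoint}/Users
with a SCIM 2.0 filter and summarizes the result; the request builder and the
response summarizer run offline so they can be tested without an endpoint.
"""
import json
import os
import urllib.parse
import urllib.request


def build_user_lookup(scim_endpoint, access_token, user_name):
    """Return (url, headers) for GET /Users?filter=userName eq "<user_name>"."""
    # The value is quoted inside the SCIM filter and then URL-encoded, so a
    # userName containing a quote cannot break out of the filter expression.
    filt = 'userName eq "%s"' % user_name.replace('"', '\\"')
    url = scim_endpoint.rstrip("/") + "/Users?" + urllib.parse.urlencode({"filter": filt})
    headers = {
        "Authorization": "Bearer " + access_token,  # long-lived secret: never log it
        "Accept": "application/scim+json",
    }
    return url, headers


def summarize_lookup(list_response, user_name):
    """Reduce a SCIM ListResponse to the provisioning state of one user."""
    resources = list_response.get("Resources", [])
    matches = [r for r in resources if r.get("userName", "").lower() == user_name.lower()]
    if not matches:
        return {"provisioned": False, "active": False, "id": None}
    user = matches[0]
    return {"provisioned": True, "active": bool(user.get("active", False)), "id": user.get("id")}


def lookup_user(scim_endpoint, access_token, user_name, timeout=10):
    """Perform the lookup against the real endpoint (requires network access)."""
    url, headers = build_user_lookup(scim_endpoint, access_token, user_name)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_lookup(json.load(resp), user_name)


# Constructed sample response in the shape of a SCIM ListResponse for a filtered
# /Users query; the id is a placeholder, not a real identity store id.
SAMPLE_LIST_RESPONSE = {
    "totalResults": 1,
    "itemsPerPage": 1,
    "startIndex": 1,
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "Resources": [{
        "id": "90670000-0000-0000-0000-000000000001",
        "userName": "jane.doe@example.com",
        "name": {"familyName": "Doe", "givenName": "Jane"},
        "displayName": "Jane Doe",
        "active": True,
        "emails": [{"value": "jane.doe@example.com", "type": "work", "primary": True}],
    }],
}

if __name__ == "__main__":
    # Usage: AWS_SSO_SCIM_ENDPOINT=... AWS_SSO_SCIM_TOKEN=... TEST_USER=... python scim_check.py
    endpoint = os.environ.get("AWS_SSO_SCIM_ENDPOINT")
    token = os.environ.get("AWS_SSO_SCIM_TOKEN")
    user = os.environ.get("TEST_USER", "jane.doe@example.com")
    if endpoint and token:
        print(lookup_user(endpoint, token, user))
    else:
        print("offline: summarizing the constructed sample response")
        print(summarize_lookup(SAMPLE_LIST_RESPONSE, user))
```

Two operational notes. Provisioning is pushed by PingOne or PingFederate on its own schedule, so a user missing immediately after creation may simply not have synced yet; retry after a few minutes before troubleshooting the mapping. And the access token is a bearer credential for your identity store: keep it in a secrets manager or an environment variable rather than in the script, and note the expiration shown in the AWS SSO console so you can rotate it before provisioning silently stops.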

Cleanup

If you would like to return to using AWS SSO as your identity source, go back to Settings in the AWS SSO console and change your identity source to AWS SSO. Before you do, review the users, groups, and account assignments that were provisioned through SCIM, because they will no longer be managed by PingOne or PingFederate once the external identity provider is disconnected.

Conclusion

In this blog post, I showed you how to centralize the management of authentication and authorization of your users using either PingOne or PingFederate to integrate with AWS SSO. For more information about Ping Identity’s Workforce360 solutions for central authentication, see Solutions for AWS Control Tower in AWS Marketplace.

About the author

Devi Paulvannan Chapman is a Solutions Architect with Amazon Web Services. She enjoys working with customers to provide architectural and technical guidance on their cloud journey. Outside of work, she loves spending time outdoors rock climbing, hiking, and traveling to new places.
Peter Holko is a Senior Solutions Architect with Ping Identity in the Technology Alliances team. He has been solving complex Identity & Access Management problems for the Global 2000 over the last 12 years. In his spare time, he enjoys skiing and exploring the Pacific Northwest with his family.