Quick Connection Guide


Amazon Web Services Connector Version 1.0 Quick Connection Guide

© 2004-2013 Ping Identity Corporation. All rights reserved.

PingFederate Amazon Web Services Connector Quick Connection Guide
Version 1.0
January, 2014

Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202
U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
Web Site: www.pingidentity.com

Trademarks

Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners.

Disclaimer

The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Document Lifetime

Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to the online documentation at documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: January 10, 2014.

Contents

Preface 1
  About This Manual 1
    Intended Audience 1
    Summary 1
    Text Conventions 2
    Other Documentation 2
Chapter 1 Introduction 3
  Connector Overview 3
  Setup Summary 4
  System Requirements 4
  ZIP Manifest 4
Chapter 2 Installation and Setup 5
  Connector Installation 5
  Configuring Server Settings 6
  Downloading AWS SAML Metadata 7
  Obtaining AWS Access Keys 7
  Creating a SAML Identity Provider and Role in AWS 8
Chapter 3 Connecting to Amazon Web Services 9
  Configuring a Connection 9
  Assigning Groups 14
    To assign users to a provisioning group at AWS 14
  Exporting Metadata 15

Preface

About This Manual

Summary

This Guide provides procedures for configuring a PingFederate server to enable secure Internet single sign-on (SSO) for an organization's user accounts with Amazon Web Services (AWS). The Guide also provides Outbound Provisioning (formerly SaaS Provisioning) configuration information relevant to Amazon Web Services.

Intended Audience

This Guide is intended for security and network administrators and other IT professionals responsible for identity management among both internal and external business entities. For installation and configuration, some familiarity with PingFederate operations and the administrative console, as well as Amazon administration, is highly recommended.

If you are not familiar with cross-domain Internet SSO or identity federation, it might be helpful to browse through the first few sections of Getting Started and the Administrator's Manual in your PingFederate installation before continuing.

The Guide consists of the following chapters:

Chapter 1, Introduction: An overview of Connector features, system requirements, and use cases.

Chapter 2, Installation and Setup: Installation and preliminary configuration instructions.

Chapter 3, Connecting to Amazon Web Services: How to set up PingFederate to connect to Amazon Web Services.

Text Conventions

This document uses the text conventions identified below.

Table 1: Text Conventions

Convention        Description
Fixed Width       Indicates text that must be typed exactly as shown in the instructions. Also used to represent program code, file names, and directory paths.
Blue text         Indicates hypertext links.
Italic            Used for emphasis and document titles.
[text]            Used for procedures where only one step is required.
Sans serif        Identifies descriptive text on a user-interface screen. Example: Print Document dialog
Sans serif bold   Identifies menu items, navigational links, or buttons. For example: Click Save.

Other Documentation

This Guide refers frequently to information contained in manuals that are part of the core PingFederate distribution. The documents listed below are available under Product Documentation at pingidentity.com.

Tip: PingFederate provides context-sensitive Help. Click Help in the upper-right portion of the administrative console for immediate, relevant guidance and links to related information.

Getting Started: Provides an introduction to secure Internet SSO and PingFederate, including background information about federated identity management and standards, product installation instructions, and a primer on using the PingFederate administrative console.

Administrator's Manual: Provides key concepts as well as detailed instructions for using the PingFederate administrative console, as well as connection-endpoint and other Web-application developer information, a glossary, and a list of common acronyms.

Chapter 1 Introduction

Connector Overview

The PingFederate Amazon Web Services (AWS) Connector extends PingFederate capabilities, enabling enterprises to provision their users and groups to Amazon Web Services. The AWS Connector includes a quick-connection template to easily set up a single sign-on (SSO) connection that includes AWS provisioning. The Connector uses the Amazon Web Services API v1.5 to communicate with Amazon Web Services.

The PingFederate administrative console uses a quick-connection template to configure most of the settings needed to connect to Amazon Web Services (AWS) for SSO and provisioning. Choose the AWS template on the initial Connection Template screen during configuration of a Service Provider (SP) connection. This document provides instructions for filling in site-specific connection settings. Once the settings are complete, you can configure provisioning settings according to your deployment needs.

Before configuring an SSO connection to AWS, you must configure (or verify) several system settings in PingFederate. You must also download SAML 2.0 metadata from the AWS administrative site.

Tip: This Guide is intended to provide only configuration instructions associated with using the quick-connection template for SSO to AWS. After completing the SSO configuration, if you are including provisioning for the connection, please refer to Configuring Outbound Provisioning in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or see the associated Help pages during the configuration).

Setup Summary

The general steps involved in this process are outlined below, including references to applicable sections of this Guide and other PingFederate documents:

1. Install the Connector (see Connector Installation on page 5).
2. Configure Server Settings in PingFederate to enable SSO quick connections (see Configuring Server Settings on page 6).
3. Download AWS SAML Metadata to configure SSO endpoints and other information (see Downloading AWS SAML Metadata on page 7).
4. Obtain AWS Access Keys to authenticate provisioning requests (see Obtaining AWS Access Keys on page 7).
5. Create an AWS SAML Identity Provider and Role to configure an SSO connection to Amazon (see Creating a SAML Identity Provider and Role in AWS on page 8).
6. Use the quick-connection template to configure an SSO and provisioning connection to AWS (see Configuring a Connection on page 9).

System Requirements

The AWS Connector requires the installation of PingFederate 7.0.1 or higher.

ZIP Manifest

The distribution ZIP file for the AWS Connector contains the following:

ReadMeFirst.pdf: contains links to this online documentation.

/legal: contains this document:
  Legal.pdf: copyright and license information.

/dist: contains libraries needed for the Connector:
  pf-aws-quickconnection-1.0.jar: PingFederate Amazon Web Services (AWS) Connector.
  aws-java-sdk-1.5.0.jar: Amazon API JAR file.

Chapter 2 Installation and Setup

These sections provide instructions for setting up PingFederate to use the AWS Connector.

Connector Installation

To install the AWS Connector:

1. Stop the PingFederate server if it is running.
2. Unzip the AWS Connector distribution ZIP file into a holding directory.
3. From the dist directory, copy the files:
     pf-aws-quickconnection-1.0.jar
     aws-java-sdk-1.5.0.jar
   into the directory:
     <pf_install>/pingfederate/server/default/deploy
4. Edit the run.properties file located in <pf_install>/pingfederate/bin, changing the property pf.provisioner.mode to STANDALONE, for example:
     pf.provisioner.mode=STANDALONE
   The property is located near the end of the file.
   Note: For information about using the FAILOVER setting for runtime deployment, see the PingFederate Server Clustering Guide.
5. Start the PingFederate server.

Configuring Server Settings

If you have not yet used PingFederate, follow the instructions under Running PingFederate for the First Time in the "Installation" chapter of Getting Started. To enable quick connections to AWS, several selections (described in the following procedure) are required when you reach Roles and Protocols in the Configuring My Server screen sequence.

If you have already run and configured the PingFederate server, you may need to verify or change settings on the Roles and Protocols screen, including enabling Outbound Provisioning, as described in the following procedure.

To enable SSO quick connections to AWS:

1. On the Roles and Protocols screen, ensure that the IdP role is enabled and SAML 2.0 and Outbound Provisioning are selected for that role. (Click Server Settings on the Main Menu to locate this screen after initial installation.)
   Tip: This setting enables provisioning globally for all connections to supported providers. However, you have a choice of including provisioning or not during the configuration of specific connections.

2. Click Next to continue the Configuring My Server task (or Save for an existing configuration).
   Note: Enabling Outbound Provisioning adds a new screen to the task flow, requiring selection of a database used to monitor provisioning status. For more information, see Configuring Outbound Provisioning Settings in the "System Settings" chapter of the PingFederate Administrator's Guide (or click Help from the configuration screen).

Downloading AWS SAML Metadata

The AWS quick-connection template uses SAML 2.0 metadata from AWS to configure SSO endpoints and other information. Download the AWS metadata XML file before creating the AWS connection in PingFederate.

To download SAML 2.0 Metadata for AWS:

1. Access the following URL: https://signin.aws.amazon.com/static/saml-metadata.xml
2. Save the XML file to a desired location.

Obtaining AWS Access Keys

You need to specify a token and secret while configuring AWS provisioning in PingFederate. These credentials are used to authenticate provisioning requests.
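The metadata file downloaded above is what the quick-connection template reads to learn the partner's entity ID and Assertion Consumer Service (ACS) endpoints. The following script is an added example, not part of this guide or of the Connector, showing what an administrator can extract and sanity-check from such a file before importing it. The embedded XML is a constructed sample with illustrative entity ID, endpoint and dates; the real values come from the AWS file at the URL in the procedure. The checks (HTTPS endpoints, signed-assertion requirement, validUntil, presence of an XML signature) are the reviewer's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata and XML-DSig namespaces
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an SP's SAML 2.0 metadata file (not AWS's file).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp" validUntil="2014-12-31T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_utc(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by validUntil into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sp_metadata(xml_text):
    """Extract what an IdP needs from SP metadata: entity ID, ACS endpoints,
    NameID formats, signing expectations and validity."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this metadata does not describe a service provider")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "signed": root.find("ds:Signature", NS) is not None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
        "acs": [
            {"binding": e.get("Binding"), "location": e.get("Location"),
             "index": e.get("index"), "default": e.get("isDefault") == "true"}
            for e in sp.findall("md:AssertionConsumerService", NS)
        ],
    }


def check_sp_metadata(info, now=None):
    """Return a list of problems to resolve before importing the metadata.
    'now' may be an aware datetime or a 'YYYY-MM-DDTHH:MM:SSZ' string (defaults to the current time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_utc(now)
    problems = []
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for ep in info["acs"]:
        if not (ep["location"] or "").startswith("https://"):
            problems.append("ACS endpoint is not HTTPS: %s" % ep["location"])
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    if not info["signed"]:
        problems.append("metadata is not signed: its only provenance is the TLS download "
                        "from the publisher's site, so verify that source")
    if info["valid_until"] and _parse_utc(info["valid_until"]) <= now:
        problems.append("metadata expired on %s" % info["valid_until"])
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], [e["location"] for e in info["acs"]])
    for p in check_sp_metadata(info, now="2014-06-01T00:00:00Z"):
        print("WARNING:", p)
```

To run it against the real file, replace SAMPLE_METADATA with the contents of the downloaded saml-metadata.xml; the entity ID and ACS location it prints are the values the template will place into the connection's General Info and protocol settings.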

To obtain AWS access keys:

1. Using your AWS administration account, access the AWS Management Console.
2. Copy the Access Key ID and the Access Key Secret. For information on getting your access key ID and secret access key, see the AWS documentation (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html).

Note: Complete the AWS SSO configuration by configuring the SP connection (see the section Connecting to Amazon Web Services).

Creating a SAML Identity Provider and Role in AWS

You need to create a SAML Identity Provider and Role using your AWS Administrative account to use when configuring an SSO connection. The Identity Provider setup requires the SAML 2.0 Metadata file from the SP connection that SSO is initiated from.

For more information on creating SAML Identity Providers on AWS, see the following AWS Documentation: http://docs.aws.amazon.com/iam/latest/userguide/idpmanaging-identityproviders.html

For more information on creating Roles in AWS, see the following AWS Documentation: http://docs.aws.amazon.com/iam/latest/userguide/createrole-saml.html

Chapter 3 Connecting to Amazon Web Services

Configuring a Connection

To complete this configuration, use this section to configure a secure SSO connection for SSO and provisioning to Amazon Web Services (AWS). Use the following procedure to configure a quick connection for SSO and provisioning to Amazon Web Services.

Tip: This procedure provides instructions for configuring minimum required connection settings; the instructions skip setup screens in which all necessary information is automatically configured (or in which standard defaults are used). The administrative console guides you to required configuration steps automatically by displaying prompts at entry points for the task flows. In general, you may add or change settings on all screens to suit any special requirements.

To configure a connection to AWS:

1. If you have not already done so, follow the instructions under Configuring Server Settings on page 6.
2. If you have not already done so, use PingFederate to configure the IdP adapter you want to use. For information and instructions, see Configuring IdP Adapters in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide.
3. On the Main Menu, click Create New under SP Connections in the IdP Configuration section.

4. On the Connection Template screen, select AWS in the Connection Template drop-down list. If this selection is not available, verify the Connector installation and restart PingFederate.
5. Click Browse to locate and select the AWS metadata file that you downloaded in the Downloading AWS SAML Metadata section and click Next.
6. On the Connection Type screen, ensure you select both Browser SSO Profiles and Outbound Provisioning and click Next.
7. (Optional) On the Connection Options screen, ensure you select the Browser SSO option.
8. Click Next.
9. On the General Info screen, ensure the Partner's Entity ID (Connection ID) and Connection Name are accurate. Change details if required and click Next.
10. Click Configure Browser SSO on the Browser SSO screen.

11. On the Assertion Creation screen, click Configure Assertion Creation.
12. On the IdP Adapter Mapping screen, click Map New Adapter Instance and map the IdP Adapter Instance you defined earlier in this procedure. When you return to the IdP Adapter Mapping screen, click Done.
    This configuration is site-dependent and cannot be pre-configured. For detailed information and instructions, see IdP Adapter Mapping in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or refer to the Help pages).
13. On the Assertion Creation screen, click Next.

14. On the Protocol Settings screen, click Done.
    Tip: This task is completely configured for you, but click Configure Protocol Settings if you want to review the setup or make changes to any special AWS requirements. For configuration information, see sections under Configuring Protocol Settings in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or use the context-sensitive Help).
15. On the Browser SSO screen, click Next.
16. On the Credentials screen, click Configure Credentials.
17. On the Digital Signature Settings screen, select a signing certificate. For more information, see Configuring Digital Signature Settings in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or click Help).
    If you have not yet created or imported a signing certificate, click Manage Certificates and do so now (see Digital Signing and Decryption Keys and Certificates in the "Security Management" chapter of the PingFederate Administrator's Guide).
18. Click Done and then Next on the Credentials screen.
19. On the Outbound Provisioning screen, click Configure Provisioning.
20. On the Target screen, enter the AWS credentials from the Obtaining AWS Access Keys section by entering the Access Key ID into the accesskey field and entering the Secret Access Key into the accesskeysecret field.
21. Click Next to continue the provisioning configuration. For more information, see the sections under Configuring Outbound Provisioning in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or refer to the Help pages).
    Tip: If you are not ready to complete the provisioning configuration, you can click Save and return to the configuration screen later (from the Manage Connections screen: click Manage All SP on the Main Menu).

22. When you return to the Outbound Provisioning screen, click Next.
23. On the Activation and Summary screen, click Save. For information about how to map users into groups, see Assigning Groups next. For important information about using this screen, see Editing and Activating a Connection in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide (or click Help).
24. Export the metadata for the SP connection you just created to use when creating your SAML Identity Provider in AWS. For more information, see Exporting Metadata in the "System Administration" chapter of the PingFederate Administrator's Guide (or click Help).
25. Create a SAML Identity Provider and Role in AWS. For information on creating a SAML Identity Provider and Roles in AWS, see Creating a SAML Identity Provider and Role in AWS on page 8.
26. On the Main Menu, select your SP Connection.
27. On the Activation and Summary page, select Attribute Contract in the Assertion Creation section.
28. On the Attribute Contract screen, in addition to SAML_SUBJECT, the following attributes are required:
      https://aws.amazon.com/saml/attributes/role
      https://aws.amazon.com/saml/attributes/rolesessionname
29. Enter each attribute and click Add.
30. Once the attributes are added, click Done.
31. On the IdP Adapter Mapping page, select the adapter you updated the attribute contract for.
32. On the Attribute Contract Fulfillment page, complete the configuration for the new contract attributes and click Done.
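Steps 28 through 32 add the two AWS attributes to the contract, but the guide does not say what values the fulfillment must produce. The script below is an added example, not part of this guide or of the Connector: it checks a proposed set of contract values against the shape AWS documents for these attributes (the role attribute carries a role ARN and a SAML provider ARN separated by a comma; the session name is 2 to 64 characters of letters, digits and +=,.@-_), and renders the result as the saml:AttributeStatement an assertion would carry. The account ID, role name and provider name in SAMPLE_ATTRS are constructed placeholders. Accepting the two ARNs in either order, and requiring both to belong to one account, is this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names from the contract in step 28
ROLE_ATTR = "https://aws.amazon.com/saml/attributes/role"
SESSION_ATTR = "https://aws.amazon.com/saml/attributes/rolesessionname"

# Shape of the two ARNs that make up one role attribute value
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([^,\s]+)$")
# RoleSessionName limits as documented for STS AssumeRoleWithSAML (2-64 chars of [\w+=,.@-])
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

ACCOUNT = "123456789012"  # constructed placeholder account ID
SAMPLE_ATTRS = {            # constructed example of fulfilled contract values
    "SAML_SUBJECT": ["jdoe"],
    ROLE_ATTR: ["arn:aws:iam::%s:role/PF-ReadOnly,"
                "arn:aws:iam::%s:saml-provider/PingFederate" % (ACCOUNT, ACCOUNT)],
    SESSION_ATTR: ["jdoe@example.com"],
}


def parse_role_value(value):
    """Split 'role-arn,provider-arn' into (role_arn, provider_arn).
    Either order is accepted; exactly one of each kind, and both in the same account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("role value must be exactly two comma-separated ARNs: %r" % value)
    found = {}
    for p in parts:
        m = ARN_RE.match(p)
        if not m:
            raise ValueError("not an IAM role/provider ARN: %r" % p)
        acct, kind, _name = m.groups()
        if kind in found:
            raise ValueError("two %s ARNs in one value: %r" % (kind, value))
        found[kind] = (acct, p)
    if len(found) != 2:
        raise ValueError("value needs one role ARN and one saml-provider ARN: %r" % value)
    if found["role"][0] != found["saml-provider"][0]:
        raise ValueError("role and provider belong to different accounts: %r" % value)
    return found["role"][1], found["saml-provider"][1]


def validate_aws_attributes(attrs):
    """attrs maps contract attribute name -> list of values. Returns a list of problems (empty = OK)."""
    problems = []
    if not attrs.get("SAML_SUBJECT") or not attrs["SAML_SUBJECT"][0]:
        problems.append("SAML_SUBJECT missing or empty")
    roles = attrs.get(ROLE_ATTR) or []
    if not roles:
        problems.append("%s missing: AWS has no role to assume" % ROLE_ATTR)
    for v in roles:
        try:
            parse_role_value(v)
        except ValueError as e:
            problems.append(str(e))
    names = attrs.get(SESSION_ATTR) or []
    if len(names) != 1:
        problems.append("%s must have exactly one value" % SESSION_ATTR)
    elif not SESSION_NAME_RE.match(names[0]):
        problems.append("invalid RoleSessionName: %r" % names[0])
    return problems


def build_attribute_statement(attrs):
    """Render the contract as the saml:AttributeStatement an assertion would carry.
    SAML_SUBJECT is skipped: it travels in saml:Subject/NameID, not as an attribute."""
    SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
    ET.register_namespace("saml", SAML)
    stmt = ET.Element("{%s}AttributeStatement" % SAML)
    for name, values in attrs.items():
        if name == "SAML_SUBJECT":
            continue
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML, Name=name)
        for v in values:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML).text = v
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    for p in validate_aws_attributes(SAMPLE_ATTRS):
        print("PROBLEM:", p)
    print(build_attribute_statement(SAMPLE_ATTRS))
```

A user whose directory entry yields several role values gets one AttributeValue per role; AWS then offers the user a choice at sign-in. A mismatch between the account in the role ARN and the account that owns the SAML provider is the most common fulfillment mistake this catches before the connection goes live.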

33. On the IdP Adapter Mapping page, click Done.
34. On the Assertion Creation page, click Done.
35. On the Browser SSO page, click Save.

Assigning Groups

On the Attribute Mapping screen in the provisioning configuration flow, one provisioning field for AWS requires special mapping:

Groups: Used to assign users in the provisioning channel to one or more groups.

The following procedure provides details on mapping this field to accomplish the associated provisioning feature where needed.

To assign users to a provisioning group at AWS:

1. On the Attribute Mapping screen, click Edit for the Groups field.
2. On the Specify Attribute Mapping screen, select the Root Object Class and add the attribute containing the group(s) to which the user belongs and corresponding to groups to be assigned at AWS.
3. In the Options section of the screen, select Extract CN from DN in the Parsing drop-down list.
4. For more information on Mapping Attributes, see Mapping Attributes in the "Identity Provider SSO Configuration" chapter of the PingFederate Administrator's Guide.
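The Extract CN from DN parsing option in step 3 turns each group DN in the source attribute into a bare group name for the AWS channel. The following script is an added example, not part of this guide or of PingFederate, that performs that extraction offline so an administrator can preview which AWS group names a user's directory memberships will produce. It follows the RFC 4514 rules for escaped commas ("\,"), hex escapes ("\2C") and multi-valued RDNs joined with "+"; whether the console's own parser handles every one of these cases is not stated in the guide, so treat differences as something to test. The memberOf values in SAMPLE_MEMBER_OF are constructed.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample: what a directory's memberOf attribute might hold for one user
SAMPLE_MEMBER_OF = [
    "CN=AWS-Admins,OU=Groups,DC=example,DC=com",
    "cn=Dev\\, Team,OU=Groups,DC=example,DC=com",    # escaped comma inside the name
    "CN=Sales\\2CEMEA,OU=Groups,DC=example,DC=com",  # hex-escaped comma
    "OU=NoName,DC=example,DC=com",                    # no CN at all: dropped
]


def _split_escaped(text, sep):
    """Split on sep while leaving backslash-escaped characters (e.g. '\\,') intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_rdn_value(value):
    """Resolve RFC 4514 escapes: '\\,' -> ',', '\\2C' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if HEX_PAIR.fullmatch(value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def extract_cn(dn):
    """Return the CN of the first (leftmost) RDN that carries one, or None if the DN has no CN."""
    for rdn in _split_escaped(dn, ","):
        for ava in _split_escaped(rdn, "+"):   # multi-valued RDNs use '+'
            attr, sep, val = ava.partition("=")
            if sep and attr.strip().lower() == "cn":
                return unescape_rdn_value(val.strip())
    return None


def group_names(member_of):
    """Map the DNs of a multi-valued group attribute to the names a CN-extracting
    mapping yields; DNs without a CN are dropped rather than passed through as DNs."""
    names = []
    for dn in member_of:
        cn = extract_cn(dn)
        if cn is not None:
            names.append(cn)
    return names


if __name__ == "__main__":
    for dn in SAMPLE_MEMBER_OF:
        print("%-45s -> %r" % (dn, extract_cn(dn)))
    print(group_names(SAMPLE_MEMBER_OF))
```

Two things to watch when previewing real data: group names that contain commas survive only if the directory escapes them as RFC 4514 requires, and entries without a CN (organizational units, for example) produce no group at AWS, so a provisioning channel that silently drops them should be checked against the intended AWS group list.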

Exporting Metadata

For SAML deployments, PingFederate supports the export and import of metadata files, which federation partners can use to expedite their configuration. Once your AWS Quick Connection is configured, the metadata needs to be exported. For more information, see Exporting Metadata in the "System Administration" chapter of the PingFederate Administrator's Guide (or click Help).