

# PingOne
<a name="pingone-idp"></a>

IAM Identity Center supports automatic provisioning (synchronization) of user information from the PingOne product by Ping Identity (hereafter “Ping”) into IAM Identity Center. This provisioning uses the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You configure this connection in PingOne using your IAM Identity Center SCIM endpoint and access token. When you configure SCIM synchronization, you create a mapping of your user attributes in PingOne to the named attributes in IAM Identity Center. This causes the expected attributes to match between IAM Identity Center and PingOne.

The following steps walk you through how to enable automatic provisioning of users from PingOne to IAM Identity Center using the SCIM protocol.

**Note**  
Before you begin deploying SCIM, we recommend that you first review the [Considerations for using automatic provisioning](provision-automatically.md#auto-provisioning-considerations). Then continue reviewing additional considerations in the next section.

**Topics**
+ [Prerequisites](#pingone-prereqs)
+ [Considerations](#pingone-considerations)
+ [Step 1: Enable provisioning in IAM Identity Center](#pingone-step1)
+ [Step 2: Configure provisioning in PingOne](#pingone-step2)
+ [(Optional) Step 3: Configure user attributes in PingOne for access control in IAM Identity Center](#pingone-step3)
+ [(Optional) Passing attributes for access control](#pingone-passing-abac)
+ [Troubleshooting](#pingone-troubleshooting)

## Prerequisites
<a name="pingone-prereqs"></a>

You'll need the following before you can get started:
+ A PingOne subscription or free trial, with both federated authentication and provisioning capabilities. For more information about how to obtain a free trial, see the [https://www.pingidentity.com/en/trials.html](https://www.pingidentity.com/en/trials.html) website.
+ An IAM Identity Center-enabled account ([free](https://aws.amazon.com/single-sign-on/)). For more information, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/setup-enable-idc.html).
+ The PingOne IAM Identity Center application added to your PingOne admin portal. You can obtain the PingOne IAM Identity Center application from the PingOne Application Catalog. For general information, see [Add an application from the Application Catalog](https://docs.pingidentity.com/pingone/applications/p1_applicationcatalog.html) on the Ping Identity website.
+ A SAML connection from your PingOne instance to IAM Identity Center. After the PingOne IAM Identity Center application has been added to your PingOne admin portal, you must use it to configure a SAML connection from your PingOne instance to IAM Identity Center. Use the “download” and “import" metadata feature on both ends to exchange SAML metadata between PingOne and IAM Identity Center. For instructions on how to configure this connection, see the PingOne documentation.
+ If you replicated IAM Identity Center to additional Regions, you must update your identity provider configuration to enable access to AWS managed applications and AWS accounts from those Regions. For more details, see [Step 3: Update external IdP setup](replicate-to-additional-region.md#update-external-idp-setup). See the PingOne documentation for additional details.

## Considerations
<a name="pingone-considerations"></a>

The following are important considerations about PingOne that can affect how you implement provisioning with IAM Identity Center.
+ PingOne does not support provisioning of groups through SCIM. Contact Ping for the latest information on group support in SCIM for PingOne.
+ Users may continue to be provisioned from PingOne after disabling provisioning in the PingOne admin portal. If you need to terminate provisioning immediately, delete the relevant SCIM bearer token, and/or disable [Provision users and groups from an external identity provider using SCIM](provision-automatically.md) in IAM Identity Center.
+ If an attribute for a user is removed from the data store configured in PingOne, that attribute will not be removed from the corresponding user in IAM Identity Center. This is a known limitation in PingOne’s provisioner implementation. If an attribute is modified, the change will be synchronized to IAM Identity Center.
+ The following are important notes regarding your SAML configuration in PingOne:
  + IAM Identity Center supports only `emailaddress` as a `NameId` format. This means you need to choose a user attribute that is unique within your directory in PingOne, non-null, and formatted as an email/UPN (for example, user@domain.com) for your **SAML_SUBJECT** mapping in PingOne. **Email (Work)** is a reasonable value to use for test configurations with the PingOne built-in directory.
  + Users in PingOne with an email address containing a **+** character may be unable to sign in to IAM Identity Center, with errors such as `'SAML_215'` or `'Invalid input'`. To fix this, in PingOne, choose the **Advanced** option for the **SAML_SUBJECT** mapping in **Attribute Mappings**. Then set **Name ID Format to send to SP:** to **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress** in the drop-down menu.

## Step 1: Enable provisioning in IAM Identity Center
<a name="pingone-step1"></a>

In this first step, you use the IAM Identity Center console to enable automatic provisioning.

**To enable automatic provisioning in IAM Identity Center**

1. After you have completed the prerequisites, open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings** in the left navigation pane.

1. On the **Settings** page, locate the **Automatic provisioning** information box, and then choose **Enable**. This immediately enables automatic provisioning in IAM Identity Center and displays the necessary SCIM endpoint and access token information.

1. In the **Inbound automatic provisioning** dialog box, copy the SCIM endpoint and access token. You'll need to paste these in later when you configure provisioning in your IdP.

   1. **SCIM endpoint** - For example, https://scim.*us-east-2*.amazonaws.com/*11111111111-2222-3333-4444-555555555555*/scim/v2

   1. **Access token** - Choose **Show token** to copy the value.

      **Warning**  
      This is the only time where you can obtain the SCIM endpoint and access token. Ensure you copy these values before moving forward. You will enter these values to configure automatic provisioning in your IdP later in this tutorial.

1. Choose **Close**.

Now that you have set up provisioning in the IAM Identity Center console, you need to complete the remaining tasks using the PingOne IAM Identity Center application. These steps are described in the following procedure. 

## Step 2: Configure provisioning in PingOne
<a name="pingone-step2"></a>

Use the following procedure in the PingOne IAM Identity Center application to enable provisioning with IAM Identity Center. This procedure assumes that you have already added the PingOne IAM Identity Center application to your PingOne admin portal. If you have not yet done so, refer to [Prerequisites](#pingone-prereqs), and then complete this procedure to configure SCIM provisioning. 

**To configure provisioning in PingOne**

1. Open the PingOne IAM Identity Center application that you installed as part of configuring SAML for PingOne (**Applications** > **My Applications**). See [Prerequisites](#pingone-prereqs).

1. Scroll to the bottom of the page. Under **User Provisioning**, choose the **complete** link to navigate to the user provisioning configuration of your connection.

1. On the **Provisioning Instructions** page, choose **Continue to Next Step**.

1. In the previous procedure, you copied the **SCIM endpoint** value in IAM Identity Center. Paste that value into the **SCIM URL** field in the PingOne IAM Identity Center application. Also, in the previous procedure you copied the **Access token** value in IAM Identity Center. Paste that value into the **ACCESS_TOKEN** field in the PingOne IAM Identity Center application.

1. For **REMOVE_ACTION**, choose either **Disabled** or **Deleted** (see the description text on the page for more details).

1. On the **Attribute Mapping** page, choose a value to use for the **SAML_SUBJECT** (`NameId`) assertion, following guidance from [Considerations](#pingone-considerations) earlier on this page. Then choose **Continue to Next Step**.

1. On the **PingOne App Customization - IAM Identity Center** page, make any desired customization changes (optional), and click **Continue to Next Step**.

1. On the **Group Access** page, choose the groups containing the users you would like to enable for provisioning and single sign-on to IAM Identity Center. Choose **Continue to Next Step**.

1. Scroll to the bottom of the page, and choose **Finish** to start provisioning.

1. To verify that users have been successfully synchronized to IAM Identity Center, return to the IAM Identity Center console and choose **Users**. Synchronized users from PingOne will appear on the **Users** page. These users can now be assigned to accounts and applications within IAM Identity Center.

   Remember that PingOne does not support provisioning of groups or group memberships through SCIM. Contact Ping for more information.
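Besides checking the **Users** page, you can confirm that a PingOne user reached IAM Identity Center by querying the same SCIM v2.0 endpoint PingOne writes to. The following script is an added example (not from this page, AWS, or Ping); it assumes the SCIM endpoint and access token from Step 1 are supplied in environment variables named `SCIM_ENDPOINT` and `SCIM_TOKEN` (names chosen here), and the embedded response is a constructed sample so the parsing can be exercised offline.

```python
import json
import os
import urllib.parse
import urllib.request


def build_user_lookup(endpoint, token, user_name):
    """Build a SCIM v2.0 GET {endpoint}/Users request filtered on userName.

    The access token is a bearer secret: keep it out of logs and source control.
    """
    # SCIM filter grammar is: userName eq "value"; a quote inside the value is escaped.
    escaped = user_name.replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    url = f"{endpoint.rstrip('/')}/Users?{query}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return urllib.request.Request(url, headers=headers)


def summarize_list_response(body):
    """Reduce a SCIM ListResponse to what a provisioning check needs: per user,
    whether it is active, which externalId PingOne assigned, and its emails."""
    data = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in data.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = {}
    for res in data.get("Resources", []):
        users[res["userName"]] = {
            "active": bool(res.get("active", False)),
            "external_id": res.get("externalId"),
            "emails": [e.get("value") for e in res.get("emails", [])],
        }
    return {"total": data.get("totalResults", 0), "users": users}


# Constructed sample in the shape of a SCIM v2.0 ListResponse (not captured from AWS).
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
        "id": "EXAMPLE-IDC-USER-ID",
        "userName": "jane.doe@example.com",
        "externalId": "EXAMPLE-PINGONE-ID",
        "active": True,
        "emails": [{"value": "jane.doe@example.com", "primary": True}],
    }],
})

if __name__ == "__main__":
    req = build_user_lookup(os.environ["SCIM_ENDPOINT"], os.environ["SCIM_TOKEN"],
                            "jane.doe@example.com")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(summarize_list_response(resp.read().decode()))
```

A `totalResults` of 0 for a user PingOne reports as provisioned points at the mapping or group-access settings in Step 2 rather than at IAM Identity Center.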

## (Optional) Step 3: Configure user attributes in PingOne for access control in IAM Identity Center
<a name="pingone-step3"></a>

This is an optional procedure for PingOne if you choose to configure attributes for IAM Identity Center to manage access to your AWS resources. The attributes that you define in PingOne are passed in a SAML assertion to IAM Identity Center. You then create a permission set in IAM Identity Center to manage access based on the attributes you passed from PingOne.

Before you begin this procedure, you must first enable the [Attributes for access control](attributesforaccesscontrol.md) feature. For more information about how to do this, see [Enable and configure attributes for access control](configure-abac.md).

**To configure user attributes in PingOne for access control in IAM Identity Center**

1. Open the PingOne IAM Identity Center application that you installed as part of configuring SAML for PingOne (**Applications > My Applications**).

1. Choose **Edit**, and then choose **Continue to Next Step** until you get to the **Attribute Mappings** page. 

1. On the **Attribute Mappings** page, choose **Add new attribute**, and then do the following. You must perform these steps for each attribute you will add for use in IAM Identity Center for access control.

   1. In the **Application Attribute** field, enter `https://aws.amazon.com/SAML/Attributes/AccessControl:AttributeName`. Replace *AttributeName* with the name of the attribute you are expecting in IAM Identity Center. For example, `https://aws.amazon.com/SAML/Attributes/AccessControl:Email`.

   1. In the **Identity Bridge Attribute or Literal Value** field, choose user attributes from your PingOne directory. For example, **Email (Work)**.

1. Choose **Next** a few times, and then choose **Finish**.

## (Optional) Passing attributes for access control
<a name="pingone-passing-abac"></a>

You can optionally use the [Attributes for access control](attributesforaccesscontrol.md) feature in IAM Identity Center to pass an `Attribute` element with the `Name` attribute set to `https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey}`. This element allows you to pass attributes as session tags in the SAML assertion. For more information about session tags, see [Passing session tags in AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the *IAM User Guide*.

To pass attributes as session tags, include the `AttributeValue` element that specifies the value of the tag. For example, to pass the tag key-value pair `CostCenter = blue`, use the following attribute.

```
<saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
    <saml:AttributeValue>blue</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```

If you need to add multiple attributes, include a separate `Attribute` element for each tag. 
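The two assertion requirements this page states, the `emailAddress` NameID format from the Considerations section and the `AccessControl:{TagKey}` attribute naming above, can be checked on an assertion you captured from your own PingOne tenant before you rely on it. The script below is an added example (not from this page, AWS, or Ping); the sample assertion is constructed, and the script inspects structure only, so it does not replace the signature validation IAM Identity Center performs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"


def check_name_id(assertion):
    """Return (ok, detail): IAM Identity Center accepts only the emailAddress NameID format."""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        return False, "NameID missing or empty"
    if name_id.get("Format") != EMAIL_FORMAT:
        return False, f"NameID Format is {name_id.get('Format')!r}, expected emailAddress"
    if "@" not in value:
        return False, f"NameID {value!r} is not shaped like an email/UPN"
    return True, value


def session_tags(assertion):
    """Collect AccessControl:{TagKey} attributes as a tag dict; other attributes are ignored."""
    tags = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(TAG_PREFIX):
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if len(values) != 1:  # one Attribute element per tag, each with a single value
            raise ValueError(f"{name} must carry exactly one AttributeValue")
        tags[name[len(TAG_PREFIX):]] = values[0]
    return tags


def inspect(xml_text):
    """Parse an assertion captured from your own IdP; no signature check is done here."""
    root = ET.fromstring(xml_text)
    ok, detail = check_name_id(root)
    return {"name_id_ok": ok, "detail": detail, "tags": session_tags(root)}


# Constructed sample assertion: one session tag plus an unrelated attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
      <saml:AttributeValue>blue</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue>eng</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A `name_id_ok` of `False` with a non-emailAddress format is the condition behind the `SAML_215` sign-in error described in the Considerations section.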

## Troubleshooting
<a name="pingone-troubleshooting"></a>

For general SCIM and SAML troubleshooting with PingOne, see the following sections:
+ [Specific users fail to synchronize into IAM Identity Center from an external SCIM provider](troubleshooting.md#issue2)
+ [Issues regarding contents of SAML assertions created by IAM Identity Center](troubleshooting.md#issue1)
+ [Duplicate user or group error when provisioning users or groups with an external identity provider](troubleshooting.md#duplicate-user-group-idp)
+ For more information on PingOne, see [PingOne documentation](https://docs.pingidentity.com/pingone/p1_cloud__platform_main_landing_page.html).

The following resources can help you troubleshoot as you work with AWS:
+ [AWS re:Post](https://repost.aws/) - Find FAQs and links to other resources to help you troubleshoot issues.
+ [AWS Support](https://aws.amazon.com/premiumsupport/) - Get technical support.