Adding an identity provider - Amazon
Adding Amazon as an external identity provider (IdP) gives your users the option to sign on with Amazon when accessing your application.
Before you begin
Ensure that you have:
- A PingOne organization with an environment added. Learn more in Starting a PingOne trial.
- Added your application to PingOne. Learn more in Adding an application.
- An Amazon account.
Creating a security profile with Amazon
Before you can set up Amazon as an external IdP, you must create a security profile for your application. Learn more in Register for Login with Amazon.
Before you begin
Ensure that you have the following information for your application:
- Name
- Description
- Privacy notice URL
- Logo (optional)
Steps
- Go to the Amazon Developer Console and sign on to your account.
  If you don’t have an account, you can create one now.
- Click Create a New Security Profile.
- Enter the following:
  - Security Profile Name: A unique identifier for the application, which will appear on the consent page when users agree to sign on with Amazon.
  - Security Profile Description: A brief description of the application.
  - Privacy Notice URL: The location of the privacy notice for your application.
  - Consent Logo Image (optional): The image that appears on the consent page to represent your application.
- Click Save.
Enabling Login with Amazon
If you created a new security profile, Login with Amazon should be enabled by default. If you are adding an application to an existing security profile, enable Login with Amazon.
Steps
- Go to the Amazon Developer Console.
  Result: You are asked to sign on to the Developer Console.
- Click Select a security profile, then choose your security profile in the menu.
- Click Confirm.
- In the form that opens, enter a Consent Privacy Notice URL.
  This is the location of your application’s privacy policy.
- Click Save.
Getting the client ID and client secret
Copy the client ID and client secret from the Amazon Developer Console. You’ll need these values when you add the application to PingOne.
Steps
- Go to the Amazon Developer Console and locate the appropriate security profile.
- Click Web Settings.
- Copy the Client ID and Client secret to a secure location.
  You can always access these values on the Amazon Developer Console.
Adding Amazon as an identity provider in PingOne
Configure the IdP connection in PingOne.
Before you begin
You should have the following information ready:
- Client ID
- Client secret
Ensure that registration is enabled in the authentication policy. Learn more in Editing an authentication policy.
Steps
- In the PingOne admin console, go to Integrations > External IdPs and click .
- Click Amazon.
- Click Next.
- On the Add External Identity Provider page, enter the following information:
  - Name: A unique identifier for the IdP.
  - Description (optional): A brief description of the IdP.
  - Population: A population that overrides the authentication policy’s registration population and enables just-in-time registration from the IdP.
  You can’t change the Icon and Sign-on Button, in accordance with the provider’s brand standards.
- Click Next.
- Configure the connection and enter the following information:
  - Client ID: The application ID that you copied earlier from the IdP. You can find this information on the Amazon Developer Console.
  - Client secret: The application secret that you copied earlier from the IdP. You can find this information on the Amazon Developer Console.
  - Callback URL: Copy the Callback URL to a secure location. You’ll provide this value to the IdP later.
- Click Next.
- Define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.
  - Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.
  - To add an attribute, click Add.
  - To use the advanced expression builder, click the Gear icon. Learn more in Using the expression builder.
  - Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:
    - Empty only: Update the PingOne attribute only if the existing attribute is empty.
    - Always: Always update the PingOne directory attribute.
  You can map the following attributes provided by Amazon:
  - email
  - name
  - user_id
  - postal_code
- Click Save.
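As an added example that is not part of this documentation and is not PingOne's or Amazon's code, the following Python models what the two update conditions above (Empty only and Always) mean for a directory record each time an Amazon user signs on, including the just-in-time registration case where no record exists yet. It assumes the IdP returns a flat profile with the four Amazon attribute names listed on this page (email, name, user_id, postal_code); the PingOne-side attribute names (externalId, email, name, postalCode) and all sample values are constructed for illustration.

```python
# Added example (not PingOne's or Amazon's code): applying an attribute mapping
# with the "Empty only" and "Always" update conditions to a user record on sign-on.
#
# Assumptions: the IdP profile is a flat dict using the Amazon attribute names
# from the page (email, name, user_id, postal_code); the PingOne-side attribute
# names (externalId, email, name, postalCode) and all sample values are constructed.
from dataclasses import dataclass
from typing import Any, Dict, Iterable, Optional

EMPTY_ONLY = "Empty only"  # write only when the directory attribute is currently empty
ALWAYS = "Always"          # overwrite the directory attribute on every sign-on


@dataclass(frozen=True)
class Mapping:
    pingone_attr: str  # attribute on the PingOne user record
    idp_attr: str      # attribute in the profile returned by Amazon
    update: str        # EMPTY_ONLY or ALWAYS


def is_empty(value: Any) -> bool:
    """Treat None and blank strings as 'empty' for the Empty only condition."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def apply_mappings(user: Optional[Dict[str, Any]],
                   profile: Dict[str, Any],
                   mappings: Iterable[Mapping]) -> Dict[str, Any]:
    """Return the user record as it looks after one sign-on through the IdP.

    user=None models just-in-time registration: the record starts empty, so every
    mapped attribute the IdP supplied is written whatever the update condition is.
    The input record is not mutated.
    """
    updated: Dict[str, Any] = dict(user) if user else {}
    for m in mappings:
        value = profile.get(m.idp_attr)
        if is_empty(value):
            # The IdP did not supply this attribute: leave the directory value
            # alone instead of blanking it out.
            continue
        if m.update == ALWAYS:
            updated[m.pingone_attr] = value
        elif m.update == EMPTY_ONLY:
            if is_empty(updated.get(m.pingone_attr)):
                updated[m.pingone_attr] = value
        else:
            raise ValueError(f"unknown update condition: {m.update!r}")
    return updated


# Constructed sample data. The Amazon user_id value is a placeholder, not a real id.
MAPPINGS = [
    Mapping("externalId", "user_id", ALWAYS),   # keep the link to the IdP account current
    Mapping("email", "email", EMPTY_ONLY),      # never let the IdP overwrite a login identifier
    Mapping("name", "name", EMPTY_ONLY),
    Mapping("postalCode", "postal_code", ALWAYS),
]

AMAZON_PROFILE = {
    "user_id": "amzn1.account.PLACEHOLDER",
    "email": "alex@example.com",
    "name": "Alex Example",
    "postal_code": "98101",
}

# An existing directory record: email already set, name blank, no IdP link yet.
EXISTING_USER = {
    "username": "alex",
    "email": "alex@corp.example",
    "name": "",
    "postalCode": "10001",
    "externalId": None,
}


def existing_user_after_signon() -> Dict[str, Any]:
    """Empty only keeps the directory email, fills the blank name; Always overwrites the rest."""
    return apply_mappings(EXISTING_USER, AMAZON_PROFILE, MAPPINGS)


def new_user_after_signon() -> Dict[str, Any]:
    """Just-in-time registration: every supplied attribute lands in the new record."""
    return apply_mappings(None, AMAZON_PROFILE, MAPPINGS)


if __name__ == "__main__":
    print(existing_user_after_signon())
    print(new_user_after_signon())
```

Running the block shows the practical difference between the two conditions: with Empty only on email, the existing record keeps alex@corp.example even though the Amazon profile carries a different address, while Always on postalCode replaces 10001 with the IdP's 98101. Attributes the IdP leaves out are never written, so a missing postal_code does not clear the stored value.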
Adding the callback URL to the Amazon Developer Console
Copy the callback URL from the PingOne admin console and paste it in the Amazon Developer Console.
Steps
- In the PingOne admin console, go to Integrations > External IdPs and browse or search for the appropriate IdP.
- Click the IdP to open the details panel.
- On the Connection tab, copy the Callback URL to a secure location.
- Go to the Amazon Developer Console.
- Select the appropriate profile.
- Go to the Web Settings section.
- For Allowed Return URLs, paste the value that you copied from the PingOne admin console.
- Click Save.