AWS Configuration For PingOne as OpenID Connect Identity Provider


1.0 Introduction

The purpose of this article is to outline the necessary steps for configuring the connection between Fortanix Key Insight Amazon Web Services (AWS) and PingOne as an OpenID Connect (OIDC) identity provider (IdP) using the Authorization Code Flow.

Federated authentication in AWS refers to the process of enabling users to access AWS resources using their existing credentials from an external IdP, such as PingOne, Microsoft Entra ID, and so on.

Configuring PingOne as an OpenID Connect IdP in AWS involves the following steps:

  1. Register a client application with your identity provider.

  2. Configure the redirect Uniform Resource Locator (URL) on the client application.

  3. Gather the Client ID, a unique identifier for your registered application.

  4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.

  5. Set up IdP on your cloud account.

  6. Set up the necessary permissions for AWS single account onboarding.

  7. Set up the necessary permissions for AWS organization onboarding.

2.0 Register a Client Application with PingOne

Perform the following steps to register a client application with PingOne:

  1. Perform the following steps to set up an OIDC web application in PingOne:

    1. Navigate to the Applications section in the PingOne console and click the '+' icon next to the Applications title.

    2. Enter the Application Name, Description, and Icon fields as required.

    3. Select OIDC Web App as the Application Type.

    4. Save the application.

    For more information, refer to Adding an Application.

  2. Edit the Configuration section of the OIDC application created in the previous step to include the following:

    1. Response Type: Code, Token, ID Token

    2. Grant Type: Authorization Code, Implicit, Refresh Token

    3. Redirect URL: https://armor.fortanix.com/system/discovery/oauth/callback

    4. Token Endpoint Authentication Method: None

    Figure 1: Application configuration

  3. Edit the Resource section of the OIDC application created in Step 1 to include the following:

    1. Allowed Scopes: openid (default), profile, email

      Figure 2: Configure Resource section

For more information, refer to Editing an application - OIDC.

3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which PingOne forwards the OIDC response after authentication.

You can retrieve the redirect URL after registering your application with PingOne, as explained in Step 2 of Section 2.0: Register a Client Application with PingOne.

4.0 Gather the Client ID

A client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.

To retrieve the Client ID, copy the Client ID from the Configuration section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.

NOTE

Record the Client ID value; it is required for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).

5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OpenID Connect (OIDC) provider publishes a standard well-known URL that your client application can use to discover the provider's configuration dynamically.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the OIDC Discovery Endpoint from the Configuration → URLs section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.

NOTE

Record the well-known URL value; it is required for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).

6.0 Set Up an IdP on Your Cloud Account

Perform the following steps to set up an IdP on your cloud account:

  1. Configure the PingOne (OIDC IdP) in AWS using the issuer and client ID:

    1. Sign in to the AWS Management Console and open the IAM console.

    2. In the left navigation panel, select Identity providers.

    3. Click Add provider to add a new IdP.

    4. On the Configure Provider page, for Provider type, select OpenID Connect.

    5. For Provider URL, enter https://auth.pingone.com/{environment_id}/as/authorize. Replace {environment_id} with your actual Environment ID from the Configuration section, as explained in Step 2 of Section 2.0: Register a Client Application with PingOne.

    6. For the Audience, enter the Application ID (Client ID) of the PingOne registered application.

    7. Click Add provider to complete the setup.

    Figure 3: Add an identity provider in AWS

  2. Verify the details of the identity provider created in AWS using the following steps:

    1. Navigate to the IAM console in AWS.

    2. Click your OIDC identity provider.

    3. Ensure the Provider URL is correctly set to https://auth.pingone.com/{environment_id}/as/authorize.

    4. Ensure the Audience matches the Application (client) ID from PingOne.

    5. (Optional) Ensure the thumbprint in the Thumbprints section is correct and matches the one you obtained.

    Figure 4: Verify the IdP in AWS

    For more information, refer to Create an OpenID Connect (OIDC) identity provider in IAM.

7.0 AWS Single Account - Onboarding Setup

This section describes the steps to onboard a single AWS account in Fortanix Key Insight.

For a comprehensive list of AWS permissions required to onboard an AWS connection, refer to AWS Connection Permissions.

7.1 Create an IAM Role for the Web Identity Federation

Perform the following steps to create an IAM role:

  1. On the IAM page, select Roles.

  2. Select Create role.

  3. On the Select trusted Identity page,

    1. Select Web Identity as the trusted entity type.

    2. Select the identity provider created in Section 6.0: Set Up an IdP on your Cloud Account.

    3. Enter the Audience value as the Application (Client) ID of the PingOne registered application.

    4. Click Next.

  4. On the Add permissions page,

    1. Attach the necessary policies to the role as explained in Section 7.2: Access Control Permissions.

    2. Click Next.

  5. On the Name, review and create page, verify the details, and complete the role creation.

Figure 5: Create an IAM role
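The role created above trusts the OIDC provider from Section 6.0 and is restricted to the Audience (Client ID) from Section 4.0. The following added example (not Fortanix, PingOne or AWS code) builds the trust policy such a Web Identity role receives and then checks a set of ID token claims against it the way an AssumeRoleWithWebIdentity call would, so you can confirm that the issuer and audience you recorded line up before onboarding. All URLs, account numbers and claims are constructed placeholders; substitute your Provider URL and Client ID.

```python
"""Added example: trust policy for an IAM Web Identity role and a claim check
against it. The scheme-stripping comparison of iss is this example's own
behaviour; the placeholder account, URL and client ID are constructed."""
import time

def trust_policy(account_id: str, provider_url: str, client_id: str) -> dict:
    """Trust policy for a role whose trusted entity is an OIDC IdP.
    IAM names the provider by its URL without the scheme, both in the
    provider ARN and in the aud condition key."""
    provider = provider_url.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
        }],
    }

def token_matches_trust(claims: dict, policy: dict, now=None) -> list:
    """Return the reasons a token would be rejected by the role's trust
    policy; an empty list means issuer, audience and expiry all pass."""
    stmt = policy["Statement"][0]
    provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
    (aud_key, expected_aud), = stmt["Condition"]["StringEquals"].items()
    problems = []
    # iss must name the IAM identity provider; scheme is ignored here.
    if str(claims.get("iss", "")).removeprefix("https://") != provider:
        problems.append("issuer does not match the IAM identity provider")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be string or list
    if expected_aud not in aud:
        problems.append(f"audience does not satisfy {aud_key}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token has expired")
    return problems

if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or account.
    policy = trust_policy("111122223333",
                          "https://idp.example/tenant-placeholder",
                          "client-id-placeholder")
    good = {"iss": "https://idp.example/tenant-placeholder",
            "aud": "client-id-placeholder", "exp": time.time() + 300}
    print(token_matches_trust(good, policy))  # []
```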

7.2 Access Control Permissions

This section describes the general requirements for AWS access permissions.

  • For single-account onboarding, the policies are attached directly to the IAM user in that account.

  • For AWS Organization onboarding, these permissions are provisioned automatically using the CloudFormation Template (CFT) deployed using AWS CloudFormation StackSets, as explained in Section 8.2: Deploy the CFT.

7.2.1 Scan AWS Services

The following read-only permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services:

  • KMS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "tag:GetResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:GetKeyRotationStatus",
            "kms:GetKeyPolicy",
            "kms:DescribeKey",
            "kms:ListGrants",
            "kms:ListResourceTags",
            "kms:ListKeyRotations"
          ],
          "Resource": "arn:aws:kms:*:*:key/*"
        }
      ]
    }

    Additionally, to list AWS KMS aliases, the IAM policy must include the kms:ListAliases action with the Resource set to "*".

    Fortanix Key Insight recommends creating a separate policy for this permission, as shown below, to meet AWS requirements and prevent permission errors:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:ListAliases"
          ],
          "Resource": "*"
        }
      ]
    }

  • RDS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "rds:DescribeDBInstances",
          "Resource": "*"
        }
      ]
    }
    
  • EBS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeVolumes",
          "Resource": "*"
        }
      ]
    }
    
  • S3

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetEncryptionConfiguration",
            "s3:GetBucketLocation"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • DynamoDB

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:ListTables",
            "dynamodb:DescribeTable",
            "dynamodb:ListStreams",
            "dynamodb:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • EKS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters"
          ],
          "Resource": "*"
        }
      ]
    }

  • EFS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "elasticfilesystem:DescribeFileSystems",
          "Resource": "*"
        }
      ]
    }

  • Redshift

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "redshift:DescribeClusters"
          ],
          "Resource": "*"
        }
      ]
    }

7.2.2 Scan AWS Certificates

The following read-only permissions are required for scanning the AWS certificates:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}

8.0 AWS Organization - Onboarding Setup

8.1 Create an IAM Role for the Web Identity Federation

For steps to set up an IAM role for the Web Identity Federation with the necessary permissions for an AWS organization, refer to Section 9.1: Set up an IAM Role with the Necessary Permissions – AWS Organization.

8.2 Deploy the CFT

This section outlines the steps for deploying the CloudFormation Template (CFT) through StackSets to create roles that the IAM role, created in Section 8.1: Create an IAM Role for the Web Identity Federation, can assume in member accounts.

To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if no other attached policies already cover these permissions).

NOTE

To attach the following permission policy, the IAM role needs the corresponding IAM service read or write permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixCFTPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "organizations:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
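The scanning policies in Section 7.2 are read-only, whereas the CFT deployment policy above grants service-wide wildcards, which the text says you only need if no attached policy already covers them. The following added example (not Fortanix or AWS code) lists every action in an IAM policy document that is not a Describe/List/Get call, so wildcard or state-changing grants stand out before a policy is attached. The policy documents embedded below are copied from this page; the read-only verb list is this example's assumption.

```python
"""Added example: flag non-read-only actions in IAM policy documents.
The Describe/List/Get prefix rule is an assumption of this example."""
import json

READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def actions_of(policy: dict) -> list:
    """Flatten the Action field of every Allow statement (string or list)."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        out.extend([action] if isinstance(action, str) else action)
    return out

def non_read_only(policy: dict) -> list:
    """Actions that could change state: any wildcard, or a verb that does
    not start with one of the read-only prefixes."""
    flagged = []
    for action in actions_of(policy):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged

# Section 7.2.1 KMS policy, copied from this page: expected to be read-only.
KMS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:ListKeys", "tag:GetResources"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey",
                "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations"],
     "Resource": "arn:aws:kms:*:*:key/*"}
  ]
}""")

# Section 8.2 CFT deployment policy, copied from this page: all wildcards.
CFT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "FortanixCFTPermissions", "Effect": "Allow",
                 "Action": ["cloudformation:*", "organizations:*", "s3:*"], "Resource": "*"}]
}""")

if __name__ == "__main__":
    print(non_read_only(KMS_POLICY))  # []
    print(non_read_only(CFT_POLICY))  # ['cloudformation:*', 'organizations:*', 's3:*']
```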

NOTE

Refer to Activate trusted access with AWS organizations - AWS CloudFormation for more information about enabling trusted access for StackSets.

Enabling trusted access creates the following service-linked roles:

  • AWSServiceRoleForCloudFormationStackSetsOrgAdmin (management account)

  • AWSServiceRoleForCloudFormationStackSetsOrgMember (member accounts)

These roles allow AWS CloudFormation StackSets to perform supported operations within accounts in your AWS Organization.

Perform the following steps:

  1. Create the JSON file for the CFT. For example, fortanix-key-insight-AWS-CFT-template.json.

    Refer to Section 9.2: Download the JSON file for CFT to create the CFT.

  2. Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described above, if it is not already enabled.

  3. In the AWS Management Console, navigate to CloudFormation → StackSets page.

    Figure 6: CloudFormation StackSets page

  4. Click Create StackSets.

  5. On the Choose a template page, select Upload a template file and upload the JSON file that you created in Step 1.

    Figure 7: Choose the CFT template

    Figure 8: JSON file uploaded

  6. After you upload the CFT template, you will see the JSON file uploaded in the template field.

  7. On the Specify StackSet details page,

    1. Enter the StackSet name.

    2. Enter StackSet description (optional).

    3. Enter the AWSAccountID and AWSUserName of the user who initiates the scan.

    4. Click Next.

    NOTE

    The AWSAccountID and AWSUserName must be created in advance as described in Section 9.1: Set Up an IAM User With the Necessary Permissions - AWS Organization.

    Figure 9: StackSet details

  8. On the Set deployment options page, specify the required deployment targets and regions.

  9. Click Next.

  10. On the Review page, review the details and create the StackSet.

9.0 Appendix

9.1 Set up an IAM Role with the Necessary Permissions - AWS Organization

Create an IAM role as described in Section 7.1: Create an IAM Role for the Web Identity Federation in AWS, and attach the following permissions policy to list accounts and assume roles:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FortanixFkiScannerPermissionsRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC"
        }
    ]
}

NOTE

The above IAM role must be created in one of the following two ways:

  • From the AWS Organizations management account.

  • From an AWS member account, where the IAM role is then assigned as a delegated administrator for AWS organizations. Refer to Delegated Administrator for AWS Organizations for more information.

When creating an IAM role as a delegated organization administrator, use the delegation policy listed below in the organization management account to register the IAM role as a delegated administrator. This IAM role also needs sts:AssumeRole permission in its own account to assume the Fortanix access role in member accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_ROLE}:role/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}

9.2 Download the JSON File for CFT

Download the following CFT JSON file (fortanix-key-insight-AWS-CFT-template.json), which should be deployed using StackSets across the entire AWS Organization.

Enter the Account ID and IAM username created in Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization in the AwsAccountId and AwsUserName fields, respectively.
