---
title: "AWS Configuration For PingOne as OpenID Connect Identity Provider"
slug: "fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider"
updated: 2026-06-16T13:06:57Z
published: 2026-06-16T13:06:57Z
canonical: "support.fortanix.com/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider"
---

# AWS Configuration For PingOne as OpenID Connect Identity Provider

## 1.0 Introduction

The purpose of this article is to outline the necessary steps for configuring the connection between Fortanix Key Insight Amazon Web Services (**AWS**) and **PingOne** as an OpenID Connect (OIDC) identity provider (IdP) using the **Authorization Code Flow.**

Federated authentication in AWS refers to the process of enabling users to access AWS resources using their existing credentials from an external IdP, such as PingOne, Microsoft Entra ID, and so on.

Configuring PingOne as an OpenID Connect IdP in AWS involves the following steps:

1. Register a client application with your identity provider.
2. Configure the redirect Uniform Resource Locator (URL) on the client application.
3. Gather the Client ID, a unique identifier for your registered application.
4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
5. Set up IdP on your cloud account.
6. Set up the necessary permissions for AWS single account onboarding.
7. Set up the necessary permissions for AWS organization onboarding.

## 2.0 Register a Client Application with PingOne

Perform the following steps to register a client application with PingOne:

1. Set up an OIDC web application in PingOne:

*For more information, refer to the [PingOne official documentation](https://docs.pingidentity.com/pingone/applications/p1_applications_add_applications.html).*
  1. Navigate to the **Applications** section in the **PingOne** console and click the '**+**' icon next to the **Applications** title.
  2. **Application Name**: Enter the application name.
  3. **Description**: Enter your app description.
  4. **Icon**: Add your app icon.
  5. **Application Type:** Select **OIDC Web App**.
  6. Click **Save**.
2. Edit the **Configuration** section of the OIDC application created in the previous step to include the following:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Configure an App.png)

**Figure 1: Application configuration**
  1. Response Type: `Code, Token, ID Token`
  2. Grant Type: `Authorization Code, Implicit, Refresh Token`
  3. Redirect URL:

```text
https://armor.fortanix.com/system/discovery/{region}/oauth/callback
```

Here, replace `{region}` with your appropriate region. For example, `eu` or `na`.
  4. Token Endpoint Authentication Method: `None`
3. Edit the **Resource** section of the OIDC application created in *Step 1* to include the following:
  1. **Allowed Scopes**: `openid` (default), `profile, email`

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Resource Section.png)

**Figure 2: Configure Resource section**

*For more information, refer to the [PingOne official documentation](https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html).*

## 3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which PingOne forwards the OIDC response after authentication.

You can retrieve the redirect URL after registering your application with PingOne, as explained in *Step 2* of [Section 2.0: Register a Client Application with PingOne](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#h_01J2900MH9Y6MV6QP2C2H3609A).

## 4.0 Gather the Client ID

A client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.

To retrieve the Client ID, copy the `Client ID` from the **Configuration** section of the OIDC application created in *Step 1* of [Section 2.0: Register a Client Application with PingOne](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone).

> [!NOTE]
> Be sure to record the `Client ID` value, as it is required for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).

## 5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OpenID Connect (OIDC) provider provides a standard well-known URL that your client application can use to discover information about the provider's configuration dynamically.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the `OIDC Discovery Endpoint` from the **Configuration → URLs** section of the OIDC application created in *Step 1* of [Section 2.0: Register a Client Application with PingOne](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone).

> [!NOTE]
> Be sure to record the well-known URL value, as it is required for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).

## 6.0 Set Up an IdP on Your Cloud Account

Perform the following steps to set up an IdP on your cloud account:

1. Configure the PingOne (OIDC IdP) in AWS using the issuer and client ID:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AWS Configuration.png)

**Figure 3: Add an identity provider in AWS**
  1. Sign in to the **AWS Management Console** and open the **IAM** console.
  2. In the left navigation panel, select **Identity providers**.
  3. Click **Add provider** to add a new IdP.
  4. On the **Configure Provider** page:
    1. **Provider type:** Select **OpenID Connect**.
    2. **Provider URL:** Enter `https://auth.pingone.com/{environment_id}/as/authorize`. Replace `{environment_id}` with your actual Environment ID from the **Configuration** section, as explained in *Step 2* of [Section 2.0: Register a Client Application with PingOne](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#20-register-a-client-application-with-pingone).
    3. **Audience:** Enter the Application ID (`Client ID`) from a PingOne registered application.
    4. Click **Add provider** to complete the setup.
2. Verify the details of the identity provider created in AWS using the following steps:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Verify the AWS Configuration.png)

**Figure 4: Verify the IdP in AWS**

*For more information, refer to the [AWS official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).*
  1. Navigate to the **IAM** console in AWS.
  2. Click your OIDC identity provider.
  3. Ensure the **Provider URL** is correctly set to `https://auth.pingone.com/{environment_id}/as/authorize`.
  4. Ensure the **Audience** matches the application (client) ID from PingOne.
  5. (Optional) Ensure the thumbprint in the **Thumbprints** section is correct and matches the one you obtained.

## 7.0 AWS Single Account - Onboarding Setup

This section describes the steps to onboard a single AWS account in Fortanix Key Insight.

*For a comprehensive list of AWS permissions required to onboard an AWS connection, refer to*[*AWS Connection Permissions*](https://support.fortanix.com/docs/fortanix-key-insight-aws-connection-permissions).

### 7.1 Create an IAM Role for the Web Identity Federation

Perform the following steps to create an IAM role:

1. On the **IAM** page, select **Roles**.
2. Select **Create role**.
3. On the **Select trusted Identity** page:
  1. **Trusted entity type**: Select **Web Identity**.
  2. **Identity Provider**: Select the IdP created in [*Section 6.0: Set Up an IdP on your Cloud Account*](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#60-set-up-an-idp-on-your-cloud-account).
  3. **Audience:** Enter the Application (Client) ID value from the PingOne registered application.
  4. Click **Next.**
4. On the **Add permissions** page:
  1. Attach the necessary policies to the role as explained in [Section 7.2: Access Control Permissions](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#72-access-control-permissions).
  2. Click **Next**.
5. On the **Name, review and create** page, verify the details, and complete the role creation.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create an IAM Role.png)

**Figure 5: Create an IAM role**
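The wizard above writes a trust policy for the role from the identity provider and audience you selected. The following added example (not part of the original article or the Fortanix product) builds the equivalent trust policy for the PingOne provider and reviews an existing one for the audience condition that pins the role to the PingOne application's Client ID; the account ID, environment ID and Client ID are placeholders.

```python
import json
from urllib.parse import urlparse

# Placeholders for the values the article tells you to gather (constructed,
# not real identifiers): AWS account ID, the provider URL from Section 6.0 and
# the PingOne application's Client ID from Section 4.0.
ACCOUNT_ID = "123456789012"
PROVIDER_URL = "https://auth.pingone.com/{environment_id}/as/authorize"
CLIENT_ID = "{client_id}"


def _as_list(value):
    """IAM accepts a string or a list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def provider_name(provider_url):
    """IAM names an OIDC provider by its URL without the scheme; that string is
    both the suffix of the provider ARN and the prefix of its condition keys."""
    parsed = urlparse(provider_url)
    return parsed.netloc + parsed.path


def web_identity_trust_policy(account_id, provider_url, client_id):
    """Trust policy equivalent to what the console creates for a Web Identity
    role: only tokens from this provider whose aud claim equals the PingOne
    Client ID may call sts:AssumeRoleWithWebIdentity."""
    name = provider_name(provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{name}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{name}:aud": client_id}},
            }
        ],
    }


def trust_policy_findings(policy, account_id, provider_url, client_id):
    """Review an existing trust policy; an empty list means every web-identity
    statement names the expected provider and is pinned to the Client ID."""
    name = provider_name(provider_url)
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{name}"
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append(f"statement {idx}: Federated principal is not {expected_principal}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{name}:aud")
        if aud is None:
            findings.append(f"statement {idx}: no {name}:aud condition, role is not pinned to the Client ID")
        elif client_id not in _as_list(aud):
            findings.append(f"statement {idx}: aud {aud!r} does not include {client_id!r}")
    return findings


if __name__ == "__main__":
    policy = web_identity_trust_policy(ACCOUNT_ID, PROVIDER_URL, CLIENT_ID)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, ACCOUNT_ID, PROVIDER_URL, CLIENT_ID) or "OK")
```

To review a deployed role, paste the JSON from the role's **Trust relationships** tab into `trust_policy_findings` with your real account ID, provider URL and Client ID.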

### 7.2 Access Control Permissions

This section describes the general requirements for AWS access permissions.

- For **single-account** onboarding, the policies are attached directly to the IAM user in that account.
- For AWS **Organization** onboarding, these permissions are provisioned automatically using the CloudFormation Template (CFT) deployed using AWS CloudFormation StackSets, as explained in [*Section 8.2: Deploy the CFT*](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#82-deploy-the-cft).

#### 7.2.1 Scan AWS Services

The following **read-only** permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services:

- **KMS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:ListResourceTags",
        "kms:ListKeyRotations"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
```

Additionally, to list AWS KMS aliases, the IAM policy must include the `kms:ListAliases` action with the `Resource` set to `"*"`.

Fortanix Key Insight recommends creating a separate policy for this permission, as shown below, to meet AWS requirements and prevent permission errors:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
```

- **RDS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
```

- **EBS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumes",
      "Resource": "*"
    }
  ]
}
```

- **S3**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
```

- **DynamoDB**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EKS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EFS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DescribeFileSystems",
      "Resource": "*"
    }
  ]
}
```

- **Redshift**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}
```

#### 7.2.2 Scan AWS Certificates

The following **read-only** permissions are required for scanning the AWS certificates:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}
```
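Before attaching the policies from Sections 7.2.1 and 7.2.2, it is worth checking them mechanically for the two properties this article relies on: every action is read-only, and account-level KMS actions such as `kms:ListKeys` and `kms:ListAliases` are granted with `Resource` set to `"*"`, since they do not support resource-level permissions (the reason the article recommends a separate policy for `kms:ListAliases`). The following added example (not from the original article or the Fortanix product) lints a policy document for both; the KMS policy is the one from Section 7.2.1, the counter-examples are constructed.

```python
import copy
import json

# Verb prefixes that denote read-only IAM actions; anything else, including a
# bare "*", is treated as a write or wildcard action and flagged.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# KMS actions that operate at account level and do not support resource-level
# permissions; AWS only honours them when Resource is "*".
ACCOUNT_LEVEL_KMS_ACTIONS = {"kms:ListKeys", "kms:ListAliases"}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; an empty list means every statement is an
    Allow of read-only actions and account-level KMS actions use Resource "*"."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: Effect is not Allow")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {idx}: {action} is not read-only")
            if action in ACCOUNT_LEVEL_KMS_ACTIONS and resources != ["*"]:
                findings.append(
                    f'statement {idx}: {action} only works with Resource "*" '
                    f"(got {resources})"
                )
    return findings


# The KMS policy from Section 7.2.1, embedded as sample input.
KMS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:ListKeys", "tag:GetResources"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey",
                "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations"],
     "Resource": "arn:aws:kms:*:*:key/*"}
  ]
}""")

# Constructed counter-example: kms:ListAliases folded into the key-scoped
# statement instead of the separate Resource "*" policy the article recommends.
MERGED_ALIASES_POLICY = copy.deepcopy(KMS_POLICY)
MERGED_ALIASES_POLICY["Statement"][1]["Action"].append("kms:ListAliases")

# Constructed counter-example: a wildcard action, which is never read-only.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "cloudformation:*",
                                  "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("KMS_POLICY", KMS_POLICY),
                      ("MERGED_ALIASES_POLICY", MERGED_ALIASES_POLICY),
                      ("WILDCARD_POLICY", WILDCARD_POLICY)]:
        print(name, lint_policy(pol) or "OK")
```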

## 8.0 AWS Organization - Onboarding Setup

### 8.1 Create an IAM Role for the Web Identity Federation

For steps to set up an IAM role for the Web Identity Federation with the necessary permissions for an AWS organization, refer to [Section 9.1: Set up an IAM Role with the Necessary Permissions – AWS Organization](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization).

### 8.2 Deploy the CFT

This section outlines the steps for deploying the CloudFormation Template (CFT) through StackSets to create roles that the IAM role, created in [*Section 8.1: Create an IAM Role for the Web Identity Federation*](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#81-create-an-iam-role-for-the-web-identity-federation), can assume in member accounts.

To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if no other attached policies already cover these permissions).

> [!NOTE]
> To attach the following permission policy, the IAM role needs the corresponding IAM service read or write permissions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixCFTPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "organizations:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
```

> [!NOTE]
> *Refer to the [AWS official documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html) for more information about enabling trusted access for StackSets.*
> 
> Enabling trusted access creates the following service-linked roles:
> 
> - `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` (management account)
> - `AWSServiceRoleForCloudFormationStackSetsOrgMember` (member accounts)
> 
> These roles allow AWS CloudFormation StackSets to perform supported operations within accounts in your AWS Organization.

Perform the following steps:

1. Create the JSON file for the CFT. For example, `fortanix-key-insight-AWS-CFT-template.json`.

*Refer to [Section 9.2: Download the JSON file for CFT](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#92-download-the-json-file-for-cft) to create the CFT.*
2. Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described above, if it is not already enabled.
3. In the AWS Management Console, navigate to **CloudFormation → StackSets** page.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset(1).png)

**Figure 6: CloudFormation StackSets page**
4. Click **Create StackSets.**
5. On the **Choose a template** page, select **Upload a template file** and upload the JSON file that you created in *Step 1*.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Choose Template.png)

**Figure 7: Choose the CFT template**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25761299251988.png)

**Figure 8: JSON file uploaded**
6. After you upload the CFT template, you will see the JSON file uploaded in the template field.
7. On the **Specify StackSet details** page:

> [!NOTE]
> The **AWSAccountID** and **AWSUserName** must be created in advance as described in [Section 9.1: Set Up an IAM User With the Necessary Permissions - AWS Organization](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset Details.png)

**Figure 9: StackSet details**
  1. **StackSet name:** Enter a stack set name.
  2. **StackSet description** (optional): Enter a description.
  3. **AWSAccountID:** Enter the AWS account ID of the user who initiates the scan.
  4. **AWSUserName:** Enter the AWS user name of the user who initiates the scan.
  5. Click **Next**.
8. On the **Set deployment options** page, specify the required deployment targets and regions.
9. Click **Next**.
10. On the **Review** section, review the details and create a StackSet.

## 9.0 Appendix

### 9.1 Set up an IAM Role with the Necessary Permissions - AWS Organization

Create an IAM role as described in [Section 7.1: Create an IAM Role for the Web Identity Federation](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#71-create-an-iam-role-for-the-web-identity-federation) in AWS, and attach the following permissions policy to list accounts and assume roles:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FortanixFkiScannerPermissionsRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC"
        }
    ]
}
```

> [!NOTE]
> The above IAM role must be created using one of the two options:
> 
> - From the AWS Organizations management account.
> - From an AWS member account, where the IAM role is then assigned as a delegated administrator for AWS Organizations. *For more information, refer to the [AWS official documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html?icmpid=docs_orgs_console).*

When creating an IAM role as a delegated organization administrator, use the delegation policy listed below in the organization management account to register the IAM role as a delegated administrator. This IAM role also needs `sts:AssumeRole` permission in its own account to assume the Fortanix access role in member accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_ROLE}:role/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
```

### 9.2 Download the JSON File for CFT

Download the following CFT JSON file (`fortanix-key-insight-AWS-CFT-template.json`), which should be deployed using StackSets across the entire AWS Organization.

Enter the Account ID and IAM username created in [*Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization) in the `AwsAccountId` and `AwsUserName` fields, respectively.

[fortanix-key-insight-AWS-CFT-template(1).json](<https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight-AWS-CFT-template(1).json>) (9.47 KB)

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
