Federate entry to Amazon SageMaker Unified Studio with AWS IAM Identification Middle and Ping Identification

With an id supplier (IdP), you’ll be able to handle your consumer identities exterior of AWS and provides these exterior consumer identities permissions to make use of AWS assets in your AWS accounts. Exterior IdPs, resembling Ping Identification, can combine with AWS IAM Identification Middle to be the supply of fact for Amazon SageMaker Unified Studio. SageMaker Unified Studio additionally helps trusted id propagation for SQL analytics, together with Amazon Athena and Amazon Redshift.

SageMaker Unified Studio offers an built-in expertise to make use of your information and instruments for analytics and AI. You need to use SageMaker Unified Studio to find your information and put it to work utilizing acquainted AWS analytics and machine studying (ML) providers for mannequin improvement, generative AI, large information processing, and SQL analytics, assisted by Amazon Q Developer. By default, SageMaker domains help AWS Identification and Entry Administration (IAM) consumer credentials. You can too allow entry to SageMaker domains in SageMaker Unified Studio for customers with single sign-on (SSO) with IAM Identification Middle and direct SAML integration with SageMaker Unified Studio.

Customers can entry SageMaker Unified Studio with their current company credentials. With IAM Identification Middle, directors can join their current exterior IdPs and proceed to handle customers and teams in these current id methods, which might then be synchronized with IAM Identification Middle utilizing System for Cross-domain Identification Administration (SCIM).On this put up, we present how one can arrange workforce entry with SageMaker Unified Studio utilizing Ping Identification as an exterior IdP with IAM Identification Middle.

On this put up, we present how one can arrange workforce entry with SageMaker Unified Studio utilizing Ping Identification as an exterior IdP with IAM Identification Middle.

Resolution overview

We stroll by means of the next high-level steps to implement this answer:

1. Allow IAM Identification Middle.
2. Create a SageMaker Unified Studio area.
3. Arrange your IdP (for this instance, Ping Identification).
4. Join Ping Identification and IAM Identification Middle.
5. Arrange computerized provisioning of customers and teams in IAM Identification Middle.
6. Configure SageMaker Unified Studio SSO consumer entry.

Stipulations

For this walkthrough, you need to have the next conditions:

• An AWS account with IAM Identification Middle enabled. It’s endorsed to make use of an organization-level IAM Identification Middle occasion for finest practices and centralized id administration throughout your AWS group.
• A Ping Identification account.
• A browser with community connectivity to Ping Identification and SageMaker Unified Studio.

Allow IAM Identification Middle

To allow IAM Identification Middle, observe the directions in Allow IAM Identification Middle.

Create a SageMaker Unified Studio area

To create a SageMaker Unified Studio area, check with the directions in Create a Amazon SageMaker Unified Studio area – guide setup.

On the SageMaker console, go to the area particulars and duplicate the Amazon Useful resource Title (ARN) beneath Area ARN. You’ll use this worth if you add your belief coverage and if you join your IAM IdP to your Ping Identification occasion.

Arrange your IdP (Ping Identification)

On this part, we stroll by means of the process to arrange your IdP (for this instance, Ping Identification).

Create an surroundings in Ping Identification

Full the next steps to create an surroundings for Ping Identification:

1. Log in to your Ping Identification account.
2. Select Create Surroundings.
3. Select Create a Buyer Resolution.
4. Within the Tailor your experiences pop-up, select Skip.
   
   

Create a gaggle in Ping Identification

Full the next steps to create a group in Ping Identification:

1. On the Environments web page, select Handle Environments.
2. Within the navigation pane, select Listing, then select Teams.
3. Select the plus signal so as to add a gaggle.
4. For Group Title, enter sagemaker
5. For Description, enter an elective description (for instance, Amazon SageMaker Unified Studio).
6. For Inhabitants, select Default.
7. Select Save.
   
   
8. On the Roles tab for the sagemaker group, assign the Surroundings Admin position to the group.
   
   

Create a consumer in Ping Identification

Full the next steps to create a consumer:

1. Within the navigation pane, select Listing, then select Customers.
2. Select the plus signal to create a consumer.
3. Present values for Given title, Household title, Username, and Electronic mail.
4. For Password, select First time password.
5. Select Save.

You’ll be able to add extra customers as wanted.

Assign group to consumer

Full the next steps to assign your group to your consumer:

1. Within the navigation pane, select Listing, then select Teams.
2. Select the sagemaker group you created.
3. On the Customers tab, select the plus signal so as to add a consumer.
4. Add the consumer you created.

Join Ping Identification and IAM Identification Middle

To configure the combination between Ping Identification and IAM Identification Middle, you want entry to each administration consoles. Though Ping Identification’s software catalog contains IAM Identification Middle, we advocate configuring a normal SAML software for higher management over settings and attribute mappings.

Full the next steps:

1. Go to the Ping Identification surroundings you created and select Functions within the navigation pane.
2. Select the plus signal so as to add an software:
   1. For Utility title, enter a reputation (for this instance, we use unifiedstudio).
   2. For Description, enter an elective description.
   3. For Utility Sort, select SAML Utility.
   4. Select Configure.

   

3. Register to the IAM Identification Middle console as a consumer with administrative privileges.
4. Within the navigation pane, select Settings to replace your settings:
   1. On the Identification supply tab, select Change id supply on the Actions dropdown menu.
      
      
   2. For Select id supply, choose Exterior id supplier, then select Subsequent.

      

   3. Within the Service supplier metadata part, select Obtain metadata file to obtain the IAM Identification Middle metadata file.

      You’ll use this service supplier metadata file within the subsequent step if you join Ping Identification with IAM Identification Middle.

   

5. Return to the Ping Identification console and the SAML software web page.
6. Within the SAML Configuration part, choose Import Metadata, add the metadata file you downloaded, then select Save.

   

7. On the Overview tab of the applying web page, select Obtain Metadata beneath Connection particulars to obtain the Ping Identification IdP metadata.
   
   You’ll use this for the SAML configuration in IAM Identification Middle to arrange Ping Identification as an IdP within the subsequent step.

   

8. Return to the IAM Identification Middle console and proceed configuring your id supply:
   1. Within the Identification supplier metadata part, select Select file beneath IdP SAML metadata, add the metadata file you downloaded from Ping Identification, then select Subsequent.

      

   2. Select Settle for to just accept the disclaimer.
   3. Select Change id supply.
9. Return to the Ping Identification console to finish the SAML configuration.
10. On the Configuration tab, select the edit icon to replace the configuration:
    1. For Signal, select Signal Assertion & Response.
    2. For Topic Title ID, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. For Assertion Validity Period, enter 300.
    4. Go away the remaining values as default.

    

11. On the Attributes tab, select the edit icon.
12. Select +Add so as to add two attribute mappings:
    1. Map the attribute saml-subject to Username, and depart Title format as default.
    2. Map the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:Electronic mail to Electronic mail Deal with, and set Title format to Unspecified.
    3. Select Save.

    

13. On the PingOne Insurance policies tab, choose Single Issue, then select Save.
    
    This put up makes use of single-factor authentication for demonstration functions solely. In your environments, observe your group’s safety requirements and governance framework.

    

14. On the Entry tab, seek for the sagemaker group beneath Group Membership Coverage, and assign the unifiedstudio SAML software to the group.
15. Allow the applying.
    
    

Arrange computerized provisioning of customers and teams from Ping Identification into IAM Identification Middle

To configure the automated provisioning of customers and teams between Ping Identification and IAM Identification Middle by means of SCIM, you will need to have entry to each administration consoles. Full the next steps:

1. On the IAM Identification Middle console, select Settings within the navigation pane.
2. Within the Computerized provisioning part, select Allow.
   
   

   This allows computerized provisioning in IAM Identification Middle and shows the required SCIM endpoint and entry token data.

3. Within the Inbound computerized provisioning dialog field, copy the values for SCIM endpoint and Entry token, then select Shut.
   
   You’ll use these values to configure provisioning in Ping Identification within the subsequent step.

   

   This completes the setup course of in IAM Identification Middle.

4. Log in to the Ping Identification console.
5. Within the navigation pane, select Integrations, then select Provisioning.
6. Select the plus signal so as to add a brand new connection.
   
   
7. For Select a connection sort, select Choose subsequent to Identification Retailer.
   
   
8. Present a reputation (for this instance, we use Identitycenter) and an elective description, then select Subsequent.
   
   
9. Below Configuration Authentication, present the next configuration:
   1. For SCIM BASE URL, enter the SCIM endpoint from IAM Identification Middle.
   2. For Authentication Methodology, select OAuth 2 Bearer Token.
   3. For Oauth Entry Token, enter the entry token from IAM Identification Middle.
   4. For Auth Sort Header, select Bearer (default possibility).
   5. Select Check Connection to validate the connection between Ping Identification and IAM Identification Middle, then select Subsequent.

   

10. Below Configuration Desire, present the next configuration:
    1. For Person Filter Expression, enter userName Eq “%s”.
    2. For Group Membership Dealing with, choose Merge.
    3. Go away the remaining settings as default and select Save.

    

11. On the Provisioning tab, select the plus signal, then select New Rule to create a rule for the SCIM connection.
    
    
12. Enter a reputation (for this instance, unifiedstudio) and an elective description, then select Create Rule.
13. Below the newly created rule, select the plus signal subsequent to Accessible Connections so as to add the connection identitycenter, then select Save.
14. Edit the consumer filter:
    1. For Attribute, select Enabled.
    2. For Operator, select Equals.
    3. For Worth, select true.
    4. Select Save.

    

15. Select the edit icon subsequent to Attribute Mapping and set the attribute mappings as proven within the following screenshot:
    1. Delete the Major Telephone attribute mapping as a result of it’s elective in AWS. Leaving this discipline clean may cause Ping Identification’s SCIM connector to generate errors throughout consumer provisioning.
    2. Add a brand new attribute referred to as Username beneath PingOne Listing after which map to displayName beneath Identitycenter.

    

16. Below Group Provisioning, select the sagemaker group if you wish to sync all sagemaker group customers with auto provisioning.
    1. Within the pop-up, choose I perceive and wish to proceed, then select Save.

    

    

17. On the Provisioning web page, select the Connections tab.
18. Allow the SCIM connection Identitycenter and rule unifiedstudio.

    

    

This completes the SCIM setup course of between Ping Identification and IAM Identification Middle.

Configure SageMaker Unified Studio SSO consumer entry

Full the next steps to configure SSO consumer entry to SageMaker Unified Studio in your SageMaker area:

1. On the SageMaker console, select Domains within the navigation pane.
2. Select the area for which you wish to configure SAML consumer entry.
3. On the area particulars web page, you will discover the SSO configuration in two places:
   1. From the primary area view, select Configure subsequent to Configure SSO consumer entry.
   2. Alternatively, scroll all the way down to the Person administration tab and select Configure SSO consumer entry.

   

4. On the Select consumer authentication technique web page, choose IAM Identification Middle, then select Subsequent.
   
   
5. For Select consumer and group project technique, select from the next choices, then select Subsequent:
   1. Require assignments: Customers and teams should be explicitly added to the area to achieve entry. This offers extra granular management over who can entry the area.
   2. Don’t require assignments: All approved Ping Identification customers and teams can entry this area if they’ve been assigned to the SAML software in Ping Identification.

   For both possibility, customers or teams should have entry to the Ping Identification SAML software (unifiedstudio on this instance) to authenticate efficiently.

   

6. On the Evaluate and save web page, overview your decisions and select Save. These settings can’t be modified after you save them.
   
   
7. For those who’ve chosen to require assignments, use the Add customers and teams part so as to add SAML customers and teams to your area.
   
   

Now, customers will be capable to entry SageMaker Unified Studio utilizing the area URL with their SSO credentials.

You’ll be able to discover totally different initiatives in your customers and assign these initiatives based mostly in your IdP consumer teams for fine-grained entry controls. For instance, you’ll be able to create totally different SAML consumer teams based mostly on their job perform in Ping Identification, then assign these Ping Identification teams to the unifiedstudio SAML software in Ping Identification, after which assign these Ping Identification SAML teams to their respective undertaking profiles in SageMaker Unified Studio. To assign undertaking profiles for his or her respective teams, select the Venture profiles tab and select your undertaking profile. On the Approved customers and teams web page, select Add, then select SSO teams. Select Add customers and teams button to finish the undertaking profile project.

Validate entry with Ping Identification customers

Full the next steps to validate entry:

1. On the SageMaker area particulars web page, select the hyperlink for the SageMaker Unified Studio URL.
   
   
2. Log in together with your consumer credentials.
   
   After profitable login, you’ll be redirected to the SageMaker Unified Studio dwelling web page. Right here, you’ll be able to discover totally different initiatives to your customers and assign these initiatives based mostly in your SAML consumer teams for fine-grained entry management.

   

3. To assign an authorization coverage, these Govern after which Area items.
4. Select your SageMaker area, then select an appropriate authorization coverage. For this instance, we select Venture creation coverage.
   
   
5. Select Add coverage grant to assign consumer teams or customers to their respective undertaking profiles.
   
   

You might have efficiently federated SageMaker Unified Studio with Ping Identification as an IdP with IAM Identification Middle. You’ll be able to hook up with SageMaker Unified Studio through the use of your Ping Identification credentials.

Clear up

After you check out this answer, bear in mind to delete the assets you created to keep away from incurring future costs. For directions to delete your SageMaker Unified Studio area, check with Delete domains. If you wish to delete your Ping Identification account, attain out to Ping Identification for help.

Conclusion

On this put up, we demonstrated how one can arrange Ping Identification as an IdP over SAML authentication for SageMaker Unified Studio entry by means of IAM Identification Middle federation. To be taught extra, check with the Amazon SageMaker Unified Studio Person Information, which offers steering on how one can construct information and AI purposes utilizing SageMaker.

In regards to the authors