With an identity provider (IdP), you can manage your user identities outside of AWS and give those external user identities permissions to use AWS resources in your AWS accounts. External IdPs, such as Ping Identity, can integrate with AWS IAM Identity Center to act as the source of truth for Amazon SageMaker Unified Studio. SageMaker Unified Studio also supports trusted identity propagation for SQL analytics, including Amazon Athena and Amazon Redshift.
SageMaker Unified Studio provides an integrated experience for using your data and tools for analytics and AI. You can use SageMaker Unified Studio to discover your data and put it to work using familiar AWS analytics and machine learning (ML) services for model development, generative AI, big data processing, and SQL analytics, assisted by Amazon Q Developer. By default, SageMaker domains support AWS Identity and Access Management (IAM) user credentials. You can also enable access to SageMaker domains in SageMaker Unified Studio for users with single sign-on (SSO) through IAM Identity Center, or through direct SAML integration with SageMaker Unified Studio.
Users can access SageMaker Unified Studio with their existing corporate credentials. With IAM Identity Center, administrators can connect their existing external IdPs and continue to manage users and groups in those identity systems, which can then be synchronized with IAM Identity Center using System for Cross-domain Identity Management (SCIM).
In this post, we show how to set up workforce access to SageMaker Unified Studio using Ping Identity as an external IdP with IAM Identity Center.
Solution overview
We walk through the following high-level steps to implement this solution:
- Enable IAM Identity Center.
- Create a SageMaker Unified Studio domain.
- Set up your IdP (for this example, Ping Identity).
- Connect Ping Identity and IAM Identity Center.
- Set up automatic provisioning of users and groups into IAM Identity Center.
- Configure SageMaker Unified Studio SSO user access.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account with IAM Identity Center enabled. We recommend using an organization-level IAM Identity Center instance, which is the best practice for centralized identity management across your AWS organization.
- A Ping Identity account.
- A browser with network connectivity to Ping Identity and SageMaker Unified Studio.
Enable IAM Identity Center
To enable IAM Identity Center, follow the instructions in Enable IAM Identity Center.
Create a SageMaker Unified Studio domain
To create a SageMaker Unified Studio domain, refer to the instructions in Create an Amazon SageMaker Unified Studio domain – manual setup.
On the SageMaker console, go to the domain details and copy the Amazon Resource Name (ARN) shown under Domain ARN. You'll use this value when you add your trust policy and when you connect your IdP to your Ping Identity environment.

Set up your IdP (Ping Identity)
In this section, we walk through the procedure to set up your IdP (for this example, Ping Identity).
Create an environment in Ping Identity
Complete the following steps to create a Ping Identity environment:
- Log in to your Ping Identity account.
- Choose Create Environment.
- Choose Create a Customer Solution.
- In the Tailor your experiences pop-up, choose Skip.

Create a group in Ping Identity
Complete the following steps to create a group in Ping Identity:
- On the Environments page, choose Manage Environments.
- In the navigation pane, choose Directory, then choose Groups.
- Choose the plus sign to add a group.
- For Group Name, enter `sagemaker`.
- For Description, enter an optional description (for example, Amazon SageMaker Unified Studio).
- For Population, choose Default.
- Choose Save.

- On the Roles tab for the `sagemaker` group, assign the Environment Admin role to the group.
Note that Environment Admin is a PingOne administrative role. It is not what grants group members sign-in to the SAML application (the application's Access tab does that, later in this post), so limit it to users who actually need to administer the Ping Identity environment.

Create a user in Ping Identity
Complete the following steps to create a user:
- In the navigation pane, choose Directory, then choose Users.
- Choose the plus sign to create a user.
- Provide values for Given name, Family name, Username, and Email.
- For Password, choose First time password.
- Choose Save.
You can add more users as needed.
Assign the group to the user
Complete the following steps to assign your group to your user:
- In the navigation pane, choose Directory, then choose Groups.
- Choose the `sagemaker` group you created.
- On the Users tab, choose the plus sign to add a user.
- Add the user you created.
Connect Ping Identity and IAM Identity Center
To configure the integration between Ping Identity and IAM Identity Center, you need access to both administration consoles. Although Ping Identity's application catalog includes IAM Identity Center, we recommend configuring a generic SAML application for greater control over settings and attribute mappings.
Complete the following steps:
- Go to the Ping Identity environment you created and choose Applications in the navigation pane.
- Choose the plus sign to add an application:
  - For Application name, enter a name (for this example, we use `unifiedstudio`).
  - For Description, enter an optional description.
  - For Application Type, choose SAML Application.
  - Choose Configure.

- Sign in to the IAM Identity Center console as a user with administrative privileges.
- In the navigation pane, choose Settings to update your settings:
  - On the Identity source tab, choose Change identity source from the Actions dropdown menu.

  - For Choose identity source, select External identity provider, then choose Next.

  - In the Service provider metadata section, choose Download metadata file to download the IAM Identity Center metadata file.
You'll use this service provider metadata file in the next step when you connect Ping Identity with IAM Identity Center.

- Return to the Ping Identity console and the SAML application page.
- In the SAML Configuration section, select Import Metadata, upload the metadata file you downloaded from IAM Identity Center, then choose Save.

- On the Overview tab of the application page, choose Download Metadata under Connection details to download the Ping Identity IdP metadata.
You'll use this file for the SAML configuration in IAM Identity Center to set up Ping Identity as an IdP in the next step.
- Return to the IAM Identity Center console and continue configuring your identity source:
  - In the Identity provider metadata section, choose Choose file under IdP SAML metadata, upload the metadata file you downloaded from Ping Identity, then choose Next.

  - Choose Accept to accept the disclaimer.
  - Choose Change identity source.
- Return to the Ping Identity console to complete the SAML configuration.
- On the Configuration tab, choose the edit icon to update the configuration:
  - For Sign, choose Sign Assertion & Response.
  - For Subject Name ID, enter `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
  - For Assertion Validity Duration, enter `300`.
  - Leave the remaining values as default.

- On the Attributes tab, choose the edit icon.
- Choose +Add to add two attribute mappings:
  - Map the attribute `saml-subject` to Username, and leave Name format as default.
  - Map the attribute `https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email` to Email Address, and set Name format to Unspecified.
  - Choose Save.

- On the PingOne Policies tab, select Single Factor, then choose Save.
This post uses single-factor authentication for demonstration purposes only. In your own environments, follow your organization's security standards and governance framework, which for workforce SSO normally means requiring multi-factor authentication at the IdP.
- On the Access tab, search for the `sagemaker` group under Group Membership Policy, and assign the `unifiedstudio` SAML application to the group.
- Enable the application.
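Before testing the SSO flow end to end, it is worth capturing one SAML response from Ping (a browser SAML tracer extension will show it) and checking that it actually reflects the settings above: both the Response and the Assertion signed, an emailAddress-format NameID, a validity window of no more than 300 seconds, and the PrincipalTag:Email attribute present. The following checker is an added example and is not code from the original post or from Ping Identity or AWS; the sample response it builds is constructed, its Signature elements are placeholders, and it checks only that signatures are present. Verifying the signature itself needs an XML-DSig library such as xmlsec together with the IdP certificate from the Ping metadata you downloaded.

```python
"""Check a SAML Response against the Ping application settings used in this post.
Added example; the sample response is constructed and its signatures are placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EMAIL_TAG_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
MAX_VALIDITY = timedelta(seconds=300)  # Assertion Validity Duration configured in Ping
SAMPLE_NOW = datetime(2025, 1, 1, 12, 1, tzinfo=timezone.utc)  # "current time" for the sample


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, now):
    """Return a list of problems; an empty list means the response matches the
    Ping settings. Signature presence is checked, signature validity is not."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    # Sign Assertion & Response: both elements must carry their own ds:Signature
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # Subject Name ID must use the emailAddress format and look like an email
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    # Validity window: at most 300 s wide and containing the current time
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not_after - not_before > MAX_VALIDITY:
            problems.append("validity window longer than 300 s")
        if not (not_before <= now < not_after):
            problems.append("assertion not valid at current time")
    # PrincipalTag:Email must be present, with the unspecified name format and an email value
    attrs = {a.get("Name"): a for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email_attr = attrs.get(EMAIL_TAG_ATTR)
    if email_attr is None:
        problems.append(f"missing attribute {EMAIL_TAG_ATTR}")
    else:
        if email_attr.get("NameFormat", UNSPECIFIED_FMT) != UNSPECIFIED_FMT:
            problems.append("PrincipalTag:Email NameFormat is not unspecified")
        val = email_attr.find("saml:AttributeValue", NS)
        if val is None or "@" not in (val.text or ""):
            problems.append("PrincipalTag:Email has no email value")
    return problems


def build_sample_response(name_id_format=EMAIL_NAMEID, sign_assertion=True, validity_seconds=300,
                          issued=datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)):
    """Constructed sample response (not a real Ping assertion). The Signature
    elements are placeholders that only exercise the presence checks."""
    nb = issued.strftime("%Y-%m-%dT%H:%M:%SZ")
    na = (issued + timedelta(seconds=validity_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
    assertion_sig = sig if sign_assertion else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="{nb}">
  <saml:Issuer>https://auth.pingone.example/unifiedstudio</saml:Issuer>
  {sig}
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>https://auth.pingone.example/unifiedstudio</saml:Issuer>
    {assertion_sig}
    <saml:Subject><saml:NameID Format="{name_id_format}">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_TAG_ATTR}" NameFormat="{UNSPECIFIED_FMT}">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_saml_response(build_sample_response(), SAMPLE_NOW))
    print(check_saml_response(build_sample_response(sign_assertion=False), SAMPLE_NOW))
```

To use it against a real capture, base64-decode the SAMLResponse form field from the tracer and pass the XML string to `check_saml_response` with `datetime.now(timezone.utc)`. A non-empty list points at the Ping setting that was not applied; an assertion that is unsigned or has a long validity window is what IAM Identity Center would accept at the protocol level but your replay and tampering exposure depends on.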

Set up automatic provisioning of users and groups from Ping Identity into IAM Identity Center
To configure automatic provisioning of users and groups from Ping Identity into IAM Identity Center through SCIM, you must have access to both administration consoles. Complete the following steps:
- On the IAM Identity Center console, choose Settings in the navigation pane.
- In the Automatic provisioning section, choose Enable.
This enables automatic provisioning in IAM Identity Center and displays the SCIM endpoint and access token you need.
- In the Inbound automatic provisioning dialog box, copy the values for SCIM endpoint and Access token, then choose Close.
You'll use these values to configure provisioning in Ping Identity in the next step. Treat the access token as a secret: it grants write access to your Identity Center directory.
This completes the setup in IAM Identity Center.
- Log in to the Ping Identity console.
- In the navigation pane, choose Integrations, then choose Provisioning.
- Choose the plus sign to add a new connection.

- For Select a connection type, choose Select next to Identity Store.

- Provide a name (for this example, we use `Identitycenter`) and an optional description, then choose Next.

- Under Configure Authentication, provide the following configuration:
  - For SCIM BASE URL, enter the SCIM endpoint from IAM Identity Center.
  - For Authentication Method, choose OAuth 2 Bearer Token.
  - For OAuth Access Token, enter the access token from IAM Identity Center.
  - For Auth Type Header, choose Bearer (the default option).
  - Choose Test Connection to validate the connection between Ping Identity and IAM Identity Center, then choose Next.

- Under Configure Preferences, provide the following configuration:
  - For User Filter Expression, enter `userName Eq "%s"`.
  - For Group Membership Handling, select Merge.
  - Leave the remaining settings as default and choose Save.

- On the Provisioning tab, choose the plus sign, then choose New Rule to create a rule for the SCIM connection.

- Enter a name (for this example, `unifiedstudio`) and an optional description, then choose Create Rule.
- Under the newly created rule, choose the plus sign next to Available Connections to add the `Identitycenter` connection, then choose Save.
- Edit the user filter:
  - For Attribute, choose Enabled.
  - For Operator, choose Equals.
  - For Value, choose true.
  - Choose Save.

- Choose the edit icon next to Attribute Mapping and set the attribute mappings as shown in the following screenshot:
  - Delete the Primary Phone attribute mapping, because the attribute is optional in AWS and leaving this field blank can cause Ping Identity's SCIM connector to generate errors during user provisioning.
  - Add a new attribute called `Username` under PingOne Directory and map it to `displayName` under Identitycenter.

- Under Group Provisioning, choose the `sagemaker` group if you want to sync all members of the `sagemaker` group with automatic provisioning.
- In the pop-up, select I understand and want to proceed, then choose Save.


- On the Provisioning page, choose the Connections tab.
- Enable the SCIM connection `Identitycenter` and the rule `unifiedstudio`.

This completes the SCIM setup between Ping Identity and IAM Identity Center.
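Once the rule is enabled, you can confirm that a user actually arrived in IAM Identity Center with the attributes the rule maps by issuing the same filtered lookup Ping's connector performs (the User Filter Expression above, `userName eq "<name>"`, sent with the bearer token). The following script is an added example, not code from the original post or from Ping or AWS. It assumes the SCIM endpoint and access token from the Inbound automatic provisioning dialog; the base URL and the ListResponse it parses offline are constructed, and the hypothetical `FakeScimResponse` class exists only so the check can run without network access. The `displayName` check reflects the Username-to-displayName mapping configured above, and the phone check reflects the reason the Primary Phone mapping was deleted.

```python
"""Verify a SCIM-provisioned user in IAM Identity Center. Added example; endpoint,
token and response data below are constructed placeholders."""
import json
import urllib.parse
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def user_lookup_request(scim_base_url, token, username):
    """Build the GET the Ping connector issues for its userName filter. SCIM filter
    operators are case-insensitive, so 'eq' here matches the 'Eq' in the Ping UI."""
    # The filter value is a quoted string: escape backslashes and embedded quotes
    escaped = username.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    url = f"{scim_base_url.rstrip('/')}/Users?{query}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",  # Auth Type Header: Bearer
        "Accept": "application/scim+json",
    })


def verify_provisioned_user(body, username, expected_display_name):
    """Inspect a SCIM ListResponse; return a list of problems (empty means OK)."""
    problems = []
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        return ["response is not a SCIM ListResponse"]
    users = [u for u in doc.get("Resources", []) if u.get("userName") == username]
    if len(users) != 1:
        return [f"expected exactly one user {username!r}, found {len(users)}"]
    user = users[0]
    if not user.get("active", False):
        problems.append("user is not active")  # rule filter was Enabled == true
    if user.get("displayName") != expected_display_name:
        problems.append(f"displayName is {user.get('displayName')!r}, expected {expected_display_name!r}")
    # Primary Phone was left unmapped; a blank entry is what made the connector fail
    if any(not p.get("value") for p in user.get("phoneNumbers", [])):
        problems.append("blank phoneNumbers entry present")
    return problems


def lookup_user(scim_base_url, token, username, expected_display_name, opener=urllib.request.urlopen):
    """Live check against the SCIM endpoint; pass a fake opener to run offline."""
    with opener(user_lookup_request(scim_base_url, token, username)) as resp:
        return verify_provisioned_user(resp.read().decode(), username, expected_display_name)


class FakeScimResponse:
    """Hypothetical stand-in for the urlopen response, for offline runs only."""
    def __init__(self, body):
        self.body = body
    def read(self):
        return self.body.encode()
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


# Constructed sample ListResponse shaped like a SCIM 2.0 user listing
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "Resources": [{
        "id": "ab12cd34-0000-0000-0000-000000000001",
        "userName": "jdoe@example.com",
        "displayName": "jdoe@example.com",
        "active": True,
        "emails": [{"value": "jdoe@example.com", "primary": True}],
    }],
})


if __name__ == "__main__":
    offline = lambda req: FakeScimResponse(SAMPLE_LIST_RESPONSE)
    print(lookup_user("https://scim.example.test/tenant/scim/v2", "token", "jdoe@example.com",
                      "jdoe@example.com", opener=offline))
```

Against the real endpoint, call `lookup_user` with the SCIM endpoint and token from the Identity Center dialog and the default opener. A 401 means the token is wrong or has expired; an empty result means the Ping rule did not push the user, which is usually the Enabled filter or a group not included under Group Provisioning.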
Configure SageMaker Unified Studio SSO user access
Complete the following steps to configure SSO user access to SageMaker Unified Studio for your SageMaker domain:
- On the SageMaker console, choose Domains in the navigation pane.
- Choose the domain for which you want to configure SAML user access.
- On the domain details page, you can find the SSO configuration in two places:
  - From the main domain view, choose Configure next to Configure SSO user access.
  - Alternatively, scroll down to the User management tab and choose Configure SSO user access.

- On the Choose user authentication method page, select IAM Identity Center, then choose Next.

- For Choose user and group assignment method, choose one of the following options, then choose Next:
  - Require assignments: Users and groups must be explicitly added to the domain to gain access. This gives you more granular control over who can access the domain.
  - Don't require assignments: All Ping Identity users and groups that have been assigned to the SAML application in Ping Identity can access this domain.
With either option, users or groups must have access to the Ping Identity SAML application (`unifiedstudio` in this example) to authenticate successfully.
- On the Review and save page, review your choices and choose Save. These settings can't be changed after you save them.

- If you chose to require assignments, use the Add users and groups section to add SAML users and groups to your domain.

Users can now access SageMaker Unified Studio at the domain URL with their SSO credentials.
You can create different projects for your users and assign those projects based on your IdP user groups for fine-grained access control. For example, you can create SAML user groups in Ping Identity based on job function, assign those groups to the `unifiedstudio` SAML application in Ping Identity, and then assign those groups to their respective project profiles in SageMaker Unified Studio. To assign project profiles to groups, choose the Project profiles tab and choose your project profile. On the Authorized users and groups page, choose Add, then choose SSO groups. Choose the Add users and groups button to complete the project profile assignment.

Validate access with Ping Identity users
Complete the following steps to validate access:
- On the SageMaker domain details page, choose the link for the SageMaker Unified Studio URL.

- Log in with your Ping Identity user credentials.
After a successful login, you are redirected to the SageMaker Unified Studio home page, where projects can be assigned to your SAML user groups for fine-grained access control.
- To assign an authorization policy, choose Govern, then Domain units.
- Choose your SageMaker domain, then choose a suitable authorization policy. For this example, we choose Project creation policy.

- Choose Add policy grant to assign user groups or users to their respective project profiles.

You have successfully federated SageMaker Unified Studio with Ping Identity as an IdP through IAM Identity Center. You can now sign in to SageMaker Unified Studio with your Ping Identity credentials.
Clean up
After you try out this solution, remember to delete the resources you created to avoid incurring future costs. For instructions to delete your SageMaker Unified Studio domain, refer to Delete domains. If you want to delete your Ping Identity account, contact Ping Identity for assistance.
Conclusion
In this post, we demonstrated how to set up Ping Identity as a SAML IdP for SageMaker Unified Studio access through IAM Identity Center federation. To learn more, refer to the Amazon SageMaker Unified Studio User Guide, which provides guidance on building data and AI applications using SageMaker.
About the authors

