AWS Big Data Blog

Federate access to Amazon SageMaker Unified Studio with AWS IAM Identity Center and Ping Identity

With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your AWS accounts. External IdPs, such as Ping Identity, can integrate with AWS IAM Identity Center to be the source of truth for Amazon SageMaker Unified Studio. SageMaker Unified Studio also supports trusted identity propagation for SQL analytics, including Amazon Athena and Amazon Redshift.

SageMaker Unified Studio provides an integrated experience to use your data and tools for analytics and AI. You can use SageMaker Unified Studio to discover your data and put it to work using familiar AWS analytics and machine learning (ML) services for model development, generative AI, big data processing, and SQL analytics, assisted by Amazon Q Developer. By default, SageMaker domains support AWS Identity and Access Management (IAM) user credentials. You can also enable access to SageMaker domains in SageMaker Unified Studio for users with single sign-on (SSO) with IAM Identity Center and direct SAML integration with SageMaker Unified Studio.

Users can access SageMaker Unified Studio with their existing corporate credentials. With IAM Identity Center, administrators can connect their existing external IdPs and continue to manage users and groups in those existing identity systems, which can then be synchronized with IAM Identity Center using System for Cross-domain Identity Management (SCIM).

In this post, we show how to set up workforce access with SageMaker Unified Studio using Ping Identity as an external IdP with IAM Identity Center.

Solution overview

We walk through the following high-level steps to implement this solution:

  1. Enable IAM Identity Center.
  2. Create a SageMaker Unified Studio domain.
  3. Set up your IdP (for this example, Ping Identity).
  4. Connect Ping Identity and IAM Identity Center.
  5. Set up automatic provisioning of users and groups in IAM Identity Center.
  6. Configure SageMaker Unified Studio SSO user access.

Prerequisites

For this walkthrough, you should have the following prerequisites:

  • An AWS account with IAM Identity Center enabled. It is recommended to use an organization-level IAM Identity Center instance for best practices and centralized identity management across your AWS organization.
  • A Ping Identity account.
  • A browser with network connectivity to Ping Identity and SageMaker Unified Studio.

Enable IAM Identity Center

To enable IAM Identity Center, follow the instructions in Enable IAM Identity Center.

Create a SageMaker Unified Studio domain

To create a SageMaker Unified Studio domain, refer to the instructions in Create an Amazon SageMaker Unified Studio domain – manual setup.

On the SageMaker console, go to the domain details and copy the Amazon Resource Name (ARN) under Domain ARN. You will use this value when you add your trust policy and when you connect your IAM IdP to your Ping Identity instance.

Create a SageMaker Unified Studio domain

Set up your IdP (Ping Identity)

In this section, we walk through the procedure to set up your IdP (for this example, Ping Identity).

Create an environment in Ping Identity

Complete the following steps to create an environment for Ping Identity:

  1. Log in to your Ping Identity account.
  2. Choose Create Environment.
  3. Choose Create a Customer Solution.
  4. In the Tailor your experiences pop-up, choose Skip.
    Create an environment in Ping Identity

Create a group in Ping Identity

Complete the following steps to create a group in Ping Identity:

  1. On the Environments page, choose Manage Environments.
  2. In the navigation pane, choose Directory, then choose Groups.
  3. Choose the plus sign to add a group.
  4. For Group Name, enter sagemaker.
  5. For Description, enter an optional description (for example, Amazon SageMaker Unified Studio).
  6. For Population, choose Default.
  7. Choose Save.
    Create a group in Ping Identity
  8. On the Roles tab for the sagemaker group, assign the Environment Admin role to the group.
    Assigning roles for the sagemaker group

Create a user in Ping Identity

Complete the following steps to create a user:

  1. In the navigation pane, choose Directory, then choose Users.
  2. Choose the plus sign to create a user.
  3. Provide values for Given name, Family name, Username, and Email.
  4. For Password, choose First time password.
  5. Choose Save.

You can add more users as needed.

Assign group to user

Complete the following steps to assign your group to your user:

  1. In the navigation pane, choose Directory, then choose Groups.
  2. Choose the sagemaker group you created.
  3. On the Users tab, choose the plus sign to add a user.
  4. Add the user you created.

Connect Ping Identity and IAM Identity Center

To configure the integration between Ping Identity and IAM Identity Center, you need access to both management consoles. Although Ping Identity’s application catalog includes IAM Identity Center, we recommend configuring a standard SAML application for greater control over settings and attribute mappings.

Complete the following steps:

  1. Go to the Ping Identity environment you created and choose Applications in the navigation pane.
  2. Choose the plus sign to add an application:
    1. For Application name, enter a name (for this example, we use unifiedstudio).
    2. For Description, enter an optional description.
    3. For Application Type, choose SAML Application.
    4. Choose Configure.

    Creating a SAML app integration in Ping Identity

  3. Sign in to the IAM Identity Center console as a user with administrative privileges.
  4. In the navigation pane, choose Settings to update your settings:
    1. On the Identity source tab, choose Change identity source on the Actions dropdown menu.
      Selecting identity source in AWS IAM Identity Center
    2. For Choose identity source, select External identity provider, then choose Next.

      Choosing External Identity provider in AWS IAM Identity Center

    3. In the Service provider metadata section, choose Download metadata file to download the IAM Identity Center metadata file.

      You will use this service provider metadata file in the next step when you connect Ping Identity with IAM Identity Center.

    Downloading service provider metadata from AWS IAM Identity Center

  5. Return to the Ping Identity console and the SAML application page.
  6. In the SAML Configuration section, select Import Metadata, upload the metadata file you downloaded, then choose Save.

    Importing service provider metadata into Ping Identity

  7. On the Overview tab of the application page, choose Download Metadata under Connection details to download the Ping Identity IdP metadata.
    You will use this for the SAML configuration in IAM Identity Center to set up Ping Identity as an IdP in the next step.

    Downloading Identity provider metadata from Ping Identity

  8. Return to the IAM Identity Center console and continue configuring your identity source:
    1. In the Identity provider metadata section, choose Choose file under IdP SAML metadata, upload the metadata file you downloaded from Ping Identity, then choose Next.

      Configuring Ping Identity as Identity Provider in AWS IAM Identity Center

    2. Choose Accept to accept the disclaimer.
    3. Choose Change identity source.
  9. Return to the Ping Identity console to complete the SAML configuration.
  10. On the Configuration tab, choose the edit icon to update the configuration:
    1. For Sign, choose Sign Assertion & Response.
    2. For Subject Name ID, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. For Assertion Validity Duration, enter 300.
    4. Leave the remaining values as default.

    Ping Identity SAML Configurations

  11. On the Attributes tab, choose the edit icon.
  12. Choose +Add to add two attribute mappings:
    1. Map the attribute saml-subject to Username, and leave Name format as default.
    2. Map the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email to Email Address, and set Name format to Unspecified.
    3. Choose Save.

    Ping Identity SAML attributes mapping

  13. On the PingOne Policies tab, select Single Factor, then choose Save.
    This post uses single-factor authentication for demonstration purposes only. In your environments, follow your organization’s security standards and governance framework.

    Ping Identity policy configuration

  14. On the Access tab, search for the sagemaker group under Group Membership Policy, and assign the unifiedstudio SAML application to the group.
  15. Enable the application.
    Enabling Ping Identity SAML application
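
The SAML settings chosen above (signed response and assertion, the emailAddress NameID format, a 300-second assertion validity, and the PrincipalTag:Email attribute) can be confirmed on an assertion captured from a browser SAML tracer when a login fails. The following Python script is an added example, not code from this post, AWS, or Ping Identity. The embedded response is a constructed sample with placeholder issuer and signature values, and the script only confirms that Signature elements are present; it does not verify them cryptographically, which IAM Identity Center does at login.

```python
"""Check a SAML response against the Ping Identity settings configured in this post.

Added example, not code from the post or from AWS/Ping Identity. It checks the
structural properties the console settings are meant to produce. It does NOT
validate XML signatures; treat a PASS here as "configured as intended", not
"authentic".
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_TAG = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
MAX_VALIDITY_SECONDS = 300  # "Assertion Validity Duration" entered in Ping Identity

# Constructed sample response: placeholder issuer, placeholder signature values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>https://auth.pingone.example/ENV_ID_PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://auth.pingone.example/ENV_ID_PLACEHOLDER</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T12:00:00Z" NotOnOrAfter="2025-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC timestamps SAML uses, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported SAML timestamp: {value}")


def check_assertion(xml_text):
    """Return a dict of check name -> bool for the settings this post configures."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conditions = assertion.find("saml:Conditions", NS)
    attrs = {a.get("Name"): a
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email_attr = attrs.get(EMAIL_TAG)

    validity_ok = False
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        window = _parse_time(conditions.get("NotOnOrAfter")) - _parse_time(conditions.get("NotBefore"))
        validity_ok = 0 < window.total_seconds() <= MAX_VALIDITY_SECONDS

    email_value = ""
    if email_attr is not None:
        email_value = (email_attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()

    return {
        "assertion_present": True,
        # "Sign Assertion & Response": a Signature element directly under each.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "nameid_is_email_format": name_id is not None and name_id.get("Format") == EMAIL_NAMEID,
        "email_attribute_present": email_attr is not None,
        "email_attribute_matches_nameid": (
            name_id is not None and email_value != "" and email_value == (name_id.text or "").strip()
        ),
        "validity_within_limit": validity_ok,
    }


def all_checks_pass(xml_text):
    return all(check_assertion(xml_text).values())


if __name__ == "__main__":
    for name, ok in check_assertion(SAMPLE_RESPONSE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against a decoded SAMLResponse saved from a tracer; a FAIL on `validity_within_limit` or `nameid_is_email_format` points at the Configuration tab, a FAIL on `email_attribute_present` at the Attributes tab.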

Set up automatic provisioning of users and groups from Ping Identity into IAM Identity Center

To configure the automatic provisioning of users and groups between Ping Identity and IAM Identity Center through SCIM, you must have access to both management consoles. Complete the following steps:

  1. On the IAM Identity Center console, choose Settings in the navigation pane.
  2. In the Automatic provisioning section, choose Enable.
    Enabling automatic provisioning in AWS IAM Identity Center

    This enables automatic provisioning in IAM Identity Center and displays the necessary SCIM endpoint and access token information.

  3. In the Inbound automatic provisioning dialog box, copy the values for SCIM endpoint and Access token, then choose Close.
    You will use these values to configure provisioning in Ping Identity in the next step.

    Automatic provisioning configuration parameters in IAM Identity Center

    This completes the setup process in IAM Identity Center.

  4. Log in to the Ping Identity console.
  5. In the navigation pane, choose Integrations, then choose Provisioning.
  6. Choose the plus sign to add a new connection.
    Creating a new SCIM connection
  7. For Choose a connection type, choose Select next to Identity Store.
    Choosing connection type
  8. Provide a name (for this example, we use Identitycenter) and an optional description, then choose Next.
    Creating new connection
  9. Under Configuration Authentication, provide the following configuration:
    1. For SCIM BASE URL, enter the SCIM endpoint from IAM Identity Center.
    2. For Authentication Method, choose OAuth 2 Bearer Token.
    3. For Oauth Access Token, enter the access token from IAM Identity Center.
    4. For Auth Type Header, choose Bearer (default option).
    5. Choose Test Connection to validate the connection between Ping Identity and IAM Identity Center, then choose Next.

    Configuring authentication between Ping Identity and IAM Identity Center

  10. Under Configuration Preference, provide the following configuration:
    1. For User Filter Expression, enter userName Eq "%s".
    2. For Group Membership Handling, select Merge.
    3. Leave the remaining settings as default and choose Save.

    SCIM connection preferences

  11. On the Provisioning tab, choose the plus sign, then choose New Rule to create a rule for the SCIM connection.
    Creating a new SCIM rule
  12. Enter a name (for this example, unifiedstudio) and an optional description, then choose Create Rule.
  13. Under the newly created rule, choose the plus sign next to Available Connections to add the connection Identitycenter, then choose Save.
  14. Edit the user filter:
    1. For Attribute, choose Enabled.
    2. For Operator, choose Equals.
    3. For Value, choose true.
    4. Choose Save.

    User Filter attributes mapping

  15. Choose the edit icon next to Attribute Mapping and set the attribute mappings as shown in the following screenshot:
    1. Delete the Primary Phone attribute mapping because it’s optional in AWS. Leaving this field blank can cause Ping Identity’s SCIM connector to generate errors during user provisioning.
    2. Add a new attribute called Username under PingOne Directory and then map to displayName under Identitycenter.

    Attributes mapping between Ping Identity SCIM and AWS IAM Identity Center

  16. Under Group Provisioning, choose the sagemaker group if you want to sync all sagemaker group users with auto provisioning.
    1. In the pop-up, select I understand and want to continue, then choose Save.

    Assigning groups to SCIM rule

  17. On the Provisioning page, choose the Connections tab.
  18. Enable the SCIM connection Identitycenter and rule unifiedstudio.

    Enabling the SCIM connection

    Enabling the SCIM rule

This completes the SCIM setup process between Ping Identity and IAM Identity Center.
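
To make the SCIM settings above concrete, the following Python script models what the Ping Identity connection and rule send to IAM Identity Center: the user lookup generated by the `userName Eq "%s"` filter expression, the Enabled-equals-true user filter, and the SCIM User body produced by the attribute mapping (Primary Phone removed, Username also sent as displayName). This is an added example, not code from this post, Ping Identity, or AWS; the endpoint, token, directory record, and list response are constructed placeholders, and the script sends no traffic.

```python
"""Model the SCIM exchange between the Ping Identity provisioning rule and IAM Identity Center.

Added example, not code from the post, Ping Identity or AWS. It models the
requests described in the post; it does not reproduce the connector itself.
"""
import json
from urllib.parse import urlencode

USER_FILTER_EXPRESSION = 'userName Eq "%s"'  # value entered in the Ping Identity connection
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed placeholders; the real values are shown once in the IAM Identity Center console.
SCIM_ENDPOINT = "https://scim.REGION_PLACEHOLDER.amazonaws.com/TENANT_PLACEHOLDER/scim/v2/"
ACCESS_TOKEN = "ACCESS_TOKEN_PLACEHOLDER"

# Constructed Ping Identity directory record carrying the fields the post maps.
PING_USER = {
    "username": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.com",
    "primary_phone": "",   # blank in the directory; must not reach the SCIM body
    "enabled": True,
}


def build_lookup_request(endpoint, username):
    """URL and headers for the lookup Ping performs before creating a user."""
    scim_filter = USER_FILTER_EXPRESSION % username
    url = endpoint.rstrip("/") + "/Users?" + urlencode({"filter": scim_filter})
    headers = {
        "Authorization": "Bearer " + ACCESS_TOKEN,  # "OAuth 2 Bearer Token", header type Bearer
        "Accept": "application/scim+json",
    }
    return url, headers


def passes_user_filter(record):
    """The provisioning rule's user filter: Enabled equals true."""
    return record.get("enabled") is True


def to_scim_user(record):
    """Apply the attribute mapping from the post to one directory record."""
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": record["username"],
        "displayName": record["username"],  # the Username -> displayName mapping added in the post
        "name": {"givenName": record["given_name"], "familyName": record["family_name"]},
        "emails": [{"value": record["email"], "primary": True, "type": "work"}],
        "active": record["enabled"],
    }
    # The Primary Phone mapping was deleted, so no phoneNumbers key is emitted even
    # when the directory value is blank; that blank value is what triggers the error.
    return user


def parse_list_response(body):
    """Read the SCIM ListResponse from the lookup -> (totalResults, userNames)."""
    data = json.loads(body)
    return data.get("totalResults", 0), [r.get("userName") for r in data.get("Resources", [])]


# Constructed example of the lookup result once the user has been provisioned.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "USER_ID_PLACEHOLDER", "userName": "jane.doe@example.com", "active": True}],
})


if __name__ == "__main__":
    url, headers = build_lookup_request(SCIM_ENDPOINT, PING_USER["username"])
    print(url)
    if passes_user_filter(PING_USER):
        print(json.dumps(to_scim_user(PING_USER), indent=2))
    print(parse_list_response(SAMPLE_LIST_RESPONSE))
```

Because the access token is shown only once in the console and grants write access to your identity store, keep it in a secrets manager rather than in a script, and rotate it from the Automatic provisioning section if it is ever exposed.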

Configure SageMaker Unified Studio SSO user access

Complete the following steps to configure SSO user access to SageMaker Unified Studio for your SageMaker domain:

  1. On the SageMaker console, choose Domains in the navigation pane.
  2. Choose the domain for which you want to configure SAML user access.
  3. On the domain details page, you can find the SSO configuration in two locations:
    1. From the main domain view, choose Configure next to Configure SSO user access.
    2. Alternatively, scroll down to the User management tab and choose Configure SSO user access.

    SageMaker Unified Studio SSO configuration

  4. On the Choose user authentication method page, select IAM Identity Center, then choose Next.
    Choosing authentication
  5. For Choose user and group assignment method, choose from the following options, then choose Next:
    1. Require assignments: Users and groups must be explicitly added to the domain to gain access. This provides more granular control over who can access the domain.
    2. Do not require assignments: All authorized Ping Identity users and groups can access this domain if they have been assigned to the SAML application in Ping Identity.

    For either option, users or groups must have access to the Ping Identity SAML application (unifiedstudio in this example) to authenticate successfully.

    SageMaker Unified Studio SAML configuration

  6. On the Review and save page, review your choices and choose Save. These settings can’t be changed after you save them.
    Review and confirm SAML configuration
  7. If you’ve chosen to require assignments, use the Add users and groups section to add SAML users and groups to your domain.
    Add users and groups to SageMaker Unified Studio domain

Now, users will be able to access SageMaker Unified Studio using the domain URL with their SSO credentials.

You can explore different projects for your users and assign those projects based on your IdP user groups for fine-grained access controls. For example, you can create different SAML user groups based on their job function in Ping Identity, then assign those Ping Identity groups to the unifiedstudio SAML application in Ping Identity, and then assign those Ping Identity SAML groups to their respective project profiles in SageMaker Unified Studio. To assign project profiles to their respective groups, choose the Project profiles tab and choose your project profile. On the Authorized users and groups page, choose Add, then choose SSO groups. Choose the Add users and groups button to complete the project profile assignment.

Assigning a project profile to Ping Identity group

Validate access with Ping Identity users

Complete the following steps to validate access:

  1. On the SageMaker domain details page, choose the link for the SageMaker Unified Studio URL.
    Validating Ping Identity user access with Amazon SageMaker Unified Studio
  2. Log in with your user credentials.
    After successful login, you will be redirected to the SageMaker Unified Studio home page. Here, you can explore different projects for your users and assign those projects based on your SAML user groups for fine-grained access control.

    SAML authenticated Amazon SageMaker Unified Studio

  3. To assign an authorization policy, choose Govern and then Domain units.
  4. Choose your SageMaker domain, then choose a suitable authorization policy. For this example, we choose Project creation policy.
    Amazon SageMaker Unified Studio authorization policies
  5. Choose Add policy grant to assign user groups or users to their respective project profiles.
    Amazon SageMaker Unified Studio authorization policies assignment

You have successfully federated SageMaker Unified Studio with Ping Identity as an IdP with IAM Identity Center. You can connect to SageMaker Unified Studio by using your Ping Identity credentials.

Clean up

After you test out this solution, remember to delete the resources you created to avoid incurring future charges. For instructions to delete your SageMaker Unified Studio domain, refer to Delete domains. If you want to delete your Ping Identity account, reach out to Ping Identity for assistance.

Conclusion

In this post, we demonstrated how to set up Ping Identity as an IdP over SAML authentication for SageMaker Unified Studio access through IAM Identity Center federation. To learn more, refer to the Amazon SageMaker Unified Studio User Guide, which provides guidance on how to build data and AI applications using SageMaker.

About the authors

Raghavarao Sodabathina

Raghavarao is a Principal Solutions Architect at AWS, focusing on data analytics, AI/ML, and cloud security. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.

Matt Nispel

Matt is an Enterprise Solutions Architect at AWS. He has more than 10 years of experience building cloud architectures for large enterprise companies. At AWS, Matt helps customers rearchitect their applications to take full advantage of the cloud. Matt lives in Minneapolis, Minnesota, and in his free time enjoys spending time with friends and family.

Himanshu Sarda

Himanshu is a Solutions Architect at AWS who specializes in generative AI and autonomous agent architectures, helping enterprise customers revolutionize their businesses through cutting-edge AI solutions. When not pioneering AI innovations, Himanshu recharges by exploring the outdoors and creating memories with family and friends.

Nicholaus Lawson

Nicholaus is a Solutions Architect at AWS and part of the AI/ML specialty group. He has a background in software engineering and AI research. Outside of work, Nicholaus is often coding, learning something new, or woodworking.

Krupanidhi Jay

Krupanidhi is a Boston-based Enterprise Solutions Architect at AWS. He is a seasoned architect with over 20 years of experience in helping customers with digital transformation and delivering seamless digital user experiences. He enjoys working with customers to help them build scalable, cost-effective solutions in AWS. Outside of work, Jay enjoys spending time with family and traveling.