
Federate access to Amazon SageMaker Unified Studio with AWS IAM Identity Center and Ping Identity


With an identity provider (IdP), you can manage your user identities outside of AWS and give those external user identities permissions to use AWS resources in your AWS accounts. External IdPs, such as Ping Identity, can integrate with AWS IAM Identity Center to be the source of truth for Amazon SageMaker Unified Studio. SageMaker Unified Studio also supports trusted identity propagation for SQL analytics, including Amazon Athena and Amazon Redshift.

SageMaker Unified Studio provides an integrated experience for using your data and tools for analytics and AI. You can use SageMaker Unified Studio to discover your data and put it to work using familiar AWS analytics and machine learning (ML) services for model development, generative AI, big data processing, and SQL analytics, assisted by Amazon Q Developer. By default, SageMaker domains support AWS Identity and Access Management (IAM) user credentials. You can also enable access to SageMaker domains in SageMaker Unified Studio for users with single sign-on (SSO) through IAM Identity Center, or through direct SAML integration with SageMaker Unified Studio.

Users can access SageMaker Unified Studio with their existing corporate credentials. With IAM Identity Center, administrators can connect their existing external IdPs and continue to manage users and groups in those identity systems, which can then be synchronized with IAM Identity Center using System for Cross-domain Identity Management (SCIM).

In this post, we show how to set up workforce access to SageMaker Unified Studio using Ping Identity as an external IdP with IAM Identity Center.

Solution overview

We walk through the following high-level steps to implement this solution:

  1. Enable IAM Identity Center.
  2. Create a SageMaker Unified Studio domain.
  3. Set up your IdP (for this example, Ping Identity).
  4. Connect Ping Identity and IAM Identity Center.
  5. Set up automatic provisioning of users and groups in IAM Identity Center.
  6. Configure SageMaker Unified Studio SSO user access.

Prerequisites

For this walkthrough, you should have the following prerequisites:

  • An AWS account with IAM Identity Center enabled. We recommend using an organization-level IAM Identity Center instance, which follows best practice and centralizes identity management across your AWS organization.
  • A Ping Identity account.
  • A browser with network connectivity to Ping Identity and SageMaker Unified Studio.

Enable IAM Identity Center

To enable IAM Identity Center, follow the instructions in Enable IAM Identity Center.

Create a SageMaker Unified Studio domain

To create a SageMaker Unified Studio domain, refer to the instructions in Create an Amazon SageMaker Unified Studio domain – manual setup.

On the SageMaker console, go to the domain details and copy the Amazon Resource Name (ARN) under Domain ARN. You'll use this value when you add your trust policy and when you connect your IAM IdP to your Ping Identity instance.

Create a SageMaker Unified Studio domain

Set up your IdP (Ping Identity)

In this section, we walk through the procedure to set up your IdP (for this example, Ping Identity).

Create an environment in Ping Identity

Complete the following steps to create an environment in Ping Identity:

  1. Log in to your Ping Identity account.
  2. Choose Create Environment.
  3. Choose Create a Customer Solution.
  4. In the Tailor your experiences pop-up, choose Skip.

    Create an environment in Ping Identity

Create a group in Ping Identity

Complete the following steps to create a group in Ping Identity:

  1. On the Environments page, choose Manage Environments.
  2. In the navigation pane, choose Directory, then choose Groups.
  3. Choose the plus sign to add a group.
  4. For Group Name, enter sagemaker.
  5. For Description, enter an optional description (for example, Amazon SageMaker Unified Studio).
  6. For Population, choose Default.
  7. Choose Save.

    Create a group in Ping Identity
  8. On the Roles tab for the sagemaker group, assign the Environment Admin role to the group.

    Assigning roles for the sagemaker group

Create a user in Ping Identity

Complete the following steps to create a user:

  1. In the navigation pane, choose Directory, then choose Users.
  2. Choose the plus sign to create a user.
  3. Provide values for Given name, Family name, Username, and Email.
  4. For Password, choose First time password.
  5. Choose Save.

You can add more users as needed.

Assign the group to the user

Complete the following steps to assign your group to your user:

  1. In the navigation pane, choose Directory, then choose Groups.
  2. Choose the sagemaker group you created.
  3. On the Users tab, choose the plus sign to add a user.
  4. Add the user you created.

Connect Ping Identity and IAM Identity Center

To configure the integration between Ping Identity and IAM Identity Center, you need access to both administration consoles. Although Ping Identity's application catalog includes IAM Identity Center, we recommend configuring a standard SAML application for greater control over settings and attribute mappings.

Complete the following steps:

  1. Go to the Ping Identity environment you created and choose Applications in the navigation pane.
  2. Choose the plus sign to add an application:
    1. For Application name, enter a name (for this example, we use unifiedstudio).
    2. For Description, enter an optional description.
    3. For Application Type, choose SAML Application.
    4. Choose Configure.

    Creating a SAML app integration in Ping Identity

  3. Sign in to the IAM Identity Center console as a user with administrative privileges.
  4. In the navigation pane, choose Settings to update your settings:
    1. On the Identity source tab, choose Change identity source on the Actions dropdown menu.

      Selecting identity source in AWS IAM Identity Center
    2. For Choose identity source, select External identity provider, then choose Next.

      Choosing External Identity provider in AWS IAM Identity Center

    3. In the Service provider metadata section, choose Download metadata file to download the IAM Identity Center metadata file.

      You'll use this service provider metadata file in the next step when you connect Ping Identity with IAM Identity Center.

    Downloading service provider metadata from AWS IAM Identity Center

  5. Return to the Ping Identity console and the SAML application page.
  6. In the SAML Configuration section, select Import Metadata, upload the metadata file you downloaded, then choose Save.

    Importing service provider metadata into Ping Identity

  7. On the Overview tab of the application page, choose Download Metadata under Connection details to download the Ping Identity IdP metadata.

    You'll use this file for the SAML configuration in IAM Identity Center to set up Ping Identity as an IdP in the next step.

    Downloading Identity provider metadata from Ping Identity

  8. Return to the IAM Identity Center console and continue configuring your identity source:
    1. In the Identity provider metadata section, choose Choose file under IdP SAML metadata, upload the metadata file you downloaded from Ping Identity, then choose Next.

      Configuring Ping Identity as Identity Provider in AWS IAM Identity Center

    2. Choose Accept to accept the disclaimer.
    3. Choose Change identity source.
  9. Return to the Ping Identity console to complete the SAML configuration.
  10. On the Configuration tab, choose the edit icon to update the configuration:
    1. For Sign, choose Sign Assertion & Response.
    2. For Subject Name ID, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. For Assertion Validity Duration, enter 300.
    4. Leave the remaining values as default.

    Ping Identity SAML Configurations

  11. On the Attributes tab, choose the edit icon.
  12. Choose +Add to add two attribute mappings:
    1. Map the attribute saml-subject to Username, and leave Name format as default.
    2. Map the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email to Email Address, and set Name format to Unspecified.
    3. Choose Save.

    Ping Identity SAML attributes mapping

  13. On the PingOne Policies tab, select Single Factor, then choose Save.

    This post uses single-factor authentication for demonstration purposes only. In your environments, follow your organization's security standards and governance framework.

    Ping Identity policy configuration

  14. On the Access tab, search for the sagemaker group under Group Membership Policy, and assign the unifiedstudio SAML application to the group.
  15. Enable the application.

    Enabling Ping Identity SAML application
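Steps 10 through 12 fix three properties of every assertion Ping Identity will send: an emailAddress-format NameID, a validity window of at most 300 seconds, and a PrincipalTag:Email attribute with an unspecified name format. The following script, an added example that is not part of the post and not code from AWS or Ping Identity, checks a captured SAML response (or the constructed, unsigned sample it builds itself) against those settings and reports which ones fail. It uses only the Python standard library; the issuer URL, the e-mail addresses and the timestamps in the sample are constructed, and signature verification is deliberately left to the service provider, IAM Identity Center, which performs it on every login.

```python
"""Offline check of a SAML response against the IdP settings configured above:
emailAddress NameID format, assertion validity of at most 300 seconds, and a
PrincipalTag:Email attribute with an unspecified name format whose value matches
the NameID. Added example; sample data is constructed and unsigned."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EMAIL_TAG_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
MAX_VALIDITY_SECONDS = 300  # Assertion Validity Duration entered in step 10
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_response(email="jane.doe@example.com", validity_seconds=300,
                          nameid_format=EMAIL_NAMEID_FORMAT,
                          attr_name_format=UNSPECIFIED_NAME_FORMAT, tag_email=None):
    """Construct an unsigned SAML response for testing (constructed data, not a
    real IdP capture). The keyword arguments let a test break one setting at a time."""
    not_before = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    not_on_or_after = not_before + timedelta(seconds=validity_seconds)
    tag_email = email if tag_email is None else tag_email
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{not_before.strftime(TIME_FMT)}">
  <saml:Issuer>https://auth.pingone.example/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before.strftime(TIME_FMT)}">
    <saml:Issuer>https://auth.pingone.example/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">{email}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
                     NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_TAG_ATTRIBUTE}" NameFormat="{attr_name_format}">
        <saml:AttributeValue>{tag_email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml_text):
    """Return a dict of check name -> bool for the first assertion in the response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conditions = assertion.find("saml:Conditions", NS)
    attributes = {a.get("Name"): a
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email_attr = attributes.get(EMAIL_TAG_ATTRIBUTE)
    email_value = None
    if email_attr is not None:
        value_el = email_attr.find("saml:AttributeValue", NS)
        email_value = value_el.text if value_el is not None else None

    # Validity window: NotBefore .. NotOnOrAfter must be positive and within the limit.
    validity_ok = False
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        window = _parse_time(conditions.get("NotOnOrAfter")) - _parse_time(conditions.get("NotBefore"))
        validity_ok = 0 < window.total_seconds() <= MAX_VALIDITY_SECONDS

    return {
        "nameid_is_email_format": name_id is not None and name_id.get("Format") == EMAIL_NAMEID_FORMAT,
        "validity_within_300s": validity_ok,
        "email_tag_present": email_attr is not None,
        "email_tag_name_format_unspecified": email_attr is not None
            and email_attr.get("NameFormat") == UNSPECIFIED_NAME_FORMAT,
        # In this setup both the NameID and the tag carry the user's e-mail; a
        # mismatch usually means a stale or mis-mapped attribute on the IdP side.
        "email_tag_matches_nameid": name_id is not None and email_value is not None
            and email_value.strip().lower() == (name_id.text or "").strip().lower(),
    }


def failing_checks(xml_text):
    """Sorted names of the checks that did not pass; empty when the assertion is compliant."""
    return sorted(name for name, ok in check_assertion(xml_text).items() if not ok)


if __name__ == "__main__":
    print(failing_checks(build_sample_response()))                        # []
    print(failing_checks(build_sample_response(validity_seconds=3600)))   # ['validity_within_300s']
```

To run it against a real login, decode the base64 SAMLResponse from a browser trace of your own test user and pass the XML to `failing_checks`; any name it returns points at the step above whose setting was not applied.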

Set up automatic provisioning of users and groups from Ping Identity into IAM Identity Center

To configure automatic provisioning of users and groups between Ping Identity and IAM Identity Center through SCIM, you must have access to both administration consoles. Complete the following steps:

  1. On the IAM Identity Center console, choose Settings in the navigation pane.
  2. In the Automatic provisioning section, choose Enable.

    Enabling automatic provisioning in AWS IAM Identity Center

    This enables automatic provisioning in IAM Identity Center and displays the required SCIM endpoint and access token information.

  3. In the Inbound automatic provisioning dialog box, copy the values for SCIM endpoint and Access token, then choose Close.

    You'll use these values to configure provisioning in Ping Identity in the next step.

    Automatic provisioning configuration parameters in IAM Identity Center

    This completes the setup process in IAM Identity Center.

  4. Log in to the Ping Identity console.
  5. In the navigation pane, choose Integrations, then choose Provisioning.
  6. Choose the plus sign to add a new connection.

    Creating a new SCIM connection
  7. For Choose a connection type, choose Select next to Identity Store.

    Choosing connection type
  8. Provide a name (for this example, we use Identitycenter) and an optional description, then choose Next.

    Creating new connection
  9. Under Configuration Authentication, provide the following configuration:
    1. For SCIM BASE URL, enter the SCIM endpoint from IAM Identity Center.
    2. For Authentication Method, choose OAuth 2 Bearer Token.
    3. For Oauth Access Token, enter the access token from IAM Identity Center.
    4. For Auth Type Header, choose Bearer (the default option).
    5. Choose Test Connection to validate the connection between Ping Identity and IAM Identity Center, then choose Next.

    Configuring authentication between Ping Identity and IAM Identity Center

  10. Under Configuration Preference, provide the following configuration:
    1. For User Filter Expression, enter userName Eq "%s".
    2. For Group Membership Handling, select Merge.
    3. Leave the remaining settings as default and choose Save.

    SCIM connection preferences

  11. On the Provisioning tab, choose the plus sign, then choose New Rule to create a rule for the SCIM connection.

    Creating a new SCIM rule
  12. Enter a name (for this example, unifiedstudio) and an optional description, then choose Create Rule.
  13. Under the newly created rule, choose the plus sign next to Available Connections to add the connection identitycenter, then choose Save.
  14. Edit the user filter:
    1. For Attribute, choose Enabled.
    2. For Operator, choose Equals.
    3. For Value, choose true.
    4. Choose Save.

    User Filter attributes mapping

  15. Choose the edit icon next to Attribute Mapping and set the attribute mappings as shown in the following screenshot:
    1. Delete the Primary Phone attribute mapping, because the attribute is optional in AWS. Leaving this field blank can cause Ping Identity's SCIM connector to generate errors during user provisioning.
    2. Add a new attribute called Username under PingOne Directory and map it to displayName under Identitycenter.

    Attributes mapping between Ping Identity SCIM and AWS IAM Identity Center

  16. Under Group Provisioning, choose the sagemaker group if you want to sync all sagemaker group users with auto provisioning.
    1. In the pop-up, select I understand and want to proceed, then choose Save.

    Assigning groups to SCIM rule


  17. On the Provisioning page, choose the Connections tab.
  18. Enable the SCIM connection Identitycenter and the rule unifiedstudio.

    Enabling the SCIM connection

    Enabling the SCIM rule

This completes the SCIM setup process between Ping Identity and IAM Identity Center.
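The provisioning rule configured above amounts to three pieces of logic: the lookup filter from step 10, the Enabled equals true user filter from step 14, and the attribute mapping from step 15, where Username is copied to displayName and the Primary Phone mapping is removed so that no blank value reaches the SCIM endpoint. The following Python, an added example that is not part of the post and not Ping Identity's or AWS's code, models that logic so the resulting SCIM payload can be inspected before the connection is enabled. It generalizes step 15.1 slightly: every optional attribute is omitted when empty, not just the phone number. The SCIM base URL and access token are placeholders, the three PingOne user records are constructed, and the set of attributes treated as required by IAM Identity Center (userName, displayName, name.givenName, name.familyName, active) is an assumption rather than something the post states.

```python
"""Model of the SCIM traffic implied by the Ping Identity provisioning rule above:
lookup filter (step 10), Enabled == true user filter (step 14) and attribute
mapping with empty optional attributes omitted (step 15). Added example."""
import json
from urllib.parse import quote

SCIM_BASE_URL = "https://scim.REGION.amazonaws.com/TENANT-ID/scim/v2"  # placeholder for the endpoint from step 3
SCIM_ACCESS_TOKEN = "PLACEHOLDER-ACCESS-TOKEN"  # placeholder; keep the real token in a secret store
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed PingOne directory records, shaped only as this example needs them.
SAMPLE_PING_USERS = [
    {"username": "jane.doe", "name": {"given": "Jane", "family": "Doe"},
     "email": "jane.doe@example.com", "primaryPhone": "", "enabled": True},
    {"username": "alex.lee", "name": {"given": "Alex", "family": "Lee"},
     "email": "alex.lee@example.com", "primaryPhone": "+1 555 0100", "enabled": True},
    {"username": "bob.smith", "name": {"given": "Bob", "family": "Smith"},
     "email": "bob.smith@example.com", "primaryPhone": "", "enabled": False},
]


def scim_filter(username):
    """Fill the User Filter Expression userName Eq "%s" for one user. Backslashes
    and double quotes in the value are escaped so the filter stays one string
    literal (RFC 7644 filter grammar); SCIM operators are case-insensitive."""
    escaped = username.replace("\\", "\\\\").replace('"', '\\"')
    return f'userName Eq "{escaped}"'


def lookup_request(username, token=SCIM_ACCESS_TOKEN):
    """The GET the connector issues to decide between creating and updating a user."""
    return {
        "method": "GET",
        "url": f"{SCIM_BASE_URL}/Users?filter={quote(scim_filter(username), safe='')}",
        "headers": {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    }


def passes_user_filter(ping_user):
    """Step 14: only records whose Enabled attribute equals true are provisioned."""
    return ping_user.get("enabled") is True


def to_scim_user(ping_user):
    """Step 15 mapping from a PingOne record to a SCIM 2.0 User resource."""
    if not passes_user_filter(ping_user):
        raise ValueError(f"user {ping_user.get('username')!r} is disabled; not provisioned")
    user = {
        "schemas": [USER_SCHEMA],
        "userName": ping_user["username"],
        "displayName": ping_user["username"],  # step 15.2: Username -> displayName
        "name": {"givenName": ping_user["name"]["given"],
                 "familyName": ping_user["name"]["family"]},
        "emails": [{"value": ping_user["email"], "type": "work", "primary": True}],
        "active": True,
    }
    # Step 15.1, generalized: an optional attribute is either sent with a real
    # value or left out entirely; a blank value is what triggers connector errors.
    phone = (ping_user.get("primaryPhone") or "").strip()
    if phone:
        user["phoneNumbers"] = [{"value": phone, "type": "work", "primary": True}]
    return user


def plan_provisioning(ping_users):
    """Split a directory batch into payloads to send and usernames the filter skips."""
    plan = {"provision": [], "skipped": []}
    for record in ping_users:
        if passes_user_filter(record):
            plan["provision"].append(to_scim_user(record))
        else:
            plan["skipped"].append(record["username"])
    return plan


if __name__ == "__main__":
    print(lookup_request("jane.doe")["url"])
    print(json.dumps(plan_provisioning(SAMPLE_PING_USERS), indent=2))
```

Treat the access token as a bearer credential for the identity store: anyone holding it can create, change and deactivate users and groups through this endpoint, so keep it in a secret store and rotate it before the expiry date the IAM Identity Center console shows for it.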

Configure SageMaker Unified Studio SSO user access

Complete the following steps to configure SSO user access to SageMaker Unified Studio for your SageMaker domain:

  1. On the SageMaker console, choose Domains in the navigation pane.
  2. Choose the domain for which you want to configure SAML user access.
  3. On the domain details page, you can find the SSO configuration in two places:
    1. From the main domain view, choose Configure next to Configure SSO user access.
    2. Alternatively, scroll down to the User management tab and choose Configure SSO user access.

    SageMaker Unified Studio SSO configuration

  4. On the Choose user authentication method page, select IAM Identity Center, then choose Next.

    Choosing authentication
  5. For Choose user and group assignment method, choose one of the following options, then choose Next:
    1. Require assignments: Users and groups must be explicitly added to the domain to gain access. This provides more granular control over who can access the domain.
    2. Don't require assignments: All authorized Ping Identity users and groups can access this domain if they have been assigned to the SAML application in Ping Identity.

    With either option, users or groups must have access to the Ping Identity SAML application (unifiedstudio in this example) to authenticate successfully.

    SageMaker Unified Studio SAML configuration

  6. On the Review and save page, review your selections and choose Save. These settings can't be modified after you save them.

    Review and confirm SAML configuration
  7. If you chose to require assignments, use the Add users and groups section to add SAML users and groups to your domain.

    Add users and groups to SageMaker Unified Studio domain

Users can now access SageMaker Unified Studio through the domain URL with their SSO credentials.

You can explore different projects for your users and assign those projects based on your IdP user groups for fine-grained access control. For example, you can create different SAML user groups based on job function in Ping Identity, assign those Ping Identity groups to the unifiedstudio SAML application in Ping Identity, and then assign those Ping Identity SAML groups to their respective project profiles in SageMaker Unified Studio. To assign project profiles to their respective groups, choose the Project profiles tab and choose your project profile. On the Authorized users and groups page, choose Add, then choose SSO groups. Choose the Add users and groups button to complete the project profile assignment.

Assigning a project profile to Ping Identity group

Validate access with Ping Identity users

Complete the following steps to validate access:

  1. On the SageMaker domain details page, choose the link for the SageMaker Unified Studio URL.

    Validating Ping Identity user access with Amazon SageMaker Unified Studio
  2. Log in with your user credentials.

    After a successful login, you are redirected to the SageMaker Unified Studio home page. Here, you can explore different projects for your users and assign those projects based on your SAML user groups for fine-grained access control.

    SAML authenticated Amazon SageMaker Unified Studio

  3. To assign an authorization policy, choose Govern and then Domain units.
  4. Choose your SageMaker domain, then choose an appropriate authorization policy. For this example, we choose Project creation policy.

    Amazon SageMaker unified studio authorization policies
  5. Choose Add policy grant to assign user groups or users to their respective project profiles.

    Amazon SageMaker unified studio authorization policies assignment

You've successfully federated SageMaker Unified Studio with Ping Identity as an IdP through IAM Identity Center. You can connect to SageMaker Unified Studio using your Ping Identity credentials.

Clean up

After you test this solution, remember to delete the resources you created to avoid incurring future charges. For instructions to delete your SageMaker Unified Studio domain, refer to Delete domains. If you want to delete your Ping Identity account, reach out to Ping Identity for support.

Conclusion

In this post, we demonstrated how to set up Ping Identity as an IdP using SAML authentication for SageMaker Unified Studio access through IAM Identity Center federation. To learn more, refer to the Amazon SageMaker Unified Studio User Guide, which provides guidance on building data and AI applications using SageMaker.


About the authors

Raghavarao Sodabathina

Raghavarao is a Principal Solutions Architect at AWS, specializing in data analytics, AI/ML, and cloud security. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.

Matt Nispel

Matt is an Enterprise Solutions Architect at AWS. He has more than 10 years of experience building cloud architectures for large enterprise companies. At AWS, Matt helps customers rearchitect their applications to take full advantage of the cloud. Matt lives in Minneapolis, Minnesota, and in his free time enjoys spending time with family and friends.

Himanshu Sarda

Himanshu is a Solutions Architect at AWS who focuses on generative AI and autonomous agent architectures, helping enterprise customers transform their businesses through cutting-edge AI solutions. When not pioneering AI innovations, Himanshu recharges by exploring the outdoors and creating memories with family and friends.

Nicholaus Lawson

Nicholaus is a Solutions Architect at AWS and part of the AI/ML specialty group. He has a background in software engineering and AI research. Outside of work, Nicholaus is usually coding, learning something new, or woodworking.

Krupanidhi Jay

Krupanidhi is a Boston-based Enterprise Solutions Architect at AWS. He is a seasoned architect with over 20 years of experience helping customers with digital transformation and delivering seamless digital user experiences. He enjoys working with customers to help them build scalable, cost-effective solutions on AWS. Outside of work, Jay enjoys spending time with family and traveling.
