Amazon SageMaker is a completely managed service that supplies every machine learning (ML) designer and information researcher the ability to construct, train, and release ML models at scale. Amazon SageMaker Studio is a web-based, integrated advancement environment (IDE) for ML. Amazon SageMaker Studio provides all the tools you require to take your designs from experimentation to production while increasing your efficiency. You can write code, track experiments, imagine data, and carry out debugging and tracking within a single, integrated visual interface.
OneLogin is an identity platform for safe and secure, scalable, and clever experiences that connects individuals to technology. OneLogins authentication and role-based user provisioning engine enables companies to carry out least privilege access controls and get rid of manual user management workflows for all AWS accounts and users.
In this post, we walk you through the steps to onboard existing users in OneLogin to Amazon SageMaker Studio. We likewise show the single sign-on (SSO) experience for system administrators and Amazon SageMaker Studio users.
The option contains the following crucial components:
OneLogins adapter for AWS SSO– The adapter sets up SAML 2.0 and System for Cross-domain Integration Management (SCIM) combination between OneLogin and AWS SSO.
User profile– The user profile (user) is a configuration for the user that exists in the SageMaker domain. The user profile specifies various configuration settings for the user, including the execution function and the default app requirements.
Execution function– The IAM execution role is the main function that is presumed by the users and the service on behalf of the user to permit them to carry out certain actions and provision resources in Studio.
AWS SSO– AWS Single Sign-On (AWS SSO) permits you to efficiently manage user identities at scale by establishing a single identity and gain access to strategy across your own applications, third-party applications (SaaS), and AWS environments.
The following architecture diagram reveals the flow of authentication and authorization from OneLogin to Amazon SageMaker Studio. Users visit through OneLogin, which authenticates them and passes a SAML authentication to AWS SSO. When logged in, they can choose the Amazon SageMaker Studio app, which assumes the SageMaker execution role connected to their user profile to develop a pre-signed domain URL. This pre-signed domain URL is utilized straight log in the users to their JupyterServer environment.
Domain– A main part of Amazon SageMaker Studio is a domain. The domain consists of a list of licensed users (called user profiles), and setups such as Amazon Virtual Private Cloud (Amazon VPC) configurations and the default AWS Identity and Access Management (IAM) execution function.
Groups and users– Individual users or users coming from particular groups like administrators, designers, or financing in OneLogin are instantly synced with AWS SSO by means of SCIM.
Make certain you have the following prerequisites:
Action 1: Set up the AWS application in OneLogin
On your OneLogin account, log in with administrator privileges and browse to Applications. In the upper-right, choose Add app. Next, look for and then pick AWS Single Sign-On.
On the AWS SSO console, select Settings in the navigation pane.
Next to Identity source, pick Change.
Select External identity provider.
For AWS SSO SAML metadata, upload the OneLogin metadata XML that you downloaded earlier.
Action 2: Download the Identity Provider Metadata
Next, we need to get the IdP metadata from OneLogin, which we utilize to register on AWS. Inside your OneLogin AWS Single Sign-On application, navigate to More Actions, then conserve the idp and download metadata as onelogin-aws. xml.
A OneLogin account, for which we use a free OneLogin designer account to develop our OneLogin circumstances and test users
An AWS account with administrator advantages to establish the AWS SSO integration and access to create policies for Amazon SageMaker Studio
Update the provisioning from Manual to SCIM by picking Enable automated provisioning.
Step 3: Enable AWS SSO and set up SCIM
Make certain that AWS SSO is enabled. If not, see Enable AWS SSO AWS SSO provides assistance for the SCIM v2.0 standard. SCIM keeps your AWS SSO identities in sync with identities from your IdP. This includes any provisioning, updates, and de-provisioning of users in between your IdP and AWS SSO. Using SCIM combination saves your IT and admin teams the time and effort of executing custom-made options to cross-replicate user names and email addresses between AWS SSO and your IdPs.
Step 4: Get integration info from AWS SSO.
To finish the integration on the OneLogin side, you need the following:
Step 7: Create your Amazon SageMaker Studio environment.
You can establish your Amazon SageMaker Studio environment by navigating to Amazon SageMaker Studio on your AWS account.
Make certain that AWS SSO is allowed in the exact same Region as your Amazon SageMaker Studio.
Users log in through OneLogin, which authenticates them and passes a SAML authentication to AWS SSO. AWS SSO provides support for the SCIM v2.0 requirement. Utilizing SCIM integration saves your IT and admin groups the time and effort of implementing custom solutions to cross-replicate user names and email addresses between AWS SSO and your IdPs.
About the Author.
Sam Palani is an AI/ML Specialist Solutions Architect at AWS. He enjoys working with consumers to assist them architect device finding out solutions at scale. When not assisting clients, he takes pleasure in reading and checking out the outdoors.
Sunil Ramachandra is a Senior Technical Account Manager at AWS. Sunil is enthusiastic about building AWS integrations that allow Independent Software Vendors (ISVs).
Gain access to token (also called a SCIM Bearer token).
AWS SSO ACS URL.
AWS SSO issuer URL.
Ensure to remove any trailing slashes (/).
Sign in to the OneLogin user portal.
Now that you have these 4 pieces of details, its time to go to OneLogin to complete the integration.
Step 5: Establish SAML authentication between OneLogin (your IdP) and AWS SSO.
To establish your SAML authentication, complete the following actions:.
Pick the tile which states Amazon SageMaker Studio to effortlessly log into your Amazon SageMaker Studio environment.
Action 10: Verify the integration and log in to your Amazon SageMaker Studio environment.
Under Studio Summary, you can notice the Execution Role that you created in the previous action. You can now visit to your Amazon SageMaker Studio environment.
If this user or group has actually synced into AWS SSO by means of SCIM by inspecting the Users page on the AWS SSO console, confirm.
SCIM endpoint (likewise called the SCIM Base URL).
On the SageMaker console, pick Amazon SageMaker Studio.
Pick Get started and choose Standard setup.
For Authentication approach, choose AWS Single Sign-On (SSO).
Log back in to your OneLogin website as admin into your formerly set up AWS SSO app.
Choose Configuration and enter the information that you gathered in the previous section (AWS SSO issuer URL, AWS SSO ACS URL, SCIM Base URL, and SCIM Bearer token) and pick Save.
Under Permission, develop a new IAM role with appropriate access to Amazon Simple Storage Service (Amazon S3) containers, or pick an existing IAM function.
You can assign users to Amazon SageMaker Studio environment by picking the check box beside Display name and Email.
Amazon SageMaker Studio sets and produces a domain up AWS SSO for the domain. For more details about using AWS SSO with Amazon SageMaker Studio, see Onboard to Amazon SageMaker Studio Using AWS SSO.
The details is readily available on the Settings page on the AWS SSO console. The endpoint and gain access to token are on the Automatic provisioning page, as revealed in the following screenshot.
In the Network and storage section, we utilize our customized VPC and subnets, which creates the Amazon Elastic File System (Amazon EFS) domain in the VPC we specify.
Select Public web Only to allow default web gain access to for SageMaker.
Action 6: Assign and sync users from OneLogin to AWS SSO, to gain access to Amazon SageMaker Studio.
In your OneLogin website, on the top ribbon browse to Users and assign the users in your company to your recently produced AWS Single Sign-On application to provide access to Amazon SageMaker Studio.
Select Provisioning in the navigation pane.
Select Enable provisioning.
You can pick Create user, Delete user, and Update user for admin approval on these actions.
Save your setup.
Utilize the default worths for Network sharing configuration and SageMaker Projects and JumpStart.
You can likewise confirm the user profiles in Amazon SageMaker Studio directly using the AWS Command Line Interface (AWS CLI):.
Youre logged in directly to your user profile inside Amazon SageMaker Studio.
Amazon SageMaker Studio produces a domain and sets up AWS SSO for the domain. This process must take around 10 minutes to finish. The domain status reveals as Ready when the provisioning is complete.
Step 9: Assign users to your newly produced Amazon SageMaker Studio Environment.
Select Assign Users and groups to assign users who were produced via OneLogin and are synced into AWS SSO.
aws sagemaker describe-user-profile– domain-id << yourdomainname> >– user-profile-name << username>>.
Select the AWS SSO app.
Step 8: Specify additional configurations for Amazon SageMaker Studio.
You also have the option to set extra configurations.
Pick View details for Authentication SAML 2.0 and copy the AWS SSO ACS URL and AWS SSO issuer URL.
In this post, we walked through the steps to onboard existing OneLogin SSO users to Amazon SageMaker Studio. We likewise took a look at a reference architecture and how to confirm the setup. To learn more about utilizing AWS SSO with Amazon SageMaker Studio, see Onboard to Amazon SageMaker Studio Using AWS SSO.