AWS Machine Learning Blog
Onboarding Amazon SageMaker Studio with AWS SSO and Okta Universal Directory
This blog was reviewed and updated in June 2022 to address the latest changes to the steps and user interface in Studio and Okta.
In 2019, AWS announced Amazon SageMaker Studio, a unified integrated development environment (IDE) for machine learning (ML) development. You can write code, track experiments, visualize data, and perform debugging and monitoring within a single, integrated visual interface.
Amazon SageMaker Studio supports a single sign-on experience with AWS Single Sign-On (AWS SSO) authentication. External identity providers (IdPs) such as Azure Active Directory and Okta Universal Directory can be integrated with AWS SSO to be the source of truth for Amazon SageMaker Studio. Users are given access to Amazon SageMaker Studio via a unique login URL that directly opens Amazon SageMaker Studio, and they can sign in with their existing corporate credentials. Administrators can continue to manage users and groups in their existing identity systems, which can then be synchronized with AWS SSO. For instance, AWS SSO enables administrators to connect their on-premises Active Directory (AD) or their AWS Managed Microsoft AD directory, as well as other Supported Identity Providers. For more information, see The Next Evolution in AWS Single Sign-On and Single Sign-On between Okta Universal Directory and AWS.
In this post, we walk you through setting up SSO with Amazon SageMaker Studio and enabling SSO with Okta Universal Directory. We also demonstrate the SSO experience for system administrators and Amazon SageMaker Studio users.
Prerequisites
To use the same Okta user login for Amazon SageMaker Studio, you need to set up AWS SSO and connect to Okta Universal Directory. The high-level steps are as follows:
- Enable AWS SSO on the AWS Management Console. Create this AWS SSO account in the same AWS Region as Amazon SageMaker Studio.
- Add AWS SSO as an application Okta users can connect to.
- Configure the mutual agreement between AWS SSO and Okta, download IdP metadata in Okta, and configure an external IdP in AWS SSO.
- Enable identity synchronization between Okta and AWS SSO.
For instructions, see Single Sign-On between Okta Universal Directory and AWS.
This setup makes sure that when a new account is added to Okta and connected to AWS SSO, a corresponding AWS SSO user is created automatically.
After you complete these steps, you can see the users assigned on the Okta console.
You can also see the users on the AWS SSO console, on the Users page.
Creating Amazon SageMaker Studio with AWS SSO authentication
We now need to create Amazon SageMaker Studio with AWS SSO as the authentication method. Complete the following steps:
- On the Amazon SageMaker console, choose Amazon SageMaker Studio.
- Select Standard setup.
- For Authentication method, select AWS Single Sign-On (SSO).
- For Permission, choose the Amazon SageMaker execution role.
If you don’t have this role already, choose Create role. Amazon SageMaker creates a new AWS Identity and Access Management (IAM) role with the AmazonSageMakerFullAccess policy attached.
- Optionally, you can specify other settings such as notebook sharing configuration, networking and storage, and tags.
- Choose Next to select the notebook sharing configuration and Submit to create Amazon SageMaker Studio.
A few moments after initialization, the Amazon SageMaker Studio Control Panel appears.
- Choose Assign users.
The Assign users page contains a list of all the users from AWS SSO (synchronized from your Okta Universal Directory).
- Select the users that are authorized to access Amazon SageMaker Studio.
- Choose Assign users and groups.
You can now see these users listed on the Amazon SageMaker Studio Control Panel.
On the AWS SSO console, under Applications, you can see the detailed information about the newly created Amazon SageMaker Studio.
In addition, you can view the assigned users.
Amazon SageMaker Studio also automatically creates a user profile with the domain execution role for each SSO user. A user profile represents a single user within a domain, and is the main way to reference a user for the purposes of sharing, reporting, and other user-oriented features such as allowed instance types. You can use the UpdateUserProfile API to associate a different role for a user, allowing fine-grained permission control so the user can pass this associated IAM role when creating a training job, hyperparameter tuning job, or a model. For more information about available Amazon SageMaker SDK API references, see Amazon SageMaker API Reference.
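The per-user role association described above, as an added example that is not from the original post: it plans UpdateUserProfile requests so each SSO user gets a narrower role instead of the shared domain execution role, and reports users still left on the domain role. The account ID, role names, profile names and the user-to-role mapping are constructed placeholders; `apply_plan` sends the requests through boto3's `update_user_profile`.

```python
import re

# Shape of an IAM role ARN (partitions aws, aws-cn, aws-us-gov).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]{1,128}$")

# Constructed sample data: DescribeUserProfile-style records and a
# hypothetical mapping from SSO user to a least-privilege role.
DOMAIN_ROLE = "arn:aws:iam::111122223333:role/SageMakerDomainExecutionRole"
SAMPLE_PROFILES = [
    {"UserProfileName": "alice-example", "SingleSignOnUserValue": "alice@example.com",
     "UserSettings": {"ExecutionRole": DOMAIN_ROLE}},
    {"UserProfileName": "bob-example", "SingleSignOnUserValue": "bob@example.com",
     "UserSettings": {"ExecutionRole": "arn:aws:iam::111122223333:role/TeamVisionRole"}},
    {"UserProfileName": "carol-example", "SingleSignOnUserValue": "carol@example.com",
     "UserSettings": {}},
]
SAMPLE_ROLE_MAP = {
    "alice@example.com": "arn:aws:iam::111122223333:role/TeamNlpRole",
    "bob@example.com": "arn:aws:iam::111122223333:role/TeamVisionRole",
}

def plan_role_updates(domain_id, profiles, role_by_user):
    """Return (requests, unmapped): UpdateUserProfile kwargs for profiles whose
    role must change, and profile names left on the domain execution role."""
    requests, unmapped = [], []
    for profile in profiles:
        name = profile["UserProfileName"]
        target = role_by_user.get(profile.get("SingleSignOnUserValue"))
        if target is None:
            unmapped.append(name)  # no mapping: keeps the broad domain role
            continue
        if not ROLE_ARN.match(target):
            raise ValueError(f"not an IAM role ARN for {name}: {target!r}")
        if profile.get("UserSettings", {}).get("ExecutionRole") != target:
            requests.append({"DomainId": domain_id, "UserProfileName": name,
                             "UserSettings": {"ExecutionRole": target}})
    return requests, unmapped

def apply_plan(requests, client=None):
    """Send each request with UpdateUserProfile; returns the number sent.
    Without a client argument this needs boto3 and AWS credentials."""
    if client is None:
        import boto3
        client = boto3.client("sagemaker")
    for kwargs in requests:
        client.update_user_profile(**kwargs)
    return len(requests)
```

Review the `unmapped` list before applying the plan: those profiles continue to run with the domain execution role and whatever policy is attached to it.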
Using Amazon SageMaker Studio via SSO
As a user, you can start in one of three ways:
- Start from the Okta user portal page, select the AWS SSO application, and choose Amazon SageMaker Studio.
- Start from the AWS SSO user portal (the URL is on the AWS SSO Settings page), which redirects to the Okta login page, then choose Amazon SageMaker Studio.
- Bookmark the Amazon SageMaker Studio address (the URL is on the Amazon SageMaker Studio page); the page redirects automatically to the Okta login page.
For this post, we start in the AWS SSO user portal and are redirected to the Okta login page.
After you log in, you see an application named Amazon SageMaker Studio.
When you choose the application, the Amazon SageMaker Studio welcome page launches.
Now data scientists and ML builders can rely on this web-based IDE and use Amazon SageMaker to quickly and easily build and train ML models, and directly deploy them into a production-ready hosted environment. To learn more about the key features of Amazon SageMaker Studio, see Amazon SageMaker Studio Tour.
Conclusion
In this post, we showed how you can take advantage of the new AWS SSO capabilities to use Okta identities to open Amazon SageMaker Studio. Administrators can now use a single source of truth to manage their users, and users no longer need to manage an additional identity and password to sign in to their AWS accounts and applications.
AWS SSO with Okta is free to use and available in all Regions where AWS SSO is available. Amazon SageMaker Studio is now generally available in US East (Ohio), US East (N. Virginia), US West (Oregon), EU (Ireland) and China (Beijing and Ningxia), with additional Regions coming soon. Please read the product documentation to learn more.
About the Authors
Yanwei Cui, PhD, is a Machine Learning Specialist Solution Architect at AWS. He started machine learning research at IRISA (Research Institute of Computer Science and Random Systems), and has several years of experience building artificial intelligence powered industrial applications in computer vision, natural language processing and online user behavior prediction. At AWS, he shares the domain expertise and helps customers to unlock business potentials, and to drive actionable outcomes with machine learning at scale. Outside of work, he enjoys reading and traveling.
Raghu Ramesha is an ML Solutions Architect with the Amazon SageMaker Services SA team. He focuses on helping customers migrate ML production workloads to SageMaker at scale. He specializes in machine learning, AI, and computer vision domains, and holds a master’s degree in Computer Science from UT Dallas. In his free time, he enjoys traveling and photography.