Onboarding Amazon SageMaker Studio with AWS SSO and Okta Universal Directory

This blog has been reviewed and updated in October 2023 to reflect the latest changes in steps and the user interface on Studio and Okta.

In 2019, AWS introduced Amazon SageMaker Studio, a comprehensive integrated development environment (IDE) designed for machine learning (ML) development. Users can write code, monitor data, debug applications, and track experiments all within a single, cohesive visual interface.

Amazon SageMaker Studio offers a single sign-on (SSO) experience via AWS Single Sign-On (AWS SSO) authentication. External identity providers (IdPs) such as Azure Active Directory and Okta Universal Directory can be seamlessly integrated with AWS SSO to serve as the authoritative source for Amazon SageMaker Studio. Users gain access through a unique login URL that directly opens Amazon SageMaker Studio, allowing them to sign in with their corporate credentials. Administrators can manage users and groups within their existing identity systems, which can then be synchronized with AWS SSO. For example, AWS SSO enables administrators to connect their on-premises Active Directory (AD) or AWS Managed Microsoft AD directory, along with other supported identity providers. For more details, refer to The Next Evolution in AWS Single Sign-On and Single Sign-On between Okta Universal Directory and AWS.

In this article, we will guide you through the process of setting up SSO with Amazon SageMaker Studio and enabling SSO using Okta Universal Directory. We will also illustrate the SSO experience for both system administrators and Amazon SageMaker Studio users.

Prerequisites

To utilize the same Okta user login for Amazon SageMaker Studio, AWS SSO must be set up and connected to Okta Universal Directory. The high-level steps include:

  1. Enable AWS SSO in the AWS Management Console. Create the AWS SSO account in the same AWS Region as Amazon SageMaker Studio.
  2. Add AWS SSO as an application for Okta users to connect to.
  3. Configure the mutual agreement between AWS SSO and Okta, download IdP metadata from Okta, and set up an external IdP in AWS SSO.
  4. Enable identity synchronization between Okta and AWS SSO.

For detailed instructions, see Single Sign-On between Okta Universal Directory and AWS. This setup ensures that when a new account is added to Okta and linked to AWS SSO, a corresponding AWS SSO user is created automatically. After completing these steps, user assignments can be viewed on the Okta console as well as the AWS SSO console under the Users page.

Creating Amazon SageMaker Studio with AWS SSO Authentication

Next, we will create Amazon SageMaker Studio utilizing AWS SSO as the authentication method. Follow these steps:

  1. In the Amazon SageMaker console, select Amazon SageMaker Studio.
  2. Choose Standard setup.
  3. Select AWS Single Sign-On (SSO) as the Authentication method.
  4. For Permission, select the Amazon SageMaker execution role.

If the role does not exist, choose Create role. Amazon SageMaker will generate a new AWS Identity and Access Management (IAM) role with the AmazonSageMakerFullAccess policy attached.

You can also specify additional settings such as notebook sharing configuration, networking, storage, and tags. Click Next to select the notebook sharing configuration and click Submit to create Amazon SageMaker Studio.

After a short initialization period, the Amazon SageMaker Studio Control Panel will appear.

Click on Assign users. The Assign users page will display a list of all users from AWS SSO (synchronized from your Okta Universal Directory). Select the users authorized to access Amazon SageMaker Studio, and then click Assign users and groups.

These users will now appear on the Amazon SageMaker Studio Control Panel. On the AWS SSO console, you can access detailed information about the newly created Amazon SageMaker Studio under Applications, including the assigned users.

Amazon SageMaker Studio automatically generates a user profile with the domain execution role for each SSO user. A user profile represents a single user within a domain and serves as the primary reference for sharing, reporting, and other user-centric features, including allowed instance types. You can use the UpdateUserProfile API to associate a different role with a user, enabling fine-grained permission control. This allows users to pass the associated IAM role when creating training jobs, hyperparameter tuning jobs, or models. For more information about available Amazon SageMaker SDK API references, see Amazon SageMaker API Reference.
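The following sketch is an added example, not code from the original post. It finds the user profiles that still run with the inherited domain execution role and moves them to a per-user role through UpdateUserProfile. It assumes `sm` is a boto3 SageMaker client (`boto3.client("sagemaker")`) and that `role_map`, a dictionary of profile name to role ARN, is supplied by you; both function names are hypothetical.

```python
# Added example: plan and apply per-user execution roles for Studio profiles.
# `sm` is expected to be boto3.client("sagemaker"); role_map is an assumed
# {profile_name: role_arn} dictionary maintained by the administrator.

def plan_role_changes(sm, domain_id, role_map):
    """Return (profile, current_role, wanted_role) for each profile to change."""
    domain = sm.describe_domain(DomainId=domain_id)
    domain_role = domain["DefaultUserSettings"]["ExecutionRole"]
    changes, token = [], None
    while True:
        kwargs = {"DomainIdEquals": domain_id}
        if token:
            kwargs["NextToken"] = token
        page = sm.list_user_profiles(**kwargs)
        for item in page["UserProfiles"]:
            name = item["UserProfileName"]
            detail = sm.describe_user_profile(
                DomainId=domain_id, UserProfileName=name
            )
            # A profile with no ExecutionRole of its own uses the domain role.
            settings = detail.get("UserSettings", {})
            current = settings.get("ExecutionRole", domain_role)
            wanted = role_map.get(name)
            if wanted and wanted != current:
                changes.append((name, current, wanted))
        token = page.get("NextToken")
        if not token:
            return changes


def apply_role_changes(sm, domain_id, changes):
    """Call UpdateUserProfile for each planned change; return updated names."""
    for name, _current, wanted in changes:
        sm.update_user_profile(
            DomainId=domain_id,
            UserProfileName=name,
            UserSettings={"ExecutionRole": wanted},
        )
    return [name for name, _current, _wanted in changes]
```

Review the list returned by `plan_role_changes` before passing it to `apply_role_changes`; profiles missing from `role_map` are left on their current role.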

Using Amazon SageMaker Studio via SSO

As a user, there are three ways to access Amazon SageMaker Studio:

  1. Start from the Okta user portal, select the AWS SSO application, and choose Amazon SageMaker Studio.
  2. Begin at the AWS SSO user portal (the URL can be found on the AWS SSO Settings page), be redirected to the Okta login page, and select Amazon SageMaker Studio.
  3. Bookmark the Amazon SageMaker Studio URL (located on the Amazon SageMaker Studio page), which will automatically redirect to the Okta login page.

For this article, we will initiate access via the AWS SSO user portal and be redirected to the Okta login page. Upon logging in, you will see an application titled Amazon SageMaker Studio. Upon selecting the application, the Amazon SageMaker Studio welcome page will launch.

Now, data scientists and ML practitioners can utilize this web-based IDE to efficiently build, train, and deploy ML models in a production-ready environment. To explore key features of Amazon SageMaker Studio, visit our Amazon SageMaker Studio Tour blog post.

Conclusion

This post has highlighted how to leverage the new AWS SSO capabilities to use Okta identities for accessing Amazon SageMaker Studio. Administrators can now manage their users from a single source of truth, and users no longer need to handle an additional identity and password to log into their AWS accounts and applications. AWS SSO with Okta is free to use and is available across all regions where AWS SSO operates. Amazon SageMaker Studio is currently available in US East (Ohio), US East (N. Virginia), US West (Oregon), EU (Ireland), and China (Beijing and Ningxia), with more regions to come. For further insights, please read the product documentation.

About the Authors

Alex Johnson is a Machine Learning Specialist Solution Architect at AWS. He began his ML research at the AI Research Institute and has several years of experience developing AI-driven applications in computer vision and natural language processing. At AWS, he shares his domain expertise to help clients unlock business potential and achieve actionable outcomes through scalable machine learning. Outside of work, he enjoys photography and hiking.

Chanci Turner is an ML Solutions Architect within the Amazon SageMaker Services team. She focuses on assisting clients in migrating ML production workloads to SageMaker efficiently. Chanci specializes in machine learning, AI, and computer vision, and she holds a master’s degree in Computer Science from the University of Texas at Dallas. In her spare time, she loves to travel and explore new cultures.
