Add the SageMaker Canvas application to Okta Set up ID federation in IAM Configure SageMaker Canvas in Okta Add optional policies on access control in IAM

Set Up SageMaker Canvas for Your Users

To set up Amazon SageMaker Canvas, do the following:

Create an Amazon SageMaker domain.
Create user profiles for the domain
Set up Okta Single Sign On (Okta SSO) for your users.
Activate link sharing for models.

Use Okta Single-Sign On (Okta SSO) to grant your users access to Amazon SageMaker Canvas. SageMaker Canvas supports SAML 2.0 SSO methods. The following sections guide you through procedures to set up Okta SSO.

To set up a domain, see Use custom setup for Amazon SageMaker and follow the instructions for setting up your domain using IAM authentication. You can use the following information to help you complete the procedure in the section:

You can ignore the step about creating projects.
You don't need to provide access to additional Amazon S3 buckets. Your users can use the default bucket that we provide when we create a role.
To grant your users access to share their notebooks with data scientists, turn on Notebook Sharing Configuration.
Use Amazon SageMaker Studio Classic version 3.19.0 or later. For information about updating Amazon SageMaker Studio Classic, see Shut down and Update SageMaker Studio Classic.

Use the following procedure to set up Okta. For all of the following procedures, you specify the same IAM role for IAM-role .

Add the SageMaker Canvas application to Okta

Set up the sign-on method for Okta.

Sign in to the Okta Admin dashboard.
Choose Add application. Search for AWS Account Federation.
Choose Add.
Optional: Change the name to Amazon SageMaker Canvas.
Choose Next.
Choose SAML 2.0 as the Sign-On method.
Choose Identity Provider Metadata to open the metadata XML file. Save the file locally.
Choose Done.

Set up ID federation in IAM

AWS Identity and Access Management (IAM) is the AWS service that you use to gain access to your AWS account. You gain access to AWS through an IAM account.

Sign in to the AWS console.
Choose AWS Identity and Access Management (IAM).
Choose Identity Providers.
Choose Create Provider.
For Configure Provider, specify the following:
- Provider Type – From the dropdown list, choose SAML.
- Provider Name – Specify Okta.
- Metadata Document – Upload the XML document that you've saved locally from step 7 of Add the SageMaker Canvas application to Okta.
Find your identity provider under Identity Providers. Copy its Provider ARN value.
For Roles, choose the IAM role that you're using for Okta SSO access.
Under Trust Relationship for the IAM role, choose Edit Trust Relationship.

Modify the IAM trust relationship policy by specifying the Provider ARN value that you've copied and add the following policy:



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/Okta"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

For Permissions, add the following policy:



{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AmazonSageMakerPresignedUrlPolicy",
           "Effect": "Allow",
           "Action": [
                "sagemaker:CreatePresignedDomainUrl",
                "sagemaker:CreatePresignedDomainUrlWithPrincipalTag"
           ],
           "Resource": "*"
      }
  ]
}

Configure SageMaker Canvas in Okta

Configure Amazon SageMaker Canvas in Okta using the following procedure.

To configure Amazon SageMaker Canvas to use Okta, follow the steps in this section. You must specify unique user names for each SageMakerStudioProfileName field. For example, you can use user.login as a value. If the username is different from the SageMaker Canvas profile name, choose a different uniquely identifying attribute. For example, you can use an employee's ID number for the profile name.

For an example of values that you can set for Attributes, see the code following the procedure.

Under Directory, choose Groups.
Add a group with the following pattern: sagemaker#canvas#IAM-role#AWS-account-id.
In Okta, open the AWS Account Federation application integration configuration.
Select Sign On for the AWS Account Federation application.
Choose Edit and specify the following:
- SAML 2.0
- Default Relay State – https://Region.console.aws.amazon.com/sagemaker/home?region=Region#/studio/canvas/open/StudioId. You can find the Studio Classic ID in the console: https://console.aws.amazon.com/sagemaker/
Choose Attributes.

In the SageMakerStudioProfileName fields, specify unique values for each username. The usernames must match the usernames that you've created in the AWS console.



Attribute 1:
Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:SageMakerStudioUserProfileName 
Value: ${user.login}

Attribute 2:
Name: https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys
Value: {"SageMakerStudioUserProfileName"}

Select Environment Type. Choose Regular AWS.
- If your environment type isn't listed, you can set your ACS URL in the ACS URL field. If your environment type is listed, you don't need to enter your ACS URL
For Identity Provider ARN, specify the ARN you used in step 6 of the preceding procedure.
Specify a Session Duration.
Choose Join all roles.
Turn on Use Group Mapping by specifying the following fields:
- App Filter – okta
- Group Filter – ^aws\#\S+\#(?IAM-role[\w\-]+)\#(?accountid\d+)$
- Role Value Pattern – arn:aws:iam::$accountid:saml-provider/Okta,arn:aws:iam::$accountid:role/IAM-role
Choose Save/Next.
Under Assignments, assign the application to the group that you've created.

Add optional policies on access control in IAM

In IAM, you can apply the following policy to the administrator user who creates the user profiles.



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateSageMakerStudioUserProfilePolicy",
            "Effect": "Allow",
            "Action": "sagemaker:CreateUserProfile",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "studiouserid"
                    ]
                }
            }
        }
    ]
}

If you choose to add the preceding policy to the admin user, you must use the following permissions from Set up ID federation in IAM.



{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AmazonSageMakerPresignedUrlPolicy",
           "Effect": "Allow",
           "Action": [
                "sagemaker:CreatePresignedDomainUrl",
                "sagemaker:CreatePresignedDomainUrlWithPrincipalTag"
           ],
           "Resource": "*",
           "Condition": {
                  "StringEquals": {
                      "sagemaker:ResourceTag/studiouserid": "${aws:PrincipalTag/SageMakerStudioUserProfileName}"
                 }
            }
      }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Grant Your Users Permissions to Upload Local Files

Configure your Amazon S3 storage