Enable single sign-on access of Amazon SageMaker Canvas using AWS IAM Identity Center: Part 2

Amazon SageMaker Canvas allows you to use machine learning (ML) to generate predictions without having to write any code. It does so by covering the end-to-end ML workflow: whether you’re looking for powerful data preparation and AutoML, managed endpoint deployment, simplified MLOps capabilities, or the ability to configure foundation models for generative AI, SageMaker Canvas can help you achieve your goals.

To enable agility for your users while ensuring secure environments, you can adopt single sign-on (SSO) using AWS IAM Identity Center, which is the recommended AWS service for managing user access to AWS resources. With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.

Part 1 of this series describes the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for Amazon SageMaker Studio Classic.

In this post, we walk you through the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for the updated Amazon SageMaker Studio. Your users can seamlessly access SageMaker Canvas with their credentials from IAM Identity Center without having to first go through the AWS Management Console. We also demonstrate how you can streamline user management with IAM Identity Center.

Solution overview

To configure SSO from IAM Identity Center, you need to complete the following steps:

  1. Enable IAM Identity Center using AWS Organizations
  2. Create a SageMaker Studio domain that uses IAM Identity Center for user authentication
  3. Create users or groups in IAM Identity Center
  4. Add users or groups to the SageMaker Studio domain

We will also show how to rename the SageMaker Studio application to clearly identify it as SageMaker Canvas, and how to access it using IAM Identity Center.

Enable IAM Identity Center

Follow these steps to connect SageMaker Canvas to IAM Identity Center:

  1. On the IAM Identity Center console, choose Enable.
  2. Choose Enable with AWS Organizations.
  3. Choose Edit to add an instance name.
  4. Enter a name for your instance (for this post, canvas-app).
  5. Choose Save changes.

Create the SageMaker Studio domain

In this section, we create a SageMaker Studio domain and configure IAM Identity Center as its authentication method. Complete the following steps:

  1. On the SageMaker console, choose Domains.
  2. Choose Create domain.
  3. Choose Set up for organizations.
  4. Choose Set up.
  5. Enter a domain name of your choice (for this post, canvas-domain).
  6. Choose Next.
  7. Select AWS Identity Center.
  8. Choose Create a new role.
  9. Select the SageMaker Canvas permissions that you want to grant.

For more details about permissions, see Users and ML Activities.

  10. Specify one or more Amazon Simple Storage Service (Amazon S3) buckets.
  11. Choose Next.
  12. Select SageMaker Studio – New.
  13. Choose Next.

Next, you can provide VPC details for your network configuration.

  14. For this post, we select Public internet access.
  15. Choose your VPC, subnets, and security groups.
  16. Choose Next.
  17. Keep the default storage configuration and choose Next.
  18. Choose Submit.

Wait for the SageMaker domain status to change to InService.

Rename the SageMaker Studio application

Before we create a user, let’s rename the SageMaker Studio application. This allows users to quickly identify the SageMaker Canvas application when they log in through IAM Identity Center, where they may have access to multiple applications.

  1. On the IAM Identity Center console, choose Applications.
  2. Choose the SageMaker Studio application on the AWS managed tab.
  3. Choose Edit details on the Actions menu.
  4. For Display name, enter a name (for this post, Canvas).
  5. For Description, enter a description.
  6. Choose Save changes.

Create a user in IAM Identity Center

Now you can create the users, and optionally the groups, that will be given access to SageMaker Canvas. For this post, we create a single user to demonstrate the process. However, groups are typically preferred in organizations because they simplify user management and access provisioning.

A user group is a collection of users. Groups let you specify permissions for multiple users, which can make it more straightforward to manage the permissions for those users. For example, you could have a user group called business analysts and give that user group permission to SageMaker Canvas; all users in that group will have SageMaker Canvas access. If a new user joins your organization and needs access to SageMaker Canvas, you can add the user to the business analyst group. If a person changes jobs in your organization, instead of editing that user’s permissions, you can remove them from the old user groups and add them to the appropriate new user groups.

Complete the following steps to create a user in IAM Identity Center to test the SageMaker Canvas application access:

  1. On the IAM Identity Center console, choose Users in the navigation pane.
  2. Choose Add user.
  3. Provide required details such as the user name, email address, first name, and last name.
  4. Choose Next.
  5. Choose Add user.

You see a success message that the user has been added successfully.

Add users to the SageMaker Studio domain

You need to add this user to the SageMaker domain you created. If you’re using groups, you add the group rather than individual users.

  1. On the SageMaker console, choose Domains in the navigation pane.
  2. Choose the domain you created.
  3. Choose Assign users and groups.
  4. On the Users tab, select the user you created.
  5. Choose Assign users and groups.

Access the SageMaker Canvas application from IAM Identity Center

The user will receive an email with a link to set up a password and instructions to connect to the AWS access portal. The link will be valid for up to 7 days.

When the user receives the email, they must complete the following steps to gain access to SageMaker Canvas:

  1. Choose Accept invitation from the email.
  2. Set a new password to access SageMaker Canvas in the specified account and domain.

After authentication has been performed, the user has three options to log in to SageMaker Canvas:

  • Option 1 – Access from SageMaker Studio through the IAM Identity Center portal
  • Option 2 – Access from SageMaker Canvas through the IAM Identity Center portal, bypassing SageMaker Studio
  • Option 3 – Use the AWS access portal URL shown on the IAM Identity Center console to access SageMaker Canvas directly

We go through each of these options in this section.

Option 1

In the first option, the user accesses SageMaker Studio first and opens SageMaker Canvas from there. This option is appropriate for users who should be able to access all relevant applications from SageMaker Studio, including SageMaker Canvas.

  1. Navigate to the AWS access portal URL from your email.
  2. Log in with the credentials you set for the user.

You will see the application name you configured earlier.

  3. Choose the SageMaker Canvas application.

You’re redirected to SageMaker Studio.

  4. Choose Run Canvas.
  5. Choose Open Canvas.

You’re redirected to SageMaker Canvas.

Option 2

In this option, the user still goes through the IAM Identity Center portal, but bypasses SageMaker Studio and lands directly in SageMaker Canvas. Use this option only when access to SageMaker Studio is not needed, because the user’s SageMaker login will always take them directly to SageMaker Canvas.

  1. On the SageMaker console, choose Domains in the navigation pane.
  2. Note down the SageMaker domain ID.
  3. Open AWS CloudShell or any other CLI and run the following command, providing your domain ID. This command updates the default landing application for the SageMaker domain from SageMaker Studio to SageMaker Canvas:
    aws sagemaker update-domain --domain-id <SAGEMAKER DOMAIN ID> --default-user-settings '{"DefaultLandingUri":"app:Canvas:models","StudioWebPortal":"DISABLED"}'

You will see the following response if the command runs successfully.

  4. Navigate to the AWS access portal URL from your email.
  5. Log in with the credentials you set for the user.
  6. Choose the SageMaker Canvas application.

This time you’re redirected to SageMaker Canvas, bypassing SageMaker Studio.
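The update-domain command above changes domain-wide defaults, so it is worth confirming afterwards that the domain really is in SSO mode, that the two landing settings were applied, and that no individual user profile overrides them back to SageMaker Studio. The following script is an added example, not code from this post or from AWS: it audits constructed describe-domain and describe-user-profile responses offline, and builds the boto3 equivalent of the CLI command. The domain IDs, role ARN, account number, and user profile names are placeholders; the optional `fetch_domain` helper is the only part that talks to AWS.

```python
"""Verify that a SageMaker domain sends IAM Identity Center users straight to
SageMaker Canvas. Added example; the API responses below are constructed."""
import json
from typing import Any

# The DefaultUserSettings that the post's `aws sagemaker update-domain` command
# applies, in the same shape that `describe-domain` returns them.
CANVAS_LANDING_SETTINGS: dict[str, str] = {
    "DefaultLandingUri": "app:Canvas:models",
    "StudioWebPortal": "DISABLED",
}

# Constructed describe-domain responses (real ones carry many more fields).
# "d-EXAMPLE..." and the account number 123456789012 are placeholders.
SAMPLE_STUDIO_DOMAIN: dict[str, Any] = {
    "DomainId": "d-EXAMPLE000001",
    "DomainName": "canvas-domain",
    "AuthMode": "SSO",
    "DefaultUserSettings": {
        "ExecutionRole": "arn:aws:iam::123456789012:role/EXAMPLE-canvas-role",
        "StudioWebPortal": "ENABLED",  # default: users land in Studio
    },
}
SAMPLE_CANVAS_DOMAIN: dict[str, Any] = {
    "DomainId": "d-EXAMPLE000002",
    "DomainName": "canvas-domain",
    "AuthMode": "SSO",
    "DefaultUserSettings": {
        "ExecutionRole": "arn:aws:iam::123456789012:role/EXAMPLE-canvas-role",
        **CANVAS_LANDING_SETTINGS,  # after the update-domain command
    },
}
# Constructed describe-user-profile responses; a profile's own UserSettings
# can override the domain defaults, which the console steps do not touch.
SAMPLE_PROFILES: list[dict[str, Any]] = [
    {"UserProfileName": "analyst-1", "UserSettings": {}},
    {"UserProfileName": "analyst-2", "UserSettings": {"StudioWebPortal": "ENABLED"}},
]


def audit_domain(describe_response: dict[str, Any]) -> list[str]:
    """Return findings for a describe-domain response; empty means compliant."""
    findings: list[str] = []
    auth_mode = describe_response.get("AuthMode")
    if auth_mode != "SSO":
        findings.append(f"AuthMode: expected 'SSO', found {auth_mode!r}")
    settings = describe_response.get("DefaultUserSettings") or {}
    for key, expected in CANVAS_LANDING_SETTINGS.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(
                f"DefaultUserSettings.{key}: expected {expected!r}, found {actual!r}"
            )
    return findings


def audit_user_profiles(profiles: list[dict[str, Any]]) -> list[str]:
    """Flag profiles whose UserSettings override the Canvas landing defaults."""
    findings: list[str] = []
    for profile in profiles:
        user_settings = profile.get("UserSettings") or {}
        for key, expected in CANVAS_LANDING_SETTINGS.items():
            if key in user_settings and user_settings[key] != expected:
                name = profile.get("UserProfileName")
                findings.append(f"{name}: UserSettings.{key} = {user_settings[key]!r}")
    return findings


def update_domain_kwargs(domain_id: str) -> dict[str, Any]:
    """Keyword arguments for boto3 sagemaker.update_domain(**kwargs)."""
    return {"DomainId": domain_id, "DefaultUserSettings": dict(CANVAS_LANDING_SETTINGS)}


def render_cli_command(domain_id: str) -> str:
    """The same change as the post's AWS CLI command, for copy-and-paste."""
    payload = json.dumps(CANVAS_LANDING_SETTINGS, separators=(",", ":"))
    return (
        f"aws sagemaker update-domain --domain-id {domain_id} "
        f"--default-user-settings '{payload}'"
    )


def fetch_domain(domain_id: str) -> dict[str, Any]:
    """Fetch a live describe-domain response (needs AWS credentials and boto3)."""
    import boto3  # imported lazily so the offline audit runs without boto3

    return boto3.client("sagemaker").describe_domain(DomainId=domain_id)


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_STUDIO_DOMAIN), ("after", SAMPLE_CANVAS_DOMAIN)):
        findings = audit_domain(sample)
        print(f"{label}: {'OK' if not findings else findings}")
    print("profile overrides:", audit_user_profiles(SAMPLE_PROFILES))
    print(render_cli_command(SAMPLE_STUDIO_DOMAIN["DomainId"]))
```

Running the audit against `fetch_domain("<SAGEMAKER DOMAIN ID>")` after the update is a cheap way to catch a typo in the JSON argument, and re-running it periodically catches a later console or API change that silently re-enables the Studio web portal for everyone in the domain.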

Option 3

If the default landing application for the SageMaker domain has been updated from SageMaker Studio to SageMaker Canvas as in Option 2, a user can also use the IAM Identity Center portal link to access SageMaker Canvas. To do so, choose the AWS access portal URL shown in the identity source on the IAM Identity Center console. You can use this URL as a browser bookmark, or integrate it with your custom application for direct SageMaker Canvas access.

Clean up

To avoid incurring future session charges, log out of SageMaker Canvas.

Conclusion

In this post, we discussed how users can securely access SageMaker Canvas using SSO. To do this, we configured IAM Identity Center and linked it to the SageMaker domain where SageMaker Canvas is used. Users are now one click away from using SageMaker Canvas and solving new challenges with no-code ML. This approach supports the secure environment requirements of cloud engineering and security teams, while allowing for the agility and independence of development teams.

To learn more about SageMaker Canvas, check out Announcing Amazon SageMaker Canvas – a Visual, No Code Machine Learning Capability for Business Analysts. SageMaker Canvas also enables collaboration with data science teams. To learn more, see Build, Share, Deploy: how business analysts and data scientists achieve faster time-to-market using no-code ML and Amazon SageMaker Canvas. For IT administrators, we suggest checking out Setting up and managing Amazon SageMaker Canvas (for IT administrators).


About the Authors

Dhiraj Thakur is a Solutions Architect with Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He is passionate about technology and enjoys building and experimenting in the analytics and AI/ML space.

Dan Sinnreich is a Senior Product Manager at AWS, helping democratize ML with low-code/no-code innovations. Previous to AWS, Dan built and commercialized SaaS platforms and time series risk models used by institutional investors to manage risk and optimize investment portfolios. Outside of work, he can be found playing hockey, scuba diving, and reading science fiction.
