AWS SageMaker Unified Studio Microsoft Entra ID SAML SSO Integration Guide

Overview

This guide explains how to configure SAML-based Single Sign-On (SSO) between AWS SageMaker Unified Studio (SMUS) and Microsoft Entra ID (formerly Azure AD). This integration enables users to automatically log in to SMUS using their Microsoft Entra ID accounts.

Prerequisites

• Microsoft Entra ID subscription
• Cloud Application Administrator or Application Administrator privileges
• Administrator access to AWS account
• Permission to create SageMaker Unified Studio domains

Step 1: Create and Configure Enterprise Application in Microsoft Entra ID

1.1 Add Application

1. Sign in to the Microsoft Entra admin center with Cloud Application Administrator or higher privileges.
2. Navigate to Manage > Enterprise applications > New application.
3. Enter "AWS Single-Account Access" in the search box.
4. Select AWS Single-Account Access and add the app.

1.2 Configure SAML SSO

1. Click the application added in step 1.1 and select Single sign-on from the left menu.
2. Select SAML in the Single Sign-on method selection.

1.3 Basic SAML Configuration

• Identifier (Entity ID): Application unique ID (e.g., urn:amazon:webservices)
• Reply URL (Assertion Consumer Service URL): https://signin.aws.amazon.com/saml

1.4 Attributes and Claims Configuration

1. Click the Edit button in the Attributes & claims section.
2. Click the Add new claim button.
3. SageMaker Unified Studio requires an Email key as a Session Tag. Include this in the SAML Response. Configure as follows and click Save:
   • Name: PrincipalTag:Email
   • Namespace: https://aws.amazon.com/SAML/Attributes
   • Name format: Select name format
   • Source: Attribute
   • Source attribute: user.mail

1.5 Download Metadata XML

1. Locate Federation Metadata XML in the SAML signing certificate section.
2. Click Download to save the certificate to your computer.

Step 2: Create Identity Provider in AWS IAM

2.1 Add Identity Provider

1. Log in to the AWS Console and navigate to IAM.
2. Select Access management > Identity providers from the left navigation menu.
3. Click Add provider.
4. On the Add identity provider page, do the following:
   • Provider type: Select SAML
   • Provider name: Enter a name to identify the identity provider (e.g., azure-provider)
   • Metadata document: Upload the XML file downloaded in step 1.5
5. Click Add provider.
6. Copy and save the ARN of the created provider. (Format: arn:aws:iam::<aws-account-id>:saml-provider/<iam-idp-name>)

Step 3: Create IAM Role to Associate with Microsoft Entra ID Users

3.1 Create Role

1. In the IAM console, select Access management > Roles.
2. Click Create role.
3. Select Custom trust policy and add the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account-id>:saml-provider/<iam-idp-name>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account-id>:saml-provider/<iam-idp-name>"
            },
            "Action": "sts:TagSession",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Email": "*"
                }
            }
        }
    ]
}

• Configure the trust policy to allow assumption with information passed from the identity provider.
• Additionally, add permission to tag sessions with a tag having the key name Email.

3.2 Add Inline Policy

1. After creating the role, click Add permissions > Create inline policy.
2. Add the following policy in the policy editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "datazone:GetIamPortalLoginUrl",
            "Resource": [
                "arn:aws:datazone:<region>:<aws-account-id>:domain/<domain-id>"
            ]
        }
    ]
}

Copy and save the role ARN from the role summary page.

Step 4: Associate Provisioned IAM Roles to Entra ID Users

4.1 Update Role Attribute

On the Single Sign-On settings page in Entra ID, update the Role attribute in Attributes & claims to the following format:

<Role ARN>,<Idp ARN>

• Role ARN: from 3.2
• Idp ARN: from 2.1

Step 5: Create SageMaker Unified Studio Domain

5.1 Domain Configuration

1. Select manual setup.
2. Provide a domain name.
3. Keep the default values for domain execution role and domain service role.

5.2 Configure SSO User Access

1. In the Microsoft Entra admin center, navigate to Manage > Properties. Copy the User access URL. Example:

https://launcher.myapps.microsoft.com/api/signin/<appid>?tenantId=<tenantid>

2. In the Configure SSO user access section, click the Configure button.

3. Select SAML as the user authentication method and proceed to next.

4. In SAML configuration, enter the URL copied in step 1 as the Identity Provider (IdP) SSO URL.

Step 6: Log in to SageMaker Unified Studio

6.1 Perform SSO Login

1. Navigate to the domain details section of the SageMaker Unified Studio domain created in the AWS Console.
2. Copy the SageMaker Unified Studio URL and access it in a new browser tab.
3. On the Studio login page, click the Sign in with SSO button.
4. When redirected to the Microsoft Entra ID login page, sign in with your organizational account.

6.2 Verify Login

1. Upon successful authentication, you will automatically be redirected to the SageMaker Unified Studio main screen.
2. You can verify the logged-in user information in the user profile area at the top right of the screen.

✅ Success: SSO integration has been completed successfully. Users can now seamlessly access SageMaker Unified Studio with their Microsoft Entra ID accounts.