Choose an authentication mode for Amazon EMR Studio - Amazon EMR
Choose an authentication mode for Amazon EMR Studio

EMR Studio supports two authentication modes: IAM authentication mode and IAM Identity Center authentication mode. IAM mode uses Amazon Identity and Access Management (IAM), while IAM Identity Center mode uses Amazon IAM Identity Center. When you create an EMR Studio, you choose the authentication mode for all users of that Studio. For more information about the different authentication modes, see Authentication and user login.

Use the following guidance to choose an authentication mode for EMR Studio.

If you are already familiar with IAM authentication or federation, or have previously set it up, we recommend IAM authentication mode, which offers the following benefits:

  • Provides quick setup for EMR Studio if you already manage identities such as users and groups in IAM.

  • Works with identity providers that are compatible with OpenID Connect (OIDC) or Security Assertion Markup Language 2.0 (SAML 2.0).

  • Supports using multiple identity providers with the same Amazon Web Services account.

  • Available in a wide number of Amazon Web Services Regions.

  • Compliant with SOC 2.

If you are new to Amazon or Amazon EMR, we recommend IAM Identity Center authentication mode, which provides the following features:

  • Supports easy user and group assignment to Amazon resources.

  • Works with Microsoft Active Directory and SAML 2.0 identity providers.

  • Facilitates multi-account federation setup so that you don't have to separately configure federation for each Amazon Web Services account in your organization.

Set up IAM authentication mode for Amazon EMR Studio

With IAM authentication mode, you can use either IAM authentication or IAM federation. IAM authentication lets you manage IAM identities such as users, groups, and roles in IAM. You grant users access to a Studio with IAM permissions policies and attribute-based access control (ABAC). IAM federation lets you establish trust between a third-party identity provider (IdP) and Amazon so that you can manage user identities through your IdP.

Note

If you already use IAM to control access to Amazon resources, or if you've already configured your identity provider (IdP) for IAM, see User permissions for IAM authentication mode to set user permissions when you use IAM authentication mode for EMR Studio.

Use IAM federation for Amazon EMR Studio

To use IAM federation for EMR Studio, you create a trust relationship between your Amazon Web Services account and your identity provider (IdP) and enable federated users to access the Amazon Web Services Management Console. The steps you take to create this trust relationship differ depending on your IdP's federation standard.

In general, you complete the following tasks to configure federation with an external IdP. For complete instructions, see Enabling SAML 2.0 federated users to access the Amazon Web Services Management Console and Enabling custom identity broker access to the Amazon Web Services Management Console in the Amazon Identity and Access Management User Guide.

  1. Gather information from your IdP. This usually means generating a metadata document to validate SAML authentication requests from your IdP.

  2. Create an identity provider IAM entity to store information about your IdP. For instructions, see Creating IAM identity providers.

  3. Create one or more IAM roles for your IdP. EMR Studio assigns a role to a federated user when the user logs in. The role permits your IdP to request temporary security credentials for access to Amazon. For instructions, see Creating a role for a third-party identity provider (federation). The permissions policies that you assign to the role determine what federated users can do in Amazon and in an EMR Studio. For more information, see User permissions for IAM authentication mode.

  4. (For SAML providers) Complete the SAML trust by configuring your IdP with information about Amazon and the roles that you want federated users to assume. This configuration process creates relying party trust between your IdP and Amazon. For more information, see Configuring your SAML 2.0 IdP with relying party trust and adding claims.

To configure an EMR Studio as a SAML application in your IdP portal

You can configure a particular EMR Studio as a SAML application using a deep link to the Studio. Doing so lets users log in to your IdP portal and launch a specific Studio instead of navigating through the Amazon EMR console.

  • Use the following format to configure a deep link to your EMR Studio as a landing URL after SAML assertion verification.

    https://console.aws.amazon.com/emr/home?region=<aws-region>#studio/<your-studio-id>/start
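As an added example that is not part of the EMR documentation, the following Python ties together step 3 of the federation tasks above (the role a federated user assumes) and the deep-link format: it builds the role's trust policy so that only the named SAML provider can assume it, reviews a trust policy for the two weaknesses that most often appear in practice (a wildcard principal and a missing SAML:aud condition), and builds the Studio landing URL while rejecting values that could alter the console URL. The account ID, provider name, region and Studio ID are constructed placeholders; sts:AssumeRoleWithSAML and the https://signin.aws.amazon.com/saml audience are the standard values AWS uses for console federation.

```python
import re
from typing import Any

# Constructed example values: substitute your own account ID and provider name.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ExampleIdP"
# Audience the IdP must put in its SAML assertion for AWS console federation.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def federation_role_trust_policy(provider_arn: str) -> dict[str, Any]:
    """Trust policy for the role a federated user assumes (step 3 above): only the
    named SAML provider may call AssumeRoleWithSAML, and only with an assertion
    whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict[str, Any]) -> list[str]:
    """Review a federation role's trust policy; an empty list means no weakness found."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions
        ):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated == "*":
            findings.append("wildcard principal: any IdP could assume this role")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings


def studio_deep_link(region: str, studio_id: str) -> str:
    """Landing URL for one Studio, in the format this page gives for the IdP portal."""
    # Allow only plain identifiers so an untrusted value cannot append extra
    # query parameters or a different fragment to the console URL.
    if not re.fullmatch(r"[a-z0-9-]+", region) or not re.fullmatch(r"[A-Za-z0-9-]+", studio_id):
        raise ValueError("region and studio_id must be plain identifiers")
    return f"https://console.aws.amazon.com/emr/home?region={region}#studio/{studio_id}/start"
```

The policy returned by federation_role_trust_policy is what you would pass as the assume-role policy document when creating the role in step 3; trust_policy_findings is useful for reviewing roles that already exist.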

Set up IAM Identity Center authentication mode for Amazon EMR Studio

To prepare Amazon IAM Identity Center for EMR Studio, you must configure your identity source and provision users and groups. Provisioning is the process of making user and group information available for use by IAM Identity Center and by applications that use IAM Identity Center. For more information, see User and group provisioning.

EMR Studio supports using the following identity sources for IAM Identity Center:

  • A Microsoft AD directory (self-managed Active Directory or Amazon Managed Microsoft AD)

  • An external identity provider

  • The IAM Identity Center directory

To set up IAM Identity Center for EMR Studio

  1. To set up IAM Identity Center for EMR Studio, you need the following:

    • A management account in your Amazon organization if you use multiple accounts in your organization.

      Note

      You should only use your management account to enable IAM Identity Center and provision users and groups. After you set up IAM Identity Center, use a member account to create an EMR Studio and assign users and groups. To learn more about Amazon terminology, see Amazon Organizations terminology and concepts.

    • If you enabled IAM Identity Center before November 25, 2019, you might have to enable applications that use IAM Identity Center for the accounts in your Amazon organization. For more information, see Enable IAM Identity Center-integrated applications in Amazon accounts.

    • Make sure that you have the prerequisites listed on the IAM Identity Center prerequisites page.

  2. Follow the instructions in Enable IAM Identity Center to enable IAM Identity Center in the Amazon Web Services Region where you want to create the EMR Studio.

  3. Connect IAM Identity Center to your identity provider and provision the users and groups that you want to assign to the Studio.

    If you use a Microsoft AD directory:

    1. Follow the instructions in Connect to your Microsoft AD directory to connect your self-managed Active Directory or Amazon Managed Microsoft AD directory using Amazon Directory Service.

    2. To provision users and groups for IAM Identity Center, sync identity data from your source AD to IAM Identity Center. You can sync identities from your source AD in many ways; one way is to assign AD users or groups to an Amazon account in your organization. For instructions, see Single sign-on.

      Synchronization can take up to two hours. After you complete this step, synced users and groups appear in your Identity Store.

      Note

      Users and groups don't appear in your Identity Store until you synchronize user and group information or use just-in-time (JIT) user provisioning. For more information, see Provisioning when users come from Active Directory.

    3. (Optional) After you sync AD users and groups, you can remove the Amazon account access that you configured in the previous step. For instructions, see Remove user access.

    If you use an external identity provider: follow the instructions in Connect to your external identity provider.

    If you use the IAM Identity Center directory: provisioning is automatic when you create users and groups in IAM Identity Center. For more information, see Manage identities in IAM Identity Center.

You can now assign users and groups from your Identity Store to an EMR Studio. For instructions, see Assign a user or group to an EMR Studio.