Choose an authentication mode for Amazon EMR Studio - Amazon EMR

Choose an authentication mode for Amazon EMR Studio

Amazon EMR Studio supports two authentication modes: IAM authentication mode and SSO authentication mode. IAM mode uses AWS Identity and Access Management (IAM), while SSO mode uses AWS Single Sign-On (AWS SSO). When you create an EMR Studio, you choose the authentication mode for all users of that Studio. For more information about the different authentication modes, see Authentication and user login.

Use the following table to choose an authentication mode for EMR Studio.

If you are... We recommend...
Already familiar with or have previously set up IAM authentication or federation

IAM authentication mode, which offers the following benefits:

  • Provides quick setup for EMR Studio if you already manage identities such as users and groups in IAM.

  • Works with identity providers that are compatible with OpenID Connect (OIDC) or Security Assertion Markup Language 2.0 (SAML 2.0).

  • Supports using multiple identity providers with the same AWS account.

  • Available in a wide number of AWS Regions.

  • Compliant with SOC 2.

New to AWS or Amazon EMR

SSO authentication mode, which provides the following features:

  • Supports easy user and group assignment to AWS resources.

  • Works with Microsoft Active Directory and SAML 2.0 identity providers.

  • Facilitates multi-account federation setup so that you don't have to separately configure federation for each AWS account in your organization.

Set up IAM authentication mode for Amazon EMR Studio

With IAM authentication mode, you can use either IAM authentication or IAM federation. IAM authentication lets you manage IAM identities such as users, groups, and roles in IAM. You grant users access to a Studio with IAM permissions policies and attribute-based access control (ABAC). IAM federation lets you establish trust between a third-party identity provider (IdP) and AWS so that you can manage user identities through your IdP.


If you already use IAM to control access to AWS resources, or if you've already configured your identity provider (IdP) for IAM, see User permissions for IAM authentication mode to set user permissions when you use IAM authentication mode for EMR Studio.

Use IAM federation for Amazon EMR Studio

To use IAM federation for Amazon EMR Studio, you create a trust relationship between your AWS account and your identity provider (IdP) and enable federated users to access the AWS Management Console. The steps you take to create this trust relationship differ depending on your IdP's federation standard.

In general, you complete the following tasks to configure federation with an external IdP. For complete instructions, see Enabling SAML 2.0 federated users to access the AWS Management Console and Enabling custom identity broker access to the AWS Management Console in the AWS Identity and Access Management User Guide.

  1. Gather information from your IdP. This usually means generating a metadata document to validate SAML authentication requests from your IdP.

  2. Create an identity provider IAM entity to store information about your IdP. For instructions, see Creating IAM identity providers.

  3. Create one or more IAM roles for your IdP. EMR Studio assigns a role to a federated user when the user logs in. The role permits your IdP to request temporary security credentials for access to AWS. For instructions, see Creating a role for a third-party identity provider (federation). The permissions policies that you assign to the role determine what federated users can do in AWS and in an EMR Studio. For more information, see User permissions for IAM authentication mode.

  4. (For SAML providers) Complete the SAML trust by configuring your IdP with information about AWS and the roles that you want federated users to assume. This configuration process creates relying party trust between your IdP and AWS. For more information, see Configuring your SAML 2.0 IdP with relying party trust and adding claims.

To configure an EMR Studio as a SAML application in your IdP portal

You can configure a particular EMR Studio as a SAML application using a deep link to the Studio. Doing so lets users log in to your IdP portal and launch a specific Studio instead of navigating through the Amazon EMR console.

  • Use the following format to configure a deep link to your EMR Studio as a landing URL after SAML assertion verification.<aws-region>#studio/<your-studio-id>/start

Set up SSO authentication mode for Amazon EMR Studio

To prepare AWS Single Sign-On (AWS SSO) for EMR Studio, you must configure your identity source and provision users and groups. Provisioning is the process of making user and group information available for use by AWS SSO and by applications that use AWS SSO. For more information, see User and group provisioning.

EMR Studio supports using the following identity providers for AWS SSO:

To set up AWS SSO for EMR Studio

  1. To set up AWS SSO for EMR Studio, you need the following:

    • A management account in your AWS organization if you use multiple accounts in your organization.


      You should only use your management account to enable AWS SSO and provision users and groups. After you set up AWS SSO, use a member account to create an EMR Studio and assign users and groups. To learn more about AWS terminology, see AWS Organizations terminology and concepts.

    • If you enabled AWS SSO before November 25, 2019, you might have to enable applications that use AWS SSO for the accounts in your AWS organization. For more information, see Enable AWS SSO-integrated applications in AWS accounts.

    • Make sure that you have the prerequisites listed on the AWS SSO prerequisites page.

  2. Follow the instructions in Enable AWS SSO to enable AWS SSO in the AWS Region where you want to create the EMR Studio.

  3. Connect AWS SSO to your identity provider and provision the users and groups that you want to assign to the Studio.

    If you use... Do this...
    A Microsoft AD Directory
    1. Follow the instructions in Connect to your Microsoft AD directory to connect your self-managed Active Directory or AWS Managed Microsoft AD directory using AWS Directory Service.

    2. To provision users and groups for AWS SSO, you can sync identity data from your source AD to AWS SSO. You can sync identities from your source AD in many ways. One way is to assign AD users or groups to an AWS account in your organization. For instructions, see Single sign-on.

      Synchronization can take up to two hours. After you complete this step, synced users and groups appear in your AWS identity store.


      Users and groups don't appear in your AWS identity store until you synchronize user and group information or use just-in-time (JIT) user provisioning. For more information, see Provisioning when users come from Active Directory.

    3. (Optional) After you sync AD users and groups, you can remove their access to your AWS account that you configured in the previous step. For instructions, see Remove user access.

    An external identity provider Follow the instructions in Connect to your external identity provider.
    The AWS Single Sign-On store When you create users and groups in AWS SSO, provisioning is automatic. For more information, see Manage identities in AWS SSO.

You can now assign users and groups from your AWS identity store to an EMR Studio. For instructions, see Assign a user or group to an EMR Studio.