Enable AWS Single Sign-On for Amazon EMR Studio - Amazon EMR

Enable AWS Single Sign-On for Amazon EMR Studio

About AWS SSO for EMR Studio

EMR Studio uses AWS Single Sign-On (AWS SSO) to provide access to a Studio with a unique sign-in URL. You must enable AWS SSO, configure your identity source, and provision users and groups. Provisioning is the process of making user and group information available for use by AWS SSO and by applications that use AWS SSO. For more information, see User and group provisioning.

You do not use the AWS SSO console to assign users or groups to your EMR Studio. After you complete the instructions on this page, you can create a Studio and assign users and groups from your AWS SSO store to the Studio using the Amazon EMR console or the AWS CLI.


EMR Studio uses IAM session policies to manage Studio permissions at the user and group level. EMR Studio maps a session policy to a user or group when you assign the user or group to your Studio. For more information, see Create an EMR Studio user role with session policies.

EMR Studio currently supports using the following identity providers:


Before you set up AWS SSO for EMR Studio, you need the following:

  • A management account in your AWS organization if you use multiple accounts in your organization.


    Enabling AWS SSO and provisioning users and groups are the only steps you should take using your management account. After you set up AWS SSO, you use a member account to create an EMR Studio and assign users and groups. To learn more about AWS terminology, see AWS Organizations terminology and concepts.

  • If you enabled AWS SSO prior to November 25, 2019, you might need to enable applications that use AWS SSO for the accounts in your AWS organization. For more information, see Enable AWS SSO-integrated applications in AWS accounts.

  • Make sure you have the prerequisites listed on the AWS SSO prerequisites page.


To set up AWS SSO for EMR Studio

  1. Follow the instructions in Enable AWS SSO to enable AWS SSO in the AWS Region where you want to create your EMR Studio.

  2. Connect AWS SSO to your identity provider and provision the users and groups that you want to assign to your Studio.

    If you use... Do this...
    A Microsoft AD Directory
    1. Follow the instructions in Connect to your Microsoft AD directory to connect your self-managed Active Directory or AWS Managed Microsoft AD directory using AWS Directory Service.

    2. To provision users and groups for AWS SSO, you can sync identity data from your source AD to AWS SSO. There are multiple ways to sync identities from your source AD. One option is to assign AD users or groups to an AWS account in your organization. For instructions, see Single sign-on.

      Synchronization can take up to two hours. After you complete this step, you should see all synced users and groups appear in your AWS identity store.


      Users and groups do not appear in your AWS identity store until you synchronize user and group information or use just-in-time (JIT) user provisioning. For more information, see Provisioning when users come from Active Directory.

    3. (Optional) After you sync AD users and groups, you can remove their access to your AWS Account that you configured in the previous step. For instructions, see Remove user access.

    An external identity provider Follow the instructions in Connect to your external identity provider.
    The AWS Single Sign-On store When you use the AWS SSO store, all you need to do is manage your users and groups. When you create users and groups directly in AWS SSO, provisioning is automatic. For more information, see Manage identities in AWS SSO.

You can now assign users and groups from your AWS identity store to your EMR Studio. For more information about how to assign users and groups to a Studio, see Assign a user or group to your EMR Studio.