

# OIDC IdP Workforces


Create a private workforce using an OpenID Connect (OIDC) Identity Provider (IdP) when you want to manage and authenticate your workers using your own OIDC IdP. Individual worker credentials and other data will be kept private. Ground Truth and Amazon A2I will only have visibility into worker information you provide through the claims that you send to these services. To create a workforce using an OIDC IdP, your IdP must support *groups* because Ground Truth and Amazon A2I map one or more groups in your IdP to a work team. To learn more, see [Send Required and Optional Claims to Ground Truth and Amazon A2I](sms-workforce-create-private-oidc.md#sms-workforce-create-private-oidc-configure-idp).

If you are a new user of Ground Truth or Amazon A2I, you can test your worker UI and job workflow by creating a private work team and adding yourself as a worker. Use this work team when you create a labeling job or human review workflow. First, create a private OIDC IdP workforce using the instructions in [Create a Private Workforce (OIDC IdP)](sms-workforce-create-private-oidc.md). Next, refer to [Manage a Private Workforce (OIDC IdP)](sms-workforce-manage-private-oidc.md) to learn how to create a work team.

**Topics**
+ [Create a Private Workforce (OIDC IdP)](sms-workforce-create-private-oidc.md)
+ [Manage a Private Workforce (OIDC IdP)](sms-workforce-manage-private-oidc.md)

# Create a Private Workforce (OIDC IdP)


Create a private workforce using an OpenID Connect (OIDC) Identity Provider (IdP) when you want to authenticate and manage workers using your own identity provider. Use this page to learn how to configure your IdP to communicate with Amazon SageMaker Ground Truth (Ground Truth) or Amazon Augmented AI (Amazon A2I) and to learn how to create a workforce using your own IdP. 

To create a workforce using an OIDC IdP, your IdP must support *groups* because Ground Truth and Amazon A2I use one or more groups that you specify to create work teams. You use work teams to specify workers for your labeling jobs and human review tasks. Because groups are not a [standard claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims), your IdP may have a different naming convention for a group of users (workers). Therefore, you must identify one or more user groups to which a worker belongs using the custom claim `sagemaker:groups` that is sent to Ground Truth or Amazon A2I from your IdP. To learn more, see [Send Required and Optional Claims to Ground Truth and Amazon A2I](#sms-workforce-create-private-oidc-configure-idp).

You create an OIDC IdP workforce using the SageMaker API operation [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html). Once you create a private workforce, that workforce and all work teams and workers associated with it are available to use for all Ground Truth labeling job tasks and Amazon A2I human review workflows tasks. To learn more, see [Create an OIDC IdP Workforce](#sms-workforce-create-private-oidc-createworkforce).

## Send Required and Optional Claims to Ground Truth and Amazon A2I


When you use your own IdP, Ground Truth and Amazon A2I use your `Issuer`, `ClientId`, and `ClientSecret` to authenticate workers by obtaining an authentication CODE from your `AuthorizationEndpoint`. 

Ground Truth and Amazon A2I will use this CODE to obtain a custom claim from either your IdP's `TokenEndpoint` or `UserInfoEndpoint`. You can either configure `TokenEndpoint` to return a JSON web token (JWT) or `UserInfoEndpoint` to return a JSON object. The JWT or JSON object must contain required and optional claims that you specify. A [claim](https://openid.net/specs/openid-connect-core-1_0.html#Terminology) is a key-value pair that contains information about a worker or metadata about the OIDC service. The following table lists the claims that must be included, and that can optionally be included in the JWT or JSON object that your IdP returns. 

**Note**  
Some of the parameters in the following table can be specified using a `:` or a `-`. For example, you can specify the groups a worker belongs to using `sagemaker:groups` or `sagemaker-groups` in your claim. 


|  Name  | Required | Accepted Format and Values | Description | Example | 
| --- | --- | --- | --- | --- | 
|  `sagemaker:groups` or `sagemaker-groups`  |  Yes  |  **Data type**: If a worker belongs to a single group, identify the group using a string. If a worker belongs to multiple groups, use a list of up to 10 strings.  **Allowable characters**: Regex: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+` **Quotas**: 10 groups per worker; 63 characters per group name  |  Assigns a worker to one or more groups. Groups are used to map the worker into work teams.   |  Example of a worker that belongs to a single group: `"work_team1"` Example of a worker that belongs to more than one group: `["work_team1", "work_team2"]`   | 
|  `sagemaker:sub` or `sagemaker-sub`  |  Yes  |  **Data type**: String  |  This is mandatory to track a worker identity inside the Ground Truth platform for auditing and to identify tasks worked on by that worker.  For ADFS: Customers must use the Primary Security Identifier (SID).   |  `"111011101-123456789-3687056437-1111"`  | 
|  `sagemaker:client_id` or `sagemaker-client_id`  |  Yes  |  **Data type**: String **Allowable characters**: Regex: `[\w+-]+` **Quotas**: 128 characters   |  A client ID. All tokens must be issued for this client ID.   |  `"00b600bb-1f00-05d0-bd00-00be00fbd0e0"`  | 
|  `sagemaker:name` or `sagemaker-name`  |  Yes  |  **Data type**: String  |  The worker name to be displayed in the worker portal.  |  `"Jane Doe"`  | 
|  `email`  |  No  |  **Data type**: String  |  The worker email. Ground Truth uses this email to notify workers that they have been invited to work on labeling tasks. Ground Truth will also use this email to notify your workers when labeling tasks become available if you set up an Amazon SNS topic for a work team that this worker is on.  |  `"example-email@domain.com"`  | 
|  `email_verified`  |  No  |  **Data type**: Bool **Accepted Values:** `True`, `False`  |  Indicates if the user email was verified or not.   |  `True`  | 

The following is an example of the JSON object syntax your `UserInfoEndpoint` can return. 

```
{
    "sub":"122",
    "exp":"10000",
    "sagemaker-groups":["group1","group2"],
    "sagemaker-name":"name",
    "sagemaker-sub":"122",
    "sagemaker-client_id":"123456"
}
```

Ground Truth or Amazon A2I compares the groups listed in `sagemaker:groups` or `sagemaker-groups` to verify that your worker belongs to the work team specified in the labeling job or human review task. After the work team has been verified, labeling or human review tasks are sent to that worker. 

## Create an OIDC IdP Workforce


You can create a workforce using the SageMaker API operation `CreateWorkforce` and associated language-specific SDKs. Specify a `WorkforceName` and information about your OIDC IDP in the parameter `OidcConfig`. It is recommended that you configure your OIDC with a place-holder redirect URI, and then update the URI with the worker portal URL after you create the workforce. To learn more, see [Configure your OIDC IdP](#sms-workforce-create-private-oidc-configure-url).

The following shows an example of the request. See [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html) to learn more about each parameter in this request.

```
CreateWorkforceRequest: {
    #required fields
    WorkforceName: "example-oidc-workforce",
    OidcConfig: { 
        ClientId: "clientId",
        ClientSecret: "secret",
        Issuer: "https://example-oidc-idp.com/adfs",
        AuthorizationEndpoint: "https://example-oidc-idp.com/adfs/oauth2/authorize",
        TokenEndpoint: "https://example-oidc-idp.com/adfs/oauth2/token",
        UserInfoEndpoint: "https://example-oidc-idp.com/adfs/oauth2/userInfo",
        LogoutEndpoint: "https://example-oidc-idp.com/adfs/oauth2/log-out",
        JwksUri: "https://example-oidc-idp.com/adfs/discovery/keys"
    },
    SourceIpConfig: {
        Cidrs: ["string", "string"]
    }
}
```

### Configure your OIDC IdP


How you configure your OIDC IdP depends on the IdP you use, and your business requirements. 

When you configure your IdP, you must specify a callback or redirect URI. After Ground Truth or Amazon A2I authenticates a worker, this URI will redirect the worker to the worker portal where the workers can access labeling or human review tasks. To create a worker portal URL, you need to create a workforce with your OIDC IdP details using the [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html) API operation. Specifically, you must configure your OIDC IdP with required custom sagemaker claims (see the next section for more details). Therefore, it is recommended that you configure your OIDC with a place-holder redirect URI, and then update the URI after you create the workforce. See [Create an OIDC IdP Workforce](#sms-workforce-create-private-oidc-createworkforce) to learn how to create a workforce using this API. 

You can view your worker portal URL in the SageMaker Ground Truth console, or using the SageMaker API operation, `DescribeWorkforce`. The worker portal URL is in the [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_Workforce.html#sagemaker-Type-Workforce-SubDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_Workforce.html#sagemaker-Type-Workforce-SubDomain) parameter in the response.

**Important**  
Make sure you add the workforce subdomain to your OIDC IdP allow list. When you add the subdomain to your allow list, it must end with `/oauth2/idpresponse`.

**To view your worker portal URL after creating a private workforce (Console):**

1. Open the SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/). 

1. In the navigation pane, choose **Labeling workforces**. 

1. Select the **Private** tab.

1. In **Private workforce summary** you will see **Labeling portal sign-in URL**. This is your worker portal URL.

**To view your worker portal URL after creating a private workforce (API):**

When you create a private workforce using [`CreateWorkforce`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html), you specify a `WorkforceName`. Use this name to call [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DescribeWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DescribeWorkforce.html). The following table includes examples of requests using the AWS CLI and AWS SDK for Python (Boto3). 

------
#### [ SDK for Python (Boto3) ]

```
import boto3
client = boto3.client('sagemaker')
response = client.describe_workforce(WorkforceName='string')
print(f"The workforce subdomain is: {response['Workforce']['SubDomain']}")
```

------
#### [ AWS CLI ]

```
$ aws sagemaker describe-workforce --workforce-name 'string'
```

------

## Validate Your OIDC IdP Workforce Authentication Response


After you have created your OIDC IdP workforce, you can use the following procedure to validate its authentication workflow using cURL. This procedure assumes you have access to a terminal, and that you have cURL installed.

**To validate your OIDC IdP authorization response:**

1. Get an authorization code using a URI configured as follows:

   ```
   {AUTHORIZE ENDPOINT}?client_id={CLIENT ID}&redirect_uri={REDIRECT URI}&scope={SCOPE}&response_type=code
   ```

   1. Replace *`{AUTHORIZE ENDPOINT}`* with the authorize endpoint for your OIDC IdP.

   1. Replace `{CLIENT ID}` with the Client ID from your OAuth client.

   1. Replace *`{REDIRECT URI}`* with the worker portal URL. If it is not already present, you must add `/oauth2/idpresponse` to the end of the URL.

   1. If you have a custom scope, use it to replace `{SCOPE}`. If you do not have a custom scope, replace `{SCOPE}` with `openid`.

   The following is an example of a URI after the modifications above are made:

   ```
   https://example.com/authorize?client_id=f490a907-9bf1-4471-97aa-6bfd159f81ac&redirect_uri=https%3A%2F%2Fexample.labeling.sagemaker.aws%2Foauth2%2Fidpresponse&response_type=code&scope=openid
   ```

1. Copy and paste the modified URI from step 1 into your browser and press Enter on your keyboard.

1. Authenticate using your IdP.

1. Copy the authentication code query parameter in the URI. This parameter begins with `code=`. The following is an example of what the response might look like. In this example, copy `code=MCNYDB...` and everything thereafter.

   ```
   https://example.labeling.sagemaker.aws/oauth2/idpresponse?code=MCNYDB....
   ```

1. Open a terminal and enter the following command after making required modifications listed below:

   ```
   curl --request POST \
     --url '{TOKEN ENDPOINT}' \
     --header 'content-type: application/x-www-form-urlencoded' \
     --data grant_type=authorization_code \
     --data 'client_id={CLIENT ID}' \
     --data client_secret={CLIENT SECRET} \
     --data code={CODE} \
     --data 'redirect_uri={REDIRECT URI}'
   ```

   1. Replace `{TOKEN ENDPOINT}` with the token endpoint for your OIDC IdP.

   1. Replace `{CLIENT ID}` with the Client ID from your OAuth client.

   1. Replace `{CLIENT SECRET}` with the Client Secret from your OAuth client.

   1. Replace `{CODE}` with the authentication code query parameter you copied in step 4.

   1. Replace *`{REDIRECT URI}`* with the worker portal URL.

   The following is an example of the cURL request after making the modifications described above:

   ```
   curl --request POST \
     --url 'https://example.com/token' \
     --header 'content-type: application/x-www-form-urlencoded' \
     --data grant_type=authorization_code \
     --data 'client_id=f490a907-9bf1-4471-97aa-6bfd159f81ac' \
     --data client_secret=client-secret \
     --data code=MCNYDB... \
     --data 'redirect_uri=https://example.labeling.sagemaker.aws/oauth2/idpresponse'
   ```

1. This step depends on the type of `access_token` your IdP returns, a plain text access token or a JWT access token.
   + If your IdP does not support JWT access tokens, `access_token` may be plain text (for example, a UUID). The response you see may look similar to the following. In this case, move to step 7.

     ```
     {
       "access_token":"179c144b-fccb-4d96-a28f-eea060f39c13",
       "token_type":"Bearer",
       "expires_in":3600,
       "refresh_token":"ef43e52e-9b4f-410c-8d4c-d5c5ee57631a",
       "scope":"openid"
     }
     ```
   + If your IdP supports JWT access tokens, step 5 should generate an access token in JWT format. For example, the response may look similar to the following:

     ```
     {
         "access_token":"eyJh...JV_adQssw5c",
         "refresh_token":"i6mapTIAVSp2oJkgUnCACKKfZxt_H5MBLiqcybBBd04",
         "refresh_token_expires_in":6327,
         "scope":"openid",
         "id_token":"eyJ0eXAiOiJK9...-rDaQzUHl6cQQWNiDpWOl_lxXjQEvQ"
     }
     ```

     Copy the JWT and decode it. You can use a Python script or a third-party website to decode it. For example, you can go to the website [https://jwt.io/](https://jwt.io/) and paste the JWT into the **Encoded** box to decode it. 

     Make sure the decoded response contains the following:
     + The **Required** SageMaker AI claims in the table found in [Send Required and Optional Claims to Ground Truth and Amazon A2I](#sms-workforce-create-private-oidc-configure-idp). If it does not, you must reconfigure your OIDC IdP to contain these claims. 
     + The [Issuer](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OidcConfig.html#sagemaker-Type-OidcConfig-Issuer) you specified when you set up the IdP workforce.

1. In a terminal, enter the following command after making the required modifications listed below:

   ```
   curl -X POST -H 'Authorization: Bearer {ACCESS TOKEN}' -d '' -k -v {USERINFO ENDPOINT}
   ```

   1. Replace `{USERINFO ENDPOINT}` with the user info endpoint for your OIDC IdP.

   1. Replace `{ACCESS TOKEN}` with the access token in the response you received in step 7. This is the entry for the `"access_token"` parameter.

   The following is an example of the cURL request after making the modifications described above:

   ```
    curl -X POST -H 'Authorization: Bearer eyJ0eX...' -d '' -k -v https://example.com/userinfo
   ```

1. The response to the final step in the procedure above may look similar to the following code block. 

   If the `access_token` returned in step 6 was plain text, you must verify that this response contains required information. In this case, the response must contain the **Required** SageMaker AI claims in the table found in [Send Required and Optional Claims to Ground Truth and Amazon A2I](#sms-workforce-create-private-oidc-configure-idp). For example, `sagemaker-groups`, `sagemaker-name`.

   ```
   {
       "sub":"122",
       "exp":"10000",
       "sagemaker-groups":["group1","group2"],
       "sagemaker-name":"name",
       "sagemaker-sub":"122",
       "sagemaker-client_id":"123456"
   }
   ```
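The required-claim and quota checks from the claims table, applied to a decoded JWT access token or a `UserInfoEndpoint` response as the procedure above asks. This is an added example, not AWS code: the function names, the constructed sample token, and the comparison of `sagemaker:client_id` with a client ID you pass in are assumptions, and the table's allowable-character regexes are not checked.

```python
import base64
import json

REQUIRED = ("groups", "sub", "client_id", "name")
MAX_GROUPS, MAX_GROUP_LEN, MAX_CLIENT_ID_LEN = 10, 63, 128  # quotas from the table


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. Inspection only: the signature
    segment is ignored, so the result says nothing about authenticity."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def get_claim(claims, name):
    """Look up a SageMaker claim under either accepted spelling (':' or '-')."""
    for key in (f"sagemaker:{name}", f"sagemaker-{name}"):
        if key in claims:
            return claims[key]
    return None


def check_claims(claims, expected_client_id, expected_issuer=None):
    """Return a list of problems; an empty list means the claims pass."""
    problems = [f"missing sagemaker:{n}" for n in REQUIRED
                if get_claim(claims, n) is None]

    groups = get_claim(claims, "groups")
    if isinstance(groups, str):
        groups = [groups]  # a single group may be sent as a bare string
    if groups is not None:
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            problems.append("sagemaker:groups must be a string or a list of strings")
        else:
            if not 1 <= len(groups) <= MAX_GROUPS:
                problems.append(f"sagemaker:groups must list 1-{MAX_GROUPS} groups")
            problems += [f"group name over {MAX_GROUP_LEN} characters: {g[:20]}..."
                         for g in groups if len(g) > MAX_GROUP_LEN]

    for name in ("sub", "name"):
        value = get_claim(claims, name)
        if value is not None and not isinstance(value, str):
            problems.append(f"sagemaker:{name} must be a string")

    client_id = get_claim(claims, "client_id")
    if client_id is not None:
        if not isinstance(client_id, str) or len(client_id) > MAX_CLIENT_ID_LEN:
            problems.append(f"sagemaker:client_id must be a string of at most "
                            f"{MAX_CLIENT_ID_LEN} characters")
        elif client_id != expected_client_id:  # assumption: caller supplies it
            problems.append("sagemaker:client_id does not match the expected client ID")

    # A JWT carries its issuer in the standard "iss" claim; skip for UserInfo JSON.
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        problems.append("iss does not match the workforce Issuer")
    return problems


def make_sample_jwt(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".constructed-signature"


# Constructed sample: the UserInfo object shown on this page, plus an issuer.
SAMPLE = {"sub": "122", "exp": "10000", "iss": "https://example-oidc-idp.com/adfs",
          "sagemaker-groups": ["group1", "group2"], "sagemaker-name": "name",
          "sagemaker-sub": "122", "sagemaker-client_id": "123456"}

if __name__ == "__main__":
    decoded = decode_jwt_payload(make_sample_jwt(SAMPLE))
    result = check_claims(decoded, "123456", "https://example-oidc-idp.com/adfs")
    print(result or "all required claims present and within quotas")
```

Decoding locally keeps the access token out of third-party sites; pass `expected_issuer=None` when checking a plain `UserInfoEndpoint` response.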

## Next Steps


Once you've created a private workforce using your IdP and verified your IdP authentication response, you can create work teams using your IdP groups. To learn more, see [Manage a Private Workforce (OIDC IdP)](sms-workforce-manage-private-oidc.md). 

You can restrict worker access to tasks to specific IP addresses, and update or delete your workforce using the SageMaker API. To learn more, see [Private workforce management using the Amazon SageMaker API](sms-workforce-management-private-api.md).

# Manage a Private Workforce (OIDC IdP)


Once you've created a private workforce using your OpenID Connect (OIDC) Identity Provider (IdP), you can manage your workers using your IdP. For example, you can add, remove, and group workers directly through your IdP.

To add workers to an Amazon SageMaker Ground Truth (Ground Truth) labeling job or Amazon Augmented AI (Amazon A2I) human review task, you create work teams using 1-10 IdP groups and assign that work team to the job or task. You assign a work team to a job or task by specifying that work team when you create a labeling job (Ground Truth) or a human review workflow (Amazon A2I). 

You can only assign one team to each labeling job or human review workflow. You can use the same team to create multiple labeling jobs or human review tasks. You can also create multiple work teams to work on different labeling jobs or human review tasks. 

## Prerequisites


To create and manage private work teams using your OIDC IdP groups, first you must create a workforce using the SageMaker API operation [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkforce.html). To learn more, see [Create a Private Workforce (OIDC IdP)](sms-workforce-create-private-oidc.md). 

## Add work teams


You can use the SageMaker AI console to create a private work team using your OIDC IdP workforce on the **Labeling workforces** page under **Ground Truth**. If you are creating a Ground Truth labeling job, you can also create a private work team while creating a labeling job.

**Note**  
You create and manage work teams for Amazon A2I in the Ground Truth area of the SageMaker AI console.

You can also use the SageMaker API and associated language-specific SDKs to create a private work team.

Use the following procedures to learn how to create a private work team using the SageMaker AI console and API. 

**To create a private work team on the Labeling workforces page (console)**

1. Go to the Ground Truth area of the SageMaker AI console: [https://console.aws.amazon.com/sagemaker/groundtruth](https://console.aws.amazon.com/sagemaker/groundtruth).

1. Select **Labeling workforces**.

1. Select **Private**.

1. In the **Private teams** section, select **Create private team**.

1. In the **Team details** section, enter a **Team name**. 

1. In the **Add workers** section, enter the name of a single user group. All workers associated with this group in your IdP are added to this work team. 

1. To add more than one user group, select **Add new user group** and enter the names of the user groups you want to add to this work team. Enter one user group per line. 

1. (Optional) For Ground Truth labeling jobs, if you provide an email for workers in your JWT, Ground Truth notifies workers when a new labeling task is available if you select an SNS topic. 

1. Select **Create private team**.

**To create a private work team while creating a Ground Truth labeling job (console)**

1. Go to the Ground Truth area of the SageMaker AI console: [https://console.aws.amazon.com/sagemaker/groundtruth](https://console.aws.amazon.com/sagemaker/groundtruth).

1. Select **Labeling jobs**.

1. Use the instructions in [Create a Labeling Job (Console)](sms-create-labeling-job-console.md) to create a labeling job. Stop when you get to the **Workers** section on the second page. 

1. Select **Private** for your worker type.

1. Enter a **Team name**. 

1. In the **Add workers** section, enter the name of a single user group under **User groups**. All workers associated with this group in your IdP are added to this work team.

   **Important**  
   The group names you specify for **User groups** must match the group names specified in your OIDC IdP.

1. To add more than one user group, select **Add new user group** and enter the names of the user groups you want to add to this work team. Enter one user group per line.

1. Complete all remaining steps to create your labeling job. 

The private team that you create is used for this labeling job, and is listed in the **Labeling workforces** section of the SageMaker AI console. 

**To create a private work team using the SageMaker API**  
You can create a private work team using the SageMaker API operation [`CreateWorkteam`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateWorkteam.html). 

When you use this operation, list all user groups that you want included in the work team in the `OidcMemberDefinition` parameter `Groups`. 

**Important**  
The group names you specify for `Groups` must match the group names specified in your OIDC IdP. 

For example, if your user group names are `group1`, `group2`, and `group3` in your OIDC IdP, configure `OidcMemberDefinition` as follows:

```
 "OidcMemberDefinition": { 
    "Groups": ["group1", "group2", "group3"]
  }
```

Additionally, you must give the work team a name using the `WorkteamName` parameter.

## Add or remove IdP groups from work teams


After you've created a work team, you can use the SageMaker API to manage that work team. Use the [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateWorkteam.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateWorkteam.html) operation to update the IdP user groups included in that work team. 
+ Use the `WorkteamName` parameter to identify the work team that you want to update. 
+ When you use this operation, list all user groups that you want included in the work team in the [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OidcMemberDefinition.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OidcMemberDefinition.html) parameter `Groups`. If a user group is associated with a work team and you do *not* include it in this list, that user group is no longer associated with this work team. 

## Delete a work team


You can delete a work team using the SageMaker AI console and SageMaker API. 

**To delete a private work team in the SageMaker AI console**

1. Go to the Ground Truth area of the SageMaker AI console: [https://console.aws.amazon.com/sagemaker/groundtruth](https://console.aws.amazon.com/sagemaker/groundtruth).

1. Select **Labeling workforces**.

1. Select **Private**.

1. In the **Private teams** section, select the work team that you want to delete. 

1. Select **Delete**.

**To delete a private work team (API)**  
You can delete a private work team using the SageMaker API operation [`DeleteWorkteam`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DeleteWorkteam.html).

## Manage Individual Workers


When you create a workforce using your own OIDC IdP, you cannot use Ground Truth or Amazon A2I to manage individual workers. 
+ To add a worker to a work team, add that worker to a group associated with that work team. 
+ To remove a worker from a work team, remove that worker from all user groups associated with that work team. 

## Update, Delete, and Describe Your Workforce


You can update, delete, and describe your OIDC IdP workforce using the SageMaker API. The following is a list of API operations that you can use to manage your workforce. For additional details, including how you can locate your workforce name, see [Private workforce management using the Amazon SageMaker API](sms-workforce-management-private-api.md).
+ [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateWorkforce.html) – You may want to update a workforce created using your own OIDC IdP to specify a different authorization endpoint, token endpoint, or issuer. You can update any parameter found in [`OidcConfig`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OidcConfig.html) using this operation.

  You can only update your OIDC IdP configuration when there are no work teams associated with your workforce. To learn how to delete work teams, see [Delete a work team](#sms-workforce-manage-private-oidc-workteam-delete).
+ [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DeleteWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DeleteWorkforce.html) – Use this operation to delete your private workforce. If you have any work teams associated with your workforce, you must delete those work teams before you delete your workforce. For more information, see [Delete a work team](#sms-workforce-manage-private-oidc-workteam-delete).
+ [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DescribeWorkforce.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DescribeWorkforce.html) – Use this operation to list private workforce information, including workforce name, Amazon Resource Name (ARN), and, if applicable, allowed IP address ranges (CIDRs). 