# Amazon Cognito Workforces
Create and manage your private workforce using Amazon Cognito when you want to create your workforce using the Amazon SageMaker AI console or you don't want the overhead of managing worker credentials and authentication. When you create a private workforce with Amazon Cognito, it provides authentication, authorization, and user management for your private workers.
**Topics**
+ [Create a Private Workforce (Amazon Cognito)](sms-workforce-create-private.md)
+ [Manage a Private Workforce (Amazon Cognito)](sms-workforce-management-private.md)
# Create a Private Workforce (Amazon Cognito)
When you use Amazon Cognito, you can create a private workforce in one of the following ways:
+ Create a new workforce while you are creating your labeling job. To learn how, see [Create an Amazon Cognito Workforce When Creating a Labeling Job](sms-workforce-create-private-console.md#create-workforce-labeling-job).
+ Create a new workforce before you create your labeling job. To learn how, see [Create an Amazon Cognito Workforce Using the Labeling Workforces Page](sms-workforce-create-private-console.md#create-workforce-sm-console).
+ Import an existing workforce after creating a user pool in the Amazon Cognito console. To learn how, see [Create a Private Workforce (Amazon Cognito Console)](sms-workforce-create-private-cognito.md).
Once you create a private workforce, that workforce and all work teams and workers associated with it are available to use for all Ground Truth labeling job tasks and Amazon Augmented AI human review workflows tasks.
If you are new to Amazon SageMaker AI and want to test Ground Truth or Amazon A2I, we suggest that you create a private work team consisting of people from your organization using the console. Use this work team when creating labeling or human review workflows (flow definitions) to test your worker UI and job workflow.
**Topics**
+ [Create a Private Workforce (Amazon SageMaker AI Console)](sms-workforce-create-private-console.md)
+ [Create a Private Workforce (Amazon Cognito Console)](sms-workforce-create-private-cognito.md)
# Create a Private Workforce (Amazon SageMaker AI Console)
You can create a private workforce in the Amazon SageMaker AI console in one of two ways:
+ When creating a labeling job in the **Labeling jobs** page of the Amazon SageMaker Ground Truth section.
+ Using the **Labeling workforces** page of the Amazon SageMaker Ground Truth section. If you are creating a private workforce for an Amazon A2I human review workflow, use this method.
Both of these methods also create a default work team containing all of the members of the workforce. This private workforce is available to use for both Ground Truth and Amazon Augmented AI jobs.
When you create a private workforce using the console, SageMaker AI uses Amazon Cognito as an identity provider for your workforce. If you want to use your own OpenID Connect (OIDC) Identity Provider (IdP) to create and manage your private workforce, you must create a workforce using the SageMaker API operation `CreateWorkforce`. To learn more, see [Create a Private Workforce (OIDC IdP)](sms-workforce-create-private-oidc.md).
## Create an Amazon Cognito Workforce When Creating a Labeling Job
If you haven't created a private workforce when you create your labeling job and you choose to use private workers, you are prompted to create a work team. This will create a private workforce using Amazon Cognito.
**To create a workforce while creating a labeling job (console)**
1. Open the SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. In the navigation pane, choose **Labeling jobs** and fill in all required fields. For instructions on how to start a labeling job, see [Getting started: Create a bounding box labeling job with Ground Truth](sms-getting-started.md). Choose **Next**.
1. Choose **Private** for the workforce type.
1. In the **Workers** section, enter:
1. The **Team name**.
1. Email addresses for up to 100 workforce members. Email addresses are case sensitive. Your workers must log in using the same case used when the address was initially entered. You can add additional workforce members after the job has been created.
1. The name of your organization. SageMaker AI uses this to customize the email sent to the workers.
1. A contact email address for workers to report issues related to the task.
When you create the labeling job, an email is sent to each worker inviting them to join the workforce. After creating the workforce, you can add, delete, and disable workers using the SageMaker AI console or the Amazon Cognito console.
## Create an Amazon Cognito Workforce Using the Labeling Workforces Page
To create and manage your private workforce using Amazon Cognito, you can use the **Labeling workforces** page. When following the instructions below, you have the option to create a private workforce by entering worker emails importing a pre-existing workforce from an Amazon Cognito user pool. To import a workforce, see [Create a Private Workforce (Amazon Cognito Console)](sms-workforce-create-private-cognito.md).
**To create a private workforce using worker emails**
1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. In the navigation pane, choose **Labeling workforces**.
1. Choose **Private**, then choose **Create private team**.
1. Choose **Invite new workers by email**.
1. Paste or type a list of up to 50 email addresses, separated by commas, into the email addresses box.
1. Enter an organization name and contact email.
1. Optionally, choose an SNS topic to which to subscribe the team so workers are notified by email when new Ground Truth labeling jobs become available. Amazon SNS notifications are supported by Ground Truth and are not supported by Augmented AI. If you subscribe workers to receive SNS notifications, they only receive notifications about Ground Truth labeling jobs. They do not receive notifications about Augmented AI tasks.
1. Click the **Create private team** button.
After you import your private workforce, refresh the page. On the **Private workforce summary** page, you can see information about the Amazon Cognito user pool for your workforce, a list of work teams for your workforce, and a list of all of the members of your private workforce.
**Note**
If you delete all of your private work teams, you have to repeat this process to use a private workforce in that region.
# Create a Private Workforce (Amazon Cognito Console)
Amazon Cognito is used to define and manage your private workforce and your work teams. It is a service that you can use to create identities for your workers and authenticate these identities with identity providers. A private workforce corresponds to a single **Amazon Cognito user pool**. Private work teams correspond to **Amazon Cognito user groups **within that user pool.
Example identity providers supported by Amazon Cognito:
+ Social sign-in providers such as Facebook and Google
+ OpenID Connect (OIDC) providers
+ Security Assertion Markup Language (SAML) providers such as Active Directory
+ The Amazon Cognito built-in identity provider
For more information, see [What Is Amazon Cognito?](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html).
To create a private workforce using Amazon Cognito, you must have an existing Amazon Cognito user pool containing at least one user group. See [Tutorial: Creating a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html) to learn how to create a user pool. See [Adding Groups to a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) to learn how to add a user group to a pool.
Once your user pool has been created, follow the steps below to create a private workforce by importing that user pool into Amazon SageMaker AI.
**To create a private workforce by importing a Amazon Cognito user pool**
1. Open the SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. In the navigation pane, choose **Labeling workforces**.
1. Choose **Private**.
1. Choose **Create private team**. This creates a private workforce and a work team.
1. Choose **Import workers from existing Amazon Cognito user groups**.
1. Choose a user pool that you have created. User pools require a domain and an existing user group. If you get an error that the domain is missing, set it in the **Domain name** options on the **App integration** page of the Amazon Cognito console for your group.
1. Choose an app client. We recommend using a client generated by SageMaker AI.
1. Choose a user group from your pool to import its members.
1. Optionally choose an Amazon Simple Notification Service (Amazon SNS) topic to which to subscribe the team so that workers are notified by email when new labeling jobs become available. Amazon SNS notifications are supported by Ground Truth and are not supported by Augmented AI. If you subscribe workers to receive SNS notifications, they only receive notifications about Ground Truth labeling jobs. They do not receive notifications about Augmented AI tasks.
1. Choose **Create private team**.
**Important**
After you create a workforce using an Amazon Cognito user pool, it should not be deleted without first deleting all work teams associated with that pool in the SageMaker AI console.
After you import your private workforce, refresh the page to see the **Private workforce summary** page. On this page, you can see information about the Amazon Cognito user pool for your workforce, a list of work teams for your workforce, and a list of all of the members of your private workforce. This workforce is now available to use in both Amazon Augmented AI and Amazon SageMaker Ground Truth for human review tasks and data labeling jobs respectively.
# Manage a Private Workforce (Amazon Cognito)
After you have created a private workforce using Amazon Cognito, you can create and manage work teams using the Amazon SageMaker AI console and API operations.
You can do the following using either the [SageMaker AI console](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management-private-console.html) or [Amazon Cognito console](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management-private-cognito.html).
+ Add and delete work teams.
+ Add workers to your workforce and one or more work teams.
+ Disable or remove workers from your workforce and one or more workteams. If you add workers to a workforce using the Amazon Cognito console, you must use the same console to remove the worker from the workforce.
You can restrict access to tasks to workers at specific IP addresses using the SageMaker API. For more information, see [Private workforce management using the Amazon SageMaker API](sms-workforce-management-private-api.md).
**Topics**
+ [Manage a Workforce (Amazon SageMaker AI Console)](sms-workforce-management-private-console.md)
+ [Manage a Private Workforce (Amazon Cognito Console)](sms-workforce-management-private-cognito.md)
# Manage a Workforce (Amazon SageMaker AI Console)
You can use the Amazon SageMaker AI console to create and manage the work teams and individual workers that make up a private workforce.
Use a work team to assign members of your private workforce to a labeling or human review *job*. When you create your workforce using the SageMaker AI console, there is a work team called **Everyone-in-private-workforce** that enables you to assign your entire workforce to a job. Because an imported Amazon Cognito user pool may contain members that you don't want to include in your work teams, a similar work team is not created for Amazon Cognito user pools.
You have two choices to create a new work team:
+ You can create a work team in the SageMaker AI console and add members from your workforce to the team.
+ You can create a user group by using the Amazon Cognito console and then create a work team by importing the user group. You can import more than one user group into each work team. You manage the members of the work team by updating the user group in the Amazon Cognito console. See [Manage a Private Workforce (Amazon Cognito Console)](sms-workforce-management-private-cognito.md) for more information.
## Create a Work Team Using the SageMaker AI Console
You can create a new Amazon Cognito user group or import an existing user group using the SageMaker AI console, on the **Labeling workforces** page. For more information on creating a user group in the Amazon Cognito console, see [Manage a Private Workforce (Amazon Cognito Console)](sms-workforce-management-private-cognito.md).
**To create a work team using the SageMaker AI console**
1. Open the SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. Choose **Labeling workforces** from the left menu.
1. Under **Private**, choose **Create private team**.
1. Under **Team details**, enter a **Team name**. The name must be unique in your account in an AWS Region.
1. Under **Add workers**, choose a method to add workers to the team using a user group.
+ If you chose **Create a team by adding workers to a new Amazon Cognito user group**, select the workers to add to the team.
+ If you chose **Create a team by importing existing Amazon Cognito user groups**, choose the user groups that are part of the new team.
1. If you select an **SNS topic**, all workers added to the team are subscribed to the Amazon SNS topic and notified when new work items are available to the team. Select from a list of your existing Ground Truth related Amazon SNS topics or select **Create new topic** to open a topic-creation dialog.
Amazon SNS notifications are supported by Ground Truth and are not supported by Augmented AI. If you subscribe workers to receive SNS notifications, they only receive notifications about Ground Truth labeling jobs. They do not receive notifications about Augmented AI tasks.
Workers in a workteam subscribed to a topic receive notifications when a new Ground Truth labeling job for that team becomes available and when one is about to expire.
Read [Create the Amazon SNS topic](sms-workforce-management-private-sns.md) for more information about using Amazon SNS topic.
### Subscriptions
After you have created a work team, you can see more information about the team and change or set the Amazon SNS topic to which its members are subscribed by visiting the Amazon Cognito console. If you added any team members before you subscribed the team to a topic, you need to manually subscribe those members to that topic. Read [Create and manage Amazon SNS topics for your work teams](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management-private-sns.html) for more information on creating and managing the Amazon SNS topic.
## Add or Remove Workers
A *work team* is a group of workers within your workforce to whom you can assign jobs. A worker can be added to more than one work team. Once a worker has been added to a work team, that worker can be disabled or removed.
### Add Workers to the Workforce
Adding a worker to the workforce enables you to add that worker to any work team within that work force.
**To add workers using the private workforce summary page**
1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. Choose** Labeling workforces** to navigate to your private workforce summary page.
1. Choose **Private**.
1. Choose **Invite new workers**.
1. Paste or type a list of email addresses, separated by commas, into the email addresses box. You can have up to 50 email addresses in this list.
### Add a Worker to a Work Team
A worker must be added to the workforce before being added to a work team. To add a worker to a work team, first navigate to the **Private workforce summary** page using the steps above.
**To add a worker to a work team from the private workforce summary page**
1. In the **Private teams** section, choose the team to which you want to add the workers.
1. Choose the **Workers** tab.
1. Choose **Add workers to team** and choose the boxes next to the workers that you want to add.
1. Click **Add workers to team**.
### Disable and Remove a Worker from the Workforce
Disabling a worker stops the worker from receiving a job. This action does not remove the worker from the workforce, or from any work team with which the worker is associated. To disable or remove a worker from a work team, first navigate to the private workforce summary page using the steps above.
**To deactivate a worker using the private workforce summary page**
1. In the **Workers** section, choose the worker that you would like to disable.
1. Choose **Disable**.
If desired, you can subsequently **Enable** a worker after they have been disabled.
You can remove workers from your private workforce directly in the SageMaker AI console if that worker was added in this console. If you added the worker (user) in the Amazon Cognito console, see [Manage a Private Workforce (Amazon Cognito Console)](sms-workforce-management-private-cognito.md) to learn how to remove the worker in the Amazon Cognito console.
**To remove a worker using the private workforce summary page**
1. In the **Workers** section, choose the worker that you would like to delete.
1. If the worker has not been disabled, choose **Disable**.
1. Select the worker and choose **Delete**.
# Manage a Private Workforce (Amazon Cognito Console)
A private workforce corresponds to a single **Amazon Cognito user pool**. Private work teams correspond to **Amazon Cognito user groups** within that user pool. Workers correspond to **Amazon Cognito users** within those groups.
After your workforce has been created, you can add work teams and individual workers through the Amazon Cognito console. You can also delete workers from your private workforce or remove them from individual teams in the Amazon Cognito console.
**Important**
You can't delete work teams from the Amazon Cognito console. Deleting a Amazon Cognito user group that is associated with an Amazon SageMaker AI work team will result in an error. To remove work teams, use the SageMaker AI console.
## Create Work Teams (Amazon Cognito Console)
You can create a new work team to complete a job by adding a Amazon Cognito user group to the user pool associated with your private workforce. To add a Amazon Cognito user group to an existing worker pool, see [Adding groups to a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).
**To create a work team using an existing Amazon Cognito user group**
1. Open the SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).
1. In the navigation pane, choose **Workforces**.
1. For **Private teams**, choose **Create private team**.
1. Under **Team details**, give the team a name. The name must be unique in your account in an AWS Region.
1. For **Add workers, **choose **Import existing Amazon Cognito user groups**, and choose one or more user groups that are part of the new team.
1. If you choose an **SNS topic**, all workers added to the team are subscribed to the Amazon Simple Notification Service (Amazon SNS) topic and notified when new work items are available to the team. Choose from a list of your existing SNS topics related to SageMaker Ground Truth or Amazon Augmented AI or choose **Create new topic** to create one.
**Note**
Amazon SNS notifications are supported by Ground Truth and are not supported by Augmented AI. If you subscribe workers to receive SNS notifications, they only receive notifications about Ground Truth labeling jobs. They do not receive notifications about Augmented AI tasks.
### Subscriptions
After you have created a work team, you can see more information about the team and change or set the SNS topic to which its members are subscribed using the Amazon Cognito console. If you added any team members before you subscribed the team to a topic, you need to manually subscribe those members to that topic. For more information, see [Create the Amazon SNS topic](sms-workforce-management-private-sns.md).
## Add and Remove Workers (Amazon Cognito Console)
When using the Amazon Cognito console to add workers to a work team, you must add a user to the user pool associated with the workforce before adding that user to a user group. Users can be added to a user pool in various ways. For more information, see [Signing Up and Confirming User Accounts](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html).
### Add a Worker to a Work Team
After a user has been added to a pool, the user can be associated with user groups inside of that pool. After a user has been added to a user group, that user becomes a worker on any work team created using that user group.
**To add a user to a user group**
1. Open the Amazon Cognito console: [https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito).
1. Choose **Manage User Pools**.
1. Choose the user pool associated with your SageMaker AI workforce.
1. Under **General Settings**, choose **Users and Groups** and do one of the following:
+ Choose **Groups**, choose the group that you want to add the user to, and choose **Add users**. Choose the users that you want to add by choosing the plus-icon to the right of the user's name.
+ Choose **Users**, choose the user that you want to add to the user group, and choose **Add to group**. From the dropdown menu, choose the group and choose **Add to group**.
### Disable and Remove a Worker From a Work Team
Disabling a worker stops the worker from receiving jobs. This action doesn't remove the worker from the workforce, or from any work team the worker is associated with. To remove a user from a work team in Amazon Cognito, you remove the user from the user group associated with that team.
**To deactivate a worker (Amazon Cognito console)**
1. Open the Amazon Cognito console: [https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito).
1. Choose **Manage User Pools**.
1. Choose the user pool associated with your SageMaker AI workforce.
1. Under **General Settings**, choose **Users and Groups**.
1. Choose the user that you want to disable.
1. Choose **Disable User**.
You can enable a disabled user by choosing **Enable User**.
**To remove a user from a user group (Amazon Cognito console)**
1. Open the Amazon Cognito console: [https://console.aws.amazon.com/cognito/](https://console.aws.amazon.com/cognito).
1. Choose **Manage User Pools**.
1. Choose the user pool associated with your SageMaker AI workforce.
1. Under **General Settings**, choose **Users and Groups**.
1. For **User** tab, choose the **X** icon to the right of the group from which you want to remove the user.