aws_datazone: Unable to connect SSO (AWS Identity Center) to the AWS SageMaker Unified Studio unified domain with CDK v2 in Python

[malikalimoekhamedov]

Describe the bug

Hi team,

I'm in the process of setting up our AWS SageMaker Unified Studio infrastructure. We're using CDK v2 Python as IaC. As part of this process, I need to integrate the new unified domain with our AWS Identity Center instance. It appears to be possible through the console (click-ops), but I need to make it work with CDK.

The following code

single_sign_on = cdk.aws_datazone.CfnDomain.SingleSignOnProperty(
            idc_instance_arn=cfg.sso.idc_instance_arn,
            type="IAM_IDC",
            user_assignment="AUTOMATIC"
        )

domain = cdk.aws_datazone.CfnDomain(
    self,
    "Domain",
    name=domain_name,
    description="AWS SageMaker Unified Studio unified domain for Siemens Energy Catalyst.",
    domain_version="V2",  # This creates a SageMaker Unified Studio unified domain (V2) instead of the older Amazon DataZone domain (V1).
    single_sign_on=single_sign_on,
    domain_execution_role=domain_execution_role.role_arn,
    service_role=domain_service_role.role_arn,
)

resutls in the following error at deployment:

(Domain) Resource handler returned message: "Cannot invoke "String.equals(Object)" because the return value of "software.amazon.datazone.domain.SingleSignOn.getType()" is null"

This appears to be an issue with the CDK construct.

Thank you in advance for your assistance with this.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

I should be able to integrate SingleSignOn through CDK with the provided class.

Current Behavior

Error upon deployment:

(Domain) Resource handler returned message: "Cannot invoke "String.equals(Object)" because the return value of "software.amazon.datazone.domain.SingleSignOn.getType()" is null"

Reproduction Steps

You can use the code snippet to run into this issue:

single_sign_on = cdk.aws_datazone.CfnDomain.SingleSignOnProperty(
            idc_instance_arn=cfg.sso.idc_instance_arn,
            type="IAM_IDC",
            user_assignment="AUTOMATIC"
        )

        domain = cdk.aws_datazone.CfnDomain(
            self,
            "Domain",
            name=domain_name,
            description="AWS SageMaker Unified Studio unified domain for Siemens Energy Catalyst.",
            domain_version="V2",  # This creates a SageMaker Unified Studio unified domain (V2) instead of the older Amazon DataZone domain (V1).
            single_sign_on=single_sign_on,
            domain_execution_role=domain_execution_role.role_arn,
            service_role=domain_service_role.role_arn,
        )

Possible Solution

No response

Additional Information/Context

I tried using a dictionary with CloudFormation values in it instead of the instance of the CfnSingleSignOnProperty.

{"Type": "IAM_IDC", "UserAssignment": "AUTOMATIC"}

to no avail.

AWS CDK Library version (aws-cdk-lib)

v2.219.0

AWS CDK CLI version

2.1029.2 (build fccc5f9)

Node.js Version

v24.3.0

OS

Windows

Language

Python

Language Version

3.13.5

Other information

No response

[malikalimoekhamedov]

OK, interestingly enough, erecting the entire stack from scratch, instead of updating the existing one, properly connected the SSO through CDK.

[pahud]

Hi @malikalimoekhamedov,

Thank you for reporting this issue and for the follow-up comment about the workaround.

Based on your findings, this appears to be a CloudFormation resource handler bug in the AWS DataZone service rather than an issue with the CDK construct itself. The error message indicates a null pointer exception occurring in the
DataZone resource handler's Java code:

Cannot invoke "String.equals(Object)" because the return value of "software.amazon.datazone.domain.SingleSignOn.getType()" is null

The fact that creating the stack from scratch works, but updating an existing stack fails, suggests the resource handler's UPDATE operation has a bug where it doesn't properly initialize the SingleSignOn object before attempting to
access its type property.

Reproduction Attempt: I attempted to reproduce this issue with CDK v2.219.0 in both TypeScript and Python (matching your setup exactly), and was unable to replicate the error in either case - both stack updates succeeded. This
suggests either:

1. The issue may have been fixed in the CloudFormation resource handler since your report
2. The issue occurs under specific conditions (region, timing, specific domain configurations)
3. It may be an intermittent issue

Could you provide additional details?
• What AWS region are you deploying to?
• Can you share the exact CloudFormation error from the AWS Console (Events tab)?
• When did this occur? (to help correlate with potential service fixes)
• Are there any other custom configurations on your DataZone domain?

Workaround: As you discovered, the immediate workaround is to create the stack from scratch with the SingleSignOn configuration included from the beginning, rather than adding it to an existing domain through a stack update.

Next Steps: Since we cannot reproduce this issue, it may have already been resolved. However, if you encounter it again or can provide additional details, we can escalate to the AWS DataZone service team for investigation.

Thank you for the detailed report and for sharing your workaround!