A company needs to use its on-premises LDAP directory service to authenticate its users to the AWS Management Console. The directory service is not compatible with Security Assertion Markup Language (SAML).
Which solution meets these requirements?
A. Enable AWS IAM Identity Center (AWS Single Sign-On) between AWS and the on-premises LDAP.
B. Create an IAM policy that uses AWS credentials, and integrate the policy into LDAP.
C. Set up a process that rotates the IAM credentials whenever LDAP credentials are updated.
D. Develop an on-premises custom identity broker application or process that uses AWS Security Token Service (AWS STS) to get short-lived credentials.
Option D is the solution that best meets the requirements. This approach provides a pathway for authenticating LDAP users to AWS without requiring direct LDAP to AWS IAM Identity Center integration or SAML compatibility, offering a flexible and secure method to extend on-premises authentication mechanisms to AWS services.
A - AWS IAM Identity Center (formerly AWS SSO) allows integration with SAML-compatible identity providers, which won't work with an on-premises LDAP directory that is not SAML-compatible.
B - There's no way to "integrate" an IAM policy into LDAP.
C - Too complex. AWS already provides better mechanisms for handling temporary credentials - AWS STS.
D - YES. Actually, this approach is commonly used when SAML is not an option.
Identity federation can be accomplished in one of three ways.
(1) Use a corporate IdP (such as Microsoft Active Directory) or a custom identity broker application. Each option uses AWS STS.
(2) Create an integration that uses Security Assertion Markup Language (SAML).
(3) Use a web identity provider, such as Amazon Cognito.
Option D
As described here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html#id_roles_common-scenarios_federated-users-idbroker
Option A is wrong because, to use SSO, the identity provider needs to be compatible with SAML (at least this is what I understand from here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html#id_roles_common-scenarios_federated-users-saml20 )
Option D
A custom identity broker application can be built to perform a similar function to an identity store that is not compatible with SAML 2.0. The broker application authenticates users, requests temporary credentials from AWS, and provides them to the user to access AWS resources.
If your identity store is not compatible with SAML 2.0, then you can build a custom identity broker application to perform a similar function. Option D.
upvoted 2 times
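The custom identity broker pattern that the comments above describe (directory authentication, then AWS STS for short-lived credentials, then a console sign-in URL from the AWS federation endpoint) is easier to reason about in code. The following is an added example, not code from the original page or from AWS; it uses only the Python standard library. The directory, STS client and HTTP fetch are injected, so the constructed `fake_ldap_authenticate`, `FakeSts` and `fake_http_get` stand-ins let it run offline; in production `sts_client` would be `boto3.client("sts")` and `authenticate` a real LDAP bind. The account ID, role names, group DNs, usernames and issuer URL are made-up example values.

```python
"""Custom identity broker sketch: directory auth -> IAM role -> STS -> console URL.
Standard library only. `sts_client` and `authenticate` are injected (assumed to
be boto3.client("sts") and a real LDAP bind in production)."""
import json
import re
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# Constructed mapping (example account ID and role names): directory group DN
# -> IAM role ARN, in precedence order; the first group the user is in wins.
GROUP_TO_ROLE = [
    ("cn=aws-admins,ou=groups,dc=example,dc=com", "arn:aws:iam::123456789012:role/BrokerAdmin"),
    ("cn=aws-readonly,ou=groups,dc=example,dc=com", "arn:aws:iam::123456789012:role/BrokerReadOnly"),
]

def choose_role(group_dns):
    """Map the user's groups to one role; fail closed when nothing matches."""
    members = {g.lower() for g in group_dns}
    for group_dn, role_arn in GROUP_TO_ROLE:
        if group_dn.lower() in members:
            return role_arn
    raise PermissionError("user is in no group mapped to an AWS role")

def session_name(username):
    # RoleSessionName must match [\w+=,.@-] and be 2..64 chars; deriving it from
    # the directory identity keeps CloudTrail entries attributable to a person.
    cleaned = re.sub(r"[^\w+=,.@-]", "_", username)[:64]
    return cleaned if len(cleaned) >= 2 else "ldap_" + cleaned

def request_temporary_credentials(sts_client, role_arn, username, duration_seconds=3600):
    """Trade the broker's own identity for short-lived, role-scoped credentials.
    The return value has the shape of boto3's AssumeRole "Credentials" dict."""
    resp = sts_client.assume_role(RoleArn=role_arn,
                                  RoleSessionName=session_name(username),
                                  DurationSeconds=duration_seconds)
    return resp["Credentials"]

def signin_token_url(creds):
    """getSigninToken request: the temporary credentials go in as URL-encoded JSON."""
    session = json.dumps({"sessionId": creds["AccessKeyId"],
                          "sessionKey": creds["SecretAccessKey"],
                          "sessionToken": creds["SessionToken"]})
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "getSigninToken", "Session": session})

def fetch_signin_token(url, http_get=None):
    """GET the token; `http_get` is injectable so the flow can run offline."""
    if http_get is None:
        def http_get(u):
            with urllib.request.urlopen(u) as r:
                return r.read().decode()
    return json.loads(http_get(url))["SigninToken"]

def console_login_url(signin_token, issuer):
    """The URL handed to the user's browser; the sign-in token is short-lived."""
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": CONSOLE_URL,
         "SigninToken": signin_token})

def broker_console_url(username, password, authenticate, sts_client,
                       http_get=None, issuer="https://broker.example.com"):
    """End to end. `authenticate` must raise on a failed bind and return group DNs."""
    groups = authenticate(username, password)
    creds = request_temporary_credentials(sts_client, choose_role(groups), username)
    token = fetch_signin_token(signin_token_url(creds), http_get)
    return console_login_url(token, issuer)

def query_params(url):
    """Inspect a generated URL: single-valued query parameters as a dict."""
    return {k: v[0] for k, v in
            urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}

# --- Constructed stand-ins for LDAP, STS and the federation endpoint (offline demo) ---
FAKE_DIRECTORY = {"alice": ("hunter2", ["cn=aws-readonly,ou=groups,dc=example,dc=com"]),
                  "bob": ("swordfish", [])}

def fake_ldap_authenticate(username, password):
    stored = FAKE_DIRECTORY.get(username)
    if stored is None or stored[0] != password:
        raise PermissionError("directory bind failed")
    return stored[1]

class FakeSts:
    """Returns AssumeRole-shaped output and records what the broker asked for."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s3cret",
                                "SessionToken": "t0ken", "Expiration": "2030-01-01T00:00:00Z"}}

def fake_http_get(url):
    # The real endpoint answers {"SigninToken": "..."}; echo a fixed token.
    assert query_params(url)["Action"] == "getSigninToken"
    return json.dumps({"SigninToken": "SIGNIN-TOKEN-EXAMPLE"})
```

Two things the example makes concrete that the prose does not: the user never sees the broker's own long-lived AWS credentials (only the role's temporary ones, and even those only inside the federation sign-in token), and a user who authenticates successfully but belongs to no mapped group is refused before any STS call is made. In a real deployment the role's trust policy should allow only the broker's principal to call `sts:AssumeRole`, and a session `Policy` can be passed to `assume_role` to narrow the permissions further per user.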
Community vote distribution: A (35%), C (25%), B (20%), Other