Q27 — AWS SAP-C02 Ch.3

Question 27 of 75, Chapter 3

Q252. A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment. Which items should the solutions architect check to ensure identity federation is properly configured? (Select THREE.)

Correct Answer: B, D, F.

B. The IAM roles created for the federated users or federated groups have a trust policy that sets the SAML provider as the principal.
D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from the IdP.
F. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions.

Explanation

B. The IAM roles created for the federated users or federated groups have a trust policy that sets the SAML provider as the principal. The trust policy is what lets a role be assumed at all: it must name the IAM SAML provider as the Federated principal and allow sts:AssumeRoleWithSAML (typically with a SAML:aud condition for https://signin.aws.amazon.com/saml). If the test users' assertions reference a role whose trust policy names a different provider, or lacks this statement, STS rejects the call even though the assertion itself is valid.

D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from the IdP. These three parameters (PrincipalArn, RoleArn and the base64-encoded SAMLResponse) must be consistent with each other and with the role/provider pair carried in the assertion; otherwise STS cannot issue temporary credentials for the intended role.

F. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions. AWS reads the role mapping from the https://aws.amazon.com/SAML/Attributes/Role attribute, each value being a role ARN paired with a provider ARN. Because the solutions architect can sign in while the test users cannot, a per-user or per-group mapping in the IdP that does not emit this attribute (or emits a role the users are not permitted to assume) is a likely cause, so the mapping must be verified for the failing users, not only for the administrator.

A is not a relevant check because it pertains to individual IAM user policies rather than SAML federation configuration; federated users do not have IAM user identities. C is not a relevant check because it pertains to whether test users are part of a specific group in the IdP. E is not a relevant check because it pertains to network connectivity rather than SAML federation configuration.
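The three checks above can be turned into an offline triage step: take the SAMLResponse a failing user's browser posts to the portal, pull out the AWS Role attribute (check F), compare each role/provider pair against the role's trust policy (check B), and build the exact parameters the portal should pass to AssumeRoleWithSAML (check D). The following Python is an added example written for this page, not code from the exam, AWS, or any IdP vendor. The account number, provider and role ARNs, the `_sample_response` builder and the three constructed, unsigned assertions are all hypothetical; a real SAMLResponse is signed and must be validated by STS, which this script does not replace.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Hypothetical account, provider and roles used only for this example.
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpIdP"
STALE_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpIdP-old"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SAML-Admin"
DEV_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SAML-Dev"


def _trust_policy(provider_arn):
    """Trust policy in the shape check B expects: the SAML provider is the
    Federated principal and only sts:AssumeRoleWithSAML is allowed."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}}]}


# Constructed inventory: the Admin role trusts the live provider, the Dev role
# still trusts a stale provider (a realistic misconfiguration for check B).
TRUST_POLICIES = {ADMIN_ROLE: _trust_policy(PROVIDER_ARN),
                  DEV_ROLE: _trust_policy(STALE_PROVIDER_ARN)}


def _sample_response(role_values, session_name="jdoe"):
    """Constructed, UNSIGNED SAMLResponse for offline demonstration only."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{SAML_NS}"><saml:Assertion><saml:AttributeStatement>'
           f'<saml:Attribute Name="{ROLE_ATTR}">{values}</saml:Attribute>'
           f'<saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>'
           f'{session_name}</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def role_pairs_from_assertion(saml_response_b64):
    """Return (role_arn, provider_arn) tuples from the AWS Role attribute.
    Values are 'role-arn,provider-arn'; this example also accepts the
    reversed order and normalises it so the role ARN comes first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"malformed Role attribute value: {val.text!r}")
            a, b = parts
            if ":role/" in a and ":saml-provider/" in b:
                pairs.append((a, b))
            elif ":saml-provider/" in a and ":role/" in b:
                pairs.append((b, a))
            else:
                raise ValueError(f"Role value is not a role/provider pair: {val.text!r}")
    return pairs


def trust_policy_allows(policy, provider_arn):
    """Check B: does some Allow statement name provider_arn as a Federated
    principal for sts:AssumeRoleWithSAML, with a SAML:aud that (if present)
    is the AWS sign-in endpoint?"""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        fed = stmt.get("Principal", {}).get("Federated", [])
        fed = [fed] if isinstance(fed, str) else fed
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        auds = None if aud is None else ([aud] if isinstance(aud, str) else aud)
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions
                and provider_arn in fed and (auds is None or AWS_SAML_AUDIENCE in auds)):
            return True
    return False


def diagnose(saml_response_b64, trust_policies):
    """Return (role_arn, provider_arn, verdict) per mapped role; verdict is
    'ok' or the exam check that the failing user's setup violates."""
    pairs = role_pairs_from_assertion(saml_response_b64)
    if not pairs:
        return [("<none>", "<none>", "assertion carries no Role attribute (check F)")]
    out = []
    for role_arn, provider_arn in pairs:
        policy = trust_policies.get(role_arn)
        if policy is None:
            out.append((role_arn, provider_arn, "role does not exist (check F)"))
        elif not trust_policy_allows(policy, provider_arn):
            out.append((role_arn, provider_arn, "trust policy does not trust this provider (check B)"))
        else:
            out.append((role_arn, provider_arn, "ok"))
    return out


def assume_role_params(role_arn, provider_arn, saml_response_b64, duration=3600):
    """Check D: the keyword arguments the portal should pass to
    boto3 sts.assume_role_with_saml(**params). Not called here (offline)."""
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration}


# Three constructed assertions: the architect's, a developer whose role has a
# stale trust policy, and a user the IdP never mapped to any role.
ARCHITECT_RESPONSE = _sample_response([f"{ADMIN_ROLE},{PROVIDER_ARN}"], "architect")
DEV_USER_RESPONSE = _sample_response([f"{PROVIDER_ARN},{DEV_ROLE}"], "dev1")
UNMAPPED_USER_RESPONSE = _sample_response([], "tester2")

if __name__ == "__main__":
    for label, resp in [("architect", ARCHITECT_RESPONSE), ("dev1", DEV_USER_RESPONSE),
                        ("tester2", UNMAPPED_USER_RESPONSE)]:
        for role_arn, provider_arn, verdict in diagnose(resp, TRUST_POLICIES):
            print(f"{label:10} {role_arn.rsplit('/', 1)[-1]:12} {verdict}")
```

Running it shows the pattern the question describes: the architect's assertion maps to a role whose trust policy names the live provider, while the developer's assertion maps to a role that still trusts an old provider and the unmapped tester receives no Role attribute at all. The first is a check B failure, the second a check F failure, and only an assertion that passes both yields parameters worth handing to AssumeRoleWithSAML.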