A company using AWS Organizations for account management is migrating applications across different accounts and requires a single sign-on (SSO) solution. The SSO must integrate with the company's existing on-premises Microsoft Active Directory, which will continue to manage users and groups. What is the appropriate solution?