
A company operates an intranet web application on Amazon EC2 instances, managed by an Application Load Balancer (ALB). Initially, user authentication was handled through an internal user database. The company now requires integration with an existing AWS Directory Service for Microsoft Active Directory to authenticate all users with directory accounts. What solution should be implemented to meet this requirement?
A. Develop a new application client within the directory. Establish a listener rule for the ALB, utilizing the authenticate-oidc action. Set up the rule with the necessary issuer, client ID, secret, and endpoint details for the Active Directory service. Ensure the new application client is configured with the ALB's provided callback URL.

B. Set up an Amazon Cognito user pool, integrating it with a federated identity provider (IdP) that contains metadata from the directory. Generate an application client, linking it to the user pool. Create a listener rule for the ALB, specifying the authenticate-cognito action. Configure the rule to utilize the user pool and application client.

C. Integrate the directory as a new IAM identity provider (IdP). Establish a new IAM role with a SAML 2.0 federation entity type. Define a role policy granting access to the ALB. Set this role as the default for authenticated users associated with the IdP. Create a listener rule for the ALB, employing the authenticate-oidc action.

D. Activate AWS IAM Identity Center (AWS Single Sign-On), configuring the directory as an external SAML-based identity provider (IdP). Implement automatic provisioning. Develop a new IAM role with a SAML 2.0 federation entity type. Craft a role policy allowing ALB access. Attach this role to all relevant groups. Establish a listener rule for the ALB, using the authenticate-cognito action.