
Answer-first summary for fast verification
Answer: Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
## Explanation

**Correct Answer: A**

This solution meets all the requirements:

1. **AWS SSO** (since renamed AWS IAM Identity Center) provides single sign-on across all AWS accounts managed by AWS Organizations.
2. **AWS Directory Service for Microsoft Active Directory** (AWS Managed Microsoft AD) can establish a trust relationship with the on-premises Active Directory.
3. A **one-way forest or domain trust** in which AWS Managed Microsoft AD trusts the on-premises directory (a "One-way: Outgoing" trust on the AWS side, matched by the incoming trust the on-premises administrator creates with the same trust password) lets on-premises users be authenticated by their own domain controllers, so users and groups stay managed on premises.

**Why other options are incorrect:**

**B.** A two-way forest trust also makes AWS Managed Microsoft AD a trusted domain for the on-premises forest, which nothing in the requirements asks for. A one-way trust is sufficient for AWS SSO to authenticate users against the on-premises AD, and it grants the on-premises forest nothing in return.

**C.** Using only AWS Directory Service without AWS SSO does not provide the centralized SSO across multiple accounts that the AWS Organizations integration provides.

**D.** Deploying an IdP on premises adds a component to build, patch and keep highly available. AWS SSO can integrate directly with the on-premises AD through AWS Managed Microsoft AD and a trust relationship.

**Key AWS Services Involved:**

- **AWS SSO**: Provides centralized SSO access to multiple AWS accounts and business applications
- **AWS Directory Service for Microsoft Active Directory**: Creates a managed Microsoft AD in AWS that can establish trust with on-premises AD
- **AWS Organizations**: Manages multiple AWS accounts centrally

**Architecture Flow:**

1. Users and groups are managed in the on-premises Active Directory.
2. AWS Managed Microsoft AD establishes a one-way trust with the on-premises AD. This requires network connectivity to the on-premises domain controllers and DNS conditional forwarders on both sides so that each directory can resolve the other.
3. AWS SSO is configured to use AWS Managed Microsoft AD as its identity source.
4. Users sign in to all AWS accounts managed by AWS Organizations with their on-premises AD credentials.
Author: LeetQuiz Editorial Team
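The trust in step 2 of the architecture flow can be created and then checked with the AWS Directory Service API. The following is an added example, not code from the LeetQuiz page; it assumes boto3 is installed and uses placeholder directory IDs, domain names and DNS addresses. The builder pins the direction to `One-Way: Outgoing` (AWS Managed Microsoft AD trusts the on-premises forest), and the audit function reports any trust on the directory whose partner, direction, verification state or selective-authentication setting departs from that design. Enabling selective authentication is a hardening choice beyond what the question covers.

```python
"""Create and audit the one-way trust from AWS Managed Microsoft AD to an on-premises forest.

Added example (not from the original page). Directory IDs, domain names and
addresses are placeholders. boto3 is imported only inside the two functions that
call AWS, so the parameter builder and the audit logic run offline.
"""
import ipaddress
import re

# TrustDirection values exactly as the Directory Service API spells them. From
# the AWS Managed Microsoft AD side, "Outgoing" means the AWS directory trusts the
# remote (on-premises) forest, which lets on-premises users authenticate through
# it while remaining managed on premises.
ONE_WAY_OUTGOING = "One-Way: Outgoing"
ONE_WAY_INCOMING = "One-Way: Incoming"
TWO_WAY = "Two-Way"

_DIRECTORY_ID = re.compile(r"^d-[0-9a-f]{10}$")
_FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def build_create_trust_params(directory_id, remote_domain, trust_password,
                              forwarder_ips, trust_type="Forest",
                              selective_auth=True):
    """Return validated keyword arguments for ds.create_trust.

    The direction is fixed to One-Way: Outgoing; the on-premises administrator
    creates the matching incoming trust with the same trust password.
    SelectiveAuth=Enabled (a hardening step beyond the page) means on-premises
    principals need an explicit "Allowed to authenticate" grant on AWS-side
    computer objects instead of being trusted everywhere in the AWS directory.
    """
    if not _DIRECTORY_ID.match(directory_id):
        raise ValueError(f"not an AWS Managed AD directory id: {directory_id!r}")
    if not _FQDN.match(remote_domain):
        raise ValueError(f"remote domain must be a DNS name: {remote_domain!r}")
    if trust_type not in ("Forest", "External"):
        raise ValueError(f"trust type must be Forest or External: {trust_type!r}")
    if not trust_password:
        raise ValueError("trust password must not be empty")
    # The AWS directory resolves the on-premises forest through conditional
    # forwarders; reject anything that is not a parseable IP before calling AWS.
    forwarders = [str(ipaddress.ip_address(ip)) for ip in forwarder_ips]
    if not forwarders:
        raise ValueError("at least one on-premises DNS server address is required")
    return {
        "DirectoryId": directory_id,
        "RemoteDomainName": remote_domain.lower(),
        "TrustPassword": trust_password,
        "TrustDirection": ONE_WAY_OUTGOING,
        "TrustType": trust_type,
        "ConditionalForwarderIpAddrs": forwarders,
        "SelectiveAuth": "Enabled" if selective_auth else "Disabled",
    }


def audit_trusts(describe_trusts_response, expected_remote_domain,
                 expected_direction=ONE_WAY_OUTGOING):
    """Compare a ds.describe_trusts response with the intended design.

    Returns a list of (TrustId, finding) tuples; an empty list means every trust
    on the directory has the expected partner, direction and state.
    """
    findings = []
    for trust in describe_trusts_response.get("Trusts", []):
        tid = trust.get("TrustId", "<no TrustId>")
        partner = trust.get("RemoteDomainName", "").lower()
        if partner != expected_remote_domain.lower():
            findings.append((tid, f"unexpected trust partner {partner!r}"))
        direction = trust.get("TrustDirection")
        if direction != expected_direction:
            findings.append((tid, f"direction is {direction!r}, expected {expected_direction!r}"))
        state = trust.get("TrustState")
        if state != "Verified":
            reason = trust.get("TrustStateReason")
            findings.append((tid, f"trust state is {state!r}" + (f": {reason}" if reason else "")))
        if trust.get("SelectiveAuth") != "Enabled":
            findings.append((tid, "selective authentication is not enabled"))
    return findings


def create_trust(params):
    """Create the trust and return its TrustId (needs AWS credentials)."""
    import boto3  # lazy import so validation and audit above run offline
    return boto3.client("ds").create_trust(**params)["TrustId"]


def fetch_trusts(directory_id):
    """Fetch the directory's trusts for audit_trusts (needs AWS credentials)."""
    import boto3
    return boto3.client("ds").describe_trusts(DirectoryId=directory_id)


if __name__ == "__main__":
    params = build_create_trust_params(
        directory_id="d-1234567890",               # placeholder AWS Managed AD id
        remote_domain="corp.example.com",          # placeholder on-prem forest root
        trust_password="<shared-trust-password>",  # same value the on-prem admin sets
        forwarder_ips=["10.0.0.10", "10.0.0.11"],  # placeholder on-prem DNS servers
    )
    print(params["TrustDirection"], params["SelectiveAuth"])
    # Constructed describe_trusts response: a two-way trust that failed verification.
    sample = {"Trusts": [{"TrustId": "t-0123456789", "RemoteDomainName": "corp.example.com",
                          "TrustDirection": "Two-Way", "TrustState": "VerifyFailed",
                          "TrustStateReason": "DNS", "SelectiveAuth": "Disabled"}]}
    for tid, finding in audit_trusts(sample, "corp.example.com"):
        print(tid, finding)
```

Run the audit after the on-premises side has created its half of the trust; until then `TrustState` stays at `Verifying` or `VerifyFailed`, and AWS SSO cannot read on-premises users through the directory.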
A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company's security team needs a single sign-on (SSO) solution across all the company's accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.
Which solution will meet these requirements?
A
Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
B
Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
C
Use AWS Directory Service. Create a two-way trust relationship with the company’s self-managed Microsoft Active Directory.
D
Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.