Which solution will meet these requirements?
Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.
Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (IdP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.
Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the IdP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.
Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (IdP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.
Explanations:
AWS Directory Service does not natively support OpenID Connect (OIDC), which is required by the authenticate-oidc action. This option incorrectly suggests configuring OIDC with Active Directory, which is not feasible directly through AWS Directory Service for Microsoft AD.
Amazon Cognito can federate with Active Directory through SAML by using a federated identity provider. By creating an app client and using authenticate-cognito in the ALB listener rule, Cognito can handle the authentication, meeting the requirement to use AWS Directory Service for Microsoft Active Directory for user authentication.
Although IAM roles and SAML federation can authenticate with AWS resources, this setup does not support direct authentication to applications hosted behind an ALB using Active Directory. The authenticate-oidc action is incompatible with this setup.
AWS IAM Identity Center (AWS SSO) can integrate with Active Directory but does not support using the authenticate-cognito action in the ALB listener rule. AWS SSO with SAML is also not directly applicable for accessing the intranet application behind the ALB in this setup.
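The second option (Cognito user pool, SAML IdP from the directory's metadata, app client, and an ALB listener rule using authenticate-cognito) as an added Terraform sketch that is not part of the original question or of AWS documentation. Resource names, the metadata URL, the domain prefix, the hostnames and the two `var.` inputs are assumed placeholders; the SAML metadata is assumed to come from a federation endpoint in front of the directory.

```hcl
# Added example, not from the question source. All names/ARNs/URLs are placeholders.
resource "aws_cognito_user_pool" "intranet" {
  name = "intranet-users"
}
# Federated IdP built from the directory's SAML metadata (URL is an assumption).
resource "aws_cognito_identity_provider" "directory_saml" {
  user_pool_id  = aws_cognito_user_pool.intranet.id
  provider_name = "CorpAD"
  provider_type = "SAML"
  provider_details = {
    MetadataURL = "https://sts.example.corp/FederationMetadata/2007-06/FederationMetadata.xml"
  }
}
# Hosted UI domain; the ALB redirects unauthenticated users here to sign in.
resource "aws_cognito_user_pool_domain" "intranet" {
  domain       = "intranet-login-example"
  user_pool_id = aws_cognito_user_pool.intranet.id
}
# App client limited to the SAML IdP; callback is the path the ALB serves (/oauth2/idpresponse).
resource "aws_cognito_user_pool_client" "alb" {
  name                                 = "alb-client"
  user_pool_id                         = aws_cognito_user_pool.intranet.id
  generate_secret                      = true
  supported_identity_providers         = [aws_cognito_identity_provider.directory_saml.provider_name]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid"]
  callback_urls                        = ["https://intranet.example.corp/oauth2/idpresponse"]
}
# Listener rule: authenticate first, forward only once a valid session exists.
resource "aws_lb_listener_rule" "intranet_auth" {
  listener_arn = var.https_listener_arn # must be an HTTPS listener; auth actions need TLS
  priority     = 10
  action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.intranet.arn
      user_pool_client_id        = aws_cognito_user_pool_client.alb.id
      user_pool_domain           = aws_cognito_user_pool_domain.intranet.domain
      on_unauthenticated_request = "authenticate"
    }
  }
  action {
    type             = "forward"
    target_group_arn = var.intranet_target_group_arn
  }
  condition {
    host_header { values = ["intranet.example.corp"] }
  }
}
```

The ordering of the two `action` blocks matters: the authenticate action must precede the forward so that no request reaches the target group without a Cognito session cookie issued after the SAML sign-in.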