Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs?

Explanations:

Creating a custom authorization service using AWS Lambda is not necessary in this scenario since the authentication will be handled by Amazon Cognito in conjunction with the SAML identity provider.

Configuring a SAML identity provider in Amazon Cognito to map attributes to the user pool attributes is essential for ensuring that the attributes from the SAML assertion are correctly interpreted and stored in the Cognito user pool for subsequent authentication and authorization.

Configuring the SAML identity provider to add the Amazon Cognito user pool as a relying party allows the identity provider to issue tokens that Cognito can recognize and validate, enabling users to authenticate via SAML.

Integrating an Amazon Cognito identity pool with social login providers is not required for this scenario as the authentication is primarily handled through the SAML identity provider, not social login.

Updating DynamoDB to store user email addresses and passwords is not necessary since user authentication is managed by the SAML identity provider and Cognito, which abstracts the need to manage user credentials directly in DynamoDB.

Updating API Gateway to use a COGNITO_USER_POOLS authorizer is necessary to ensure that the API Gateway validates requests based on the Cognito user pool tokens issued upon successful authentication of users via the SAML identity provider.