Which of the following actions would enable authentication and authorization and satisfy the requirements?
(Choose two.)
Use a custom-built SAML-compatible solution for authentication and AWS SSO for authorization.
Create a custom-built LDAP connector using Amazon API Gateway and AWS Lambda for authentication. Store authorization tokens in Amazon DynamoDB, and validate authorization requests using another Lambda function that reads the credentials from DynamoDB.
Use a custom-built OpenID Connect-compatible solution with AWS SSO for authentication and authorization.
Use a custom-built SAML-compatible solution that uses LDAP for authentication and uses a SAML assertion to perform authorization to the IAM identity provider.
Use a custom-built OpenID Connect-compatible solution for authentication and use Amazon Cognito for authorization.
Explanations:
AWS SSO (renamed IAM Identity Center in 2022) federates workforce users into AWS accounts and SSO-enabled business applications; it is not an authorization service for a customer-facing mobile app and cannot be paired with a custom-built authentication source to issue IAM role credentials to that app. Since the solution requires custom-built authentication and IAM role-based authorization, AWS SSO does not satisfy the authorization requirement.
A custom LDAP connector behind API Gateway and Lambda can verify a password, but the home-grown tokens it stores in DynamoDB are not IAM credentials: nothing in this design calls STS or binds the authenticated user to an IAM role, and having a second Lambda read credentials back out of DynamoDB reintroduces the stored long-lived secrets that federation is meant to avoid. Storing tokens in DynamoDB is unnecessary and does not meet the IAM role-based authorization requirement.
Pairing a custom-built OpenID Connect (OIDC) provider with AWS SSO has the same problem: AWS SSO brokers access for workforce users, not for an application's end users, so a mobile app cannot obtain IAM role credentials through it. Direct IAM role-based authorization is not achievable this way.
A custom SAML 2.0-compatible solution that authenticates against LDAP and issues a SAML assertion meets both requirements: the solution is registered in IAM as a SAML identity provider, the assertion's https://aws.amazon.com/SAML/Attributes/Role attribute names the IAM role ARN together with the SAML provider ARN, and sts:AssumeRoleWithSAML validates the assertion's signature against the certificate registered on that provider and returns temporary credentials for the role. Which roles are available is decided by the assertion's attributes, not by the app, which is what IAM role-based authorization requires.
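The role-selection step in that flow, as an added example that is not part of the original question or any AWS SDK: a client receives the signed assertion, reads the Role attribute (AWS accepts the role ARN and provider ARN in either order), lets the user pick one of the offered roles, and builds the parameters for sts.assume_role_with_saml(). The assertion below is constructed for illustration and is unsigned; the role and provider ARNs, account ID and IdP URL are placeholders. Signature validation is STS's job, not the client's, so the assertion is forwarded exactly as received.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (unsigned, trimmed to the attribute statement).
# A real IdP signs the whole assertion and STS rejects one it cannot verify.
# The RoleSessionName attribute is read by STS itself; it is not a request parameter.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/MobileReadOnly,arn:aws:iam::123456789012:saml-provider/CorpLDAP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpLDAP,arn:aws:iam::123456789012:role/MobileAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(root, name):
    """Return the text of every AttributeValue under the Attribute called `name`."""
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            values.append((value.text or "").strip())
    return values


def parse_role_pairs(assertion_xml):
    """Extract (role_arn, provider_arn) pairs from the Role attribute.

    AWS accepts the two ARNs in either order, so normalise on the ARN shape
    rather than on position, and reject anything that is not exactly one of each.
    """
    root = ET.fromstring(assertion_xml)
    pairs = []
    for raw in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 2:
            raise ValueError("Role attribute value must be 'arn1,arn2': %r" % raw)
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(roles) != 1 or len(providers) != 1:
            raise ValueError("expected one role ARN and one saml-provider ARN: %r" % raw)
        pairs.append((roles[0], providers[0]))
    return pairs


def build_assume_role_request(assertion_xml, role_arn):
    """Build keyword arguments for sts.assume_role_with_saml() for one chosen role.

    The PrincipalArn must be the provider paired with `role_arn` in the assertion,
    and the assertion is sent base64-encoded, byte for byte as the IdP signed it.
    A role that the assertion does not offer is refused here rather than sent to STS.
    """
    providers = [prov for role, prov in parse_role_pairs(assertion_xml) if role == role_arn]
    if not providers:
        raise PermissionError("assertion does not authorise %s" % role_arn)
    request = {
        "RoleArn": role_arn,
        "PrincipalArn": providers[0],
        "SAMLAssertion": base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii"),
    }
    durations = _attribute_values(ET.fromstring(assertion_xml), DURATION_ATTR)
    if durations:
        # STS caps this at the role's MaxSessionDuration; a larger value is an error.
        request["DurationSeconds"] = int(durations[0])
    return request


if __name__ == "__main__":
    for role, provider in parse_role_pairs(SAMPLE_ASSERTION):
        print("offered:", role, "via", provider)
    req = build_assume_role_request(SAMPLE_ASSERTION, "arn:aws:iam::123456789012:role/MobileAdmin")
    # With boto3 installed and network access this is the actual exchange:
    # boto3.client("sts").assume_role_with_saml(**req)["Credentials"]
    print({k: v for k, v in req.items() if k != "SAMLAssertion"})
```

The credentials STS returns are scoped to the chosen role's permission policy and expire at DurationSeconds, so the mobile app never holds a long-lived AWS secret; the only trust anchor is the IdP certificate registered on the IAM SAML provider.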
A custom-built OpenID Connect-compatible solution for authentication with Amazon Cognito for authorization also meets the requirements: the OIDC provider is registered in IAM as an OIDC identity provider and attached to a Cognito identity pool, the pool exchanges the provider's ID token for a Cognito identity and maps that identity to an IAM role (the pool's default authenticated role, or a role chosen by rules evaluated over the token's claims), and GetCredentialsForIdentity returns temporary credentials for that role. Each mapped role's trust policy restricts assumption to that identity pool, so the authorization decision is enforced by IAM rather than by the app.
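How the identity pool's rules-based role mapping turns token claims into an IAM role, as an added example that is not part of the original question or of Amazon Cognito's code: it reproduces the documented evaluation order (rules checked in sequence, first match wins, no match falls through to AmbiguousRoleResolution) over a constructed rule set. The role ARNs, claim names and account ID are placeholders; the lowercasing of boolean claims to match the token's JSON literals is an assumption about how the string comparison behaves and is marked as such in the code.

```python
import copy

# Constructed rule set for an identity pool that trusts an external OIDC provider.
# Cognito evaluates rules in the order given and stops at the first match.
ROLE_MAPPING = {
    "Type": "Rules",
    "AmbiguousRoleResolution": "Deny",  # or "AuthenticatedRole"
    "RulesConfiguration": {
        "Rules": [
            {"Claim": "groups", "MatchType": "Contains", "Value": "mobile-admins",
             "RoleARN": "arn:aws:iam::123456789012:role/MobileAdmin"},
            {"Claim": "email", "MatchType": "StartsWith", "Value": "svc-",
             "RoleARN": "arn:aws:iam::123456789012:role/MobileServiceAccount"},
            {"Claim": "email_verified", "MatchType": "Equals", "Value": "true",
             "RoleARN": "arn:aws:iam::123456789012:role/MobileUser"},
        ]
    },
}
AUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/MobileAuthenticatedDefault"


def _as_string(value):
    """Claims are compared as strings; JSON booleans are assumed to compare as
    'true'/'false' (assumption, not documented behaviour reproduced verbatim)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _matches(match_type, claim_value, rule_value):
    """The four MatchType operators an identity pool rule can use."""
    if match_type == "Equals":
        return claim_value == rule_value
    if match_type == "NotEqual":
        return claim_value != rule_value
    if match_type == "Contains":
        return rule_value in claim_value
    if match_type == "StartsWith":
        return claim_value.startswith(rule_value)
    raise ValueError("unknown MatchType %r" % match_type)


def resolve_role(claims, role_mapping, authenticated_role):
    """Return the IAM role ARN the pool would issue credentials for, or None for deny.

    A rule whose claim is absent from the token cannot match and is skipped; it
    does not count as a NotEqual match.
    """
    if role_mapping["Type"] != "Rules":
        raise ValueError("this example only models Type=Rules mappings")
    for rule in role_mapping["RulesConfiguration"]["Rules"]:
        if rule["Claim"] not in claims:
            continue
        if _matches(rule["MatchType"], _as_string(claims[rule["Claim"]]), rule["Value"]):
            return rule["RoleARN"]
    # No rule matched: either deny credentials or fall back to the pool's default.
    if role_mapping["AmbiguousRoleResolution"] == "AuthenticatedRole":
        return authenticated_role
    return None


def with_fallback(role_mapping):
    """Copy of a mapping that falls back to the authenticated role instead of denying."""
    mapping = copy.deepcopy(role_mapping)
    mapping["AmbiguousRoleResolution"] = "AuthenticatedRole"
    return mapping


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded ID tokens from the OIDC provider.
    for claims in (
        {"sub": "1", "groups": "mobile-admins ops", "email": "a@example.com", "email_verified": True},
        {"sub": "2", "email": "svc-build@example.com", "email_verified": False},
        {"sub": "3", "email": "u@example.com", "email_verified": True},
        {"sub": "4", "email": "u@example.com", "email_verified": False},
    ):
        print(claims["sub"], "->", resolve_role(claims, ROLE_MAPPING, AUTHENTICATED_ROLE))
```

The role that comes out of this mapping is only usable because its trust policy allows sts:AssumeRoleWithWebIdentity for the federated principal cognito-identity.amazonaws.com with a StringEquals condition on cognito-identity.amazonaws.com:aud set to the pool ID and a ForAnyValue:StringLike condition on cognito-identity.amazonaws.com:amr of "authenticated"; a role without those conditions can be picked up by any pool that names it.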