Which solution meets the requirements by using the LEAST amount of management overhead?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company is building an AWS landing zone and has asked a Solutions Architect to design a multi-account access strategy that will allow hundreds of users to use corporate credentials to access the AWS Console.The company is running a Microsoft Active Directory, and users will use an AWS Direct Connect connection to connect to AWS.The company also wants to be able to federate to third-party services and providers, including custom applications.

Which solution meets the requirements by using the LEAST amount of management overhead?

Connect the Active Directory to AWS by using single sign-on and an Active Directory Federation Services (AD FS) with SAML 2.0, and then configure the Identity Provider (IdP) system to use form-based authentication. Build the AD FS portal page with corporate branding, and integrate third-party applications that support SAML 2.0 as required.

Create a two-way Forest trust relationship between the on-premises Active Directory and the AWS Directory Service. Set up AWS Single Sign-On with AWS Organizations. Use single sign-on integrations for connections with third-party applications.

Configure single sign-on by connecting the on-premises Active Directory using the AWS Directory Service AD Connector. Enable federation to the AWS services and accounts by using the IAM applications and services linking function. Leverage third-party single sign-on as needed.

Connect the company’s Active Directory to AWS by using AD FS and SAML 2.0. Configure the AD FS claim rule to leverage Regex and a common Active Directory naming convention for the security group to allow federation of all AWS accounts. Leverage third-party single sign-on as needed, and add it to the AD FS server.

Explanations:

This option involves using AD FS with SAML 2.0, which adds complexity and management overhead, especially with custom portal page development and integration for third-party applications. It doesn’t leverage AWS’s built-in services effectively for streamlined management.

Establishing a two-way Forest trust with AWS Directory Service and using AWS Single Sign-On (SSO) simplifies management by utilizing AWS Organizations and built-in SSO integrations for third-party applications, reducing overhead while ensuring users can access multiple accounts.

While connecting Active Directory using the AD Connector is a viable option, it does not leverage AWS Single Sign-On, which is designed for multi-account management and simplifies federated access. This may lead to higher management overhead compared to option B.

This approach requires configuring claim rules and Regex for security groups in AD FS, adding complexity and management challenges. It also doesn’t integrate as smoothly with AWS services compared to using AWS SSO, which is specifically designed for multi-account access management.

2025-10-14

1 Comment

  1. Margaret
    Author

    I design that the answer is:
    Create a two-way Forest trust relationship between the on-premises Active Directory and the AWS Directory Service. Set up AWS Single Sign-On with AWS Organizations. Use single sign-on integrations for connections with third-party applications.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × one =