Which solution will meet these requirements?
Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
Use AWS Directory Service. Create a two-way trust relationship with the company’s self-managed Microsoft Active Directory.
Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.
Explanations:
A one-way trust does not allow for bi-directional authentication, which is necessary for full SSO capabilities across accounts.
A two-way forest trust allows for full integration between the on-premises Active Directory and AWS SSO, enabling seamless SSO across multiple AWS accounts.
While a two-way trust is necessary, simply using AWS Directory Service without configuring AWS SSO does not fulfill the requirement for SSO across accounts.
Deploying an on-premises IdP can provide SSO, but it does not utilize AWS SSO, which is explicitly required in the scenario.
From my perspective, the answer is:
Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.