Which solution will meet these requirements?
Create IAM users for the employees in the required AWS accounts. Connect IAM users to the existing IdP. Configure federated authentication for the IAM users.
Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.
Configure AWS IAM Identity Center (AWS Single Sign-On). Connect IAM Identity Center to the existing IdP. Provision users and groups from the existing IdP.
Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the users in the existing IdP.
Explanations:
Creating IAM users for several thousand employees would be impractical due to management overhead. While federated authentication can be configured, it would require a large number of IAM users and doesn’t utilize the existing IdP effectively.
Setting up root user accounts with synchronized email addresses and passwords is not a recommended practice due to security concerns. It does not leverage federated authentication and violates best practices by using root accounts for daily operations.
Configuring AWS IAM Identity Center (formerly AWS Single Sign-On) and connecting it to the existing IdP is the most effective solution. It allows for centralized user management and seamless authentication for employees across multiple AWS accounts, leveraging the existing IdP for single sign-on (SSO).
AWS Resource Access Manager (AWS RAM) is used for sharing resources across accounts but does not provide authentication or access management for users from an external IdP. This option does not address the authentication requirements for the several thousand employees.
I structure that the answer is:
Configure AWS IAM Identity Center (AWS Single Sign-On). Connect IAM Identity Center to the existing IdP. Provision users and groups from the existing IdP.