Which solution will meet these requirements?
Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access control (ABAC).
Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity Center permission sets.
In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.
Explanations:
This option leverages AWS IAM Identity Center to connect to Active Directory using SAML 2.0, enabling single sign-on and centralized identity management. SCIM v2.0 allows for automated user provisioning, and attribute-based access control supports the required conditional access based on user groups and roles.
While this option uses AWS IAM Identity Center, it relies on IAM Identity Center as the identity source instead of connecting to Active Directory. This does not fulfill the requirement of managing user identities in a single location, as it would require duplicate user management outside of Active Directory.
This solution involves creating IAM users mapped to federated users. While it uses SAML 2.0 for authentication, managing users directly in IAM does not provide centralized identity management and may complicate user provisioning and access control based on groups and roles from Active Directory.
This option uses an OpenID Connect (OIDC) identity provider instead of SAML 2.0 and involves IAM roles for access. Although it supports federated access, it does not meet the requirement of integrating with Active Directory for centralized user identity management and may complicate user management.