AWS Certified Solutions Architect – Associate (SAA-C03) — Question 758
A company needs to use its on-premises LDAP directory service to authenticate its users to the AWS Management Console. The directory service is not compatible with Security Assertion Markup Language (SAML).
Which solution meets these requirements?
Answer options
- A. Enable AWS IAM Identity Center (AWS Single Sign-On) between AWS and the on-premises LDAP.
- B. Create an IAM policy that uses AWS credentials, and integrate the policy into LDAP.
- C. Set up a process that rotates the IAM credentials whenever LDAP credentials are updated.
- D. Develop an on-premises custom identity broker application or process that uses AWS Security Token Service (AWS STS) to get short-lived credentials.
Correct answer: D
Explanation
When an on-premises directory service does not support SAML 2.0, the standard approach is a custom identity broker that bridges the gap. The broker authenticates the user against the local LDAP directory, then calls AWS Security Token Service (AWS STS) AssumeRole to obtain temporary AWS security credentials for the appropriate role; for console access, it exchanges those temporary credentials for a sign-in token at the AWS federation endpoint and redirects the user to the resulting console sign-in URL. The other options do not fit: IAM Identity Center relies on SAML 2.0 for external identity provider integration, so it cannot federate directly with this non-SAML LDAP directory, and neither embedding IAM credentials in LDAP nor rotating long-lived IAM credentials in step with LDAP provides console authentication against the directory.