AWS Certified Solutions Architect – Professional — Question 135
What is a possible reason you would need to edit claims issued in a SAML token?
Answer options
- A. The NameIdentifier claim cannot be the same as the username stored in AD.
- B. Authentication fails consistently.
- C. The NameIdentifier claim cannot be the same as the claim URI.
- D. The NameIdentifier claim must be the same as the username stored in AD.
Correct answer: A
Explanation
Answer A is correct because the NameIdentifier claim must be unique and not identical to the AD username, to avoid conflicts. Option B is incorrect because it describes a general authentication issue rather than a reason to edit claims. Option C is irrelevant because the relationship between the NameIdentifier claim and the claim URI does not typically require editing. Option D is wrong because it contradicts the requirement for uniqueness in the NameIdentifier claim.