AWS Certified Solutions Architect – Professional — Question 784
A company is developing a new game app for mobile devices. The app has two user tiers: one tier for free-play users and another tier for premium users.
The company currently uses custom identity authentication across its apps. The company wants to continue to use custom authentication if possible. However, the company's custom identity provider (IdP) is not compatible with either the SAML or Open ID Connect (OIDC) standards. A solutions architect needs to design an authentication approach that makes it easy to transition free-play users to premium users.
Which design will meet these requirements with the LEAST development effort?
Answer options
- A. Create a single Amazon Cognito identity pool. Develop an authentication provider for the pool that calls the existing custom IdP. Implement two separate authentication flows in the mobile app: one for the free-play users and one for the premium users.
- B. Create an Amazon Cognito user pool for the premium users. Add a user pool sign-in through the custom IdP. Create a second Amazon Cognito user pool to provide guest access for the free-play users.
- C. Create two Amazon Cognito identity pools. Develop an authentication provider for the premium user identity pool that calls the existing custom IdP. For the second identity pool, configure an authentication flow for the free-play users.
- D. Create a single Amazon Cognito user pool. Add a user pool sign-in through the custom IdP. Set up Amazon Cognito guest access in the same user pool for the free-play users.
Correct answer: B
Explanation
Amazon Cognito user pools allow integration with custom identity providers using developer authenticated identities, which is ideal when the IdP does not support SAML or OIDC. By creating two separate user pools—one for premium users linked to the custom IdP and another for free-play guest access—the company can easily manage and transition users between tiers with minimal custom code. Using identity pools (Options A and C) would require significantly more development effort to implement custom authentication providers and map tokens.