AWS Certified SysOps Administrator – Associate (legacy) — Question 870
Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.)
Answer options
- A. Create IAM users for each identity provider (IdP) user to allow access to the AWS environment.
- B. Define assertions that map the company's identity provider (IdP) users to IAM roles.
- C. Create IAM roles with a trust policy that lists the SAML provider as the principal.
- D. Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.
- E. Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.
Correct answer: B, C
Explanation
SAML 2.0 federation gives identity provider (IdP) users temporary AWS credentials without any IAM user existing for them, so the required work is on the mapping side. First, register the IdP in IAM as a SAML provider (from the IdP's metadata document) and create IAM roles whose trust policy names that SAML provider as the federated principal, allows sts:AssumeRoleWithSAML, and, as a practical safeguard, restricts the SAML:aud condition to https://signin.aws.amazon.com/saml (C). Second, configure the IdP to issue assertions that carry the https://aws.amazon.com/SAML/Attributes/Role attribute, whose value pairs a role ARN with the SAML provider ARN, so each user is mapped to the role or roles they may assume; the assertion also supplies https://aws.amazon.com/SAML/Attributes/RoleSessionName (B). Creating IAM users for each IdP user (A, D) defeats the purpose of federation and doubles the identities to manage, and permissions cannot be granted directly to external IdP users (E): a federated user receives only the permissions attached to the role they assume.
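The two artifacts the correct answers describe, the role trust policy (C) and the assertion attributes the IdP must emit (B), can be generated and sanity-checked in a few lines. The following is an added example written for this page, not code from the exam or from AWS: it builds the trust policy, builds the Role and RoleSessionName attribute values an IdP would put in its assertion, parses the Role attribute in either ARN order (AWS accepts both), and flags trust policies that do not actually restrict assumption to the SAML provider. The account ID 123456789012, the provider name CorpIdP, the role names and the session name are constructed sample values.

```python
"""Build and sanity-check the AWS-side artifacts for SAML 2.0 federation (added example)."""
import json

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Actions a SAML-only trust policy may reasonably allow.
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a federated role: only the named SAML provider, only via
    AssumeRoleWithSAML, and only for assertions addressed to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def build_assertion_attributes(account_id: str, provider_name: str,
                               role_names: list, session_name: str) -> dict:
    """IdP-side attribute values that map one user to the roles they may assume."""
    provider = saml_provider_arn(account_id, provider_name)
    return {
        ROLE_ATTRIBUTE: [f"{role_arn(account_id, r)},{provider}" for r in role_names],
        SESSION_NAME_ATTRIBUTE: session_name,
    }


def parse_role_attribute(value: str) -> tuple:
    """Split a Role attribute value into (role_arn, provider_arn); AWS accepts either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role attribute must be 'arn,arn', got {value!r}")
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"Role attribute needs one role ARN and one provider ARN: {value!r}")
    return roles[0], providers[0]


def trust_policy_problems(policy: dict) -> list:
    """Findings for a trust policy that is supposed to admit only SAML federation."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"statement {i}: principal is a wildcard")
        elif not isinstance(principal, dict) or "Federated" not in principal:
            problems.append(f"statement {i}: principal is not a Federated SAML provider")
        else:
            fed = principal["Federated"]
            for f in ([fed] if isinstance(fed, str) else fed):
                if ":saml-provider/" not in f:
                    problems.append(f"statement {i}: federated principal {f} is not an IAM SAML provider")
        for a in actions:
            if a not in ALLOWED_ACTIONS:
                problems.append(f"statement {i}: unexpected action {a}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append(f"statement {i}: missing or wrong SAML:aud condition")
    return problems


if __name__ == "__main__":
    good = build_trust_policy("123456789012", "CorpIdP")
    print(json.dumps(good, indent=2))
    print("findings (good):", trust_policy_problems(good))
    # Weak variant: same policy with the audience condition dropped.
    weak = json.loads(json.dumps(good))
    del weak["Statement"][0]["Condition"]
    print("findings (weak):", trust_policy_problems(weak))
    print(build_assertion_attributes("123456789012", "CorpIdP", ["ReadOnly", "Developer"], "jdoe"))
```

The checker is deliberately strict: a statement that trusts an AWS account principal with sts:AssumeRole is a valid trust policy, but it is not SAML federation, so it is reported. Pass the trust policy document to `aws iam create-role --assume-role-policy-document` once the SAML provider itself has been created with `aws iam create-saml-provider`.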