Exam AWS Certified Solutions Architect - Professional topic 1 question 483 discussion

B is the correct answer and fully supports the requirements of the question with very little management. Managing an AD FS implementation is not a LEAST overhead solution. If you have had to support AD FS, you know this. Support for B is here: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

D A: Adds complexity to the SSO. https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/ B: You will need to manage AWS Directory Service which is additional overhead. C: As an alternative to AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), AD Connector is an Active Directory proxy for AWS created applications and services only. You configure the proxy to use a specified Active Directory domain. When the application must look up a user or group in Active Directory, AD Connector proxies the request to the directory. Similarly, when a user logs in to the application, AD Connector proxies the authentication request to the directory. There are no third-party applications that work with AD Connector. D: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

A B - Two way forest trust is not a solution for SSO C - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html AD Connector cannot be shared with other AWS accounts. If this is a requirement, consider using AWS Managed Microsoft AD to Share your directory. AD Connector is also not multi-VPC aware, which means that AWS applications like WorkSpaces are required to be provisioned into the same VPC as your AD Connector. D - could have been a option, if Groups as claim are required but its not a requirement here.

C&D has "Leverage third-party single sign-on as needed." not optimal solution. B is correct

B sounds good as an option. The AWS AD workshop uses this method.

B, ADFS means complexity

Requirement is LEAST amount of administrative overhead. Managed Services AWS Active Directory and SSO will have less Administrative overhead. So B is perfect.

First you must consider the requirement for a multi-account strategy, before least overhead. Answer D does not involve AWS Organizations, and it involves more complications, so based on all this the answer has to be B

B is corret with least operational overhead. D does not even mention SSO & the article mentioned in the link just connects with 1 AWS account - not multiple. AWS SSO is managed and easily linked with new users using Microsoft AD. B is correct.

B doesn't involve SAML 2.0 which is a must. So I'll go with D

D is perfect.

Create a two-way Forest trust relationship between the on-premises Active Directory and the AWS Directory Service. This is right so my answer is B

B is minimum management overhead.

B correct - this is a solution that I am using on a daily basis

I'll go with D

B Correct

B is the correct Answer https://aws.amazon.com/solutions/implementations/aws-landing-zone/ https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html