
SAP-C02 Question #142: Real Exam Question with Answer & Explanation

The correct answer is B: The IAM roles created for the federated users' or federated groups' trust policy have set the… When federated users fail to access AWS, the solutions architect should verify that IAM roles' trust policies correctly allow the IdP to assume them, that the web portal correctly calls the STS AssumeRoleWithSAML API, and that the IdP's SAML assertions properly map users to these roles.

Submitted by katya_ua · Mar 6, 2026 · Continuous Improvement for Existing Solutions

Question

A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment. Which items should the solutions architect check to ensure identity federation is properly configured? (Choose three.)

Options

  • A. The IAM user's permissions policy has allowed the use of SAML federation for that user
  • B. The IAM roles created for the federated users' or federated groups' trust policy have set the…
  • C. Test users are not in the AWSFederatedUsers group in the company's IdP
  • D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML…
  • E. The on-premises IdP's DNS hostname is reachable from the AWS environment VPCs.
  • F. The company's IdP defines SAML assertions that properly map users or groups in the company…

Explanation

When federated users fail to access AWS, the solutions architect should verify that IAM roles' trust policies correctly allow the IdP to assume them, that the web portal correctly calls the STS AssumeRoleWithSAML API, and that the IdP's SAML assertions properly map users to these roles.

Common mistakes.

  • A. SAML federation uses IAM roles for federated identities, not IAM users, so an IAM user's permissions policy is not relevant to this issue.
  • C. The group name 'AWSFederatedUsers' is not a mandatory or standard group required by AWS for federation; the issue lies with how any groups or users are mapped to SAML attributes and subsequently to AWS IAM roles.
  • E. The question states that the solutions architect can authenticate successfully, which implies that basic connectivity and DNS resolution to the IdP already work for the federation flow, which runs from the user's browser rather than from the VPCs. IdP reachability is therefore an unlikely cause when only the test users fail.
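The trust-policy check behind the correct answer can be made mechanical. The following is an added example, not part of the original question or of AWS's own tooling: it parses a role's trust policy document and reports why a SAML-federated user could not assume it. The account ID, provider name and role names are constructed placeholders. It also checks for the `SAML:aud` condition that the AWS console adds to SAML role trust policies, which goes slightly beyond the explanation above; the three embedded policies are constructed to show the good case, the "principal is an IAM user" mistake (option A), and a missing audience condition.

```python
import json

# Values every SAML-federated role trust policy must carry (documented by AWS).
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"

# Constructed placeholder: the SAML provider ARN registered in IAM for the on-premises IdP.
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/ExampleCorpIdP"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Return findings explaining why a federated user could not assume the role.

    An empty list means the policy lets the expected SAML provider assume the role.
    """
    statements = _as_list(policy.get("Statement"))
    # Only Allow statements granting sts:AssumeRoleWithSAML are relevant to federation.
    saml_stmts = [
        s for s in statements
        if s.get("Effect") == "Allow" and ASSUME_ACTION in _as_list(s.get("Action"))
    ]
    if not saml_stmts:
        return [f"no Allow statement grants {ASSUME_ACTION}; the role cannot be assumed via SAML"]

    # The principal must be the SAML provider (Principal.Federated), never an IAM user or role.
    provider_stmts = []
    for s in saml_stmts:
        principal = s.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if expected_provider_arn in federated:
            provider_stmts.append(s)
    if not provider_stmts:
        return [f"Principal.Federated never names the SAML provider {expected_provider_arn}"]

    # The audience condition binds the role to assertions issued for AWS sign-in.
    findings = []
    for s in provider_stmts:
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if SAML_AUDIENCE not in _as_list(aud):
            findings.append(f"statement lacks Condition StringEquals SAML:aud = {SAML_AUDIENCE}")
    return findings


def audit_trust_policies(policy_docs: dict, expected_provider_arn: str) -> dict:
    """Map role name -> findings for a set of trust policy JSON documents."""
    return {
        role: check_saml_trust_policy(json.loads(doc), expected_provider_arn)
        for role, doc in policy_docs.items()
    }


# Constructed sample trust policies for three hypothetical roles.
SAMPLE_POLICIES = {
    "FederatedAdmins": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }),
    # Mistake from option A: trusting an IAM user instead of the SAML provider.
    "FederatedReadOnly": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/test-user"},
            "Action": ASSUME_ACTION,
        }],
    }),
    # Correct principal but the audience condition was dropped during a manual edit.
    "FederatedDevelopers": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": ASSUME_ACTION,
        }],
    }),
}

if __name__ == "__main__":
    for role, findings in audit_trust_policies(SAMPLE_POLICIES, PROVIDER_ARN).items():
        print(role, "OK" if not findings else findings)
```

In practice the policy documents would come from `iam get-role` output for each federated role; the checker only needs the `AssumeRolePolicyDocument` field. A role that passes here can still fail at sign-in if the IdP's assertion does not map the user to this role ARN (option F) or the portal passes the wrong provider ARN to AssumeRoleWithSAML (option D), which this static check cannot see.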

Concept tested. AWS IAM SAML federation configuration

Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
