
SCS-C03 Question #9: Real Exam Question with Answer & Explanation

The correct answer is B: Modify the attribute mappings within the IAM Identity Center trust relationship to match.

Submitted by hans_de · Mar 6, 2026

Question

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory. Which solution will meet this requirement?

Options

  • A. Disable all existing users and groups within IAM Identity Center that were part of the federation
  • B. Modify the attribute mappings within the IAM Identity Center trust relationship to match
  • C. Reconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP
  • D. Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity

Explanation

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security - Specialty documentation, when changing identity providers while keeping the same underlying directory, existing user and group identities can be preserved by updating the attribute mappings to align with the new IdP's SAML assertions. With the mappings updated, IAM Identity Center can correctly interpret the usernames, group memberships, and unique identifiers sent by the new IdP without any changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts the role trust relationships; the roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication. AWS best practices recommend updating attribute mappings when switching between IdPs that share the same directory source.
