Question #729
A solutions architect has configured a SAML 2.0 federated identity solution using their organization's on-premises identity provider (IdP) to enable user access to AWS services. Initial testing confirms federated users can authenticate via the web portal, but they are unable to access the AWS Management Console. What should the solutions architect validate to troubleshoot this issue? (Choose three.)
A. The IAM roles assigned to federated users have inline policies granting the necessary permissions.
B. The trust policy of the IAM roles designates the SAML provider as the trusted entity.
C. The IdP is configured to invoke the AWS STS AssumeRoleWithSAML API with the correct SAML assertion, IAM role ARN, and SAML provider ARN.
D. The network ACLs for the on-premises IdP permit inbound traffic from AWS VPC CIDR ranges.
E. The SAML assertions from the IdP accurately map user groups to the corresponding IAM roles.
F. The IAM users are granted permissions to assume roles through SAML federation.
Explanation
The issue arises because federated users can authenticate but cannot access the AWS Management Console. Key checks include:
- B: The IAM role's trust policy must specify the SAML provider as a trusted entity to allow role assumption.
- C: The IdP must correctly call the AssumeRoleWithSAML API with valid parameters (SAML assertion, IAM role ARN, SAML provider ARN) to generate temporary credentials.
- E: SAML assertions must map user groups to the correct IAM roles; misconfiguration here prevents role assignment.
Other options are incorrect because:
- A: Inline policies are not required; managed policies suffice.
- D: Network ACLs for on-premises IdP are unrelated to AWS console access.
- F: IAM users are not involved in SAML federation; roles are assumed via the IdP.
Key takeaway: SAML federation relies on correct trust policies, IdP configuration, and role mapping in assertions.
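As an added example (not part of the question bank), the check behind option B in code: a small validator that inspects an IAM role trust policy and reports why AssumeRoleWithSAML would fail. The SAML provider ARN and both trust policies are constructed assumptions; the good policy trusts the SAML provider as a Federated principal with the AWS sign-in audience pinned, and the bad one shows a common misconfiguration.

```python
# Constructed samples (assumptions for this example, not values from the question):
# a SAML provider ARN and two role trust policies, already parsed from JSON.
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # console sign-in audience

GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

# Typical misconfiguration: the role trusts the account with sts:AssumeRole, so the
# IdP's AssumeRoleWithSAML call is denied even though portal sign-in succeeded.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}


def saml_trust_findings(policy, provider_arn):
    """Return [] if some Allow statement trusts the SAML provider for console
    federation, otherwise a list of what is wrong with the statements checked."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        problems = []
        if federated != provider_arn:
            problems.append("Principal.Federated is not the SAML provider ARN")
        if "sts:AssumeRoleWithSAML" not in actions:
            problems.append("Action does not include sts:AssumeRoleWithSAML")
        if aud != AWS_SAML_AUDIENCE:
            problems.append("SAML:aud condition is missing or not the AWS sign-in URL")
        if not problems:
            return []          # one fully correct statement is enough
        findings.extend(problems)
    return findings or ["no Allow statement in trust policy"]
```

Run it against each federated role's trust policy (for example the document returned by `aws iam get-role`) and fix every reported finding before looking at the IdP side (options C and E).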
Answer
The correct answer is: BCE