
  • Section Based Set 1 Question 3 – Is the answer choice correct?

  • SalientListener

    Member
    July 30, 2024 at 11:44 pm

    A large software company has an on-premises LDAP server and a web application hosted on its VPC in AWS. The solutions architect has established an IPSec VPN connection between the AWS VPC and the company’s on-premises network. The company wants to enable employees to access the web application and other AWS resources using the same corporate account used inside the company network.

    Which of the following actions should the solutions architect implement to achieve the company requirements? (SELECT TWO.)

    (1) Launch an identity broker that authenticates against LDAP server and then calls STS to get IAM federated user credentials. Configure the web application to call the identity broker that you created to get IAM federated user credentials with access to the appropriate AWS service.

    (2) Configure the web application to authenticate against the on-premises LDAP server and retrieve the name of an IAM role associated with the user. The application then calls the STS to assume that IAM role. The application can use the temporary credentials to access any AWS resource.


    (1) Is absolutely right

    (2) Can applications DIRECTLY authenticate against LDAP and “retrieve the name of the IAM role for the user”? I have not heard of an LDAP authentication where you can retrieve the role during LDAP auth. From your link provided in the answer choices – and from different AWS material – these are the only ways LDAP could authenticate:

    #1 Application -> calls SAML IDP -> IDP auths against LDAP -> returns SAML assertion -> user calls STS AssumeRole and accesses AWS

    #2 Application -> calls custom IDP (doesn't support SAML) -> IDP auths against LDAP -> IDP calls STS AssumeRole and returns to application -> application then accesses AWS

    Where is this option mentioned?

    Application -> calls LDAP -> LDAP returns user role tied to this auth -> application accesses AWS?

    I.e., when can an application authenticate against the on-premises LDAP server and retrieve the name of an IAM role associated with the user? LDAP has no awareness of IAM roles.

  • Neil-TutorialsDojo

    Member
    July 31, 2024 at 9:39 am

    Hi Salient Listener,

    Thank you for your detailed review and feedback.
    You are right, applications cannot directly authenticate against LDAP. The typical flow for LDAP integration with AWS using federation would be:

    a) The application authenticates the user against the on-premises LDAP server.
    b) After successful LDAP authentication, the application calls an identity broker/federation proxy.
    c) The identity broker authenticates against LDAP again to verify the user’s identity.
    d) The identity broker then calls AWS STS AssumeRole* API to get temporary AWS credentials for an IAM role mapped to the user/group.
    e) The temporary credentials are passed back to the application, which can then access AWS resources permitted by the assigned IAM role.
    With that note, we already made the necessary changes for this question accordingly. It should be reflected as soon as our admin approves the changes.
    Thank you once again for helping us improve our content.

    Regards,
    Neil @ tutorials dojo
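The broker flow described in the reply above (LDAP bind, group-to-role lookup inside the broker, then STS AssumeRole), as an added example that is not part of this thread or of Tutorials Dojo's material. It uses a constructed in-memory directory in place of a real LDAP server and a stub in place of boto3's `sts.assume_role()`; the user names, group DNs, account id and role ARN are all made-up placeholders.

```python
import hashlib, hmac, secrets

# Constructed in-memory directory standing in for the on-premises LDAP server:
# username -> (salt, sha256(salt + password), group DNs). Hypothetical users.
_SALT = b"constructed-salt"

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

LDAP_DIRECTORY = {
    "alice": (_SALT, _digest(_SALT, "alice-pass"), ["cn=developers,ou=groups,dc=example,dc=com"]),
    "bob": (_SALT, _digest(_SALT, "bob-pass"), ["cn=contractors,ou=groups,dc=example,dc=com"]),
}
# Group-to-role mapping lives in the broker, not in LDAP (LDAP knows nothing about
# IAM roles). The account id and role name are placeholders.
GROUP_TO_ROLE = {
    "cn=developers,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/WebAppDeveloper",
}

class AuthError(Exception):
    pass

def ldap_bind(username, password):
    """Simulated LDAP simple bind: returns the user's group DNs, or None on failure."""
    # Many LDAP servers treat a bind with an empty password as a successful
    # anonymous bind, so reject it before it ever reaches the directory.
    if not password or username not in LDAP_DIRECTORY:
        return None
    salt, digest, groups = LDAP_DIRECTORY[username]
    if not hmac.compare_digest(digest, _digest(salt, password)):
        return None
    return groups

def sts_assume_role(role_arn, session_name, duration_seconds):
    """Stub for boto3's sts.assume_role() (response shape simplified). The real call
    is made with the broker's own IAM credentials, which never leave the broker."""
    return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretAccessKey": secrets.token_hex(20), "SessionToken": secrets.token_hex(32),
            "RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": duration_seconds}

def broker_get_credentials(username, password, duration_seconds=3600):
    """Broker entry point: LDAP authentication first, then role lookup, then STS."""
    groups = ldap_bind(username, password)
    if groups is None:
        raise AuthError("LDAP authentication failed")
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        raise AuthError("authenticated user has no IAM role mapping")
    # RoleSessionName ties the CloudTrail record back to the LDAP identity.
    return sts_assume_role(roles[0], f"ldap-{username}", duration_seconds)
```

The application only ever receives the temporary credentials returned by the broker; a user who authenticates but belongs to no mapped group (bob here) gets nothing, which is the check the question's option (2) glosses over.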
