Your team plans to use a third-party identity provider (IdP) such as Shibboleth. You need to configure the environment to enable single sign-on (SSO) to the AWS Management Console. In order to establish the SAML 2.0 federation successfully between the IdP and AWS, AWS should be added as a relying party in the third-party IdP. Which of the following options would you choose to set up the relying party?

Answer options:

A.Set up IAM federated roles where the Principal is the SAML provider ARN that you created for the SAML IdP.
B.Get a public certificate from a certifying authority (CA) and use it to secure the communication between the IdP and AWS.
C.Create a SAML identity provider in AWS and upload the metadata document from the IdP to the provider.
D.Add the AWS metadata URL "https://signin.aws.amazon.com/static/saml-metadata.xml" to the IdP configuration file such as relying-party.xml.

Correct Answer – D
In order to enable the single sign-on to AWS, the third-party IdP should be configured to use AWS as a relying party. One example can be found in https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/.
Option A is incorrect: This option ensures that the IAM role is used for the identity provider. However, it does not set up the relying party in the IdP.
Option B is incorrect: This option is not required as it is not related to adding a relying party in the IdP.
Option C is incorrect: This is a step that you create a SAML identity provider in AWS for the IdP. It is not what the question is asking.
Option D is CORRECT: This step adds AWS as a relying party in the IdP. Take Shibboleth as an example. The metadata URL is added in relying-party.xml.