A company has employees who need to run internal applications that access the company`s AWS resources. These employees already have user credentials in the company`s current identity authentication system, based on their roles, supported by SAML2.0. How should the SSO setup be designed?

Answer options:

A.Create an IAM user to share based on employee roles in the company.
B.Create a custom identity broker application that authenticates the employees using the existing system, uses the GetFederationToken API call and passes a permission policy to gain temporary access credentials from STS.
C.Create a custom identity broker application that authenticates employees using the existing system and uses the AssumeRole API call to gain temporary, role-based access to AWS.
D.Configure an AD server that synchronizes from the company`s current Identity Provider and configures SAML based Single-Sign-On which will then use the DecodeAuthorizationMessage API call to generate credentials for the employees.

Answers – B and C
Option A is incorrect because already a role-based setup is in place.
Option B is CORRECT because (a) it creates a custom identity broker application for authenticating the users using their existing credentials, (b) it gets temporary access credentials using STS, and (3) it uses federated access for accessing the AWS resources.
Option C is CORRECT because (a) it creates a custom identity broker application for authenticating the users using their existing credentials, and (b) it uses AssumeRole API for accessing the resources using a temporary role.
Option D is INCORRECT as the DecodeAuthorizationMessage API call only decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
More information on AssumeRole and GetFederatedToken:
Assume Role - Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that you can use to access AWS resources that you might not normally have access to. Typically, you use AssumeRole for cross-account access or federation.
For more information, please visit the below URL-
http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
GetFederationToken - Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network
For more information, please visit the below URL-
http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html