One of your customers owns a SAML 2.0 Active Directory Federation Services (ADFS) server. The customer wants to enable the federated users to access the AWS Management Console. In order to configure it, you are creating an IAM role that identifies the IdP server for purposes of the federation. How would you configure the trusted entity principal of the IAM role?

Answer options:

A.The principal should be the metadata document name of the IdP.
B.The principal should be other IAM role ARNs that the federated users will assume.
C.The principal should be "https://signin.aws.amazon.com/saml".
D.The principal should be the IAM SAML provider that you created for the IdP.

Correct Answer: D
Options A, B, C are incorrect because the principal should be the SAML provider in IAM. The IAM role will establish a trust relationship between IAM and the IdP. An example of the trust policy is as follows:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-EXAMPLE:saml-provider/MyOrgSSOProvider"},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {"StringEquals": {
"saml:edupersonorgdn": "MyOrg",
"saml:aud": "https://signin.aws.amazon.com/saml"
}}
}]
}
Option D is CORRECT because the IAM SAML provider should be set as the IAM principal. To enable federated access, you should first create a SAML provider in AWS console (IAM > Identity providers > Create Identity Provider) as follows:
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html