1. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-63-3: Digital Identity Guidelines.
Reference: Section 6.1.1, "Federation and Assertions".
Content: This section defines federation as a process where a "Credential Service Provider (CSP) (acting as an IdP) provides an assertion of a subscriber’s identity to a Relying Party (RP)." This directly maps to the scenario where the on-premises AD (IdP) provides an identity assertion to the cloud service (RP).
DOI: https://doi.org/10.6028/NIST.SP.800-63-3
2. Microsoft. (2023). What is federation with Azure AD? Microsoft Learn Documentation.
Reference: "Federation" section.
Content: The document states, "Federation is a collection of domains that have established trust... With federation, users can authenticate to on-premises Active Directory and then access Azure AD resources without having to enter their password again." This is a direct vendor implementation description of the solution required in the question.
3. Rivest, R. L., & Zissman, M. (2017). Lecture 19: Web Security, Single Sign-On. MIT OpenCourseWare, 6.857 Computer and Network Security.
Reference: Slides on "Federated Identity / Single Sign-On (SSO)".
Content: The lecture notes explain that federated identity systems like SAML (Security Assertion Markup Language) allow a Service Provider to trust an Identity Provider for authentication, enabling users to log in once at their home organization (the IdP) and access multiple external services (SPs). This academic source validates the core concept.