1. AWS IAM Identity Center User Guide: In the section "Connect to your external identity provider", the documentation outlines the prerequisites. It explicitly states: "Before you begin, you must obtain the SAML 2.0 metadata document from your IdP. This document is an XML file that includes the IdP's public key certificate, the entity ID, and the IdP's SSO sign-in URL." This directly supports option B.
Source: AWS IAM Identity Center User Guide, "Manage your identity source", "Connect to your external identity provider."
2. AWS IAM Identity Center User Guide: The same guide details the information that must be provided to the external IdP. It states: "You can find the IAM Identity Center SAML metadata values that you need to provide to your IdP on the View details page... These values include the IAM Identity Center assertion consumer service (ACS) URL and the IAM Identity Center issuer URL." This confirms the necessity of having a copy of this metadata, supporting option A.
Source: AWS IAM Identity Center User Guide, "Manage your identity source", "Connect to your external identity provider."
3. AWS Security Best Practices in IAM: This documentation emphasizes avoiding the use of the root user for administrative tasks. It states: "Don't use the AWS account root user for your everyday tasks... Instead, create an administrative user for yourself." This principle invalidates the requirement for root access as mentioned in option D.
Source: AWS Identity and Access Management User Guide, "Security best practices in IAM", "Secure your AWS account root user."