An enterprise has mandated that their cloud-hosted applications authenticate users from the on-premises directory service without duplicating sensitive credentials. Which approach should be employed to meet this requirement while leveraging the organization's existing user directory?
Migrate the on-premises directory service users to a cloud directory service with User Pools.
Generate temporary access credentials for users via a token service to authenticate against the on-premises directory service.
Implement application-side user authentication controls using the Access Control List (ACL) feature of a cloud directory service.
Integrate the application through federation using SAML 2.0 with the organization's existing identity management system.