ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company hosts an internal HTTPS web application on Amazon EC2 instances behind an Application Load Balancer. Employees already use Azure AD for authentication. Security wants to add single sign-on so users can access the application with their corporate credentials, leverage Azure AD conditional access, and avoid any modification to the application code. Session lifetime must be limited to 1 hour. Which solution best satisfies these requirements?
Deploy a Keycloak cluster on EC2, federate it with Azure AD through SAML, and re-implement the application's login flow to act as a SAML service provider.
Create an Amazon Cognito user pool, establish SAML federation with Azure AD, and update the application to validate Amazon Cognito JWT access tokens.
Enable AWS IAM Identity Center, configure Azure AD as a SAML 2.0 IdP, and have the Application Load Balancer trust Identity Center to authenticate users.
Configure an authentication action on the Application Load Balancer listener that uses Azure AD as an external OpenID Connect IdP, setting the client ID, client secret, discovery URL, and a 3,600-second session cookie.
The Application Load Balancer can natively perform user authentication by redirecting unauthenticated requests to an OpenID Connect (OIDC)-compatible identity provider. By configuring Azure AD as the external OIDC IdP and supplying the discovery URL, client ID, and client secret, the ALB handles the full authentication handshake. The load balancer then sets its own session cookie, whose lifetime can be configured-for example, 3,600 seconds-to meet the 1-hour requirement. Because authentication occurs before traffic reaches the targets, no change is required in the application code, and Azure AD conditional-access policies continue to apply.
The other options either introduce extra infrastructure (Keycloak), require code changes (Amazon Cognito integration), or use AWS IAM Identity Center, which is intended for access to AWS resources rather than arbitrary applications behind an ALB.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is OpenID Connect (OIDC)?
Open an interactive chat with Bash
How does Azure AD work as an external OIDC IdP?
Open an interactive chat with Bash
Why does using the Application Load Balancer (ALB) eliminate the need for application code changes?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .