AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your organization uses IAM Identity Center with AWS Managed Microsoft AD as the identity source. More than 300 user and group assignments span 150 AWS accounts and dozens of permission sets. The company will retire Active Directory and adopt Okta as its workforce identity platform. During a brief maintenance window, you must switch IAM Identity Center to use Okta without leaving users locked out of the AWS accounts for an extended period.
Which approach will meet these requirements?
First switch the identity source from Active Directory to the built-in Identity Center directory to preserve assignments, and then switch to Okta as the external IdP.
Use the ListAccountAssignments API to export the current assignments, provision identical users and groups in Okta through SCIM, change the identity source to the external IdP, and then call CreateAccountAssignment in an automated script to restore each assignment.
Change the identity source directly to the external IdP and rely on Okta to send matching SAML assertions so that IAM Identity Center keeps the existing assignments.
Increase the IAM Identity Center session duration to keep existing sessions active, switch the identity source to Okta, and allow sessions to expire naturally after the cutover.
Changing the IAM Identity Center identity source from Active Directory to an external identity provider deletes all users, groups, and account assignments. To minimize downtime you must first export the existing assignments, provision the same identities from Okta, and then recreate the assignments with automation. The ListAccountAssignments API can be scripted to capture every current mapping, and the CreateAccountAssignment API can replay them quickly after the switch. Simply changing the identity source and relying on SAML assertions or longer session durations does not stop IAM Identity Center from deleting assignments. Pivoting through the built-in directory also triggers assignment deletion during the first switch, so it offers no benefit.
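The export-and-replay procedure the explanation describes, as an added example (not part of the original question page): capture every assignment keyed by principal name before the switch, then recreate each one against the new identity store afterwards. Principal IDs do not survive the switch (the Okta-provisioned store issues new IDs), so the export resolves each PrincipalId to a user name or group display name through the Identity Store API, and the replay resolves names back to new IDs. The clients are passed in as parameters so the logic runs here against constructed fakes; in production pass `boto3.client("sso-admin")` and `boto3.client("identitystore")` and use `ids.exceptions.ResourceNotFoundException` as the not-found error. The instance and permission set ARNs, account IDs and user names below are placeholders.

```python
"""Export IAM Identity Center account assignments by principal name before an
identity-source switch and replay them afterwards against the new store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    account_id: str
    permission_set_arn: str
    principal_type: str   # "USER" or "GROUP"
    principal_name: str   # UserName / group DisplayName: stable across identity stores


def _paginate(call, key, **kwargs):
    """Follow NextToken until the API stops returning one."""
    token = None
    while True:
        resp = call(**kwargs, NextToken=token) if token else call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def export_assignments(sso, ids, instance_arn, store_id, account_ids, ps_arns):
    """ListAccountAssignments for every (account, permission set) pair, with
    PrincipalId resolved to a name so the snapshot is usable after the switch."""
    snapshot = []
    for acct in account_ids:
        for ps in ps_arns:
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=instance_arn, AccountId=acct, PermissionSetArn=ps):
                if a["PrincipalType"] == "USER":
                    name = ids.describe_user(IdentityStoreId=store_id, UserId=a["PrincipalId"])["UserName"]
                else:
                    name = ids.describe_group(IdentityStoreId=store_id, GroupId=a["PrincipalId"])["DisplayName"]
                snapshot.append(Assignment(acct, ps, a["PrincipalType"], name))
    return snapshot


def resolve_principal(ids, store_id, ptype, name):
    """Look up the new-store ID for a SCIM-provisioned user or group by name."""
    attr = "userName" if ptype == "USER" else "displayName"
    alt = {"UniqueAttribute": {"AttributePath": attr, "AttributeValue": name}}
    if ptype == "USER":
        return ids.get_user_id(IdentityStoreId=store_id, AlternateIdentifier=alt)["UserId"]
    return ids.get_group_id(IdentityStoreId=store_id, AlternateIdentifier=alt)["GroupId"]


def replay_assignments(sso, ids, instance_arn, new_store_id, snapshot, not_found=LookupError):
    """CreateAccountAssignment for each captured mapping. Principals SCIM has not
    provisioned yet are reported in `missing` instead of being silently skipped.
    CreateAccountAssignment is asynchronous; a production run should also poll
    DescribeAccountAssignmentCreationStatus before declaring the cutover done."""
    created, missing = [], []
    for a in snapshot:
        try:
            pid = resolve_principal(ids, new_store_id, a.principal_type, a.principal_name)
        except not_found:
            missing.append(a)
            continue
        sso.create_account_assignment(InstanceArn=instance_arn, TargetId=a.account_id,
                                      TargetType="AWS_ACCOUNT", PermissionSetArn=a.permission_set_arn,
                                      PrincipalType=a.principal_type, PrincipalId=pid)
        created.append(a)
    return created, missing


# --- constructed fakes standing in for the two boto3 clients -------------------
class FakeSsoAdmin:
    def __init__(self, rows):
        self._rows, self.created = rows, []

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        rows = [r for r in self._rows if r["AccountId"] == AccountId and r["PermissionSetArn"] == PermissionSetArn]
        i = int(NextToken) if NextToken else 0          # one row per page to exercise pagination
        resp = {"AccountAssignments": rows[i:i + 1]}
        if i + 1 < len(rows):
            resp["NextToken"] = str(i + 1)
        return resp

    def create_account_assignment(self, **kw):
        self.created.append(kw)
        return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS"}}


class FakeIdentityStore:
    def __init__(self, users, groups):   # {principal_id: name}
        self.users, self.groups = users, groups

    def describe_user(self, IdentityStoreId, UserId):
        return {"UserName": self.users[UserId]}

    def describe_group(self, IdentityStoreId, GroupId):
        return {"DisplayName": self.groups[GroupId]}

    @staticmethod
    def _by_name(table, value):
        for pid, name in table.items():
            if name == value:
                return pid
        raise LookupError(value)

    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        return {"UserId": self._by_name(self.users, AlternateIdentifier["UniqueAttribute"]["AttributeValue"])}

    def get_group_id(self, IdentityStoreId, AlternateIdentifier):
        return {"GroupId": self._by_name(self.groups, AlternateIdentifier["UniqueAttribute"]["AttributeValue"])}


INSTANCE = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-admin"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-readonly"
ACCOUNTS = ["111111111111", "222222222222"]


def run_cutover_demo():
    """Constructed scenario: AD-backed store before, Okta/SCIM store after,
    where SCIM has provisioned alice and CloudOps but not yet bob."""
    old_ids = FakeIdentityStore({"u-1": "alice@example.com", "u-2": "bob@example.com"}, {"g-1": "CloudOps"})
    old_rows = [
        {"AccountId": ACCOUNTS[0], "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-1"},
        {"AccountId": ACCOUNTS[0], "PermissionSetArn": PS_RO, "PrincipalType": "USER", "PrincipalId": "u-1"},
        {"AccountId": ACCOUNTS[1], "PermissionSetArn": PS_RO, "PrincipalType": "USER", "PrincipalId": "u-2"},
        {"AccountId": ACCOUNTS[1], "PermissionSetArn": PS_RO, "PrincipalType": "GROUP", "PrincipalId": "g-1"},
    ]
    snapshot = export_assignments(FakeSsoAdmin(old_rows), old_ids, INSTANCE, "d-old", ACCOUNTS, [PS_ADMIN, PS_RO])
    new_ids = FakeIdentityStore({"u-9": "alice@example.com"}, {"g-7": "CloudOps"})
    sso_after = FakeSsoAdmin([])
    created, missing = replay_assignments(sso_after, new_ids, INSTANCE, "d-new", snapshot)
    return snapshot, created, missing, sso_after.created


if __name__ == "__main__":
    snap, ok, gaps, calls = run_cutover_demo()
    print(f"exported {len(snap)}, recreated {len(ok)}, waiting on SCIM for {[m.principal_name for m in gaps]}")
```

The `missing` list is the check worth keeping in a real cutover: replaying into a store where SCIM has not finished provisioning silently drops access for exactly the users who will be paged first, so the script should refuse to declare success while that list is non-empty.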
Exam domain: Accelerate Workload Migration and Modernization