A. With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider.
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using the AWS SDK to give federated users the ability to assume their target role in the resource accounts.
C. Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company’s existing identity provider. Create IAM roles for the identity provider to assume.
D. Configure the IAM trust policies within each account’s role to set up a trust back to the company’s existing identity provider. Allow users to assume the role based on their SAML token.