Answer :
- It may require users to VPN back to the corporate network before accessing cloud services
Explanation :
The correct answer is that users may have to VPN back to the corporate network before accessing cloud services (CSA guidance page 135). Directory servers with appropriate capabilities (e.g. Active Directory Federations Services) can form federation with cloud services. Although both SAML and oAuth are standards that can be leveraged for federation, these are not the best answer. Finally, while identity broker services may be more scalable depending on the use case involved, this is not found in the CSA guidance.