What configuration allows user authentication against an on-premises identity store for cloud services?

The correct choice is identity federation. This configuration allows an organization to use an on-premises identity store, such as Active Directory or LDAP, to authenticate users accessing cloud services.

With identity federation, you can establish a trust relationship between the on-premises identity provider and the cloud service provider. This enables users to authenticate with their existing credentials without needing to create separate accounts for the cloud services. Instead, authentication requests are redirected to the on-premises identity store, where the user's credentials are verified. Once validated, the user gains access to the cloud resources seamlessly, enhancing both security and user experience.

In contrast, tokenization refers to the process of substituting sensitive data elements with non-sensitive equivalents, which doesn't facilitate user authentication. Single sign-on allows users to access multiple applications with one set of credentials, but it typically relies on federated identity mechanisms to connect with the on-premises identity store. Multifactor authentication adds an additional layer of security by requiring multiple forms of verification during the authentication process, but it is not specifically focused on connecting to on-premises identity stores for cloud services.