Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

AWS SSO "User Portal" session timeout.

0

The AWS documentation for SSO has details on how to set a session duration for logging into the AWS console: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

I set this to 1 hour to test. However, a behavior I've noticed is that when clicking on the link for the "management console", it opens a new tab in the browser (leaving the "user portal" open in the previous tab. The management console tab expires after 1 hour but if you go back to the previous tab with the "user portal" still open, you can simply click on the link for the "management console" to open a new tab without the need to re-authenticate.

Is there a way to configure a session timeout for the "user portal" in SSO?

  • Andreas Seemueller EXPERTE
    vor 2 Jahren

    Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

Themen
Sicherheit, Identität & KonformitätAWS Framework mit guter Struktur
Tags
AWS IAM IdentitätszentrumSicherheit
Sprache
English
bluescape-jreed
gefragt vor 2 Jahren1380 Aufrufe
3 Antworten
0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider? I'm using AzureAD as an external identity provider.

I guess you are using SAML 2.0 integration then? In that case you need to configure the session lifecycle on the Azure AD side. (see: https://docs.microsoft.com/en-us/graph/api/resources/tokenlifetimepolicy?view=graph-rest-1.0). The lifetime of the session set the maximum time a user can use the Amazon SSO web portal without re-authenticating to the external IDP.

EXPERTE
Andreas Seemueller
beantwortet vor 2 Jahren
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat
  • bluescape-jreed
    vor 2 Jahren

    I don't see this attribute listed in AWS's list of SAML assertions though. The closest one I can find is SessionDuration but that only affects the AWS Management Console and not the AWS User Portal. Its uses 60 minutes as a default if not specified.

    So what this effectively does is it expires the AWS Management Console session after 60 minutes. However, if you can go back to the browser tab where you still have the User Portal open, you can click on the "Management Console" link to open a new session for 60 minutes without having to do any re-authentication with SAML.

    The "User Portal" seems to leave its session open for several hours (I think 8 but I need to test that)

  • bluescape-jreed
    vor 2 Jahren

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration

  • A
    vor 3 Monaten

    Where would I deploy the policy in Entra?

0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

I'm using AzureAD as an external identity provider.

bluescape-jreed
beantwortet vor 2 Jahren
0

Identity center launched the new feature to configure session duration for access portal - https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html

aarushi
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt