Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

AWS SSO "User Portal" session timeout.

0

The AWS documentation for SSO has details on how to set a session duration for logging into the AWS console: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

I set this to 1 hour to test. However, a behavior I've noticed is that when clicking on the link for the "management console", it opens a new tab in the browser (leaving the "user portal" open in the previous tab. The management console tab expires after 1 hour but if you go back to the previous tab with the "user portal" still open, you can simply click on the link for the "management console" to open a new tab without the need to re-authenticate.

Is there a way to configure a session timeout for the "user portal" in SSO?

  • Andreas Seemueller EXPERTO
    hace 2 años

    Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

Temas
Seguridad, identidad y cumplimientoAWS Well-Architected Framework
Etiquetas
Centro de identidad de AWS IAMSeguridad
Idioma
English
bluescape-jreed
preguntada hace 2 años1379 visualizaciones
3 Respuestas
0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider? I'm using AzureAD as an external identity provider.

I guess you are using SAML 2.0 integration then? In that case you need to configure the session lifecycle on the Azure AD side. (see: https://docs.microsoft.com/en-us/graph/api/resources/tokenlifetimepolicy?view=graph-rest-1.0). The lifetime of the session set the maximum time a user can use the Amazon SSO web portal without re-authenticating to the external IDP.

EXPERTO
Andreas Seemueller
respondido hace 2 años
profile picture
EXPERTO
Giovanni Lauria
revisado hace un mes
  • bluescape-jreed
    hace 2 años

    I don't see this attribute listed in AWS's list of SAML assertions though. The closest one I can find is SessionDuration but that only affects the AWS Management Console and not the AWS User Portal. Its uses 60 minutes as a default if not specified.

    So what this effectively does is it expires the AWS Management Console session after 60 minutes. However, if you can go back to the browser tab where you still have the User Portal open, you can click on the "Management Console" link to open a new session for 60 minutes without having to do any re-authentication with SAML.

    The "User Portal" seems to leave its session open for several hours (I think 8 but I need to test that)

  • bluescape-jreed
    hace 2 años

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration

  • A
    hace 3 meses

    Where would I deploy the policy in Entra?

0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

I'm using AzureAD as an external identity provider.

bluescape-jreed
respondido hace 2 años
0

Identity center launched the new feature to configure session duration for access portal - https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html

aarushi
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante