By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS SSO "User Portal" session timeout.

0

The AWS documentation for SSO has details on how to set a session duration for logging into the AWS console: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

I set this to 1 hour to test. However, a behavior I've noticed is that when clicking on the link for the "management console", it opens a new tab in the browser (leaving the "user portal" open in the previous tab. The management console tab expires after 1 hour but if you go back to the previous tab with the "user portal" still open, you can simply click on the link for the "management console" to open a new tab without the need to re-authenticate.

Is there a way to configure a session timeout for the "user portal" in SSO?

  • Andreas Seemueller EXPERT
    2 years ago

    Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

Topics
Security, Identity, & ComplianceAWS Well-Architected Framework
Tags
AWS IAM Identity CenterSecurity
Language
English
bluescape-jreed
asked 2 years ago1356 views
3 Answers
0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider? I'm using AzureAD as an external identity provider.

I guess you are using SAML 2.0 integration then? In that case you need to configure the session lifecycle on the Azure AD side. (see: https://docs.microsoft.com/en-us/graph/api/resources/tokenlifetimepolicy?view=graph-rest-1.0). The lifetime of the session set the maximum time a user can use the Amazon SSO web portal without re-authenticating to the external IDP.

EXPERT
Andreas Seemueller
answered 2 years ago
profile picture
EXPERT
Giovanni Lauria
reviewed 17 days ago
  • bluescape-jreed
    2 years ago

    I don't see this attribute listed in AWS's list of SAML assertions though. The closest one I can find is SessionDuration but that only affects the AWS Management Console and not the AWS User Portal. Its uses 60 minutes as a default if not specified.

    So what this effectively does is it expires the AWS Management Console session after 60 minutes. However, if you can go back to the browser tab where you still have the User Portal open, you can click on the "Management Console" link to open a new session for 60 minutes without having to do any re-authentication with SAML.

    The "User Portal" seems to leave its session open for several hours (I think 8 but I need to test that)

  • bluescape-jreed
    2 years ago

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration

  • A
    2 months ago

    Where would I deploy the policy in Entra?

0

Can you detail which identity source you are using? SSO internal, AD, or an external identity provider?

I'm using AzureAD as an external identity provider.

bluescape-jreed
answered 2 years ago
0

Identity center launched the new feature to configure session duration for access portal - https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html

aarushi
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content