yes, I did: this is one of the permission sets, all the others are set the same way - everything is via pulumi (like terraform)
Hi,
See https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html
To set the session duration
1. Open the IAM Identity Center console.
2. Under Multi-account permissions, choose Permission sets.
3. Choose the name of the permission set for which you want to change the session duration.
4. On the details page for the permission set, to the right of the General settings section heading, choose Edit.
5. On the Edit general permission set settings page, choose a new value for Session duration.
Did you do step #5?
What may be occurring is that the SAML assertion has the SessionNotOnOrAfter attribute defined. If so, please check if that’s set to an hours duration.
“Note, too, that if a SessionNotOnOrAfter attribute is also defined, then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, establishes the maximum duration of the console session” See this for details
Interesting. I'm using Google Workspace and there seems to be no option to change the session NotOnOrAfter (or any SAML assertion attributes); am I missing something? Or maybe there is a way to override that value on the AWS side?
If I'm testing the flow and follow the SAML response, I see this POST request:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" ID="XXXXXX" InResponseTo="XXXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C036z40fn</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="XXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
    <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=XXXXXX</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#XXXXXX">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>XXXXXX</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>XXXXXX</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
          <ds:X509Certificate>XXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">XXXXXX</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="XXXXXX" NotOnOrAfter="2023-06-05T06:34:21.870Z" Recipient="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://us-east-2.signin.aws.amazon.com/platform/saml/XXXXXX</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="XXXXXX">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
(I replaced every identifier with XXXXXX)
So the NotOnOrAfter is very short - does this cause the AWS CLI to set the duration to the minimum of 1 hour?
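An added example, not part of the thread, that parses a response shaped like the one above and applies the rule quoted from the AWS docs: it reports every NotOnOrAfter-style attribute and computes the effective console session limit from a configured SessionDuration (in seconds). The functions `lifetime_report`, `effective_session_seconds`, `sample_response` (a constructed stand-in for the redacted response) and the 43200-second value are assumptions for illustration.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_ts(value):
    # SAML xs:dateTime in UTC; fractional seconds are optional.
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")

def lifetime_report(xml_text):
    # Every NotOnOrAfter-style attribute the assertion carries.
    a = ET.fromstring(xml_text).find("saml2:Assertion", NS)
    cond = a.find("saml2:Conditions", NS)
    scd = a.find(".//saml2:SubjectConfirmationData", NS)
    authn = a.find("saml2:AuthnStatement", NS)
    sna = authn.get("SessionNotOnOrAfter")  # absent in the Google response above
    return {
        "assertion_not_before": parse_ts(cond.get("NotBefore")),
        "assertion_not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
        "bearer_not_on_or_after": parse_ts(scd.get("NotOnOrAfter")),
        "authn_instant": parse_ts(authn.get("AuthnInstant")),
        "session_not_on_or_after": parse_ts(sna) if sna else None,
    }

def effective_session_seconds(xml_text, configured_seconds, now):
    # Rule quoted from the AWS docs: the lesser of the configured SessionDuration and
    # the time left until SessionNotOnOrAfter caps the console session; the short
    # Conditions window only bounds how long the assertion itself may be presented.
    sna = lifetime_report(xml_text)["session_not_on_or_after"]
    if sna is None:
        return configured_seconds
    return max(0, min(configured_seconds, int((sna - now).total_seconds())))

def sample_response(session_not_on_or_after=None):
    # Constructed minimal response modelled on the one in the question
    # (signature, Issuer, Status and identifiers omitted).
    extra = f' SessionNotOnOrAfter="{session_not_on_or_after}"' if session_not_on_or_after else ""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" Version="2.0">
  <saml2:Assertion xmlns:saml2="{NS['saml2']}" Version="2.0">
    <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2023-06-05T06:34:21.870Z"/>
    </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z"/>
    <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z"{extra}/>
  </saml2:Assertion>
</saml2p:Response>"""
```

With no SessionNotOnOrAfter in the assertion, as in the response quoted above, the configured value alone applies; the 10-minute Conditions window does not shorten the session.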
Ok. Then did you check on the Google side, as it is the identity provider? See https://support.google.com/a/answer/7576830?hl=en Maybe the session duration configured on the Google side has an impact? See in particular the section explicitly mentioning the 1h duration for admin sessions.