
Single Logout (SLO) support for IAM Identity Center with Entra ID SSO

0

It's my understanding that AWS Identity Center doesn't support single logout (SLO) when Entra ID is the identity source. I was very surprised to find this, considering most other service providers provide this feature now (although in the past this was a very mixed bag with SAML). To be clear, I'm talking about a service-provider-initiated logout (SSO-enabled AWSAdministratorAccess portal) that returns to the identity provider (Entra ID). Is there an existing enhancement request our organization can add our voice to for this?

Is the session duration considered the mitigating control for lack of a single logout?

Thanks

asked a year ago · 417 views
1 Answer
0

You are correct in your understanding that AWS IAM Identity Center does not support Single Logout (SLO) when using external identity providers like Microsoft Entra ID (formerly Azure AD) as the identity source. This limitation applies to both identity provider-initiated and service provider-initiated logout scenarios.

IAM Identity Center does not support SAML Single Logout initiated by an identity provider that acts as the identity source. Additionally, it does not send SAML Single Logout requests to SAML applications that use IAM Identity Center as an identity provider.

Regarding an enhancement request for this feature, AWS does not publicly disclose information about specific enhancement requests or future product roadmaps. However, you can submit feedback or feature requests through your AWS account team or AWS Support if you have an active support plan.

As for mitigating controls, while session duration is not specifically designed as a mitigation for the lack of Single Logout, it does provide some level of security control. IAM Identity Center maintains two types of sessions:

  1. Sign-in sessions: These can last up to 90 days.
  2. Application sessions: These have a 1-hour lifetime and are automatically refreshed.

When a user is disabled or deleted, they are immediately prevented from creating new sign-in sessions. However, existing sessions can be used for up to an hour. After the sign-in session expires, users can no longer initiate new application or IAM role sessions, but existing sessions can be used for up to an hour.

It's worth noting that you can configure session duration for the AWS access portal and IAM Identity Center integrated applications. The session duration can be set between 15 minutes and 90 days. Additionally, you have the ability to view and delete active AWS access portal sessions for IAM Identity Center users.

While these session management features provide some control, they are not a direct replacement for Single Logout functionality. Organizations should consider these limitations when designing their overall security strategy and may need to implement additional processes or controls to manage user sessions effectively.
Sources:
  - Authentication in IAM Identity Center - AWS IAM Identity Center
  - AWS IAM Identity Center - AWS Prescriptive Guidance

answered a year ago
EXPERT
reviewed a year ago
