SessionDurationAttribute does not work when signing in to QuickSight with SAML 2.0 federation

I signed in to QuickSight by POSTing a SAMLResponse with a SessionDurationAttribute. Then I closed the browser and waited for the set time. I accessed https://quicksight.aws.amazon.com in my browser again. I expected to see a session timeout message, but I got the QuickSight console screen. Are any other settings required?

HTTP request.

POST https://signin.aws.amazon.com/saml HTTP/1.1
Content-Type: application/x-www-form-urlencoded

SAMLResponse=PHNhbWxwOlJlc...&RelayState=https://quicksight.aws.amazon.com

Other information.

  • The max session duration for the role specified in RoleAttribute is 1 hour.
  • After closing the browser and the time set in the SessionDurationAttribute has passed, I went to the AWS Management Console. Then I got a session timeout message.
  • Accessing https://quicksight.aws.amazon.com 12 hours after closing the browser resulted in a session timeout message.
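
When troubleshooting a setup like the one in the question, a first check is what the IdP actually put in the assertion. The following is an added example, not part of the original post: it decodes the `SAMLResponse` form field and reports the Role and SessionDuration attributes, flagging values outside the 900 to 43200 second range AWS documents for that attribute. The helper names, the placeholder ARNs and the unsigned sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
MIN_SECONDS, MAX_SECONDS = 900, 43200  # range AWS documents for SessionDuration

def attribute_values(root, name):
    """Collect every AttributeValue text under the SAML attribute `name`."""
    return [(v.text or "").strip()
            for a in root.iter(SAML_NS + "Attribute") if a.get("Name") == name
            for v in a.findall(SAML_NS + "AttributeValue")]

def inspect_form_body(body):
    """Decode the SAMLResponse field of a form-encoded POST body and report
    the Role and SessionDuration attributes the assertion actually carries."""
    xml_bytes = base64.b64decode(parse_qs(body)["SAMLResponse"][0])
    # Fine for the constructed sample below; parse untrusted responses with a
    # hardened XML parser such as defusedxml.
    root = ET.fromstring(xml_bytes)
    durations = attribute_values(root, AWS_ATTR + "SessionDuration")
    report = {"roles": attribute_values(root, AWS_ATTR + "Role"),
              "session_duration": None, "problems": []}
    if len(durations) != 1:
        report["problems"].append(f"expected 1 SessionDuration value, found {len(durations)}")
    elif not (durations[0].isascii() and durations[0].isdigit()):
        report["problems"].append(f"SessionDuration is not an integer: {durations[0]!r}")
    else:
        report["session_duration"] = int(durations[0])
        if not MIN_SECONDS <= report["session_duration"] <= MAX_SECONDS:
            report["problems"].append("SessionDuration outside 900-43200 seconds")
    return report

def sample_body(duration):
    """Constructed sample: a minimal, unsigned response with placeholder ARNs."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:AttributeStatement>'
        f'<saml:Attribute Name="{AWS_ATTR}Role"><saml:AttributeValue>'
        'arn:aws:iam::111122223333:role/ExampleRole,'
        'arn:aws:iam::111122223333:saml-provider/ExampleIdP'
        '</saml:AttributeValue></saml:Attribute>'
        f'<saml:Attribute Name="{AWS_ATTR}SessionDuration"><saml:AttributeValue>'
        f'{duration}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode(),
                      "RelayState": "https://quicksight.aws.amazon.com"})

if __name__ == "__main__":
    for value in ("900", "300", "1h"):
        print(value, inspect_form_body(sample_body(value)))
```

This only confirms what was sent to the sign-in endpoint; it does not show how QuickSight itself tracks its session.
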
1 Answer

Hi!

I understand that you have a concern about the behavior you're experiencing with the SessionDurationAttribute when signing into QuickSight using SAML 2.0 federation.

Please kindly note that QuickSight uses the AWS sign-in page to federate users into QuickSight, and while the maximum session duration for a role can be set to 1 hour, the session duration for QuickSight is not bound by the AWS Management Console session. This means that once you have authenticated through the sign-in page and been federated into QuickSight, the QuickSight session can continue beyond the session duration specified for the AWS Management Console. AWS takes session security seriously, and after inactivity for a certain period, QuickSight prompts the user to either extend the session or sign out. If no action is taken on this prompt, then QuickSight automatically signs the user out.

In the case you're describing, when you're accessing QuickSight 12 hours after closing the browser, it's behaving as expected by presenting a session timeout message. If you want to ensure that you or other users are automatically signed out of QuickSight after a certain duration, regardless of activity, I would recommend considering a QuickSight session policy. QuickSight session policies can be used to define a maximum session duration for QuickSight users.

Please note that configuring a QuickSight session policy will impact all users (if you have more than one) in your AWS account, so please carefully review the settings before implementing the policy.

If you have any further questions or need assistance setting up a QuickSight session policy, don't hesitate to ask.

Best Regards,

Victor

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
https://docs.aws.amazon.com/quicksight/latest/user/security_iam_concepts.html

HDVALI
answered 8 months ago
