Okta Classic Engine | Single Sign-On | Answered | 2024-03-25 | 2021-07-16 | 2021-07-27

qqxb8 (qqxb8) asked a question.

Session Timeout for AWS Integration

Dear community,

We've got a similar issue as

https://support.okta.com/help/s/question/0D50Z00008C3jXU/session-timeout-for-aws-integration?language=en_US

… where a session timeout for the AWS App isn't configurable.

But the SessionDuration has to be set on the call from Okta to AWS.

So it has to be configurable on the Okta side.

 

We've followed the integration guide:

https://help.okta.com/en/prod/Content/Topics/Miscellaneous/References/OktaAWSMulti-AccountConfigurationGuide.pdf

 

In the App settings, there is no parameter for SessionDuration, which could be set.

 

 

The request from Okta to AWS looks something like:

 

https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=%7B%22sessionId%22%3A%22ASIAEXAMPLEMDLUUAEYQ%22%2C%22sessionKey%22%3A%22tpSl9thxr2PkEXAMPLETAnVLVGdwC5zXtGDr%2FqWi%22%2C%22sessionToken%22%3A%22AQoDYXdz%EXAMPLE&SessionDuration=43200

 

… where the SessionDuration needs to be configurable, so that we can extend this beyond the default one hour (and set this to our desirable 12 hours instead).

 

 

Just to clarify upfront: We're NOT using AWS SSO but the "AWS Multi-Account Configuration".

 

The link to the 2016.46 release (https://developer.okta.com/docs/release-notes/2016/*platform-bugs-fixed-4) also doesn't seem to help much.

 

Has anybody figured this out yet? How to extend the session timeout?

 

 

 


  • qqxb8 (qqxb8)

    We've opened a case with AWS support and they helped us find the correct settings within Okta.

    I hope this is gonna help others as well:

     

    ------>------>------>------> AWS Support answer below ------>------>------>------>

     

    I would like to mention that when we federate into an AWS account by using the Console URL constructed with the AssumeRoleWithSAML API via your external IdP (Okta in your case), the session duration value is calculated based on the SessionDuration HTML parameter in the URL. By default, the session is valid for 1 hour [1]. However, you can customize the session duration using this Session Duration attribute. This value needs to be sent from your IdP in the SAML assertion during user authentication as below to set the session duration to a customized value [2].

     

    <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <AttributeValue>7200</AttributeValue>
    </Attribute>

     

    This attribute can be configured in your AWS SAML application's page under your IdP. Please follow the below steps to configure the Session duration value in Okta.

     

    1. Sign into your Okta Admin Console and navigate to your application's page.

    2. Select the Sign On tab for the AWS Account Federation app, then choose the 'Sign on' tab and click Edit.

    3. Search for the 'Session Duration' option under 'Advanced Sign-on Settings' and enter the required session duration value as per your requirement.

    Note: The duration value is an integer representing the number of seconds for the session. The value can range from 900 seconds (15 minutes) to 43200 seconds (12 hours).

    4. Click on Save to save your configuration.

     

    After making the above changes, please try signing into your AWS account and check if the session is valid for the configured duration.

     

    References:

    =========

    [1] Using IAM roles:

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

     

    [2] Configuring SAML assertions for the authentication response

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration

     

     

    Selected as Best
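As an added example (not code from the post, from Okta or from AWS), a small Python check for the configuration described above: it parses a constructed SAML assertion for the SessionDuration attribute, requires the attribute name to match literally (a stray trailing space inside Name, an easy copy-paste mistake, is flagged rather than silently ignored), enforces the 900..43200 second range quoted in the answer, and builds the getSigninToken URL shape shown in the question. All credentials and assertions are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MIN_SECONDS, MAX_SECONDS = 900, 43200  # range quoted in the AWS Support answer


def session_duration_from_assertion(assertion_xml: str) -> int:
    """Return the SessionDuration an IdP asserted, or raise ValueError describing
    why AWS would ignore it and fall back to the default one-hour session."""
    root = ET.fromstring(assertion_xml)
    attrs = list(root.iter(f"{{{SAML_NS}}}Attribute"))
    exact = [a for a in attrs if a.get("Name") == SESSION_DURATION_ATTR]
    if not exact:
        # AWS matches the attribute name literally, so report near-misses
        # (e.g. trailing whitespace inside Name="...") explicitly.
        near = [a.get("Name") for a in attrs
                if a.get("Name", "").strip() == SESSION_DURATION_ATTR]
        hint = f"; near-miss names {near!r} (stray whitespace?)" if near else ""
        raise ValueError("no SessionDuration attribute in assertion" + hint)
    value = exact[0].findtext(f"{{{SAML_NS}}}AttributeValue", default="").strip()
    if not value.isdigit():
        raise ValueError(f"SessionDuration must be an integer, got {value!r}")
    seconds = int(value)
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"SessionDuration {seconds}s outside {MIN_SECONDS}..{MAX_SECONDS}")
    return seconds


def federation_signin_token_url(session_id, session_key, session_token, seconds):
    """Build the getSigninToken URL shape shown in the question, carrying the
    SessionDuration taken from the assertion (credentials here are constructed)."""
    session = json.dumps({"sessionId": session_id, "sessionKey": session_key,
                          "sessionToken": session_token}, separators=(",", ":"))
    return "https://signin.aws.amazon.com/federation?" + urlencode(
        {"Action": "getSigninToken", "Session": session, "SessionDuration": seconds})


# Constructed sample assertions (not real Okta output); BAD_ASSERTION carries
# the trailing-space mistake inside the attribute Name.
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>
<saml:Attribute Name="{SESSION_DURATION_ATTR}"><saml:AttributeValue>43200</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
BAD_ASSERTION = GOOD_ASSERTION.replace(f'Name="{SESSION_DURATION_ATTR}"',
                                       f'Name="{SESSION_DURATION_ATTR} "')

if __name__ == "__main__":
    seconds = session_duration_from_assertion(GOOD_ASSERTION)
    print(federation_signin_token_url("ASIAEXAMPLE", "EXAMPLEKEY", "EXAMPLETOKEN", seconds))
```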
  • User15730551722677923586 (Vendor Management)

    My name is Daniel and I'm happy to assist you in this matter today.

     

    The first link you've got there is 5 years old. The second link actually has this resolution embedded within:

     

    To set the session duration

    1. Open the AWS SSO console.
    2. Choose AWS accounts.
    3. Choose the Permission sets tab.
    4. Choose the name of the permission set where you want to change the new session duration time.
    5. On the Permissions tab, under the General section, choose Edit.
    6. Next to Session duration, choose a new session length value, and then choose Continue.
    7. Select the AWS accounts in the list that you want the new session duration value to apply to, and then choose Reprovision.

     

    https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

     

This question is closed.