Configure the session duration of the Amazon Web Services access portal and IAM Identity Center integrated applications
The session duration of authentication into the Amazon Web Services access portal and IAM Identity Center integrated applications is the maximum length of time that a user can be signed in without re-authenticating. The default session duration is 8 hours. The IAM Identity Center Administrator can specify a different duration, from a minimum of 15 minutes to a maximum of 90 days. For more information about authentication session duration and user behavior, see Authentication.
The following topics provide information about configuring the session duration of the Amazon Web Services access portal and IAM Identity Center integrated applications.
Prerequisites and considerations
The following are the prerequisites and considerations for configuring the session duration for the Amazon Web Services access portal and IAM Identity Center integrated applications.
External identity providers
IAM Identity Center uses the SessionNotOnOrAfter attribute from SAML assertions to help determine how long the session can be valid for.
- If SessionNotOnOrAfter is not passed in a SAML assertion, the duration of an Amazon Web Services access portal session is not impacted by the duration of your external IdP session. For example, if your IdP session duration is 24 hours and you set an 18-hour session duration in IAM Identity Center, your users must re-authenticate in the Amazon Web Services access portal after 18 hours.
- If SessionNotOnOrAfter is passed in a SAML assertion, the session duration value is set to the shorter of the Amazon Web Services access portal session duration and your SAML IdP session duration. If you set a 72-hour session duration in IAM Identity Center and your IdP has a session duration of 18 hours, your users will have access to Amazon resources for the 18 hours defined in your IdP.
- If the session duration of your IdP is longer than the one set in IAM Identity Center, your users will be able to start a new IAM Identity Center session without re-entering their credentials, based on their still-valid login session with your IdP.
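The three rules above, applied to a SAML assertion, as an added example that is not part of the IAM Identity Center documentation. It reads the SessionNotOnOrAfter attribute from the AuthnStatement and computes the effective session end with the numbers from the text (72-hour portal setting against an 18-hour IdP session, and an 18-hour portal setting with the attribute absent). The assertions, the issuer, the timestamps and the function names are constructed for this example; it assumes the assertion has already been signature-validated by the service provider and only reads the attribute.

```python
"""Effective session end under the SessionNotOnOrAfter rules described above.

Added example, not from the IAM Identity Center documentation. Assumes the
assertion was already signature-validated; this only reads the attribute and
applies the min() rule.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output; signature omitted).
# Sign-in is at 2024-05-01T08:00:00Z; the IdP session ends 18 hours later.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T08:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z" SessionIndex="_s1"{snoa}>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

ASSERTION_WITH_SNOA = ASSERTION_TEMPLATE.format(
    snoa=' SessionNotOnOrAfter="2024-05-02T02:00:00Z"')
# Same assertion with the attribute omitted: the IdP session length is then
# invisible to IAM Identity Center, so only the portal setting applies.
ASSERTION_WITHOUT_SNOA = ASSERTION_TEMPLATE.format(snoa="")


def session_not_on_or_after(assertion_xml: str) -> Optional[datetime]:
    """Return the IdP session end from the AuthnStatement, or None if absent."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("SessionNotOnOrAfter") is None:
        return None
    # SAML timestamps are UTC and end in "Z"; older fromisoformat wants "+00:00".
    return datetime.fromisoformat(
        stmt.get("SessionNotOnOrAfter").replace("Z", "+00:00"))


def effective_session_end(assertion_xml: str, portal_duration: timedelta,
                          signed_in_at: datetime) -> datetime:
    """Rule from the text: the shorter of portal duration and IdP session when
    the attribute is present; the portal duration alone when it is not."""
    portal_end = signed_in_at + portal_duration
    idp_end = session_not_on_or_after(assertion_xml)
    return portal_end if idp_end is None else min(portal_end, idp_end)


def can_renew_without_idp_credentials(at: datetime,
                                      idp_session_end: datetime) -> bool:
    """Third case above: a still-valid IdP session lets the user start a new
    IAM Identity Center session without re-entering credentials."""
    return at < idp_session_end


def demo() -> dict:
    """Worked cases with the durations used in the text (ISO strings)."""
    t0 = datetime(2024, 5, 1, 8, tzinfo=timezone.utc)
    idp_end = session_not_on_or_after(ASSERTION_WITH_SNOA)
    return {
        "72h_portal_18h_idp": effective_session_end(
            ASSERTION_WITH_SNOA, timedelta(hours=72), t0).isoformat(),
        "8h_portal_18h_idp": effective_session_end(
            ASSERTION_WITH_SNOA, timedelta(hours=8), t0).isoformat(),
        "18h_portal_no_snoa": effective_session_end(
            ASSERTION_WITHOUT_SNOA, timedelta(hours=18), t0).isoformat(),
        "renew_at_hour_12": can_renew_without_idp_credentials(
            t0 + timedelta(hours=12), idp_end),
        "renew_at_hour_20": can_renew_without_idp_credentials(
            t0 + timedelta(hours=20), idp_end),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first case ends at the IdP's 18-hour mark even though the portal allows 72 hours; the second ends at the portal's 8 hours because that is shorter; the third shows that without the attribute the 18-hour portal setting is all IAM Identity Center can enforce, whatever the IdP session is.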
Note
If you're using Active Directory as an identity source for IAM Identity Center, session management isn't supported.
Amazon CLI and SDK sessions
If you're using the Amazon Command Line Interface, Amazon Software Development Kits (SDKs), or other Amazon development tools to access Amazon services programmatically, the following prerequisites must be met to set session duration for the Amazon Web Services access portal and the IAM Identity Center integrated applications.
- You must configure the Amazon Web Services access portal session duration in the IAM Identity Center console.
- You must define a profile for single sign-on settings in your shared Amazon config file. This profile is used to connect to the Amazon Web Services access portal. We recommend that you use the SSO token provider configuration. With this configuration, your Amazon SDK or tool can automatically retrieve refreshed authentication tokens. For more information, see SSO token provider configuration in the Amazon SDK and Tools Reference Guide.
- Users must run a version of the Amazon CLI or an SDK that supports session management.
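A small audit of the shared config file against the second prerequisite, as an added example that is not part of the documentation or of any Amazon tool. It reports which profiles use the SSO token provider configuration (an `sso_session` key pointing at an `[sso-session …]` section), which still carry the legacy per-profile `sso_start_url` settings that cannot refresh tokens, and which reference a session section that does not exist. The sample file, profile names, account ID, region and start URL are constructed placeholders.

```python
"""Audit a shared Amazon config file for the SSO token provider configuration.

Added example, not from the documentation. The sample below is a constructed
~/.aws/config; names, account id, region and start URL are placeholders.
"""
import configparser
from typing import Dict

# Constructed sample: one token-provider profile, one legacy profile, and one
# profile whose sso_session points at a section that is not defined.
SAMPLE_CONFIG = """
[sso-session corp]
sso_start_url = https://PLACEHOLDER-start-url.example/start
sso_region = cn-north-1
sso_registration_scopes = sso:account:access

[profile dev-token-provider]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = Developer
region = cn-north-1

[profile dev-legacy]
sso_start_url = https://PLACEHOLDER-start-url.example/start
sso_region = cn-north-1
sso_account_id = 111111111111
sso_role_name = Developer
region = cn-north-1

[profile dev-dangling]
sso_session = does-not-exist
sso_account_id = 111111111111
sso_role_name = Developer
"""

TOKEN_PROVIDER = "token-provider"      # refreshable tokens, recommended above
LEGACY = "legacy"                      # sso_start_url directly in the profile
MISSING_SESSION = "missing-sso-session"  # sso_session names an absent section


def audit_sso_profiles(config_text: str) -> Dict[str, str]:
    """Classify every [profile …] section that uses single sign-on."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    sessions = {s[len("sso-session "):]
                for s in parser.sections() if s.startswith("sso-session ")}
    findings: Dict[str, str] = {}
    for section in parser.sections():
        if not section.startswith("profile "):
            continue
        name = section[len("profile "):]
        profile = parser[section]
        if "sso_session" in profile:
            findings[name] = (TOKEN_PROVIDER if profile["sso_session"] in sessions
                              else MISSING_SESSION)
        elif "sso_start_url" in profile:
            findings[name] = LEGACY
        # profiles without either key do not use single sign-on; skip them
    return findings


if __name__ == "__main__":
    for profile, status in audit_sso_profiles(SAMPLE_CONFIG).items():
        print(f"{profile}: {status}")
```

Run it against a real file by replacing `SAMPLE_CONFIG` with the contents of the shared config; profiles reported as `legacy` are the ones whose sessions will not be refreshed automatically and should be moved to an `[sso-session …]` section before relying on the portal session duration.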
Minimum versions of the Amazon CLI that support session management
Following are the minimum versions of the Amazon CLI that support session management.
- Amazon CLI V2 2.9 or later
- Amazon CLI V1 1.27.10 or later
For information about how to install or update the latest Amazon CLI version, see Installing or updating the latest version of the Amazon CLI.
If your users are running the Amazon CLI and you refresh the permission set just before the IAM Identity Center session is set to expire, with the session duration set to 20 hours and the permission set duration set to 12 hours, the Amazon CLI session runs for a maximum of 20 hours plus 12 hours, for a total of 32 hours. For more information about the IAM Identity Center CLI, see Amazon CLI Command Reference.
Minimum versions of SDKs that support IAM Identity Center session management
Following are the minimum versions of the SDKs that support IAM Identity Center session management.
| SDK | Minimum version |
|---|---|
| Python | 1.26.10 |
| PHP | 3.245.0 |
| Ruby | aws-sdk-core 3.167.0 |
| Java V2 | Amazon SDK for Java v2 (2.18.13) |
| Go V2 | Whole SDK: release-2022-11-11 and specific Go modules: credentials/v1.13.0, config/v1.18.0 |
| JS V2 | 2.1253.0 |
| JS V3 | v3.210.0 |
| C++ | 1.9.372 |
| .NET | v3.7.400.0 |
How to configure the session duration
Use the following procedure to configure the session duration of the Amazon Web Services access portal and IAM Identity Center integrated applications.
- Open the IAM Identity Center console.
- Choose Settings.
- On the Settings page, choose the Authentication tab.
- Under Authentication, next to Session settings, choose Configure. A Configure session settings dialog box appears.
- In the Configure session settings dialog box, choose the maximum session duration in minutes, hours, or days for your users by selecting the drop-down arrow. Choose the length for the session, and then choose Save. You return to the Settings page.
How to extend the session duration for Amazon Q Developer
If your developers use Amazon Q Developer as part of an integrated development environment (IDE), you can set the session duration for Amazon Q Developer to 90 days. Depending on when you enabled IAM Identity Center, extended session duration for Amazon Q Developer might be enabled by default. This extended session doesn’t affect the session duration of the Amazon Web Services access portal or other IAM Identity Center integrated applications.
Note
Amazon Q Developer is accessible from consoles set to commercial Amazon Web Services Regions that are enabled by default. If your IAM Identity Center instance is located in a Region where Amazon Q Developer isn’t currently accessible, enabling 90-day extended session duration won’t override the default setting. This means that your session duration remains unchanged, regardless of whether you enable 90-day extended session duration or not. For more information, see Supported Regions for Amazon Q Developer.
Enable or disable 90-day extended session duration for Amazon Q Developer.
- Open the IAM Identity Center console.
- Choose Settings.
- On the Settings page, choose the Authentication tab.
- Under Authentication, next to Session settings, choose Configure. A Configure session settings dialog box appears.
- In the Configure session settings dialog box, select the checkbox for Enable extended sessions for Amazon Q Developer. Deselect the checkbox to disable extended session duration.
- Choose Save to return to the Settings page.