
Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery

Define a custom session duration (Microsoft variant)

By default, the temporary credentials that AWS Identity and Access Management (IAM) issues for SAML federation are valid for 1 hour. In this exercise, you will learn how to configure a custom session duration of up to 12 hours. Many customers use longer session durations to prevent work interruptions caused by session expirations and to align with existing organizational standards for credential lifetime.

Prerequisites

The following list identifies the prerequisites for this exercise. If you have not completed these tasks, please take the time to do so now.

  • Successful completion of all steps from the Microsoft version of the first hour exercise. If you are having trouble with the first hour exercise, please seek help from one of the AWS workshop facilitators.

Update AD FS Configuration

To define a custom session duration, you will add one more SAML attribute, SessionDuration, to the AD FS claim rules for the AWS relying party trust.

Log in to AD FS via RDP

Log in to your AD FS instance over RDP using its public IP address. You can obtain the public IP address from the Outputs tab of the FederationWorkshopADFS CloudFormation stack you deployed in the first exercise. Log in with the EXAMPLE\Administrator credential.

ADFS Public IP

Note: Recall that the password for EXAMPLE\Administrator is the value you provided in the AdminPassword input parameter during the first hour exercise.

Update AWS claim rules

To get started updating the claim rule, choose the Start menu, type ad fs, and choose AD FS Management.


Choose Relying Party Trusts, then choose signin.aws.amazon.com, and finally choose Edit Claim Rules as shown in the following screenshot.

AD FS Config

Choose Add Rule to configure a new rule, and then choose Send claims using a custom rule. Finally, choose Next.

ADFS Configuration

In the Claim rule name box, type Session Duration. In the Custom rule box, enter the following, and then choose Finish.

=> issue(Type = "https://aws.amazon.com/SAML/Attributes/SessionDuration", Value = "28800");

AD FS Config

This custom rule adds an attribute with a static value to the SAML assertion, using the attribute name that AWS expects (https://aws.amazon.com/SAML/Attributes/SessionDuration). The value is the requested console session length in seconds.

Note: This example uses 28,800 seconds (8 hours), but you can specify your own duration, from 15 minutes (900 seconds) to 12 hours (43,200 seconds). The IAM role's Maximum session duration setting must also permit the value you request; that setting defaults to 1 hour and can be raised to 12 hours on the role itself.

You now see your new claim rule listed after the claim rules you configured in the earlier exercises. Choose OK to save the new configuration.

Testing

You are now ready to test your custom session duration. To do so, open a new browser window and open the SAML tracer add-on. We'll use SAML tracer to inspect the contents of the SAML assertions as they flow from the IdP to AWS, which lets you see the results of your configuration and understand the information that AWS consumes from your identity provider. See the following screenshot for help enabling SAML tracer.

Enable SAML Tracer

With SAML tracer enabled, switch back to the main browser window and enter the IdP initiated login URL for AD FS.

https://idp1.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices

After AD FS returns the login page, log in using alice's credentials.

Note: Recall that alice's password was set to a random value exposed as an output of the first hour CloudFormation template.

AD FS Login

After you log in, you see the AWS role chooser page. Before making your selection, switch back to the SAML tracer window and scroll up until you find the entry for https://signin.aws.amazon.com/saml. Choose that entry, and select the SAML tab in the lower pane. As you look through the assertion, find the <AttributeStatement> element. It shows how the configuration you applied above translates into the additional SessionDuration SAML attribute alongside the Role and RoleSessionName attributes from the earlier exercises. See the following screenshot for reference.

SAML Tracer

Note: At present, the SessionDuration attribute applies only to AWS Management Console sessions. It does not apply to CLI/API credentials retrieved with the AssumeRoleWithSAML API call you used in the initial exercise; for those, the caller requests a lifetime with the DurationSeconds parameter, bounded by the role's Maximum session duration setting.
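To make the SAML tracer check above repeatable, and to catch the range and role-limit mistakes the claim rule can introduce before a user hits them at sign-in, here is an added Python example that is not part of the workshop or of AD FS. It decodes a SAMLResponse form value as posted to https://signin.aws.amazon.com/saml, pulls the AWS attributes out of the AttributeStatement, and validates SessionDuration. The SAML response, account ID, role name and provider name are constructed placeholders; the role_max_session_duration argument is an assumption standing in for the role's IAM Maximum session duration setting.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response and assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names AWS consumes from the assertion (the names AWS documents).
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
ROLE = AWS_ATTR + "Role"
ROLE_SESSION_NAME = AWS_ATTR + "RoleSessionName"
SESSION_DURATION = AWS_ATTR + "SessionDuration"

# Bounds AWS accepts for SessionDuration: 15 minutes to 12 hours.
MIN_SESSION = 900
MAX_SESSION = 43200

# Constructed sample: a minimal, unsigned response of the shape AD FS posts to
# the AWS sign-in endpoint. Account ID, role and provider are placeholders.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Dev,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ROLE_SESSION_NAME}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_DURATION}">
        <saml:AttributeValue>28800</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The browser posts the response base64-encoded in the SAMLResponse field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_attributes(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse form value and return {attribute name: [values]}.

    This only inspects the assertion, like SAML tracer does; it does not
    verify the XML signature. AWS performs that check on its side.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_session_duration(attrs: dict, role_max_session_duration: int = 3600) -> dict:
    """Validate the SessionDuration claim against AWS's range and the role's limit.

    role_max_session_duration is assumed to be the role's IAM Maximum session
    duration in seconds (IAM default 3600, configurable up to 43200). Returns
    the effective console session length and the reason for the verdict.
    """
    values = attrs.get(SESSION_DURATION, [])
    if not values:
        # No claim at all: the console falls back to its 1-hour default.
        return {"ok": True, "seconds": 3600,
                "reason": "SessionDuration absent; console default of 1 hour applies"}
    if len(values) != 1:
        return {"ok": False, "seconds": None,
                "reason": "SessionDuration must carry exactly one value"}
    raw = values[0].strip()
    if not raw.isdigit():
        return {"ok": False, "seconds": None,
                "reason": f"SessionDuration is not an integer: {raw!r}"}
    seconds = int(raw)
    if not MIN_SESSION <= seconds <= MAX_SESSION:
        return {"ok": False, "seconds": seconds,
                "reason": f"{seconds} is outside the allowed {MIN_SESSION}-{MAX_SESSION} second range"}
    if seconds > role_max_session_duration:
        return {"ok": False, "seconds": seconds,
                "reason": f"{seconds} exceeds the role's MaxSessionDuration of "
                          f"{role_max_session_duration}; raise the role setting or lower the claim"}
    return {"ok": True, "seconds": seconds,
            "reason": "SessionDuration within range and permitted by the role"}


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_SAML_RESPONSE)
    print(parsed[SESSION_DURATION])
    print(check_session_duration(parsed, role_max_session_duration=43200))
    print(check_session_duration(parsed, role_max_session_duration=3600))
```

To check a real sign-in, copy the SAMLResponse value from SAML tracer's POST to https://signin.aws.amazon.com/saml and pass it to parse_attributes; the second check_session_duration call in the main block shows the case this exercise most often trips over, an 8-hour claim against a role still at the 1-hour IAM default.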

Key take-aways

In summary, there are two key take-aways from this use case:

  • AWS allows your federated users to work in the AWS Management Console for up to 12 hours by defining a custom session duration.
  • The SessionDuration SAML attribute does not currently apply to temporary credentials retrieved using the CLI/API.

Exercise complete

Congratulations! You have successfully completed the "define a custom session duration for SAML users" advanced use case.

With this use case complete, you are now ready to continue your journey through more of the advanced use cases. To continue, return to the index of advanced use cases.