Session duration and STS token validity depend on your logon method. Adjust the relevant limiting factors to extend them.
RAM user logon
-
Limiting factors
When a RAM user logs on with a username and password, the session duration is limited only by the Login session duration setting in the RAM security settings.
-
How to adjust
-
Console: Adjust the Login session duration in the RAM security settings. Manage RAM user security settings.
-
API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
-
User SSO
-
Limiting factors
When a user logs on via user-based SSO, the session duration is limited only by the Login session duration setting in the RAM security settings.
-
How to adjust
-
Console: Adjust the Login session duration in the RAM security settings. Manage RAM user security settings.
-
API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
-
Role SSO
SAML role SSO
Console logon
-
Limiting factors
When you log on to the console via role-based SSO, the session duration is limited by:
-
The
SessionDurationattribute in the SAML assertion. -
The
SessionNotOnOrAfterattribute of theAuthnStatementelement in the SAML assertion. -
The Login session duration in the RAM security settings.
-
The maximum session duration of the assumed role.
The shortest value takes effect.
-
-
How to adjust
Set all values to at least your desired duration:
-
Adjust the value of the
SessionDurationattribute in the SAML assertion.Configure in your IdP.
-
Adjust the value of the
SessionNotOnOrAfterattribute of theAuthnStatementelement in the SAML assertion.Configure in your IdP.
-
Adjust the Login session duration in the RAM security settings.
-
Console: Adjust the Login session duration in the RAM security settings. Manage RAM user security settings.
-
API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
-
-
Adjust the maximum session duration of the assumed role.
-
Console: Adjust the maximum session duration for the RAM role. Set the maximum session duration for a RAM role.
-
API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
-
-
Programmatic access
-
Limiting factors
When you call AssumeRoleWithSAML, the returned STS token validity is limited by:
-
The
SessionNotOnOrAfterattribute of theAuthnStatementelement in the SAML assertion. -
The maximum session duration of the assumed role.
-
The DurationSeconds parameter specified in the AssumeRoleWithSAML call.
If DurationSeconds is omitted, the default applies.
The shortest value takes effect.
-
-
How to adjust
Set all values to at least your desired duration:
-
Adjust the value of the
SessionNotOnOrAfterattribute of theAuthnStatementelement in the SAML assertion.Configure in your IdP.
-
Adjust the maximum session duration of the assumed role.
-
Console: Adjust the maximum session duration for the RAM role. Set the maximum session duration for a RAM role.
-
API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
-
-
Set the DurationSeconds parameter when you call the AssumeRoleWithSAML operation.
-
OIDC role SSO
-
Limiting factors
When you call AssumeRoleWithOIDC, the returned STS token validity is limited by:
-
The maximum session duration of the assumed role.
-
The DurationSeconds parameter specified in the AssumeRoleWithOIDC call.
If DurationSeconds is omitted, the default applies.
The shortest value takes effect.
-
-
How to adjust
Set both values to at least your desired duration:
-
Adjust the maximum session duration of the assumed role.
-
Console: Adjust the maximum session duration for the RAM role. Set the maximum session duration for a RAM role.
-
API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
-
-
Set the DurationSeconds parameter when you call the AssumeRoleWithOIDC operation.
-
Assuming a RAM role
Switching identity in the console
-
Limiting factors
When you assume a RAM role by switching identity in the console, session duration is limited by:
-
The Login session duration in the RAM security settings.
-
The maximum session duration of the assumed role.
The shortest value takes effect.
-
-
How to adjust
Set both values to at least your desired duration:
-
Adjust the Login session duration in the RAM security settings.
-
Console: Adjust the Login session duration in the RAM security settings. Manage RAM user security settings.
-
API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
-
-
Adjust the maximum session duration of the assumed role.
-
Console: Adjust the maximum session duration for the RAM role. Set the maximum session duration for a RAM role.
-
API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
-
-
Programmatic access
-
Limiting factors
When a RAM user calls AssumeRole, the returned STS token validity is limited by:
-
The maximum session duration of the assumed role.
-
The DurationSeconds parameter specified in the AssumeRole call.
If DurationSeconds is omitted, the default applies.
The shortest value takes effect.
-
-
How to adjust
Set both values to at least your desired duration:
-
Adjust the maximum session duration of the assumed role.
-
Console: Adjust the maximum session duration for the RAM role. Set the maximum session duration for a RAM role.
-
API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
-
-
Set the DurationSeconds parameter when you call the AssumeRole operation.
-
Related topics
Basic concepts covers RAM users, RAM roles, user-based SSO, and role-based SSO.