This topic describes the factors that limit the validity period of a logon session and a Security Token Service (STS) token in different scenarios, and the methods for modifying these periods.
RAM user logon
Limiting factors
The session duration for a Resource Access Management (RAM) user who logs on using a username and password is determined solely by the Logon Session Expiration Time in the security policy for the RAM user.
Modification methods
Console: You can adjust the Logon Session Expiration Time in the security policy for the RAM user. For more information, see Manage the security settings of RAM users.
API: You can set the LoginSessionDuration parameter when you call the SetSecurityPreference operation.
User-based SSO
Limiting factors
The session duration for a user-based SSO logon is determined solely by the Logon Session Expiration Time in the security policy for RAM users.
Modification methods
Console: You can adjust the Logon Session Expiration Time in the security policy for the RAM user. For more information, see Manage the security settings of RAM users.
API: You can set the LoginSessionDuration parameter when you call the SetSecurityPreference operation.
Role-based SSO
SAML-based role SSO
Console logon
Limiting factors
When you log on to the console using role-based SSO, the logon session duration is limited by the following factors:
The SessionDuration attribute in the SAML assertion. For more information, see SAML response for role-based SSO.
The SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion. For more information, see SAML response for role-based SSO.
The Logon Session Expiration Time in the security policy for RAM users. For more information, see Manage the security settings of RAM users.
The maximum session duration of the assumed RAM role. For more information, see Set the maximum session duration for a RAM role.
The final logon session duration is the minimum of the preceding values.
Modification methods
Because the final logon session duration is the minimum of the configured values, you must adjust each configuration to be greater than or equal to the target duration. The modification methods are as follows:
Adjust the value of the SessionDuration attribute in the SAML assertion. The specific operation depends on your IdP configuration. For more information, see the documentation for your IdP.
Adjust the value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion. The specific operation depends on your IdP configuration. For more information, see the documentation for your IdP.
Adjust the Logon Session Expiration Time in the security policy for RAM users.
Console: You can adjust the Logon Session Expiration Time in the security policy for the RAM user. For more information, see Manage the security settings of RAM users.
API: You can set the LoginSessionDuration parameter when you call the SetSecurityPreference operation.
Adjust the maximum session duration of the assumed RAM role.
Console: You can adjust the maximum session duration of the RAM role. For more information, see Set the maximum session duration for a RAM role.
API: You can call CreateRole and set the MaxSessionDuration parameter, or call UpdateRole and set the NewMaxSessionDuration parameter.
Programmatic access
Limiting factors
The validity period of an STS token that you obtain by calling the AssumeRoleWithSAML operation is limited by the following factors:
The SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion. For more information, see SAML response for role-based SSO.
The maximum session duration of the assumed RAM role. For more information, see Set the maximum session duration for a RAM role.
The DurationSeconds parameter specified when you call the AssumeRoleWithSAML operation.
If the DurationSeconds parameter is not specified, the default value is used.
The final validity period of the STS token is the minimum of the preceding values.
Modification methods
The final validity period of an STS token is determined by the minimum configured value. Therefore, you must adjust each configuration to meet or exceed the target duration. The modification methods are as follows:
Adjust the value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion. The specific operation depends on your IdP configuration. For more information, see the documentation for your IdP.
Adjust the maximum session duration of the assumed RAM role.
Console: You can adjust the maximum session duration of the RAM role. For more information, see Set the maximum session duration for a RAM role.
API: You can call CreateRole and set the MaxSessionDuration parameter, or call UpdateRole and set the NewMaxSessionDuration parameter.
Set the DurationSeconds parameter when you call the AssumeRoleWithSAML operation.
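The following is an added example, not Alibaba Cloud code, that works through the "minimum of the preceding values" rule for both the console logon and the AssumeRoleWithSAML cases above, and generalizes to AssumeRoleWithOIDC and AssumeRole (role maximum and DurationSeconds only). It reads the SessionDuration attribute and the SessionNotOnOrAfter attribute out of a constructed SAML assertion, computes the effective duration together with the factor that is binding, and lists which settings fall short of a target so you know what to raise. Assumptions that the page does not state: LoginSessionDuration is given in hours and every other value in seconds, the SessionDuration attribute is carried under the name https://www.aliyun.com/SAML-Role/Attributes/SessionDuration, and the DurationSeconds default is 3600 seconds.

```python
"""Effective logon-session and STS-token duration for RAM role-based SSO.

Added example, not Alibaba Cloud code. Unit assumptions (not stated on the
page): LoginSessionDuration in hours, all other values in seconds.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute name for the SessionDuration attribute; verify against
# "SAML response for role-based SSO" for your setup.
SESSION_DURATION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/SessionDuration"
DEFAULT_DURATION_SECONDS = 3600  # assumed default when DurationSeconds is omitted

# Constructed sample assertion (not a real IdP response): SessionDuration of
# 7200 s and an AuthnStatement that expires 4 hours after IssueInstant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"
      SessionNotOnOrAfter="2024-01-01T04:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SessionDuration">
      <saml:AttributeValue>7200</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def saml_limits(assertion_xml, now=None):
    """Return (SessionDuration, SessionNotOnOrAfter) from the assertion, in seconds.

    A missing value is returned as None. SessionNotOnOrAfter is converted to
    the seconds remaining from `now` (default: the assertion's IssueInstant).
    """
    root = ET.fromstring(assertion_xml)
    if now is None:
        now = _parse_iso(root.get("IssueInstant"))
    session_duration = None
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            value = attr.find("saml:AttributeValue", SAML_NS)
            session_duration = int(value.text.strip())
    not_on_or_after = None
    authn = root.find("saml:AuthnStatement", SAML_NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        remaining = (_parse_iso(authn.get("SessionNotOnOrAfter")) - now).total_seconds()
        not_on_or_after = max(0, int(remaining))
    return session_duration, not_on_or_after


def console_logon_limits(assertion_xml, login_session_hours, role_max_session_s):
    """The four factors that bound a role-based SSO console logon session."""
    session_duration, not_on_or_after = saml_limits(assertion_xml)
    return {
        "SessionDuration": session_duration,
        "SessionNotOnOrAfter": not_on_or_after,
        "LoginSessionDuration": login_session_hours * 3600,
        "MaxSessionDuration": role_max_session_s,
    }


def sts_token_limits(role_max_session_s, duration_seconds=None, assertion_xml=None):
    """Factors that bound an STS token: AssumeRoleWithSAML when an assertion is
    given, otherwise AssumeRoleWithOIDC / AssumeRole (role maximum and
    DurationSeconds only). An omitted DurationSeconds falls back to the default.
    """
    limits = {
        "MaxSessionDuration": role_max_session_s,
        "DurationSeconds": DEFAULT_DURATION_SECONDS if duration_seconds is None else duration_seconds,
    }
    if assertion_xml is not None:
        limits["SessionNotOnOrAfter"] = saml_limits(assertion_xml)[1]
    return limits


def effective_duration(limits):
    """Effective duration in seconds and the name of the binding (smallest) factor."""
    present = {name: secs for name, secs in limits.items() if secs is not None}
    binding = min(present, key=present.get)
    return present[binding], binding


def settings_to_raise(limits, target_s):
    """Factors that must be raised to at least target_s for the session to last that long."""
    return sorted(name for name, secs in limits.items() if secs is not None and secs < target_s)


if __name__ == "__main__":
    limits = console_logon_limits(SAMPLE_ASSERTION, login_session_hours=6, role_max_session_s=10800)
    print("console logon:", effective_duration(limits))          # (7200, 'SessionDuration')
    print("raise for 12000 s:", settings_to_raise(limits, 12000))  # ['MaxSessionDuration', 'SessionDuration']
    print("AssumeRoleWithSAML:", effective_duration(sts_token_limits(10800, None, SAMPLE_ASSERTION)))
```

Run against a real assertion, pass the current time as `now` to `saml_limits`, because SessionNotOnOrAfter is an absolute instant and the remaining window shrinks between the IdP issuing the assertion and the AssumeRoleWithSAML call. The `settings_to_raise` output is the practical reading of the rule in the modification section: every name it returns must be raised, and raising only one of them changes nothing.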
OIDC-based role SSO
Limiting factors
The validity period of an STS token that you obtain by calling the AssumeRoleWithOIDC operation is limited by the following factors:
The maximum session duration of the assumed RAM role.
For more information, see Set the maximum session duration for a RAM role.
The DurationSeconds parameter specified when you call the AssumeRoleWithOIDC operation.
If the DurationSeconds parameter is not specified, the default value is used.
The final validity period of the STS token is the minimum of the preceding values.
Modification methods
Because the final validity period of the STS token is the minimum of the configured values, you must adjust each configuration to be greater than or equal to the target duration. The modification methods are as follows:
Adjust the maximum session duration of the assumed RAM role.
Console: You can adjust the maximum session duration of the RAM role. For more information, see Set the maximum session duration for a RAM role.
API: You can call CreateRole and set the MaxSessionDuration parameter, or call UpdateRole and set the NewMaxSessionDuration parameter.
Set the DurationSeconds parameter when you call the AssumeRoleWithOIDC operation.
Assuming a RAM role
Switching identities in the console
Limiting factors
When you assume a RAM role by switching your identity in the console, the duration of the new logon session is limited by the following factors:
The Logon Session Expiration Time in the security policy for RAM users.
For more information, see Manage the security settings of RAM users.
The maximum session duration of the assumed RAM role.
For more information, see Set the maximum session duration for a RAM role.
The final logon session duration is the minimum of the preceding values.
Modification methods
Because the final logon session duration is the minimum of the configured values, you must adjust each configuration to be greater than or equal to the target duration. The modification methods are as follows:
Adjust the Logon Session Expiration Time in the security policy for RAM users.
Console: You can adjust the Logon Session Expiration Time in the security policy for the RAM user. For more information, see Manage the security settings of RAM users.
API: You can set the LoginSessionDuration parameter when you call the SetSecurityPreference operation.
Adjust the maximum session duration of the assumed RAM role.
Console: You can adjust the maximum session duration of the RAM role. For more information, see Set the maximum session duration for a RAM role.
API: You can call CreateRole and set the MaxSessionDuration parameter, or call UpdateRole and set the NewMaxSessionDuration parameter.
Programmatic access
Limiting factors
The validity period of an STS token that a RAM user obtains by calling the AssumeRole operation is limited by the following factors:
The maximum session duration of the assumed RAM role.
For more information, see Set the maximum session duration for a RAM role.
The DurationSeconds parameter specified when you call the AssumeRole operation.
If the DurationSeconds parameter is not specified, the default value is used.
The final validity period of the STS token is the minimum of the preceding values.
Modification methods
Because the final validity period of the STS token is the minimum of the configured values, you must adjust each configuration to be greater than or equal to the target duration. The modification methods are as follows:
Adjust the maximum session duration of the assumed RAM role.
Console: You can adjust the maximum session duration of the RAM role. For more information, see Set the maximum session duration for a RAM role.
API: You can call CreateRole and set the MaxSessionDuration parameter, or call UpdateRole and set the NewMaxSessionDuration parameter.
Set the DurationSeconds parameter when you call the AssumeRole operation.
References
For more information about concepts such as RAM users, RAM roles, user-based SSO, and role-based SSO, see Basic Concepts.