This topic describes the validity period of a logon session or an STS token in different scenarios and how to modify the validity period.
RAM user-based logon
Validity period of a logon session
If you use the username-password logon method to log on to the Alibaba Cloud Management Console as a Resource Access Management (RAM) user, the validity period of the logon session is determined by the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console.
How to modify the validity period
You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Manage security settings of RAM users.
User-based SSO
Validity period of a logon session
If you log on to the Alibaba Cloud Management Console by using user-based single sign-on (SSO), the validity period of the logon session is determined by the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console.
How to modify the validity period
You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Manage security settings of RAM users.
Role-based SSO by using SAML
Console-based logon
Validity period of a logon session
If you log on to the Alibaba Cloud Management Console by using role-based SSO, the validity period of the logon session is affected by the following items:
The value of the SessionDuration attribute in the SAML assertion
For more information, see SAML response for role-based SSO.
The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion
For more information, see SAML response for role-based SSO.
The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console
For more information, see Manage security settings of RAM users.
The maximum session duration of the assumed RAM role
For more information, see Specify the maximum session duration for a RAM role.
The actual validity period of the logon session is determined by the smallest value among the preceding items. Note that SessionNotOnOrAfter is an absolute timestamp, not a duration: the value it contributes is the time remaining between the logon and that instant, so an assertion whose SessionNotOnOrAfter is close to its IssueInstant caps the session regardless of the other settings.
How to modify the validity period
You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:
The value of the SessionDuration attribute in the SAML assertion
The method to modify the value of the SessionDuration attribute varies based on the configuration of your identity provider (IdP). For more information, see the documentation of your IdP.
The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion
The method to modify the value of the SessionNotOnOrAfter attribute varies based on the configuration of your IdP. For more information, see the documentation of your IdP.
The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console
You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Manage security settings of RAM users.
The maximum session duration of the assumed RAM role
You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.
Programmatic access
Validity period of an STS token
If you obtain a Security Token Service (STS) token by calling the AssumeRoleWithSAML operation, the validity period of the STS token is affected by the following items:
The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion
For more information, see SAML response for role-based SSO.
The maximum session duration of the assumed RAM role
For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRoleWithSAML operation
If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRoleWithSAML.
The actual validity period of the STS token is determined by the smallest value among the preceding items.
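The following Python script is an added example; it is not part of the Alibaba Cloud documentation or SDK. It applies the "smallest value wins" rule from the two role-based SSO by using SAML subsections above (console-based logon and programmatic access through AssumeRoleWithSAML) and reports which limit is the binding one, which is what you need when a session or token expires earlier than expected. It goes slightly beyond the text by also covering AssumeRole and AssumeRoleWithOIDC, where no SAML cap applies. The SAML response is constructed for the example; the SessionDuration attribute name is the one used in Alibaba Cloud role-based SSO assertions; the default of 3600 seconds for an omitted DurationSeconds is an assumption to be checked against the API reference; the function names and the SAMPLE_NOW logon time are the example's own.

```python
"""Effective validity of a role-based SSO console session or an STS token:
every limit is expressed in seconds and the smallest one wins."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Attribute that carries SessionDuration in an Alibaba Cloud role-based SSO assertion.
SESSION_DURATION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/SessionDuration"
# Assumed default used when DurationSeconds is omitted; confirm against the API reference.
DEFAULT_DURATION_SECONDS = 3600

# Constructed sample (not a real IdP response): SessionDuration of 7200 s and a
# SessionNotOnOrAfter 30 minutes after the assumed logon time SAMPLE_NOW.
SAMPLE_NOW = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z"
        SessionNotOnOrAfter="2024-01-01T10:30:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SessionDuration">
        <saml:AttributeValue>7200</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_utc(value):
    """Parse an xs:dateTime such as 2024-01-01T10:30:00Z (UTC, optional fraction)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def parse_saml_limits(response_xml, now):
    """Return (session_duration, seconds_until_session_not_on_or_after).

    Either value is None when the assertion does not carry it. SessionNotOnOrAfter
    is an absolute instant, so it is converted to the seconds remaining at `now`;
    a non-positive result means the assertion can no longer start a session.
    """
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    session_duration = None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            session_duration = int(attr.find("saml:AttributeValue", NS).text.strip())
    remaining = None
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        remaining = int((_parse_utc(stmt.get("SessionNotOnOrAfter")) - now).total_seconds())
    return session_duration, remaining


def binding_limit(limits):
    """limits maps a limit name to seconds, or None when that limit does not apply.

    Returns (seconds, name) for the smallest applicable limit: the effective validity
    period and the setting that produced it.
    """
    present = {name: secs for name, secs in limits.items() if secs is not None}
    if not present:
        raise ValueError("no applicable limits")
    name = min(present, key=present.get)
    if present[name] <= 0:
        raise ValueError(f"{name} already expired; no session can be established")
    return present[name], name


def console_logon_validity(response_xml, now, logon_session_seconds, role_max_seconds):
    """Role-based SSO console logon: all four limits listed on the page apply."""
    session_duration, remaining = parse_saml_limits(response_xml, now)
    return binding_limit({
        "SessionDuration": session_duration,
        "SessionNotOnOrAfter": remaining,
        "LogonSessionValidityPeriod": logon_session_seconds,
        "RoleMaxSessionDuration": role_max_seconds,
    })


def sts_token_validity(role_max_seconds, duration_seconds=None, response_xml=None, now=None):
    """AssumeRoleWithSAML when response_xml is given; AssumeRole or AssumeRoleWithOIDC
    otherwise (no SAML cap, so only the role maximum and DurationSeconds apply)."""
    remaining = None
    if response_xml is not None:
        _, remaining = parse_saml_limits(response_xml, now)
    requested = DEFAULT_DURATION_SECONDS if duration_seconds is None else duration_seconds
    return binding_limit({
        "SessionNotOnOrAfter": remaining,
        "RoleMaxSessionDuration": role_max_seconds,
        "DurationSeconds": requested,
    })


if __name__ == "__main__":
    # Console logon, 6 h console setting, 4 h role maximum: the assertion's 1800 s wins.
    print(console_logon_validity(SAMPLE_RESPONSE, SAMPLE_NOW, 6 * 3600, 4 * 3600))
    # AssumeRoleWithSAML requesting 3600 s: still capped at 1800 s by SessionNotOnOrAfter.
    print(sts_token_validity(4 * 3600, 3600, SAMPLE_RESPONSE, SAMPLE_NOW))
    # AssumeRole with DurationSeconds omitted against a 30-minute role maximum: role cap wins.
    print(sts_token_validity(1800))
```

Pass the logon time your IdP actually stamped on the assertion as `now`; if `SessionNotOnOrAfter` has already passed, `binding_limit` raises instead of returning a negative value, because no session can be created from that assertion. Because SessionNotOnOrAfter is absolute, the same assertion yields a shorter token the later AssumeRoleWithSAML is called.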
How to modify the validity period
You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:
The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion
The method to modify the value of the SessionNotOnOrAfter attribute varies based on the configuration of your IdP. For more information, see the documentation of your IdP.
The maximum session duration of the assumed RAM role
You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRoleWithSAML operation
For more information, see AssumeRoleWithSAML.
Role-based SSO by using OIDC
Validity period of an STS token
If you obtain an STS token by calling the AssumeRoleWithOIDC operation, the validity period of the STS token is affected by the following items:
The maximum session duration of the assumed RAM role
For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRoleWithOIDC operation
If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRoleWithOIDC.
The actual validity period of the STS token is determined by the smaller value between the preceding items.
How to modify the validity period
You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:
The maximum session duration of the assumed RAM role
You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRoleWithOIDC operation
For more information, see AssumeRoleWithOIDC.
RAM role assumption
Console-based identity switching
Validity period of a logon session
After you log on to the Alibaba Cloud Management Console and switch your logon identity to a RAM role, the validity period of a logon session is affected by the following items:
The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console
For more information, see Manage security settings of RAM users.
The maximum session duration of the assumed RAM role
For more information, see Specify the maximum session duration for a RAM role.
The actual validity period of the logon session is determined by the smaller value between the preceding items.
How to modify the validity period
You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:
The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console
You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Manage security settings of RAM users.
The maximum session duration of the assumed RAM role
You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.
Programmatic access
Validity period of an STS token
If you obtain an STS token by calling the AssumeRole operation as a RAM user, the validity period of the STS token is affected by the following items:
The maximum session duration of the assumed RAM role
For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRole operation
If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRole.
The actual validity period of the STS token is determined by the smaller value between the preceding items.
How to modify the validity period
You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:
The maximum session duration of the assumed RAM role
You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.
The value of the DurationSeconds parameter that you specify when you call the AssumeRole operation
For more information, see AssumeRole.