This topic describes the validity period of a logon session or an STS token in different scenarios and how to modify the validity period.

RAM user-based logon

  • Validity period of a logon session

    If you use the username-password logon method to log on to the Alibaba Cloud Management Console as a Resource Access Management (RAM) user, the validity period of the logon session is determined by the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console.

  • How to modify the validity period

    You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Configure security policies for RAM users.

User-based SSO

  • Validity period of a logon session

    If you log on to the Alibaba Cloud Management Console by using user-based single sign-on (SSO), the validity period of the logon session is determined by the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console.

  • How to modify the validity period

    You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Configure security policies for RAM users.

Role-based SSO by using SAML

Console-based logon

  • Validity period of a logon session

    If you log on to the Alibaba Cloud Management Console by using role-based SSO, the validity period of the logon session is affected by the following items:

    • The value of the SessionDuration attribute in the SAML assertion

    • The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion

    • The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console

    • The maximum session duration of the assumed RAM role

    The actual validity period of the logon session is determined by the smallest value among the preceding items.

  • How to modify the validity period

    You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:

    • The value of the SessionDuration attribute in the SAML assertion

      The method to modify the value of the SessionDuration attribute varies based on the configurations of different identity providers (IdPs). For more information, see the documentation of each IdP.

    • The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion

      The method to modify the value of the SessionNotOnOrAfter attribute varies based on the configurations of different IdPs. For more information, see the documentation of each IdP.

    • The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console

      You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Configure security policies for RAM users.

    • The maximum session duration of the assumed RAM role

      You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.

Programmatic access

  • Validity period of an STS token

    If you obtain a Security Token Service (STS) token by calling the AssumeRoleWithSAML operation, the validity period of the STS token is affected by the following items:

    • The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion

      For more information, see SAML response for role-based SSO.

    • The maximum session duration of the assumed RAM role

      For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRoleWithSAML operation

      If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRoleWithSAML.

    The actual validity period of the STS token is determined by the smallest value among the preceding items.

  • How to modify the validity period

    You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:

    • The value of the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion

      The method to modify the value of the SessionNotOnOrAfter attribute varies based on the configurations of different IdPs. For more information, see the documentation of each IdP.

    • The maximum session duration of the assumed RAM role

      You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRoleWithSAML operation

      For more information, see AssumeRoleWithSAML.
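The following Python script is an added example, not Alibaba Cloud's own code, that applies the smallest-value rule from both the console-based logon and the programmatic access sections above. It parses a constructed SAML assertion, reads SessionNotOnOrAfter from the AuthnStatement element and the SessionDuration attribute, and reports which item caps the console session or the STS token. The RAM-side values (Logon Session Validity Period, the maximum session duration of the role, and the default used when DurationSeconds is omitted) are passed in as parameters because they are account configuration. The attribute Name used for SessionDuration is assumed to follow the naming in the SAML response reference linked above; check it against your IdP configuration.

```python
"""Effective validity of a role-based SAML SSO session or STS token.

Added example (not Alibaba Cloud code). The assertion below is constructed
for illustration; the SessionDuration attribute Name is assumed to match the
SAML response reference. All durations are in seconds.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute Name under which the IdP passes SessionDuration.
SESSION_DURATION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/SessionDuration"

# Constructed assertion fragment: session ends at 10:00Z, IdP asks for 7200 s.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z"
                       SessionNotOnOrAfter="2024-05-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SessionDuration">
      <saml:AttributeValue>7200</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
# Constructed evaluation time: 90 minutes before SessionNotOnOrAfter.
SAMPLE_NOW = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc)


def parse_session_limits(assertion_xml, now):
    """Return the two session limits carried by the assertion, in seconds.

    A limit the assertion does not carry is returned as None so that it is
    simply left out when the minimum is taken.
    """
    root = ET.fromstring(assertion_xml)
    limits = {"SessionNotOnOrAfter": None, "SessionDuration": None}

    authn = root.find("saml:AuthnStatement", SAML_NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants +00:00.
        stamp = authn.get("SessionNotOnOrAfter").replace("Z", "+00:00")
        expiry = datetime.fromisoformat(stamp)
        limits["SessionNotOnOrAfter"] = int((expiry - now).total_seconds())

    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                limits["SessionDuration"] = int(value.text.strip())
    return limits


def _smallest(candidates):
    """Return (item name, seconds) for the smallest defined candidate."""
    defined = [(name, secs) for name, secs in candidates.items() if secs is not None]
    return min(defined, key=lambda item: item[1])


def console_session_validity(assertion_xml, now, logon_session_validity,
                             role_max_session_duration):
    """Console session after role-based SSO: smallest of the four items."""
    limits = parse_session_limits(assertion_xml, now)
    return _smallest({
        "LogonSessionValidityPeriod": logon_session_validity,
        "RoleMaxSessionDuration": role_max_session_duration,
        "SessionDuration": limits["SessionDuration"],
        "SessionNotOnOrAfter": limits["SessionNotOnOrAfter"],
    })


def sts_token_validity(assertion_xml, now, role_max_session_duration,
                       duration_seconds=None, default_duration_seconds=3600):
    """STS token from AssumeRoleWithSAML: smallest of SessionNotOnOrAfter,
    the role's maximum session duration, and DurationSeconds (the supplied
    default stands in when DurationSeconds is omitted)."""
    limits = parse_session_limits(assertion_xml, now)
    requested = duration_seconds if duration_seconds is not None else default_duration_seconds
    return _smallest({
        "RoleMaxSessionDuration": role_max_session_duration,
        "DurationSeconds": requested,
        "SessionNotOnOrAfter": limits["SessionNotOnOrAfter"],
    })


if __name__ == "__main__":
    print("console:", console_session_validity(SAMPLE_ASSERTION, SAMPLE_NOW, 6 * 3600, 4 * 3600))
    print("token, default DurationSeconds:", sts_token_validity(SAMPLE_ASSERTION, SAMPLE_NOW, 4 * 3600))
    print("token, DurationSeconds=10800:", sts_token_validity(SAMPLE_ASSERTION, SAMPLE_NOW, 4 * 3600, 10800))
```

Because each result names the limiting item, it tells you which setting to raise first; raising any other setting has no effect until that one is no smaller than the validity period you need. With the constructed assertion, SessionNotOnOrAfter (90 minutes left) caps the console session, while a default DurationSeconds caps the STS token even though the assertion and role would allow more.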

OIDC-based SSO

  • Validity period of an STS token

    If you obtain an STS token by calling the AssumeRoleWithOIDC operation, the validity period of the STS token is affected by the following items:

    • The maximum session duration of the assumed RAM role

      For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRoleWithOIDC operation

      If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRoleWithOIDC.

    The actual validity period of the STS token is determined by the smaller value between the preceding items.

  • How to modify the validity period

    You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:

    • The maximum session duration of the assumed RAM role

      You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRoleWithOIDC operation

      For more information, see AssumeRoleWithOIDC.

Assuming a RAM role

Console-based identity switching

  • Validity period of a logon session

    After you log on to the Alibaba Cloud Management Console and switch your logon identity to a RAM role, the validity period of the logon session is affected by the following items:

    • The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console

    • The maximum session duration of the assumed RAM role

    The actual validity period of the logon session is determined by the smaller value between the preceding items.

  • How to modify the validity period

    You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:

    • The value of the Logon Session Validity Period parameter that is displayed on the Security Settings tab of the RAM console

      You can log on to the RAM console or call an operation to modify the value of the Logon Session Validity Period parameter. For more information, see Configure security policies for RAM users.

    • The maximum session duration of the assumed RAM role

      You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.

Programmatic access

  • Validity period of an STS token

    If you obtain an STS token by calling the AssumeRole operation as a RAM user, the validity period of the STS token is affected by the following items:

    • The maximum session duration of the assumed RAM role

      For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRole operation

      If the DurationSeconds parameter is not specified, the default value is used. For more information, see AssumeRole.

    The actual validity period of the STS token is determined by the smaller value between the preceding items.

  • How to modify the validity period

    You must modify the value of each item to a value that is no smaller than the required validity period. The following list describes the methods to modify the value of each item:

    • The maximum session duration of the assumed RAM role

      You can log on to the RAM console or call an operation to modify the maximum session duration of the assumed RAM role. For more information, see Specify the maximum session duration for a RAM role.

    • The value of the DurationSeconds parameter that you specified when you call the AssumeRole operation

      For more information, see AssumeRole.