How to modify the AWS Console timeout with Azure Active Directory SAML

March 22, 2018

This article describes how to configure Azure Active Directory as the SAML Identity Provider (IdP) to change the default AWS Console timeout from 1 hour to a different value.

It seems there has been a lot of discussion about how to change the timeout, and there is no clear documentation from AWS on how to achieve this with Azure AD. As an example of the confusion, have a look at this discussion thread:

https://forums.aws.amazon.com/message.jspa?messageID=733264

Some good guidance is provided on how to achieve this with ADFS, as described here, but I haven’t yet seen any guidance for Azure AD.

OK, here’s how to do it. (Note that this assumes you have already configured the AWS Console to work with Azure AD via SAML.)

Go to your Azure Portal and open the Single Sign-On blade for your Amazon Web Services Console application.  Under the User Attributes section, select the checkbox to expose other user attributes, as shown below.

[Screenshot 1: User Attributes section of the Single Sign-On blade]


Select the option to add a new attribute.

[Screenshot 2: Add attribute option]

In the Add attribute blade, set the Name value to “SessionDuration” (note that this attribute name is case sensitive), the Value to the timeout in seconds that you want, and the Namespace to “https://aws.amazon.com/SAML/Attributes”. AWS accepts values from 900 seconds (15 minutes) to 43200 seconds (12 hours), and the Maximum session duration configured on the IAM role you assume must also allow the length you choose. Then click OK.

[Screenshot 3: Add attribute blade with Name, Value and Namespace filled in]

The net result should look like this:

[Screenshot 4: resulting attribute list]

Save the changes and you are ready to go and test the new timeout.
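To confirm what Azure AD actually sends, the following added Python script (not part of the original post) inspects a decoded SAML assertion for the SessionDuration attribute, checking the exact attribute name AWS expects and the 900–43200 second range. It assumes you have captured the SAMLResponse from the browser and base64-decoded it; the assertion fragment below is constructed, with Role and RoleSessionName attributes omitted.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = "{%s}Attribute" % SAML_NS
VALUE_TAG = "{%s}AttributeValue" % SAML_NS
# Azure AD joins the Namespace and Name from the portal with "/", which is
# exactly the attribute name AWS looks for (case sensitive).
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MIN_SECONDS, MAX_SECONDS = 900, 43200   # AWS accepts 15 minutes to 12 hours


def check_session_duration(assertion_xml: str) -> dict:
    """Report whether AWS will honour the SessionDuration attribute in a
    decoded assertion. Returns {"seconds": int or None, "problems": [...]}."""
    root = ET.fromstring(assertion_xml)
    problems, seconds = [], None
    matches = [a for a in root.iter(ATTR_TAG)
               if a.get("Name", "").lower() == SESSION_DURATION_ATTR.lower()]
    if not matches:
        problems.append("no SessionDuration attribute: console session stays at the 1 hour default")
    for attr in matches:
        name = attr.get("Name")
        if name != SESSION_DURATION_ATTR:
            problems.append("attribute name %r differs in case from %r; AWS ignores it" % (name, SESSION_DURATION_ATTR))
            continue
        value = (attr.findtext(VALUE_TAG) or "").strip()
        if not value.isdigit():
            problems.append("SessionDuration value %r is not a whole number of seconds" % value)
            continue
        seconds = int(value)
        if not MIN_SECONDS <= seconds <= MAX_SECONDS:
            problems.append("SessionDuration %d is outside the accepted range %d-%d seconds" % (seconds, MIN_SECONDS, MAX_SECONDS))
    return {"seconds": seconds, "problems": problems}


# Constructed sample: the attribute statement Azure AD emits for a 4-hour timeout.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>14400</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The case trap from the post: same namespace, lower-case name.
BAD_CASE_ASSERTION = GOOD_ASSERTION.replace("SessionDuration", "sessionduration")

if __name__ == "__main__":
    print(check_session_duration(GOOD_ASSERTION))
    print(check_session_duration(BAD_CASE_ASSERTION))
```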

For more information on the SessionDuration attribute, please see the AWS documentation here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

Tony


2 thoughts on “How to modify the AWS Console timeout with Azure Active Directory SAML”

  1. Duncan

    Hi,

    Thanks so much for this! It’s been driving us nuts and this seems to have helped!

    Cheers,

    Duncan
