AWS singlesignon documentation change
Summary
Updated terminology from 'IAM Identity Center' to 'IAM Identity Center directory' in headers and links. Revised session expiration language to remove specific timeframes and clarify behavior when users are disabled/deleted.
Security assessment
Changes clarify existing session management behavior but do not address a specific security vulnerability. The updates provide more accurate descriptions of user access persistence after deletion/disablement without introducing new security controls.
Diff
diff --git a/singlesignon/latest/userguide/manage-your-identity-source-considerations.md b/singlesignon/latest/userguide/manage-your-identity-source-considerations.md index ac3b063d7..d8548be5d 100644 --- a//singlesignon/latest/userguide/manage-your-identity-source-considerations.md +++ b//singlesignon/latest/userguide/manage-your-identity-source-considerations.md @@ -5 +5 @@ -Changing between IAM Identity Center and Active DirectoryChanging from IAM Identity Center to an external IdPChanging from an external IdP to IAM Identity CenterChanging from one external IdP to another external IdPChanging between Active Directory and an external IdP +Changing between IAM Identity Center directory and Active DirectoryChanging from IAM Identity Center to an external IdPChanging from an external IdP to IAM Identity CenterChanging from one external IdP to another external IdPChanging between Active Directory and an external IdP @@ -15 +15 @@ Before you change the identity source for IAM Identity Center, review the follow -## Changing between IAM Identity Center and Active Directory +## Changing between IAM Identity Center directory and Active Directory @@ -31 +31 @@ If you choose to not use Active Directory, you must create your users and groups - * Existing user session expiration can take up to two hours – Once the users and groups are deleted from the Identity Center directory, users with active sessions can continue to access the AWS access portal and integrated AWS applications for up to two hours. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). + * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). @@ -52 +52 @@ If you change your identity source from IAM Identity Center to an external ident -If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the AWS access portal and integrated AWS applications for up to two hours. + * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). @@ -73 +73 @@ If you change your identity source from an external identity provider (IdP) to I -If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the AWS access portal and integrated AWS applications for up to two hours. + * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). @@ -96 +96 @@ These assertions must match the user names in IAM Identity Center when your user -If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the AWS access portal and integrated AWS applications for up to two hours. + * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). @@ -117 +117 @@ If you change your identity source from an external IdP to Active Directory, or - * Existing user sessions expiration can take up to two hours – Once the users and groups are deleted from the Identity Center directory, users with active sessions can continue to access the AWS access portal and integrated AWS applications for up to two hours. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html). + * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).