AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-08-13 · Documentation low

File: singlesignon/latest/userguide/configure-user-session.md

Summary

Restructured documentation to focus on session duration configuration types and related topics. Removed detailed technical prerequisites and SDK version requirements, replacing them with topic links for different session types and management actions.

Security assessment

The changes reorganize existing session management documentation but don't introduce new security vulnerabilities or fixes. While session duration configuration is a security-adjacent feature, there's no evidence of addressing a specific security flaw. The modifications primarily improve documentation structure by separating concerns into linked topics rather than adding new security controls.

Diff

diff --git a/singlesignon/latest/userguide/configure-user-session.md b/singlesignon/latest/userguide/configure-user-session.md
index 82e1b5edf..fe3db6b6c 100644
--- a//singlesignon/latest/userguide/configure-user-session.md
+++ b//singlesignon/latest/userguide/configure-user-session.md
@@ -5 +5 @@
-Prerequisites and considerations
+# Configure the session duration in IAM Identity Center
@@ -7 +7 @@ Prerequisites and considerations
-# Configure the session duration of the AWS access portal and IAM Identity Center integrated applications
+You can configure the session duration for your workforce users when they use the AWS access portal and applications that work with IAM Identity Center, including Amazon Q Developer. IAM Identity Center provides the following session types: user interactive sessions, user background sessions, and extended sessions for Amazon Q Developer.
@@ -9,56 +9 @@ Prerequisites and considerations
-The IAM Identity Center administrator can configure the session duration for both applications integrated with IAM Identity Center and the AWS access portal. The session duration of authentication into the AWS access portal and IAM Identity Center integrated applications is the maximum length of time that a user can be signed in without re-authenticating. The IAM Identity Center administrator can end an active AWS access portal session and by doing so also end the sessions of integrated applications.
-
-The default session duration is 8 hours. The IAM Identity Center administrator can specify a different duration, from a minimum of 15 minutes to a maximum of 90 days. Custom duration value must be entered in minutes and be between 15 and 10080 minutes (7 days). For more information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
-
-###### Note
-
-Modifying the AWS access portal session duration and ending the AWS access portal sessions have no effect on the AWS Management Console session duration that you define in your permission sets.
-
-The following topics provide information about configuring the session duration of the AWS access portal and IAM Identity Center integrated applications.
-
-## Prerequisites and considerations
-
-The following are the prerequisites and considerations for configuring the session duration for the AWS access portal and IAM Identity Center integrated applications.
-
-### External identity providers
-
-IAM Identity Center uses `SessionNotOnOrAfter` attribute from SAML assertions to help determine how long the session can be valid for. 
-
-  * If `SessionNotOnOrAfter` is not passed in a SAML assertion, the duration of an AWS access portal session is not impacted by the duration of your external IdP session. For example, if your IdP session duration is 24 hours and you set an 18-hour session duration in IAM Identity Center, your users must re-authenticate in the AWS access portal after 18 hours.
-
-  * If `SessionNotOnOrAfter` is passed in a SAML assertion, the session duration value is set to the shorter of the AWS access portal session duration and your SAML IdP session duration. If you set a 72-hour session duration in IAM Identity Center and your IdP has a session duration of 18 hours, your users will have access to AWS resources for the 18 hours defined in your IdP.
-
-  * If the session duration of your IdP is longer than the one set in IAM Identity Center, your users will be able to start a new IAM Identity Center session without re-entering their credentials, based on their still-valid login session with your IdP.
-
-
-
-
-### AWS CLI and SDK sessions
-
-If you're using the AWS Command Line Interface, AWS Software Development Kits (SDKs), or other AWS development tools to access AWS services programmatically, the following prerequisites must be met to set session duration for the AWS access portal and the IAM Identity Center integrated applications.
-
-  * You must [configure the AWS access portal session duration](./user-session-duration-how-to-configure.html) in the IAM Identity Center console. 
-
-  * You must define a profile for single sign-on settings in your shared AWS config file. This profile is used to connect to the AWS access portal. We recommend that you use the SSO token provider configuration. With this configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens. For more information, see [SSO token provider configuration](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html#sso-token-config) in the _AWS SDK and Tools Reference Guide._
-
-  * Users must run a version of the AWS CLI or an SDK that supports session management. 
-
-
-
-
-#### Minimum versions of the AWS CLI that support session management
-
-Following are the minimum versions of the AWS CLI that support session management.
-
-  * AWS CLI V2 2.9 or later
-
-  * AWS CLI V1 1.27.10 or later
-
-
-
-
-For information about how to install or update the latest AWS CLI version, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
-
-If your users are running the AWS CLI, if you refresh your permission set just before the IAM Identity Center session is set to expire and the session duration is set to 20 hours while the permission set duration is set to 12 hours, the AWS CLI session runs for the maximum of 20 hours plus 12 hours for a total of 32 hours. For more information about the IAM Identity Center CLI, see [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/identitystore/index.html#cli-aws-identitystore).
-
-#### Minimum versions of SDKs that support IAM Identity Center session management
+###### Topics
@@ -66 +11 @@ If your users are running the AWS CLI, if you refresh your permission set just b
-Following are the minimum versions of the SDKs that support IAM Identity Center session management.
+  * [User interactive sessions](./user-interactive-sessions.html)
@@ -68,11 +13 @@ Following are the minimum versions of the SDKs that support IAM Identity Center
-SDK | Minimum version  
----|---  
-Python | 1.26.10  
-PHP | 3.245.0  
-Ruby | aws-sdk-core 3.167.0  
-Java V2 | AWS SDK for Java v2 (2.18.13)  
-Go V2 | Whole SDK: release-2022-11-11 and specific Go modules: credentials/v1.13.0, config/v1.18.0  
-JS V2 | 2.1253.0  
-JS V3 | v3.210.0  
-C++ | 1.9.372  
-.NET | v3.7.400.0  
+  * [User background sessions](./user-background-sessions.html)
@@ -80 +15 @@ C++ | 1.9.372
-###### Topics
+  * [Extended sessions for Amazon Q Developer](./90-day-extended-session-duration.html)
@@ -82 +17 @@ C++ | 1.9.372
-  * [How to configure application session duration](./user-session-duration-how-to-configure.html)
+  * [View and end active sessions for your workforce users](./end-active-sessions.html)
@@ -84 +19 @@ C++ | 1.9.372
-  * [ How to extend the session duration for Amazon Q Developer](./90-day-extended-session-duration.html)
+  * [Session duration considerations for using external IdPs, the AWS CLI, and AWS SDKs](./user-session-duration-prereqs-considerations.html)
@@ -95 +30 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Manage sign-in and attribute use for all identity source types
+Certificate expiration status indicators
@@ -97 +32 @@ Manage sign-in and attribute use for all identity source types
-How to configure application session duration
+User interactive sessions