AWS singlesignon documentation change
Summary
Comprehensive restructuring of authentication session documentation, adding details about session types (user interactive, application, background, Amazon Q), session termination methods, access revocation timelines, and security best practices
Security assessment
The changes enhance documentation about session management controls (revocation timelines, IAM role session persistence) and add security best practices sections. While it improves security transparency, there's no evidence of addressing a specific disclosed vulnerability.
Diff
diff --git a/singlesignon/latest/userguide/authconcept.md b/singlesignon/latest/userguide/authconcept.md index 1cf514157..4b0a4f662 100644 --- a//singlesignon/latest/userguide/authconcept.md +++ b//singlesignon/latest/userguide/authconcept.md @@ -5 +5 @@ -Authentication sessions +Types of authentication sessionsWays to end user sessionsWhat happens to user access when you end a sessionSingle logoutBest practices for session management @@ -7 +7 @@ Authentication sessions -# Authentication in IAM Identity Center +# Understanding authentication sessions in IAM Identity Center @@ -9 +9 @@ Authentication sessions -A user signs in to the AWS access portal using their user name. When they do, IAM Identity Center redirects the request to the IAM Identity Center authentication service based on the directory associated with the user email address. Once authenticated, users have single sign-on access to any of the AWS accounts and third-party software-as-a-service (SaaS) applications that show up in the portal without additional sign-in prompts. This means that users no longer need to keep track of multiple account credentials for the various assigned AWS applications that they use on a daily basis. +When a user signs in to the [AWS access portal](./using-the-portal.html), IAM Identity Center creates an authentication session that represents the user’s verified identity. @@ -11 +11 @@ A user signs in to the AWS access portal using their user name. When they do, IA -## Authentication sessions +Once authenticated, the user can access all their assigned AWS accounts, [AWS managed applications](./awsapps.html), and [customer managed applications](./customermanagedapps.html) that administrators have granted them permission to use, without additional sign ins. @@ -13 +13 @@ A user signs in to the AWS access portal using their user name. When they do, IA -There are two types of authentication sessions maintained by IAM Identity Center: one to represent the users’ sign in to IAM Identity Center, and another to represent the users’ access to AWS managed applications, such as Amazon SageMaker AI Studio or Amazon Managed Grafana. Each time a user signs in to IAM Identity Center, a sign in session is created for the duration configured in IAM Identity Center, which can be up to 90 days. For more information, see [Configure the session duration in IAM Identity Center](./configure-user-session.html). Each time the user accesses an application, the IAM Identity Center sign in session is used to create an IAM Identity Center application session for that application. IAM Identity Center application sessions have a refreshable 1-hour lifetime – that is, IAM Identity Center application sessions are automatically refreshed every hour as long as the IAM Identity Center sign in session from which they were obtained is still valid. If the user signs out using the AWS access portal, the user's sign in session ends. The next time application refreshes its session, the application session will end. +## Types of authentication sessions @@ -15 +15 @@ There are two types of authentication sessions maintained by IAM Identity Center -When the user uses IAM Identity Center to access the AWS Management Console or AWS CLI, the IAM Identity Center sign in session is used to obtain an IAM session, as specified in the corresponding IAM Identity Center permission set (more specifically, IAM Identity Center assumes an IAM role, which IAM Identity Center manages, in the target account). IAM sessions persist for the time specified for the permission set, unconditionally. +### User interactive sessions @@ -17 +17,35 @@ When the user uses IAM Identity Center to access the AWS Management Console or A -###### Note +After a user signs in to the AWS access portal, IAM Identity Center creates a user interactive session. This session represents the user's authenticated state within IAM Identity Center and serves as the foundation for creating other session types. User interactive sessions can last for the duration configured in IAM Identity Center, which can be up to 90 days. + +User interactive sessions are the primary authentication mechanism. They end when the user signs out or when an administrator ends their session. The duration of these sessions should be carefully configured based on your organization's security requirements. + +For information about configuring user interactive session duration, see [Configure the session duration in IAM Identity Center](./configure-user-session.html). + +### Application sessions + +Application sessions are the authenticated connections between users and AWS managed applications (such as Amazon Q Developer or Amazon Quick Suite) that IAM Identity Center establishes through single sign-on. + +By default, application sessions have a one hour lifetime, but they're automatically refreshed as long as the underlying user interactive session remains valid. This refresh mechanism provides a seamless experience for users while maintaining security controls. When a user interactive session ends, either through user sign-out or administrator action, the application sessions will end at their next refresh attempt, typically within 30 minutes. + +### User background sessions + +User background sessions are extended-duration sessions designed for applications that need to run processes for hours or days without interruption. Currently, this session type applies primarily to [Amazon SageMaker Studio](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-updated.html), where data scientists might run machine learning training jobs that take many hours to complete. + +For information about configuring user background session duration, see [User background sessions](./user-background-sessions.html). + +### Amazon Q Developer sessions + +You can extend Amazon Q Developer sessions to allow developers using Amazon Q Developer in IDEs to maintain authentication for up to 90 days. This feature reduces login interruptions while you work on code. + +These sessions are independent of other session types and don't affect user interactive sessions or other AWS managed applications. Depending on when you enabled IAM Identity Center, this feature might be enabled by default. + +For information about configuring extended Amazon Q Developer sessions, see [Extended sessions for Amazon Q Developer](./90-day-extended-session-duration.html). + +### IAM Identity Center-created IAM role sessions + +IAM Identity Center creates a different type of session when users access the AWS Management Console or AWS CLI. In these cases, IAM Identity Center uses the sign-in session to obtain an IAM session by assuming an IAM role specified in the user's permission set. + +###### Important + +Unlike application sessions, IAM role sessions operate independently once established. They persist for the duration configured in the permission set, which can be up to 12 hours, regardless of the status of the original sign-in session. This behavior ensures that long-running CLI operations or console sessions aren't unexpectedly ended. + +## Ways to end user sessions in IAM Identity Center @@ -19 +53 @@ When the user uses IAM Identity Center to access the AWS Management Console or A -IAM Identity Center does not support SAML Single Logout initiated by an identity provider that acts as your identity source, and it does not send SAML Single Logout to SAML applications that use IAM Identity Center as an identity provider. +### User-initiated @@ -21 +55 @@ IAM Identity Center does not support SAML Single Logout initiated by an identity -When an IAM Identity Center administrator [deletes](./deleteusers.html) or [disables](./disableuser.html) a user, the user will immediately lose access to the AWS access portal and be prevented from signing back in to start a new application or IAM role session. The user will lose access to existing application sessions within 30 minutes. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours. +When a user signs out of the AWS access portal, the sign-in session ends, preventing the user from accessing any new resources. @@ -23 +57 @@ When an IAM Identity Center administrator [deletes](./deleteusers.html) or [disa -When an IAM Identity Center administrator [revokes a user's session](./end-active-sessions.html) or when a user signs out, the user will immediately lose access to the AWS access portal and be required to sign back in to start a new application or IAM role session. The user will lose access to existing application sessions within 30 minutes. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours. +Existing application sessions, however, don't end instantly. Instead, they will end within approximately 30 minutes, when they attempt their next refresh and find the sign-in session is no longer valid. Existing IAM role sessions continue until they expire based on the permission set configuration, which could be up to 12 hours later. @@ -25 +59 @@ When an IAM Identity Center administrator [revokes a user's session](./end-activ -This table summarizes how user management changes affect access to IAM resources, application sessions, and AWS account sessions. +### Administrator-initiated @@ -27 +61,13 @@ This table summarizes how user management changes affect access to IAM resources -Action | User loses IAM Identity Center access | User cannot create new application sessions | User cannot access existing application sessions | User loses access to existing AWS account sessions +Anyone with IAM Identity Center administrative permissions in your organization, typically IT administrators or security teams, can [end a user's session](./end-active-sessions.html). This action works the same way as if users signed out themselves, allowing administrators to require users to sign in again when needed. This capability is useful when security policies change or when suspicious activity is detected. + +When an IAM Identity Center administrator [deletes a user](./deleteusers.html) or [disables a user’s access](./disableuser.html), the user loses access to the AWS access portal and is prevented from signing back in to start a new application or IAM role session. The user will lose access to existing application sessions within 30 minutes. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours. + +## What happens to user access when you end a session + +This reference provides detailed information about how IAM Identity Center sessions behave when administrative actions are taken. The tables in this section show the duration and effects of user management actions and permission changes on access to the AWS access portal, applications, and AWS account sessions. + +### User management + +This table summarizes how user management changes affect access to AWS resources, application sessions, and AWS account sessions. + +Action | User loses IAM Identity Center access | User can't create new application sessions | User can't access existing application sessions | User loses access to existing AWS account sessions @@ -29,4 +75,4 @@ Action | User loses IAM Identity Center access | User cannot create new applicat -User disabled | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. -User deleted | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. -User session revoked | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. -User signs out | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. +User's access disabled | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +User deleted | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +User session revoked | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +User signs out | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. @@ -34 +80 @@ User signs out | User must sign in again to regain access | Effective immediatel -When an IAM Identity Center administrator [removes application access](./removeaccessfromapp.html), the user will lose access to existing applications. The user's access to existing applications is lost within an hour following application access removal. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours. +### Group membership @@ -36 +82 @@ When an IAM Identity Center administrator [removes application access](./removea -This table summarizes how changes to user permissions and group memberships affect access to IAM Identity Center resources, application sessions, and AWS account sessions. +This table summarizes how changes to user permissions and group memberships affect access to AWS resources, application sessions, and AWS account sessions. @@ -38 +84 @@ This table summarizes how changes to user permissions and group memberships affe -Action | User loses IAM Identity Center access | User cannot create new application sessions | User cannot access existing application sessions | User loses access to existing AWS account sessions +Action | User loses IAM Identity Center access | User can't create new application sessions | User can't access existing application sessions | User loses access to existing AWS account sessions @@ -40,3 +86,3 @@ Action | User loses IAM Identity Center access | User cannot create new applica -Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. -User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Within 1 hour | Within 2 hours | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. -Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set. +Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Within 1 hour | Within 2 hours | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. @@ -46 +92,22 @@ Application or AWS account access removed from group | No - User can continue ac -The AWS access portal and AWS CLI will reflect updated user permissions within 1 hour after you add or remove a user from a group. +The AWS access portal and AWS CLI will reflect updated user permissions within 1 hour after you add or remove a user from that group. + +###### Understanding timing differences + + * Effective immediately – Actions that require immediate re-authentication. + + * Within 30 minutes - 2 hours – Application sessions need time to check with IAM Identity Center and discover any changes. + + * Within 12 hours or less – IAM role sessions operate independently and only end when their configured duration expires. + + + + +## Single logout + +IAM Identity Center doesn't support SAML Single Logout (a protocol that automatically signs users out of all connected applications when they sign out of one) initiated by an identity provider that acts as your [identity source](./manage-your-identity-source.html). Additionally, it doesn't send SAML Single Logout to [SAML 2.0 applications](./customermanagedapps-saml2-oauth2.html) that use IAM Identity Center as an identity provider. + +## Best practices for session management + +Effective session management requires thoughtful configuration and monitoring. Organizations should configure session durations appropriate to their security requirements, generally using shorter durations for sensitive applications and environments. + +Implementing processes to end sessions when users change roles or leave the organization is essential for maintaining security boundaries. Regular review of active sessions should be incorporated into security monitoring practices to detect anomalous behavior that might indicate security issues, such as unusual access patterns, unexpected login times or locations, or access to resources outside normal job functions. @@ -54 +121 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Identity Center directory +Workforce access @@ -56 +123 @@ Identity Center directory -Revoke access for deleted users +Configure session duration