Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery

Define a custom session duration (open-source variant)

By default, the temporary credentials that are issued by AWS Identity and Access Management (IAM) for SAML federation are valid for 1 hour. In this exercise, you will learn how to configure a custom session duration up to twelve hours long. Many customers utilize longer session durations to prevent work interruptions caused by session expirations, and to better align with existing organizational standards for credential lifespan.

Prerequisites

The following list identifies the prerequisites for this exercise. If you have not completed these tasks, please take the time to do so now.

Update Shibboleth Configuration

To define a custom session duration, you will populate an additional SAML attribute, SessionDuration, within the Shibboleth configuration.

Login via SSH

To get started, use SSH to log in to your Shibboleth instance with the public IP address that you noted in the initial exercise. See the directions for how to use SSH from your client platform.

Connect via SSH

Backup existing configuration

Before you begin, use the following command sequence to quickly back up the two configuration files you are about to edit.

sudo su -
cd /opt/shibboleth-idp/conf/
# back up the file that holds the attribute definitions and data connectors
cp attribute-resolver.xml attribute-resolver.xml.customsession
# back up the file that controls which attributes are released to AWS
cp attribute-filter.xml attribute-filter.xml.customsession

Edit attribute-resolver.xml

The Shibboleth file which controls the sources and values of attributes is attribute-resolver.xml. Use your favorite text editor to open this file.

vim attribute-resolver.xml

At the end of the file you will find a section entitled Data Connectors. Use the following snippet to add a static data connector immediately following the existing LDAP data connector, as shown in the following screenshot. The static data connector is a Shibboleth mechanism that allows you to configure one or more fixed attributes from a static configuration.

<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
  <dc:Attribute id="awsSessionDuration">
    <dc:Value>28800</dc:Value>
  </dc:Attribute>
</resolver:DataConnector>

Edit attribute-resolver.xml

Note: This example uses 28,800 seconds (or 8 hours), but you can specify your own preferred duration, ranging from 15 minutes to 12 hours.

Next, move back up within the file, and find your existing AWS attribute definitions. Use the following snippet to add a new definition for SessionDuration immediately following the definition for RoleSessionName, as shown in the following screenshot. This definition references the static attribute you defined above and names it within the SAML assertion according to the name that AWS expects.

<resolver:AttributeDefinition xsi:type="ad:Simple" id="awsSessionDuration" sourceAttributeID="awsSessionDuration">
  <resolver:Dependency ref="staticAttributes" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/SessionDuration" friendlyName="awsSessionDuration" />
</resolver:AttributeDefinition>

Edit attribute-resolver.xml

Edit attribute-filter.xml

Finally, we need to tell Shibboleth that it is allowed to send this attribute to AWS. Use your favorite text editor to modify the attribute-filter.xml file where this configuration is defined.

vim attribute-filter.xml

Find the AttributeFilterPolicy element named releaseAWSToAWS that you configured in the initial exercise. Add the following rule after the awsRoleSessionName rule, but before the closing tag of the AttributeFilterPolicy element, as shown in the following screenshot.

<AttributeRule attributeID="awsSessionDuration">
  <PermitValueRule xsi:type="ANY"/>
</AttributeRule>

Edit attribute-filter.xml

Restart Tomcat

Restart Tomcat to ensure that your changes take effect.

service tomcat8 restart

Restart Tomcat

Testing

You are now ready to test your custom session duration. To do so, open a new browser window and open the SAML tracer add-on. We'll use SAML tracer to inspect the contents of the SAML assertions as they flow from the IdP to AWS, which lets you see the results of your configuration and understand the information that AWS consumes from your identity provider. See the following screenshot for help enabling SAML tracer.

Enable SAML Tracer

With SAML tracer enabled, switch back to the main browser window and enter the IdP-initiated login URL for Shibboleth.

https://idp1.example.com:8443/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices

After Shibboleth returns the login page, log in using alice's credentials.

Note: Recall that alice's password has been set to Pass@123.

Shibboleth Login

After you log in, you see the AWS role chooser page. Before making your selection, switch back to the SAML tracer window, and scroll upwards until you find the entry for https://signin.aws.amazon.com/saml. Choose that entry, and select the SAML tab in the lower pane. As you look through the assertion, look for the <saml2:AttributeStatement>. This allows you to see how the configurations you applied above translate into the additional SessionDuration SAML attribute. See the following screenshot for reference.

SAML Tracer

Note: At present, custom session durations only apply to the AWS Management Console. They do not apply to CLI/API credentials retrieved using the AssumeRoleWithSAML API call that you used in the initial exercise.
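The same check you perform by eye in SAML tracer can be scripted. The following is an added example, not part of the original exercise or of Shibboleth: it parses a constructed assertion fragment shaped like the one Shibboleth emits after the changes above (account ID and role name are placeholders) and verifies that the SessionDuration attribute is released under the name AWS expects and carries a single integer within the 15-minute to 12-hour range AWS accepts.

```python
# Added example (not part of the original exercise): inspect a SAML 2.0
# assertion the way SAML tracer shows it, and check that the AWS
# SessionDuration attribute is present and within AWS's accepted range.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
MIN_SECONDS, MAX_SECONDS = 900, 43200  # 15 minutes .. 12 hours (AWS limits)

# Constructed sample assertion fragment (account id and role name are
# placeholders), mimicking what Shibboleth emits after the changes above.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{AWS_ATTR}Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Shibboleth-Dev,arn:aws:iam::123456789012:saml-provider/Shibboleth</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{AWS_ATTR}RoleSessionName">
      <saml2:AttributeValue>alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{AWS_ATTR}SessionDuration" FriendlyName="awsSessionDuration">
      <saml2:AttributeValue>28800</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def aws_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {short AWS attribute name: [values]} from the AttributeStatement."""
    ns = {"saml2": SAML2}
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", ns):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR):
            found[name[len(AWS_ATTR):]] = [v.text or "" for v in attr.findall("saml2:AttributeValue", ns)]
    return found


def check_session_duration(assertion_xml: str) -> tuple[bool, str]:
    """Validate the SessionDuration attribute; returns (ok, reason)."""
    attrs = aws_attributes(assertion_xml)
    if "SessionDuration" not in attrs:
        return False, "SessionDuration missing: check the release rule in attribute-filter.xml"
    values = attrs["SessionDuration"]
    if len(values) != 1 or not values[0].isdigit():
        return False, f"SessionDuration must be a single integer, got {values}"
    seconds = int(values[0])
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        return False, f"{seconds}s is outside the AWS-accepted {MIN_SECONDS}..{MAX_SECONDS}s range"
    return True, f"session duration {seconds}s ({seconds // 3600}h) accepted"
```

To check a real assertion, paste the decoded XML from the SAML tab of SAML tracer in place of the constructed sample.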

Key take-aways

In summary, there are two key take-aways from this use case:

Exercise complete

Congratulations! You have successfully completed the "Define a custom session duration for SAML users" advanced use case.

With this use case complete, you are now ready to continue your journey through more of the advanced use cases. To continue, return to the index of advanced use cases.