Adjusting the Session Duration / Timeout with AWS federated SSO to Google G-Suite

Overview

Utilizing Google G-Suite SSO for signing into the Amazon Web Services console is accomplished by following the instructions posted on AWS. However, what's not included in those instructions is how to change the default 60-minute session timeout. This document explains how to accomplish this using the Google G-Suite single sign-on integration.

Instructions

Log in to G-Suite as an administrator

The instructions below require administrator access to the G-Suite account which is already integrated with AWS, per the instructions linked above. In a browser window, log in as an administrator before proceeding.

Lookup the existing "role" schema field

The instructions linked above explain how to add the "role" field to a new G-Suite schema called "SSO". (On a side note, I recommend not using "SSO" but rather something more AWS specific, such as "AWS-SSO", since you'll probably end up using G-Suite to SSO into more than just AWS.) 

Before you can update the schema you'll need to first retrieve the current "role" field so that it can be included in the update API request. 

Open up the Google Directory API schemas: get API page. Enter your G-Suite ID value into the customerId field on the right side of the page, and enter the "SSO" schema name (or "AWS-SSO", etc. if you used a more-specific schema name). Once those values are entered, click the EXECUTE button and the existing field JSON should appear. 

Copy the contents inside of "fields" to clipboard, as this will be needed in the next section.

Add an additional schema field

Next, open up the schemas: update API page. On the right side, again enter your G-Suite ID into the customerId field and your schema name into the schemaKey field. 

Inside the JSON text box, paste the retrieved "role" field information that was copied earlier inside of the "fields" JSON list. Add a comma after the closing curly brace so that a second field can be included in the list.

Copy and paste the following values into the second list element:

    {
      "fieldName": "timeout",
      "fieldType": "STRING",
      "readAccessType": "ADMINS_AND_SELF",
      "multiValued": false
    }

Ensure that the JSON is well formed and then press EXECUTE. The result should be a 200 response, indicating successful addition of the second field.

Map the new field to the AWS SessionDuration SAML attribute

When the SSO request to AWS is initiated, the SAML request will need to include an additional attribute, called SessionDuration. The attribute-mapping steps from the instructions linked in the overview are repeated here, this time mapping this new attribute to the timeout field added earlier.

Navigate to the G-Suite SAML Apps page. Click the Amazon Web Services app. This will display the configuration settings for this app integration. Expand the Attribute Mapping section. Click Add New Mapping.

Enter https://aws.amazon.com/SAML/Attributes/SessionDuration as the attribute. Select the "SSO" (or "AWS-SSO", etc.) category. Select "timeout". Click Save.

Adjust the timeout value for a G-Suite user

With the plumbing now in place to customize the session timeouts on a per-user basis, the remaining step is to adjust the timeout values for those users which need to have an alternate timeout value, different from the default of 60 minutes.

Navigate to the G-Suite Users page and select a user for which the AWS console timeout will be adjusted. When the user details page shows, expand the Account section.

In the new timeout field, enter a value in seconds between 900 (15 minutes) and 28800 (12 hours). The allowed session timeout currently (as of 2017) must fall within that range. Click the Update User button.

Try it out

Log out of any current AWS console session and then log in as the user that was adjusted in the last step above. The session will now remain valid for the duration specified in the timeout field (in seconds).

Bulk timeout adjustments

If you need to adjust the timeouts of a large number of users, consider using the Google Directory API via a command line script to accomplish this. For example, a Python developer can utilize the Google Admin API Python Quickstart guide to quickly send a single batch request to Google with the timeout updates for a large number of users.
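The following is an added example of such a script, not code from the original page or from Google. It assumes the custom schema is named "AWS-SSO" with the "timeout" STRING field created above, and an authorized google-api-python-client directory_v1 service object obtained as in the Admin API Python Quickstart (with the admin.directory.user scope). Each user's value is range-checked against the 900-28800 second window before it is queued, so a bad row is reported rather than silently producing a login failure later.

```python
"""Bulk-assign AWS console session timeouts to G-Suite users.

Added example, not code from the page or from Google. Assumes the custom
schema is named "AWS-SSO" with the "timeout" STRING field created above, and
an authorized google-api-python-client directory_v1 service (see the Admin
API Python Quickstart) holding the admin.directory.user scope.
"""

MIN_TIMEOUT = 900    # 15 minutes: smallest SessionDuration AWS accepts
MAX_TIMEOUT = 28800  # 12 hours: largest SessionDuration AWS accepts


def validate_timeout(seconds):
    """Reject values AWS would refuse, so a bad row fails here, not at login."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise TypeError("timeout must be an integer number of seconds")
    if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise ValueError(f"timeout {seconds} outside {MIN_TIMEOUT}-{MAX_TIMEOUT}")
    return seconds


def build_patch_body(schema, seconds):
    """users.patch body: custom schema values are keyed by schema name, then
    field name. The field was created as STRING, so the number is sent as text."""
    return {"customSchemas": {schema: {"timeout": str(validate_timeout(seconds))}}}


def plan_updates(assignments, schema="AWS-SSO"):
    """Turn {email: seconds} into (email, body) pairs; invalid rows are
    collected rather than aborting, so one typo does not block the batch."""
    ok, errors = [], {}
    for email, secs in assignments.items():
        try:
            ok.append((email, build_patch_body(schema, secs)))
        except (TypeError, ValueError) as exc:
            errors[email] = str(exc)
    return ok, errors


def apply_updates(service, updates):
    """Queue every patch into one batch request and send it; returns the count."""
    batch = service.new_batch_http_request()
    for email, body in updates:
        batch.add(service.users().patch(userKey=email, body=body))
    batch.execute()
    return len(updates)


if __name__ == "__main__":
    # Constructed sample: 60 is below the AWS minimum and is reported, not sent.
    sample = {"alice@example.com": 3600, "bob@example.com": 60,
              "carol@example.com": 28800}
    planned, rejected = plan_updates(sample)
    print("to send:", [e for e, _ in planned], "rejected:", rejected)
    # service = build("admin", "directory_v1", credentials=creds)  # from the Quickstart
    # apply_updates(service, planned)
```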

Need further assistance?

If you would like additional assistance, contact Codesim LLC today!