How do I adjust session durations and STS token validity periods? - Resource Access Management

This topic describes how session durations for the Alibaba Cloud Management Console and the validity periods for Security Token Service (STS) tokens are determined in different scenarios. It also explains how to configure these settings.

RAM user console logon

Limiting factors
When a Resource Access Management (RAM) user logs on to the console with a username and password , the session duration is determined by the Logon Session Duration setting in the RAM security settings.
Modification methods
- Console: Adjust the Logon Session Duration in your account's RAM security settings. For more information, see Manage security settings.
- API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.

User-based SSO

Limiting factors
When a user logs on through user-based SSO, the session duration is determined by the Logon Session Duration setting in the RAM security settings.
Modification methods
- Console: Adjust the Logon Session Duration in your account's RAM security settings. For more information, see Manage security settings.
- API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.

Role-based SSO

SAML-based SSO

Console access

Limiting factors
When a user logs on to the console through role-based SSO, the session duration is limited by the following settings:
- The SessionDuration attribute in the SAML assertion.
  For more information, see SAML response for role-based SSO.
- The SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion.
  For more information, see SAML response for role-based SSO.
- The Logon Session Duration setting in the RAM security settings.
  For more information, see Manage security settings.
- The maximum session duration of the assumed RAM role.
  For more information, see Set the maximum session duration for a RAM role.
The actual session duration is the minimum value among all of these settings.
Modification methods
To extend the session duration, you must increase the value of all limiting factors to be greater than or equal to your desired duration.
- Configure the SessionDuration attribute in the SAML assertion.
  This is configured in your identity provider (IdP). For instructions, see your IdP's documentation.
- Configure the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion.
  This is configured in your IdP. For instructions, see your IdP's documentation.
- Configure the Logon Session Duration in the RAM security settings.
  - Console: Adjust the Logon Session Duration in your account's RAM security settings. For more information, see Manage security settings.
  - API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
- Configure the maximum session duration for the RAM role.
  - Console: Adjust the maximum session duration of the RAM role.
  - API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.

Programmatic access

Limiting factors
When you call the AssumeRoleWithSAML operation, the validity period of the returned STS token is limited by the following settings:
- The SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion.
  For more information, see SAML response for role-based SSO.
- The maximum session duration of the assumed RAM role.
  For more information, see Set the maximum session duration for a RAM role.
- The DurationSeconds parameter specified when you call the AssumeRoleWithSAML operation.
  If you do not specify the DurationSeconds parameter, the default value is used.
The actual validity period of the STS token is the minimum value among all of these settings.
Modification methods
To extend the token validity period, you must increase the value of all limiting factors to be greater than or equal to your desired duration.
- Configure the SessionNotOnOrAfter attribute of the AuthnStatement element in the SAML assertion.
  This is configured in your IdP. For instructions, see your IdP's documentation.
- Configure the maximum session duration for the RAM role.
  - Console: Adjust the maximum session duration of the RAM role.
  - API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
- Specify the DurationSeconds parameter in your call to the AssumeRoleWithSAML operation.

OIDC-based SSO

Limiting factors
When you call the AssumeRoleWithOIDC operation, the validity period of the returned STS token is limited by the following settings:
- The maximum session duration of the assumed RAM role.
  For more information, see Set the maximum session duration for a RAM role.
- The DurationSeconds parameter specified when you call the AssumeRoleWithOIDC operation.
  If you do not specify the DurationSeconds parameter, the default value is used.
The actual validity period of the STS token is the minimum of these two values.
Modification methods
To extend the token validity period, you must increase the value of both limiting factors to be greater than or equal to your desired duration.
- Configure the maximum session duration for the RAM role.
  - Console: Adjust the maximum session duration of the RAM role.
  - API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
- Specify the DurationSeconds parameter in your call to the AssumeRoleWithOIDC operation.

Assuming a RAM role

Switching identities in the console

Limiting factors
When you switch to a RAM role in the console, the new session's duration is limited by the following settings:
- The Logon Session Duration setting in the RAM security settings.
  For more information, see Manage security settings.
- The maximum session duration of the assumed RAM role.
  For more information, see Set the maximum session duration for a RAM role.
The actual session duration is the minimum of these two values.
Modification methods
To extend the session duration, you must increase the value of both limiting factors to be greater than or equal to your desired duration.
- Configure the Logon Session Duration setting in the RAM security settings.
  - Console: Adjust the Logon Session Duration in your account's RAM security settings. For more information, see Manage security settings.
  - API: Call the SetSecurityPreference operation and set the LoginSessionDuration parameter.
- Configure the maximum session duration for the RAM role.
  - Console: Adjust the maximum session duration of the RAM role.
  - API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.

Programmatic access

Limiting factors
When you call the AssumeRole operation, the validity period of the returned STS token is limited by the following settings:
- The maximum session duration of the assumed RAM role.
  For more information, see Set the maximum session duration for a RAM role.
- The DurationSeconds parameter specified when you call the AssumeRole operation.
  If you do not specify the DurationSeconds parameter, the default value is used.
The actual validity period of the STS token is the minimum of these two values.
Modification methods
To extend the token validity period, you must increase the value of both limiting factors to be greater than or equal to your desired duration.
- Configure the maximum session duration for the RAM role.
  - Console: Adjust the maximum session duration of the RAM role.
  - API: Call the CreateRole operation and set the MaxSessionDuration parameter, or call the UpdateRole operation and set the NewMaxSessionDuration parameter.
- Specify the DurationSeconds parameter in your call to the AssumeRole operation.

References

For more information about concepts such as RAM users, RAM roles, user-based SSO, and role-based SSO, see Basic concepts.