
I have a Rails application and I have implemented AWS Cognito for external federated identities; that is working fine.

Now I pass the SAML response to get_credentials_for_identity and I get a valid response, but the credentials I get are valid for 60 minutes only, although I am getting the https://aws.amazon.com/SAML/Attributes/SessionDuration attribute with value 43200 in the SAML response from the external SSO. My question is: what am I doing wrong here? Why are the AWS credentials received not valid for 12 hours as expected?

Part of the SAML response I am getting:

    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">43200
        </saml:AttributeValue>
    </saml:Attribute>

The guide I referred to is http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

Sachin Singh
  • Well, this is from the guide you pointed to - `The value is an integer representing the number of seconds, and can be a maximum of 43200 seconds (12 hours). If this attribute is not present, then the maximum session duration defaults to one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API). To use this attribute, you must configure the SAML provider to provide single sign-on access to the AWS Management Console through the console sign-in web endpoint at https://signin.aws.amazon.com/saml` – arjun Oct 13 '17 at 14:33
  • @arjun I am already getting the SessionDuration in the SAML response, see the updated question – Sachin Singh Oct 13 '17 at 15:51
  • Honestly, I have never worked on AWS Cognito. I am just trying to figure out if you have gone through the manual line by line. There is more written there; if you can clear that, maybe we would know where not to look - `if a SessionNotOnOrAfter attribute is also defined, then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, establishes the maximum duration of the console session.` What about this? – arjun Oct 13 '17 at 18:23
  • Maybe check this out - https://github.com/ironbird-software/aws-cognito-sync-issues - It is written that on the first call it issues a temporary token for 1 hour. What is that? There is also a table on token validity for User Pools giving 1 hour - https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html – arjun Oct 13 '17 at 18:40
  • If all else fails, - https://forums.aws.amazon.com/forum.jspa?forumID=173&start=0 – arjun Oct 13 '17 at 18:42
  • Very sad nobody answered. – Sachin Singh Oct 31 '17 at 07:15

1 Answer


The temporary AWS credentials vended by the Cognito Federated Identities service always expire in 60 minutes. Cognito does not set the AWS session expiry based on the expiry of the SAML assertion or OpenID token.

Chetan Mehta
  • Please check out what the AWS doc says: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html – Sachin Singh Oct 23 '17 at 05:40
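The practical consequence of the answer above, as an added example that is not code from the question, the answer or AWS: because GetCredentialsForIdentity accepts no duration parameter (the SessionDuration attribute and DurationSeconds belong to the AssumeRoleWithSAML / console sign-in path), a Rails app that needs a 12-hour session must treat the Cognito credentials as 60-minute tokens and re-vend them before they lapse. The `vend` callable is assumed to wrap `Aws::CognitoIdentity::Client#get_credentials_for_identity` and return the fields of its `credentials` member; `FakeCognitoVendor`, the clock, the refresh margin and all class and method names here are constructed for the example.

```ruby
# Added example: cache Cognito credentials and re-vend them shortly before the
# 60-minute expiry, instead of expecting one 12-hour credential set.
class RefreshingCognitoCredentials
  # Refresh this many seconds before the vended expiration so a request that is
  # signed just before the boundary does not fail with an expired token.
  DEFAULT_MARGIN = 5 * 60

  attr_reader :refresh_count

  # vend:  callable returning { access_key_id:, secret_key:, session_token:, expiration: Time }
  #        (assumed to wrap Aws::CognitoIdentity::Client#get_credentials_for_identity)
  # clock: callable returning the current Time; injectable so the cache can be tested offline
  def initialize(vend:, margin: DEFAULT_MARGIN, clock: -> { Time.now })
    @vend = vend
    @margin = margin
    @clock = clock
    @creds = nil
    @refresh_count = 0
  end

  # Returns a credential hash that is still valid for at least `margin` seconds.
  def credentials
    refresh! if stale?
    @creds
  end

  # True when nothing is cached or the cached set is inside the refresh margin.
  def stale?
    @creds.nil? || (@creds[:expiration] - @clock.call) <= @margin
  end

  private

  def refresh!
    creds = @vend.call
    raise ArgumentError, 'vendor did not return a Time in :expiration' unless creds[:expiration].is_a?(Time)
    @creds = creds
    @refresh_count += 1
  end
end

# Constructed stand-in for the Cognito call. Like the real service (per the
# answer above) it always vends credentials that expire 3600 s from now,
# regardless of what SessionDuration the SAML assertion carried.
class FakeCognitoVendor
  COGNITO_TTL = 3600

  attr_reader :calls

  def initialize(clock)
    @clock = clock
    @calls = 0
  end

  def call
    @calls += 1
    {
      access_key_id: "ASIAEXAMPLE#{@calls}",   # constructed placeholder values
      secret_key: 'example-secret',
      session_token: "example-token-#{@calls}",
      expiration: @clock.call + COGNITO_TTL
    }
  end
end

# Drives the cache through a window of `total_seconds` with a fake clock,
# checking on every step that it never hands out an expired credential, and
# returns how many times Cognito had to be called. With a 3600 s token and a
# 300 s margin, covering the 43200 s the asker expected takes 14 vends, not 1.
def refreshes_needed(total_seconds:, step: 60)
  start = Time.utc(2017, 10, 13, 12, 0, 0)
  now = start
  clock = -> { now }
  vendor = FakeCognitoVendor.new(clock)
  cache = RefreshingCognitoCredentials.new(vend: vendor, clock: clock)
  (0..total_seconds).step(step) do |offset|
    now = start + offset
    c = cache.credentials
    raise 'expired credentials handed out' if c[:expiration] <= now
  end
  vendor.calls
end

puts "Cognito calls needed for 12 hours of use: #{refreshes_needed(total_seconds: 43_200)}"
```

In a Rails app the `vend` lambda would call the SDK with the identity ID and the `Logins` map holding the SAML assertion, and the refresher would live in a per-session store; the point the example makes is that the 43200 in the assertion never reaches the vended credentials, so the refresh loop is the only way to get 12 hours of uninterrupted AWS access through Cognito.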