Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Session Duration always one hour - MAC Version 2.21 #478

Closed waynetaylor closed 4 years ago

waynetaylor commented 4 years ago

Hi Team,

I have an IAM role configured in AWS with 4 hours. I then see a default of 1 hour when I login.

My config looks like:

```
account {
  URL: MyOKTAURL
  Username: Myuser
  Provider: Okta
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 14400
  Profile: aws-legacy
  RoleARN:
}
```

Configuration saved for IDP account: aws-legacy

If I log in I see the token valid for 1 hour. I did a brew upgrade and updated to 2.25 and still see the same issue.

waynetaylor commented 4 years ago

Closing ticket out. Found the root cause - after reading through tickets here and seeing people put it into debug mode, I found that the SAML Assertion from Okta was returning 3600. I then saw the advanced sign-in settings were still 1 hour (didn't know about this until I did some googling).

cdmadrigal commented 4 years ago

@waynetaylor Can you explain a bit more the fix you found? I'm in the same spot. Are you saying that a change needs to be made on the Okta side rather than the saml2aws side of things?

waynetaylor commented 4 years ago

@cdmadrigal - For this to work well there are two places that need configuration:

1) In Okta - there is an advanced setting - session duration needs to be set to the max value. Now note this won't apply to all, e.g. if your role says 1 hour you will still get one hour. See this in step 4: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service#A-step4
2) In AWS you need to ensure max duration is set in your role.

The easiest way is to run a login command in --debug mode, e.g.:

```
saml2aws login -a aws-legacy --session-duration=14400 --verbose
```

You will see your SAML Assertion come back, and towards the bottom, if that is 3600 you know it's set to 1 hour. After I had one of our Okta admins modify it, boom, everything worked as expected.
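The diagnosis above comes down to reading one attribute out of the SAML assertion and comparing it with what the role allows. The following is an added example, not code from saml2aws or from anyone in this thread: it pulls the `https://aws.amazon.com/SAML/Attributes/SessionDuration` attribute out of a constructed, Okta-style assertion and applies a simplified, assumed model of precedence (explicit `--session-duration`, then the IdP attribute, then the STS default of 3600, with anything above the role's MaxSessionDuration rejected rather than clamped).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
STS_DEFAULT_SECONDS = 3600  # what you get when nothing asks for more

# Constructed sample assertion (not a real Okta response): the IdP is still
# sending 3600, which is exactly the "always one hour" symptom from this issue.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/aws-legacy,arn:aws:iam::123456789012:saml-provider/Okta</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>3600</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def assertion_session_duration(assertion_xml):
    """Return the SessionDuration attribute (seconds) carried by the assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            value = attr.find("saml2:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return int(value.text.strip())
    return None


def effective_session(assertion_xml, role_max_seconds, requested_seconds=None):
    """Simplified model (an assumption, not saml2aws's own logic): the CLI flag wins over the
    IdP attribute, which wins over the STS default. Returns (seconds, source) on success,
    or (None, reason) when the request exceeds the role's MaxSessionDuration."""
    idp_value = assertion_session_duration(assertion_xml)
    if requested_seconds is not None:
        wanted, source = requested_seconds, "--session-duration flag"
    elif idp_value is not None:
        wanted, source = idp_value, "IdP SessionDuration attribute"
    else:
        wanted, source = STS_DEFAULT_SECONDS, "STS default"
    if wanted > role_max_seconds:
        return None, (f"{source} ({wanted}s) exceeds role MaxSessionDuration "
                      f"({role_max_seconds}s): STS would reject the request")
    return wanted, source
```

With the sample assertion, a role allowing 14400 s still yields 3600 s unless the IdP attribute is raised or `--session-duration` overrides it, which is the two-place fix described above.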

CholtonATX commented 4 years ago

We use JumpCloud and have newer aws_iam_roles set up for `max_session_duration = 14400 # 4 hours`. Not sure what combination of factors caused this, but adding `--session-duration` worked.

Saved my bacon with this one. Cheers.