This article describes how to configure Azure Active Directory, acting as the SAML Identity Provider (IdP), to change the default AWS Management Console session timeout of 1 hour to a different value.
It seems there has been a lot of discussion about how to change the timeout, and there is no clear documentation from AWS on how to achieve this with Azure AD. As an example of the confusion, have a look at this discussion thread:
Some good guidance is provided on how to achieve this with ADFS, as described here, but I haven’t yet seen any guidance for Azure AD.
OK, here’s how to do it. (Note that this assumes you have already configured the AWS Console to work with Azure AD via SAML)
Go to your Azure Portal and open the Single Sign-On blade for your Amazon Web Services Console application. Under the User Attributes section, select the checkbox to expose other user attributes, as shown below.
Select the option to add a new attribute.
In the Add attribute blade, set the Name to "SessionDuration" (the attribute name is case sensitive; AWS ignores any other spelling), the Value to the timeout you want in seconds, and the Namespace to "https://aws.amazon.com/SAML/Attributes". AWS accepts values between 900 (15 minutes) and 43200 (12 hours), and the IAM role the user assumes must have a Maximum session duration at least as large as the value you set, so raise it from its 1 hour default first if needed. Then click OK.
The net result should look like this:
Save the changes and you are ready to go and test the new timeout.
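A quick way to confirm that the new attribute actually reaches AWS, before blaming the console, is to capture the SAMLResponse form value the browser posts to https://signin.aws.amazon.com/saml (browser developer tools or a SAML tracer extension) and inspect it. The following is an added example, not code from the original article: it decodes a SAMLResponse, pulls out the AWS attributes, and checks that SessionDuration is present with the exact case, is an integer in the 900 to 43200 range, and does not exceed the role's Maximum session duration. The sample assertion is constructed for illustration (account ID, role and provider names are made up), and the check only inspects attributes; it does not validate the signature, which AWS does on its side.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the assertion emitted by Azure AD.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The Namespace from the portal plus the attribute Name gives the full SAML attribute name.
AWS_ATTR_NAMESPACE = "https://aws.amazon.com/SAML/Attributes"
SESSION_DURATION = AWS_ATTR_NAMESPACE + "/SessionDuration"

# Range AWS accepts for SessionDuration: 15 minutes to 12 hours.
MIN_SECONDS = 900
MAX_SECONDS = 43200

# Constructed sample SAMLResponse (not a real capture). Signature and conditions
# are omitted; only the AttributeStatement matters for this check.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ConsoleUser,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>28800</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode assertion XML the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


SAMPLE_SAML_RESPONSE_B64 = encode_response(SAMPLE_RESPONSE_XML)


def parse_attributes(saml_response_b64):
    """Decode a SAMLResponse value and return {attribute Name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def check_session_duration(saml_response_b64, role_max_seconds=3600):
    """Return (status, seconds) for the SessionDuration attribute in a SAMLResponse.

    role_max_seconds is the IAM role's Maximum session duration (3600 is the
    default on a new role); a SessionDuration above it will not be honoured.
    """
    attrs = parse_attributes(saml_response_b64)
    values = attrs.get(SESSION_DURATION)
    if not values:
        # The name is case sensitive: a near miss like ".../sessionduration" is ignored by AWS.
        for name in attrs:
            if name.lower() == SESSION_DURATION.lower():
                return ("wrong-case", None)
        return ("missing", None)  # AWS falls back to the 1-hour default
    try:
        seconds = int(values[0])
    except ValueError:
        return ("not-an-integer", None)
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        return ("out-of-range", seconds)
    if seconds > role_max_seconds:
        return ("exceeds-role-max", seconds)
    return ("ok", seconds)


if __name__ == "__main__":
    # With the role's Maximum session duration raised to 12 hours the sample passes.
    print(check_session_duration(SAMPLE_SAML_RESPONSE_B64, role_max_seconds=43200))
```

To use it on a real capture, paste the SAMLResponse value in place of SAMPLE_SAML_RESPONSE_B64 and pass the role's actual Maximum session duration; a "missing" or "wrong-case" result means the Azure AD claim is not being emitted as configured, while "exceeds-role-max" points at the IAM role rather than the IdP.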
For more information on the SessionDuration attribute, please see the AWS documentation here: