

# Configure the session duration in IAM Identity Center
<a name="configure-user-session"></a>

You can configure the session duration for your workforce users when they use the AWS access portal and applications that work with IAM Identity Center, including Kiro. IAM Identity Center provides the following session types: user interactive sessions, user background sessions, and extended sessions for Kiro.

**Topics**
+ [User interactive sessions](user-interactive-sessions.md)
+ [User background sessions](user-background-sessions.md)
+ [Extended sessions for Kiro](90-day-extended-session-duration.md)
+ [View and end active sessions for your workforce users](end-active-sessions.md)
+ [Session duration considerations for using identity sources, the AWS CLI, and AWS SDKs](user-session-duration-prereqs-considerations.md)

# User interactive sessions
<a name="user-interactive-sessions"></a>

User interactive sessions are sessions tied to a user's sign-in to the AWS access portal or access to [AWS managed applications](awsapps.md). The session duration of authentication into the AWS access portal and applications is the maximum length of time that a user can be signed in without re-authenticating. If you end an active AWS access portal session, this also ends any sessions for these managed applications.

The default session duration for user interactive sessions is 8 hours. You can specify a different duration, from a minimum of 15 minutes to a maximum of 90 days. Custom duration values must be entered in minutes and be between 15 minutes and 129,600 minutes (90 days). For more information, see [Understanding authentication sessions in IAM Identity Center](authconcept.md).

For considerations such as how IAM Identity Center identity sources might affect the user interactive session duration, see [Session duration considerations for using identity sources, the AWS CLI, and AWS SDKs](user-session-duration-prereqs-considerations.md). 

**To configure the duration of a user interactive session**

1. Open the IAM Identity Center console.

1. Choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. Under **Authentication**, next to **Session duration**, choose **Configure**. A **Configure session duration** dialog box appears.

1. In the **Configure session duration** dialog box, under **User interactive sessions**, choose the maximum session duration for your users by selecting the drop-down arrow. Choose the length for the session, and then choose **Save**.
**Note**  
Changes to session duration apply only to new sessions. Current sessions keep their original duration.

1. You are returned to the **Authentication** tab. A green notification message appears above the tab to indicate that the session settings were updated successfully.

# User background sessions
<a name="user-background-sessions"></a>

User background sessions allow a user to initiate a long-running job on an AWS managed application such as [Amazon SageMaker Studio](https://docs.aws.amazon.com//sagemaker/latest/dg/studio-updated.html), without that user having to remain signed in while the job runs. The job runs immediately and uses the [trusted identity propagation](trustedidentitypropagation-overview.md) capability of IAM Identity Center to ensure that the user's permissions are maintained while the job is run in the background. The job can continue to run even if the user turns off their computer, their IAM Identity Center sign-in session expires, or the user signs out of the AWS access portal. This capability enables data scientists, machine learning engineers, and others to start analytics and machine learning workflows that run in the background without active user involvement.

User background sessions are enabled by default for supported AWS managed applications such as Amazon SageMaker Studio. To use this capability, however, you must enable trusted identity propagation in Amazon SageMaker Studio when you create or update a domain. For more information, see [Enable trusted identity propagation in your Amazon SageMaker AI domain](https://docs.aws.amazon.com//sagemaker/latest/dg/trustedidentitypropagation-setup.html#trustedidentitypropagation-setup-enable).

The default session duration for user background sessions is 7 days. You can specify a different duration, from a minimum of 15 minutes to a maximum of 90 days. Custom duration values must be entered in minutes and be between 15 minutes and 129,600 minutes (90 days). 

Keep in mind the following considerations for user background sessions:
+ A user background session can be created only when a user manually initiates a job in Amazon SageMaker Studio. This capability is not supported for automated, scheduled workflows.
+ For a list of AWS Regions that support user background sessions, see [Supported AWS Regions](https://docs.aws.amazon.com//sagemaker/latest/dg/trustedidentitypropagation-compatibility.html#trustedidentitypropagation-compatibility-supported-regions). 
+ You can view user background sessions in CloudTrail. For information, see [Identifying user background session details](sso-cloudtrail-use-cases.md#identifying-user-background-session-details).
+ You can also end active sessions for a user in your organization. For information, see [End active sessions for your workforce users](end-active-sessions.md).

**To configure the duration of a user background session**

1. Open the IAM Identity Center console.

1. Choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. Under **Authentication**, next to **Session duration**, choose **Configure**. The **Configure session duration** dialog box appears.

1. In the **Configure session duration** dialog box, if the **Enable user background sessions** check box is not already selected, select it. Clear the check box to disable user background sessions.
**Note**  
Current sessions are not affected if you disable user background sessions.

1. Under **User background sessions**, choose the maximum session duration by selecting the drop-down arrow. Choose the length for the session, and then choose **Save**.
**Note**  
Changes to session duration apply only to new sessions. Current sessions keep their original duration.

1. You are returned to the **Authentication** tab. A green notification message appears above the tab to indicate that the session settings were updated successfully.

**Note**  
A customer managed application can't create a user background session.

# Extended sessions for Kiro
<a name="90-day-extended-session-duration"></a>

If your developers use Kiro as part of an integrated development environment (IDE), you can set the session duration for Kiro to 90 days. Depending on when you enabled IAM Identity Center, extended session duration for Kiro might be enabled by default. This extended session doesn't affect the session duration of the AWS access portal or other AWS managed applications.

For considerations such as how IAM Identity Center identity sources might affect the extended session duration, see [Session duration considerations for using identity sources, the AWS CLI, and AWS SDKs](user-session-duration-prereqs-considerations.md).

**Note**  
Kiro is accessible from consoles set to commercial AWS Regions that are enabled by default. If your IAM Identity Center instance is located in a Region where Kiro isn't currently accessible, enabling 90-day extended session duration won't override the default setting. This means that your session duration remains unchanged, whether you enable 90-day extended session duration or not. For information, see [Supported AWS Regions for Kiro](https://docs.aws.amazon.com//amazonq/latest/qdeveloper-ug/regions.html).

**To extend a session for Kiro**

1. Open the IAM Identity Center console.

1. Choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. Under **Authentication**, next to **Session duration**, choose **Configure**. A **Configure session duration** dialog box appears.

1. In the **Configure session duration** dialog box, select the **Enable extended sessions for Kiro** check box. Clear the check box to disable extended sessions for Kiro.

1. Choose **Save** to return to the **Settings** page.

# View and end active sessions for your workforce users
<a name="end-active-sessions"></a>

As an IAM Identity Center administrator, you can view the list of your workforce users' active sessions, and if required, end one or more sessions for a user. For example, you might need to end a user's sessions when:
+ The user no longer requires the sessions.
+ The user shouldn't maintain their current authentication state. This can occur when they leave the company or their permissions change.

You can view and end these sessions by using the IAM Identity Center console. Your users can also view and end their own sessions by using the AWS access portal. For information about how your workforce users can view and end their sessions without assistance from an administrator, see [Viewing and ending your active session](end-user-how-to-end-active-sessions-accessportal.md).

**Note**  
Ending an active session for an IAM Identity Center user doesn't end any active IAM role sessions in the AWS Management Console or AWS CLI. For more information, see [Understanding authentication sessions in IAM Identity Center](authconcept.md).

**To end an active session for a workforce user (IAM Identity Center console)**

1. Open the IAM Identity Center console.

1. Choose **Users**.

1. On the **Users** page, choose the username of the user whose sessions you want to manage. This takes you to a page with the user's information.

1. On the user's page, choose the **Active sessions** tab. The number in parentheses next to **Active sessions** indicates the number of active sessions for this user.

1. **Search for user background sessions (optional)**

   To search for sessions by the Amazon Resource Name (ARN) of the job that is using the session, in the **Session type** list, choose **User background sessions**, and then enter the job ARN in the search box.
**Note**  
You can only end active sessions that are loaded. If a user has many sessions, choose **Load more active sessions** to display additional sessions.

1. Select the check box next to each session that you want to end, and then choose **End sessions**.

1. A dialog box appears that confirms you are ending active sessions for this user. Review the information, and if you want to continue, type `confirm`, and then choose **End sessions**.

1. You are returned to the user's page. A green notification message appears to indicate that the selected sessions were successfully ended.

# Session duration considerations for using identity sources, the AWS CLI, and AWS SDKs
<a name="user-session-duration-prereqs-considerations"></a>

Following are considerations for configuring the session duration if you use Microsoft Active Directory (AD) or an external identity provider (IdP) as the identity source, or the AWS Command Line Interface, AWS Software Development Kits (SDKs), or other AWS development tools to access AWS services programmatically.

## Microsoft Active Directory, user interactive sessions, and extended sessions for Kiro
<a name="user-session-duration-microsoft-ad"></a>

If you use Microsoft Active Directory (AD) as the identity source and you configure the session duration for user interactive sessions or extended sessions for Kiro, keep the following considerations in mind. 

**Note**  
These considerations do not apply to user background sessions.

Whether you use AWS Managed Microsoft AD or AD Connector configured in AWS Directory Service, the maximum lifetime for user Kerberos tickets defined in Microsoft AD can affect how long user interactive sessions and extended sessions for Kiro are valid. For more information about this setting, see [Maximum lifetime for user ticket](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket) on the Microsoft website.
+ **AWS Managed Microsoft AD**: If you use AWS Managed Microsoft AD configured in AWS Directory Service, the maximum lifetime for user Kerberos tickets is fixed at 10 hours. Therefore, the user interactive session duration is set to the shorter of the IAM Identity Center setting and 10 hours. For example, if you set the user interactive session duration to 12 hours, your users must re-authenticate in the AWS access portal after 10 hours. The same 10-hour limit applies to extended sessions for Kiro.
+ **AD Connector**: If you use AD Connector configured in AWS Directory Service, the maximum lifetime for user Kerberos tickets is defined in Microsoft AD behind the AD Connector. The default value is 10 hours, and it has the same effect on user interactive sessions and extended sessions as for AWS Managed Microsoft AD. Although this limit might be configurable in Microsoft AD, we recommend that you work with your IT administrator to consider the risks, especially because this setting can affect the session duration for other Microsoft AD client applications.

## External identity providers, user interactive sessions, and extended sessions for Kiro
<a name="user-session-duration-external-idps"></a>

If you use an external identity provider (IdP) and you configure the session duration for user interactive sessions or extended sessions for Kiro, keep the following considerations in mind.

**Note**  
These considerations do not apply to user background sessions.

IAM Identity Center uses the `SessionNotOnOrAfter` attribute from SAML assertions to help determine how long the session can be valid.
+ If `SessionNotOnOrAfter` is not passed in a SAML assertion, the duration of an AWS access portal (user interactive) session and an extended session is not impacted by the duration of your external IdP session. For example, if your IdP session duration is 24 hours and you set an 18-hour session duration in IAM Identity Center, your users must re-authenticate in the AWS access portal after 18 hours. Similarly, if you set a 90-day extended session for Kiro, your Kiro users need to re-authenticate after 90 days.
+ If `SessionNotOnOrAfter` is passed in a SAML assertion, the session duration value is set to the shorter of the AWS access portal (user interactive) session or extended session duration and your SAML IdP session duration. If you set a 72-hour session duration in IAM Identity Center and your IdP has a session duration of 18 hours, your users will have access to AWS resources for the 18 hours defined in your IdP. Similarly, if you set a 90-day extended session for Kiro, your Kiro users need to re-authenticate in Kiro after 18 hours.
+ If the session duration of your IdP is longer than the one set in IAM Identity Center, your users can start a new IAM Identity Center session without re-entering their credentials, based on their still-valid login session with your IdP.
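Both limits described above, the Kerberos ticket lifetime for AD-backed identity sources and the SAML `SessionNotOnOrAfter` attribute for external IdPs, reduce to the same rule: the effective session is the shorter of the IAM Identity Center setting and the identity-source limit, and an absent `SessionNotOnOrAfter` imposes no limit. The following Python is an added example, not code from the IAM Identity Center documentation or service; the sign-in time, the SAML assertion fragments and the durations are constructed, and the Kerberos ticket lifetime is passed in as an assumed value rather than read from a directory.

```python
# Added example, not from the IAM Identity Center documentation: applies the
# "shorter of" rules to compute when a user interactive session ends.
# The SAML assertions, sign-in time and durations below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MIN_MINUTES, MAX_MINUTES = 15, 129_600  # 15 minutes to 90 days, the console's range
SIGNED_IN_AT = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed sign-in time

# Constructed assertion fragment: the IdP session ends 18 hours after sign-in.
ASSERTION_WITH_LIMIT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T08:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T08:00:00Z"
      SessionNotOnOrAfter="2024-01-02T02:00:00Z"/>
</saml:Assertion>"""
# The same assertion without the attribute: the IdP session length then has no effect.
ASSERTION_NO_LIMIT = ASSERTION_WITH_LIMIT.replace(
    ' SessionNotOnOrAfter="2024-01-02T02:00:00Z"', "")

def duration_in_range(minutes: int) -> bool:
    """True if the Configure session duration dialog would accept this value."""
    return MIN_MINUTES <= minutes <= MAX_MINUTES

def session_not_on_or_after(assertion_xml: str) -> Optional[datetime]:
    """SessionNotOnOrAfter from the AuthnStatement, or None when the IdP omits it."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "SessionNotOnOrAfter" not in stmt.attrib:
        return None
    return datetime.fromisoformat(stmt.attrib["SessionNotOnOrAfter"].replace("Z", "+00:00"))

def effective_session_end(configured_minutes: int, assertion_xml: Optional[str] = None,
                          kerberos_ticket_hours: Optional[float] = None,
                          signed_in_at: datetime = SIGNED_IN_AT) -> datetime:
    """Shorter of the IAM Identity Center setting and any identity-source limit."""
    if not duration_in_range(configured_minutes):
        raise ValueError(f"duration must be {MIN_MINUTES}-{MAX_MINUTES} minutes")
    end = signed_in_at + timedelta(minutes=configured_minutes)
    if assertion_xml is not None:  # external IdP: capped only if the attribute is present
        idp_end = session_not_on_or_after(assertion_xml)
        if idp_end is not None:
            end = min(end, idp_end)
    if kerberos_ticket_hours is not None:  # AWS Managed Microsoft AD or AD Connector
        end = min(end, signed_in_at + timedelta(hours=kerberos_ticket_hours))
    return end

def effective_duration_hours(configured_minutes: int, assertion_xml: Optional[str] = None,
                             kerberos_ticket_hours: Optional[float] = None) -> float:
    """Effective session length in hours, measured from the constructed sign-in time."""
    end = effective_session_end(configured_minutes, assertion_xml, kerberos_ticket_hours)
    return (end - SIGNED_IN_AT).total_seconds() / 3600
```

With the page's own figures, a 72-hour setting against an 18-hour `SessionNotOnOrAfter` yields 18 hours, and a 12-hour setting behind a 10-hour Kerberos ticket yields 10 hours.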

## AWS CLI and SDK sessions
<a name="user-session-duration-cli-sdks"></a>

If you are using the AWS CLI, AWS SDKs, or other AWS development tools to access AWS services programmatically, the following prerequisites must be met to set session duration for the AWS access portal and the AWS managed applications.
+ You must [configure the AWS access portal session duration](user-interactive-sessions.md) in the IAM Identity Center console.
+ You must define a profile for single sign-on settings in your shared AWS config file. This profile is used to connect to the AWS access portal. We recommend that you use the SSO token provider configuration. With this configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens. For more information, see [SSO token provider configuration](https://docs.aws.amazon.com//sdkref/latest/guide/feature-sso-credentials.html#sso-token-config) in the *AWS SDK and Tools Reference Guide*.
+ Users must run a version of the AWS CLI or an SDK that supports session management.

### Minimum versions of the AWS CLI that support session management
<a name="min-supported-cli-session-duration"></a>

Following are the minimum versions of the AWS CLI that support session management.
+ AWS CLI V2 2.9 or later
+ AWS CLI V1 1.27.10 or later

**Note**  
For account access use cases where your users run the AWS CLI, if you refresh your permission set just before the IAM Identity Center session is set to expire, and the session duration is set to 20 hours while the permission set duration is set to 12 hours, the AWS CLI session runs for a maximum of 20 hours plus 12 hours, for a total of 32 hours. For more information about the IAM Identity Center CLI, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/identitystore).

### Minimum versions of SDKs that support IAM Identity Center session management
<a name="min-supported-sdks-session-duration"></a>

Following are the minimum versions of the SDKs that support IAM Identity Center session management.

| SDK | Minimum version | 
| --- | --- | 
| Python | 1.26.10 | 
| PHP | 3.245.0 | 
| Ruby | aws-sdk-core 3.167.0 | 
| Java V2 | AWS SDK for Java v2 (2.18.13) | 
| Go V2 | Whole SDK: release-2022-11-11 and specific Go modules: credentials/v1.13.0, config/v1.18.0 | 
| JS V2 | 2.1253.0 | 
| JS V3 | v3.210.0 | 
| C++ | 1.9.372 | 
| .NET | v3.7.400.0 | 