AWS Client - Mapping different session duration to each federated AWS IAM Role

Hello everyone,

I am trying to map different values for session duration to each individual AWS IAM Role that I am using Keycloak to federate users into.

However, I am not seeing how I can map that on a per IAM Role basis using a javascript mapper.

Right now, my implementation just uses a static session duration mapper across all the roles, which is not ideal as I want DEV environment account roles to have a longer duration than my PROD environment account roles.

Is this possible? If so, can you give me some advice on how to achieve this?

Could you share your scripted mappers, please? I’m interested especially in that Session Role and Session Duration. I don’t see a reason why it shouldn’t be possible to code business logic for a dynamic Session Duration value.

Thanks for the reply. I currently have the role mapper code working correctly; it gets all the current user’s groups and then I use those group names to generate a simple array of role mappings which are returned from that scripted mapper. It is just a simple array of strings, i.e. the SAML role mappings in the following form:

arn:aws:iam::<REDACTED_ID>:role/TEAM_DEV-Admin,arn:aws:iam::<REDACTED_ID>:saml-provider/REDACTED
arn:aws:iam::<REDACTED_ID>:role/TEAM_STG-Admin,arn:aws:iam::<REDACTED_ID>:saml-provider/REDACTED
arn:aws:iam::<REDACTED_ID>:role/TEAM_PRD-ReadOnly,arn:aws:iam::<REDACTED_ID>:saml-provider/REDACTED

HOW do I map different values of session timeouts to these roles, within the session mapper?

From my initial investigation, you can only assign ONE session timeout that applies to ALL the roles. In my case, I do not want that. I want to have different AWS IAM Role session timeouts defined by environment type (dev/stg/prd).

I just don’t know if there is some sort of object/field I am missing or if I can return an array of role names and their session timeout within Script Session Mapper section of the client.

Technically, it is a session duration and it is configured per SAML response. So you need to return only the exact role with the exact session duration in the SAML response.

In theory you need to pass the required env (stg/dev/prd) somehow to Keycloak (maybe in the SAML request, if that is possible) and then use that parameter to create the correct session duration value in the session duration mapper and to filter roles in the session role mapper.
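As an added illustration of the approach in the reply above (example code written for this thread, not a mapper from the original poster or from Keycloak), the logic below filters the role list to one environment and picks the matching SessionDuration, so the single duration in the response always agrees with the roles offered. It assumes a placeholder account id and provider name, group names of the form TEAM_<ENV>-<Role>, and that the requested environment is handed in as a parameter, since the thread leaves open how it reaches Keycloak; wiring this into the actual Script Mapper (where group names come from the user object) is not shown.

```javascript
// Added example: per-environment role and SessionDuration selection for
// the AWS SAML attributes. All identifiers below are assumptions/placeholders.
const ACCOUNT_ID = "123456789012";                                            // placeholder
const PROVIDER_ARN = "arn:aws:iam::" + ACCOUNT_ID + ":saml-provider/keycloak"; // placeholder

// Attribute names AWS expects in the assertion for IAM role federation.
const ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role";
const DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration";

// Desired session length per environment, in seconds: production shortest.
const SESSION_SECONDS = { DEV: 8 * 3600, STG: 4 * 3600, PRD: 3600 };

// AWS only accepts SessionDuration between 15 minutes and 12 hours; the
// role's own MaxSessionDuration must additionally allow the value.
const MIN_SECONDS = 900;
const MAX_SECONDS = 43200;

// Extract the environment from a group name such as "TEAM_PRD-ReadOnly".
function envOfGroup(groupName) {
  const m = /^TEAM_(DEV|STG|PRD)-/.exec(groupName);
  return m ? m[1] : null;
}

// Role mapper logic: keep only the roles of the requested environment, so the
// one SessionDuration in the response is valid for every role returned.
function roleMappings(groupNames, requestedEnv) {
  return groupNames
    .filter((g) => envOfGroup(g) === requestedEnv)
    .map((g) => "arn:aws:iam::" + ACCOUNT_ID + ":role/" + g + "," + PROVIDER_ARN);
}

// Session duration mapper logic: one value per response, chosen by environment.
function sessionDuration(requestedEnv) {
  const seconds = SESSION_SECONDS[requestedEnv];
  if (seconds === undefined) throw new Error("unknown environment: " + requestedEnv);
  if (seconds < MIN_SECONDS || seconds > MAX_SECONDS) throw new Error("outside AWS range");
  return seconds;
}

// Both attributes as they would appear in the assertion for one environment.
function samlAttributes(groupNames, requestedEnv) {
  const roles = roleMappings(groupNames, requestedEnv);
  if (roles.length === 0) throw new Error("no role for environment " + requestedEnv);
  const attrs = {};
  attrs[ROLE_ATTR] = roles;                                   // list of "roleArn,providerArn"
  attrs[DURATION_ATTR] = String(sessionDuration(requestedEnv)); // seconds, as a string
  return attrs;
}
```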