**DurationSeconds** (Integer/ Optional): The duration in seconds of the session.
Its default value is 3600.
- **ExternalId** (String/ Optional): A unique Id that might be used when a role is
+ **ExternalId** (String/ Optional): A unique ID that might be used when a role is
assumed in another account.
- **SerialNumber** (String/ Optional): The Id number of the MFA device associated
+ **SerialNumber** (String/ Optional): The ID number of the MFA device associated
with the user making the AssumeRole call.
**TokenCode** (String/ Optional): The value provided by the MFA device, if the
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/<URL of IDP>\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"<URL of IDP> :azp\":\"<azp>\"\}\}\}\]\}"
-A shadow user is created corresponding to every federated user. The user id is derived from the 'sub' field of the incoming web token.
-The user is created in a separate namespace - 'oidc' such that the user id doesn't clash with any other user ids in RGW. The format of the user id
-is - ``<tenant>$<user-namespace>$<sub>`` where user-namespace is 'oidc' for users that authenticate with oidc providers.
+A shadow user is created corresponding to every federated user. The user ID is derived from the ``sub`` field of the incoming web token.
+The user is created in a separate namespace ``oidc`` such that the user ID doesn't clash with any other user IDs in RGW. The format of the user ID
+is ``<tenant>$<user-namespace>$<sub>`` where ``user-namespace`` is ``oidc`` for users that authenticate with OIDC providers.
RGW now supports Session tags that can be passed in the web token to AssumeRoleWithWebIdentity call. More information related to Session Tags can be found here
:doc:`session-tags`.