Karthik

Reputation: 3155

ADFS 2.0 Session TimeOut in a SSO scenario

We are currently working on an SSO project which uses ADFS 2.0 as an IDP/CP trust. One of the basic requirements w.r.t. application design is to re-authenticate the user after an idle period (can be anything). After extensive search I found only a few implementations (apart from the SharePoint examples) which speak about the WebSSOLifetime and TokenLifeTime settings on the ADFS server. I understand WebSSOLifeTime is a server-wide setting (default value: 480) and TokenLifeTime is an RP-level setting (default value 0 - 10 hours) for token expiry. To randomly test the settings, I changed the WebSSOLifetime value to 5 mins and TokenLifeTime to 3 mins for my RP application. But it didn't trigger the re-authentication after an idle period of 5 minutes (as set in WebSSOLifetime). The RP applications I tested include Google Apps (ADFS-integrated SSO) and a single-page application to test the claim values. It will be great if someone can post any relevant pointers to the ADFS 2.0 session maintenance features.

Upvotes: 2

Views: 7802

Answers (1)

Karthik

Reputation: 3155

I found the solution to this after some sweat. This post on Stack Overflow did provide me a starting point (Thanks a ton for that!). The key parameter that controls the login prompt for the IP/STS is the freshness value (which is an optional parameter as mentioned in the OASIS documentation).

This parameter (set as freshness="0"), when included in the federatedAuthentication section of your web.config, will prompt the IDP to check the freshness value of the token based on the current time in the wct parameter. After that I found (after a lot of testing) that the TokenLifeTime set through the shell script comes into the picture. This (TokenLifeTime) controls the time the user can be active before redirecting him to the login screen.

As you can see in the request URL: https://XXX/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fXXX%2fXXX&wfresh=0&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fXXX%252fDefault.aspx&wct=2013-02-14T01%3a36%3a17Z

The wfresh and wctx values are passed to the IDP for verification.

I'm still unsure how everything (freshness, TokenLifetime and WebSSOLifetime) syncs up behind the scenes. A good explanation about the background would be very helpful (and of course will add some more reputation :) ).

Upvotes: 2
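The web.config fragment the answer refers to, as an added example that is not from the original post: it uses the WIF 3.5 (Microsoft.IdentityModel) schema that ADFS 2.0-era relying parties use, and the host names, realm and certificate thumbprint are placeholders.

```xml
<!-- web.config fragment for a WIF 3.5 relying party (assumed schema: Microsoft.IdentityModel).
     adfs.example.com, rp.example.com and the thumbprint are placeholders, not values from the post. -->
<microsoft.identityModel>
  <service>
    <audienceUris>
      <!-- Tokens are only accepted if their audience matches this RP identifier. -->
      <add value="https://rp.example.com/MyApp/" />
    </audienceUris>
    <federatedAuthentication>
      <!-- freshness="0" makes WIF append wfresh=0 to every sign-in redirect, which
           asks the IP/STS to re-prompt the user for credentials instead of silently
           reusing its existing SSO session. Without this attribute no wfresh
           parameter is sent, so lowering WebSSOLifetime alone does not force a logon. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.example.com/adfs/ls/"
                    realm="https://rp.example.com/MyApp/"
                    requireHttps="true"
                    freshness="0" />
      <!-- The RP session cookie is only ever sent over TLS. -->
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <!-- Only tokens signed by the configured ADFS token-signing certificate are trusted. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="PLACEHOLDER-ADFS-TOKEN-SIGNING-THUMBPRINT"
             name="https://adfs.example.com/adfs/services/trust" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
```

The per-RP TokenLifeTime (in minutes) that the answer mentions is not a web.config setting; it is set on the ADFS side with Set-ADFSRelyingPartyTrust -TokenLifetime, and WebSSOLifetime with Set-ADFSProperties -SsoLifetime.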
