How do I increase session timeout with W.I.F / SAML tokens / FedAuth cookie

Question

I think the default timeout is something like every half hour.

I'd like to change this to 2 weeks. Anyone got any ideas?

Is this done usually from the STS side or the client side? Is forms authentication getting in the way too, or is that now irrelevant?

Answer 1

The description about persistentSessionLifetime in MSDN is not true. For example, if you set it to 1.6:13:45.0, the cookie will expire after 30 hours (1 day + 6 hours) 13 minutes and 45 seconds +/- the maximumClockSkew from <identityConfiguration>. So the description from MSDN should be like the one from TimeSpan: [-]d.hh:mm:ss.ff. I hope Microsoft changes the wrong description.

Answer 2

If the cookie is timing out you can also look at using sliding sessions in your WIF application.

This means that the cookie will continue to be re-established while the user is "using" the application.

http://www.cloudidentity.com/blog/2013/05/08/sliding-sessions-for-wif-4-5/

Answer 3

I just fixed this myself, persistentCookiesOnPassiveRedirects needs to be enabled on the RP

In your web.config you need:

<microsoft.identityModel>
      <federatedAuthentication>
        <wsFederation
            persistentCookiesOnPassiveRedirects="true" />
        <cookieHandler 
          persistentSessionLifetime="60.0:0:0" />
      </federatedAuthentication>
</microsoft.identityModel>

Answer 4

The timeout for the FedAuth token may be managed in the web.config for the claims-aware application. An example with documentation may be found here. Keep in mind, though, that there is the STS-side of the coin and that the timeout may need to be increased there as well to prevent the user from having to sign-in again when moving from one application to another after an extended period.