Default token lifetime for relying party trusts?

Answers

  • In ADFS you always use the system through some configured Claims Provider Trust. After all the rules of the respective claims provider trusts have been processed, a security token is generated with the resulting claims for the ADFS STS itself. Consider this the IdP (Identity Provider) security token. That IdP security token has a default lifetime of 480 minutes. In the GUI (Federation Service properties, General tab) you will see the Web SSO Lifetime. That same value can be seen through PowerShell by using the cmdlet Get-ADFSProperties and looking at the "SsoLifetime" property.

    Based upon the application you are trying to access, the claims rules configured on the relying party trust that represents the application will be processed, with the IdP security token and its claims as the input. The output after processing the claims rules of the relying party trust will be another security token with claims. This is the security token that will be used for the application (or the upstream STS, if applicable). Consider this the SP (Service Provider) security token. That SP security token has a default lifetime of 60 minutes. You cannot view or change this value through the GUI. The lifetime of the SP security token can be seen through PowerShell by using the cmdlet Get-ADFSRelyingPartyTrust "<RP Trust Name>" and looking at the "TokenLifetime" property. The value specified is measured in minutes. When the specified value is 0 (zero), it defaults to the value of 60 minutes.

    You can see through Fiddler that it is 60 minutes after accessing some application for which the relying party trust is configured with the default value (0). Fiddler will not show the lifetime; it will show the creation time and the expiration time. The difference is of course the token lifetime.

    <t:RequestSecurityTokenResponse>
      <t:Lifetime>
        <wsu:Created>2013-09-06T06:40:36.824Z</wsu:Created>
        <wsu:Expires>2013-09-06T07:40:36.824Z</wsu:Expires>
      </t:Lifetime>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>urn:application:Sharepoint2010</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestedSecurityToken>
        <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_d20ccc5d-cf88-4a90-b304-1736ffe484f0" Issuer="urn:federation:adfs" IssueInstant="2013-09-06T06:40:36.839Z">
          <saml:Conditions NotBefore="2013-09-06T06:40:36.824Z" NotOnOrAfter="2013-09-06T07:40:36.824Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>urn:application:Sharepoint2010</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:SubjectConfirmation>
                <!-- remainder of the captured response not included in the post -->


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    • Marked as answer by jadedpuppy Friday, September 6, 2013 2:25 PM
    Friday, September 6, 2013 7:00 AM
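The checks described in the answer above, as an added PowerShell example that is not part of the original post or of any ADFS documentation. It assumes the ADFS module cmdlets Get-AdfsProperties, Get-AdfsRelyingPartyTrust and Set-AdfsRelyingPartyTrust (only needed by the audit functions, which must run on an ADFS server); the function names, the OutlivesSsoSession flag and the RP name 'Sharepoint2010' used in the commented usage line are the example's own. The RSTR it parses is a constructed sample built from the values shown in the answer, with the namespace declarations that Fiddler's tree view omits; it is not a live capture.

```powershell
# Added example, not from the original post. Audits the two ADFS lifetimes the answer
# describes and cross-checks a captured RSTR. The audit functions need the ADFS module
# (Get-AdfsProperties, Get-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust) on an
# ADFS server; Test-CapturedTokenLifetime runs anywhere PowerShell does.

# The stored TokenLifetime is in minutes, and 0 means "use the default", which is 60.
function Get-EffectiveTokenLifetime {
    param([int]$ConfiguredMinutes)
    if ($ConfiguredMinutes -le 0) { return 60 }
    return $ConfiguredMinutes
}

# One row per relying party trust: configured vs. effective SP token lifetime next to
# the server-wide Web SSO lifetime (the IdP token). OutlivesSsoSession flags RPs whose
# SP token is still valid after the ADFS SSO session itself has expired.
function Get-AdfsTokenLifetimeReport {
    $ssoLifetime = (Get-AdfsProperties).SsoLifetime
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $effective = Get-EffectiveTokenLifetime -ConfiguredMinutes $_.TokenLifetime
        [pscustomobject]@{
            RelyingParty       = $_.Name
            Identifier         = ($_.Identifier -join ', ')
            ConfiguredMinutes  = $_.TokenLifetime
            EffectiveMinutes   = $effective
            SsoLifetimeMinutes = $ssoLifetime
            OutlivesSsoSession = ($effective -gt $ssoLifetime)
        }
    }
}

# Set an explicit SP token lifetime (minutes) for one application and read it back.
function Set-RpTokenLifetime {
    param([string]$RpName, [int]$Minutes)
    Set-AdfsRelyingPartyTrust -TargetName $RpName -TokenLifetime $Minutes
    (Get-AdfsRelyingPartyTrust -Name $RpName).TokenLifetime
}

# Parse an RSTR captured with Fiddler: lifetime from t:Lifetime (Created/Expires) and
# from saml:Conditions (NotBefore/NotOnOrAfter), which should agree, plus an audience
# check so the token you are looking at is really the one issued for the RP you expected.
function Test-CapturedTokenLifetime {
    param([string]$RstrXml, [string]$ExpectedAudience)
    [xml]$doc = $RstrXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('t',    'http://schemas.xmlsoap.org/ws/2005/02/trust')
    $ns.AddNamespace('wsu',  'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd')
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')

    $created      = [datetimeoffset]::Parse($doc.SelectSingleNode('//t:Lifetime/wsu:Created', $ns).InnerText)
    $expires      = [datetimeoffset]::Parse($doc.SelectSingleNode('//t:Lifetime/wsu:Expires', $ns).InnerText)
    $cond         = $doc.SelectSingleNode('//saml:Assertion/saml:Conditions', $ns)
    $notBefore    = [datetimeoffset]::Parse($cond.GetAttribute('NotBefore'))
    $notOnOrAfter = [datetimeoffset]::Parse($cond.GetAttribute('NotOnOrAfter'))
    $audience     = $doc.SelectSingleNode('//saml:Audience', $ns).InnerText

    [pscustomobject]@{
        Audience            = $audience
        AudienceMatches     = ($audience -eq $ExpectedAudience)
        RstrLifetimeMinutes = ($expires - $created).TotalMinutes
        SamlLifetimeMinutes = ($notOnOrAfter - $notBefore).TotalMinutes
        LifetimesAgree      = (($expires - $created) -eq ($notOnOrAfter - $notBefore))
        ExpiredNow          = ([datetimeoffset]::UtcNow -ge $notOnOrAfter)
    }
}

# Constructed sample built from the values in the answer above, with the namespace
# declarations that Fiddler's tree view does not show; this is not a live capture.
$sampleRstr = @'
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <t:Lifetime>
    <wsu:Created>2013-09-06T06:40:36.824Z</wsu:Created>
    <wsu:Expires>2013-09-06T07:40:36.824Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>urn:application:Sharepoint2010</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_d20ccc5d-cf88-4a90-b304-1736ffe484f0" Issuer="urn:federation:adfs" IssueInstant="2013-09-06T06:40:36.839Z">
      <saml:Conditions NotBefore="2013-09-06T06:40:36.824Z" NotOnOrAfter="2013-09-06T07:40:36.824Z">
        <saml:AudienceRestrictionCondition><saml:Audience>urn:application:Sharepoint2010</saml:Audience></saml:AudienceRestrictionCondition>
      </saml:Conditions>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@

Test-CapturedTokenLifetime -RstrXml $sampleRstr -ExpectedAudience 'urn:application:Sharepoint2010'

# On an ADFS server (hypothetical RP name):
# Get-AdfsTokenLifetimeReport | Format-Table -AutoSize
# Set-RpTokenLifetime -RpName 'Sharepoint2010' -Minutes 10
```

The report deliberately shows the effective value rather than the stored 0, because a script that compares the raw TokenLifetime against SsoLifetime would treat every defaulted RP as having a zero-minute token. When reviewing a capture, check the audience before trusting the lifetime numbers: an RSTR for a different RP in the same Fiddler session will have its own Created/Expires pair.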

All replies

  • As far as I'm aware, the settings in that SO article you referenced are correct.

    • WebSSOLifetime – Server wide timeout parameter – Default value = 480 mins
    • TokenLifetime – This is configured for each Relying party – Default value = 10 hours

    You can easily check the ADFS setting by going to the home page of the ADFS MMC and clicking "Edit Federation Service Properties".

    The SO article explains the WebSSOLifetime scenario:

    "With the above settings, In order to prompt a user to re-authenticate, we require WebSSOLifetime to be lower than the TokenLifetime."


    • Edited by nzpcmad1 Thursday, September 5, 2013 11:54 PM Format
    Thursday, September 5, 2013 11:54 PM