SSO Timeout

  • Question

  • I'm looking for some input on how to extend the ADFS session timeout in certain scenarios.  Here's the scenario...

    ADFS SSO timeout is set for 1 hour. 

1.  User authenticates via ADFS and is logged into Application A

    2.  User is actively using Application A for 2 hours.

    3.  User accesses Application B and must now re-authenticate since the ADFS timeout has expired.  Ideally, we would like the user to be SSOd into Application B.

    Does anyone have a good solution to this problem to extend the ADFS session when a user is actively working with an application?  Possibly have the application notify ADFS to extend the session.  Maybe there is something in WS-Fed or SAML that could do this???  I know it's cookie based so the first thing that popped into my head was a hidden iframe but that feels hacky.  I'm looking for a more standards based solution.  If the answer is "No" because of security reasons that is acceptable. 



    Wednesday, May 4, 2011 3:37 PM

All replies

  • ADFS 2 has a PowerShell command that will allow you to modify the SSO Lifetime property.  If you call Get-AdfsProperties you will see a property SsoLifetime and I believe the default is 480.  You can use Set-AdfsProperties (http://technet.microsoft.com/en-us/library/ee892317.aspx) to update it.  I believe it's set in minutes, but I haven't actually found any documentation on it that specifies what it is.


    Developer Security MVP | http://www.steveonsecurity.com
    Wednesday, May 4, 2011 7:30 PM
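    As an added example (not code from the thread), the check-then-set flow for the SsoLifetime property using the Get-AdfsProperties and Set-AdfsProperties cmdlets named above; the snap-in name is the ADFS 2.0 one, and the application-session and policy-ceiling values are constructed.

    ```powershell
    # Added example: inspect the ADFS 2.0 SSO lifetime (in minutes) and raise it
    # only as far as a local policy ceiling allows. Runs on the ADFS server.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 snap-in (assumed)

    $appSessionMinutes = 120   # constructed: longest active session Application A permits
    $policyCeiling     = 480   # constructed: longest SSO lifetime local policy tolerates

    $current = (Get-AdfsProperties).SsoLifetime
    Write-Host "SsoLifetime is currently $current minutes"

    if ($current -ge $appSessionMinutes) {
        Write-Host "SSO lifetime already covers the application session; nothing to change."
    }
    elseif ($appSessionMinutes -gt $policyCeiling) {
        # A longer SSO lifetime also lengthens the window in which a captured ADFS
        # session cookie remains usable, so refuse to go past the ceiling.
        Write-Warning "Requested $appSessionMinutes minutes exceeds the policy ceiling of $policyCeiling; not changed."
    }
    else {
        Set-AdfsProperties -SsoLifetime $appSessionMinutes
        Write-Host "SsoLifetime raised to $((Get-AdfsProperties).SsoLifetime) minutes"
    }
    ```

    This only lengthens the fixed lifetime; it does not make the ADFS session slide with application activity, which is the behaviour the thread is asking about.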
  • I know you can modify the SSO timeout in ADFS.  I'm referring to a different scenario as described in the previous thread.  Essentially, it's possible that ADFS will timeout before the user times out of the application they are using.  In this case, I would like to "slide" the ADFS timeout. I'm looking for a way for an application to notify ADFS that a user is actively using an application and should therefore extend its timeout in ADFS. 

    Wednesday, May 4, 2011 10:16 PM
  • What previous thread?

    There is no official way, as WS-Fed Passive doesn't support the renew behavior.  The iframe route isn't a terrible idea, but it's a bit cumbersome.  One thing you could do is create an Http Handler that returns a transparent 1x1 pixel image, which extends the lifetime of the ADFS cookies.  Then stick a pointer to it on the bottom of your site's master page.  It seems like there should be a simpler route.

    I wonder if just pointing to an image hosted within the ADFS site will extend the cookies.


    Developer Security MVP | http://www.steveonsecurity.com
    Wednesday, May 4, 2011 10:42 PM
  • I was referring to the original post.  That's a good idea about the image and a handler.  I might give that a shot. 
    Wednesday, May 4, 2011 11:36 PM
  • We have same requirement as Shawn.  We cannot seem to extend the lifetime of the ADFS cookies.  Has anyone been able to get either the iframe or http handler approach working?  Any alternative solutions?
    Friday, October 14, 2011 5:13 AM
  • According to Microsoft it's in minutes: https://technet.microsoft.com/en-us/library/gg188586%28v=crm.6%29.aspx
    Monday, May 23, 2016 11:14 PM