I’m developing a web application using ASP.NET MVC + WCF secured by WIF. I’m using an active STS.
I have a problem with the situation where the BootstrapToken has expired but the SessionSecurityToken is still valid because of sliding expiration. I get the exception:
ID3242: The security token could not be authenticated or authorized.
- Can I extend the bootstrap token expiration time?
- Is it valid behavior of the SAM that it doesn’t check whether the bootstrap token inside the cookie has expired? What is the best place to check that – in the same event where I slide the session expiration?
The SAM does not include the bootstrap token in the session cookie. Once the SAM validates it and establishes a session, the bootstrap token is actually discarded by default. So to answer your questions:
- Only the identity provider that signed the bootstrap token has control over the token’s lifetime. The SAM cannot change this.
- The SAM only validates the bootstrap expiration time during authentication. Once it’s done this and a session is established, the SAM no longer needs the bootstrap token.
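As an added illustration (not the answerer’s code) of where such a check would go if the application does keep the bootstrap token: the sliding-expiration handler below also caps the session lifetime at the bootstrap token’s ValidTo and ends the session once that token has expired. It assumes `saveBootstrapContext="true"` in web.config, that WIF’s `SessionAuthenticationModule` is registered under that name so the Global.asax method is auto-wired, and that the retained `BootstrapContext` still exposes a `SecurityToken` (otherwise no cap is applied).

```csharp
// Global.asax.cs (added example). Assumes <identityConfiguration saveBootstrapContext="true">,
// otherwise the SAM discards the bootstrap token and bootstrapExpiry is always null.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

public class MvcApplication : System.Web.HttpApplication
{
    // Auto-wired by ASP.NET: raised by the SAM on every request carrying a session cookie.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var sam = (SessionAuthenticationModule)sender;
        DateTime now = DateTime.UtcNow;
        SessionSecurityToken session = e.SessionToken;

        // Earliest expiry among the bootstrap tokens still carried in the session.
        // Null when none was retained or only the raw token string survived (assumption).
        DateTime? bootstrapExpiry = session.ClaimsPrincipal.Identities
            .Select(id => id.BootstrapContext as BootstrapContext)
            .Where(bc => bc != null && bc.SecurityToken != null)
            .Select(bc => (DateTime?)bc.SecurityToken.ValidTo)
            .Min();

        if (bootstrapExpiry.HasValue && bootstrapExpiry.Value <= now)
        {
            // The STS-issued token the WCF calls rely on is gone; a slid cookie cannot
            // revive it, so drop the session and let the app re-authenticate the user.
            sam.SignOut();
            e.Cancel = true; // this request is treated as anonymous
            return;
        }

        // Standard sliding expiration, but the new ValidTo never passes the bootstrap expiry.
        TimeSpan lifetime = session.ValidTo - session.ValidFrom;
        bool pastHalfway = now > session.ValidFrom + TimeSpan.FromTicks(lifetime.Ticks / 2);
        if (now < session.ValidTo && pastHalfway)
        {
            DateTime newValidTo = now + lifetime;
            if (bootstrapExpiry.HasValue && bootstrapExpiry.Value < newValidTo)
                newValidTo = bootstrapExpiry.Value; // cap: session cannot outlive the token

            e.SessionToken = sam.CreateSessionSecurityToken(
                session.ClaimsPrincipal, session.Context, now, newValidTo, session.IsPersistent);
            e.ReissueCookie = true;
        }
    }
}
```

Keeping the bootstrap token in the session cookie makes the cookie considerably larger and should be weighed against simply re-requesting a token from the STS when the WCF call fails.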