We are currently working on an SSO project which uses ADFS 2.0. as an IDP/CP trust. One of the basic requirement w.r.t application design is to re-authenticate user after an idle period (can be anything). After extensive search I found only few implementation (apart from the SharePoint examples) which speaks about WebSSOlifetime and TokenLifeTime settings in ADFS server. I understand WebSSOLifeTime is a Server wide setting (default value:480) and TokenLifeTime is a RP level setting (default value 0 – 10 hours) for token expiry. To randomly test the settings, I changed the WebSSOlifetime value to 5 mins and TokenLifeTime to 3 mins for my RP application. But it didn’t trigger the re-authentication after an idle period of 5 minutes(as set in WebSSOlifetime). The RP applications I tested includes – Google apps – ADFS integrated SSO and a single page application to test the claim values. It will be great if someone can post any relevant pointers to the ADFS 2.0 Session maintenance features.
Share
I found the solution to this after some sweat. This post in the Stackoverflow did provide me a starting point (Thanks a ton for that ! ). The key parameter that controls the login prompt for IP/STS is the freshness value(which is an optional parameter as mentioned in the Oasis documentation).
This Parameter (set as freshness=”0″) when included in the federatedAuthentication section of your web.config will prompt the IDP to check the freshness value of the token based on the current time in WCT parameter. After that I found (after lot of testing) that the TokenLifeTime set through shell script come into picture. This (TokenLifeTime) controls the time the user can be active before redirecting him to the login screen.
As you can see in the request URL :
https://XXX/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fXXX%2fXXX&wfresh=0&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fXXX%252fDefault.aspx&wct=2013-02-14T01%3a36%3a17ZThe wfresh and wctx value is passed to the IDP for verification.
I’m still unsure how everything (freshness,TokenLifetime and WebSSOLifetime) sync’s up behind the scenes. A good explanation about the background would be very helpful (and of course will add some more reputation 🙂 ).