Thursday 22 March 2012

Setting ADFS Token Expiration times.

The SAML token lifetime is set by the token issuer (the resource ADFS server). You may find that it is too short and want to extend it.

Note that the valid session time is determined by both the ADFS SAML TokenLifeTime and the LogonTokenCacheExpirationWindow in SharePoint.
The SAML TokenLifeTime always needs to be greater than the LogonTokenCacheExpirationWindow in SharePoint.

The formula to apply here is as follows.
Valid Session time = TokenLifeTime - LogonTokenCacheExpirationWindow

To change the session times

On the resource ADFS server
The following script example shows how to change the lifetime of the SAML token that ADFS issues to the "SharePoint Adatum Portal" relying party to 480 minutes.

Add-PSSnapin Microsoft.ADFS.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "SharePoint Adatum Portal" -TokenLifetime 480

On the Resource SharePoint Farm
The following script example shows how to change the LogonTokenCacheExpirationWindow in SharePoint to two minutes.

$ap = Get-SPSecurityTokenServiceConfig
$ap.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)
$ap.Update()
iisreset
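The formula and the two settings above, worked through as an added example (this is not code from the original post): a PowerShell function that takes the ADFS TokenLifetime and the SharePoint LogonTokenCacheExpirationWindow, enforces the rule that the lifetime must exceed the window, and returns the resulting valid session time. The function name and parameter names are this example's own choice.

```powershell
# Added example, not from the original post. Checks the relationship between the
# ADFS TokenLifetime and the SharePoint LogonTokenCacheExpirationWindow and
# returns the valid session time the post's formula gives.
function Test-SamlSessionWindow {
    param(
        # Minutes, as reported by (Get-AdfsRelyingPartyTrust -Name '<RP name>').TokenLifetime
        [Parameter(Mandatory=$true)] [int] $TokenLifetimeMinutes,
        # TimeSpan, as reported by (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
        [Parameter(Mandatory=$true)] [TimeSpan] $LogonTokenCacheExpirationWindow
    )
    $lifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes
    $window   = $LogonTokenCacheExpirationWindow

    # The post's rule: TokenLifeTime must always be greater than the cache expiration
    # window. Fail loudly rather than report a zero or negative session time.
    if ($lifetime -le $window) {
        throw ("TokenLifetime ({0}) must be greater than LogonTokenCacheExpirationWindow ({1})." -f $lifetime, $window)
    }

    # Valid Session time = TokenLifeTime - LogonTokenCacheExpirationWindow
    [pscustomobject]@{
        TokenLifetime                   = $lifetime
        LogonTokenCacheExpirationWindow = $window
        ValidSession                    = $lifetime - $window
    }
}

# Values from the post: a 480-minute token and a 2-minute cache window
# give a 478-minute valid session.
Test-SamlSessionWindow -TokenLifetimeMinutes 480 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 2)

# The misconfiguration the post warns about: a cache window longer than the
# token lifetime (constructed values). The function throws instead of returning
# a negative session time.
try {
    Test-SamlSessionWindow -TokenLifetimeMinutes 5 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 10)
} catch {
    Write-Warning $_.Exception.Message
}
```

The two inputs come from different servers (ADFS and the SharePoint farm), so read each value where the post's scripts run it and pass them in; the function itself needs neither snap-in.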

The MSDN article "SAML Token Expiration in SharePoint" is worth a read to understand the principles:
http://msdn.microsoft.com/en-us/library/hh446526.aspx

To display the current ADFS relying party trust settings
Get-AdfsRelyingPartyTrust -Name "SharePoint Adatum Portal"

To display the SharePoint Security Token Service Config
Get-SPSecurityTokenServiceConfig
