Note that the valid session time is set by the ADFS SAML TokenLifeTime and the LogonTokenCacheExpirationWindow in SharePoint.
The SAML TokenLifeTime always needs to be greater than the LogonTokenCacheExpirationWindow in SharePoint.
The formula to apply here is as follows.
Valid Session time = TokenLifeTime - LogonTokenCacheExpirationWindow
To change the session times
On the resource ADFS server
The following script example shows you how to change the lifetime of the SAML token issued by the "SharePoint Adatum Portal" relying party in ADFS to 480 minutes.
# Load the ADFS cmdlets, then set the token lifetime (in minutes) for the relying party trust
Add-PSSnapin Microsoft.ADFS.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "SharePoint Adatum Portal" -TokenLifeTime 480
On the Resource SharePoint Farm
The following script example shows you how to change the LogonTokenCacheExpirationWindow in SharePoint to two minutes.
# Read the farm's Security Token Service configuration, set the window as a TimeSpan, persist it, and restart IIS
$ap = Get-SPSecurityTokenServiceConfig
$ap.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)
$ap.Update()
iisreset
The article "SAML Token Expiration in SharePoint" on this page is worth a read to understand the principles:
http://msdn.microsoft.com/en-us/library/hh446526.aspx
To display the current ADFS relying party trust settings (add -TargetName "SharePoint Adatum Portal" to show a single trust)
Get-AdfsRelyingPartyTrust
To display the SharePoint Security Token Service Config
Get-SPSecurityTokenServiceConfig
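The following PowerShell function is an added example, not part of the original post: it applies the formula above to the two settings, handles the unit mismatch (ADFS TokenLifeTime is an integer number of minutes, the SharePoint window is a TimeSpan), and refuses the invalid configuration where the window is not smaller than the token lifetime. The function name and the sample values of 480 and 2 minutes are assumptions taken from this post's own examples.

```powershell
# Added example (not from the original post): compute the effective SharePoint
# session time from the two settings discussed above and reject the case where
# LogonTokenCacheExpirationWindow is not smaller than the ADFS TokenLifeTime.
function Get-EffectiveSessionTime {
    param(
        # ADFS relying party TokenLifeTime, in minutes (as set with Set-AdfsRelyingPartyTrust)
        [Parameter(Mandatory)] [int] $TokenLifeTimeMinutes,
        # SharePoint STS LogonTokenCacheExpirationWindow, a TimeSpan
        [Parameter(Mandatory)] [TimeSpan] $LogonTokenCacheExpirationWindow
    )
    $tokenLifeTime = New-TimeSpan -Minutes $TokenLifeTimeMinutes

    # The post's rule: TokenLifeTime must always be greater than the cache window.
    if ($tokenLifeTime -le $LogonTokenCacheExpirationWindow) {
        throw ("Invalid configuration: TokenLifeTime ({0}) must be greater than " +
               "LogonTokenCacheExpirationWindow ({1}).") -f $tokenLifeTime, $LogonTokenCacheExpirationWindow
    }

    # Valid Session time = TokenLifeTime - LogonTokenCacheExpirationWindow
    return $tokenLifeTime - $LogonTokenCacheExpirationWindow
}

# Worked example with constructed values matching the post: 480 minutes and 2 minutes.
Get-EffectiveSessionTime -TokenLifeTimeMinutes 480 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 2)

# On the SharePoint farm the live window can be passed instead of the constructed value.
# The TokenLifeTime is read separately on the ADFS server with Get-AdfsRelyingPartyTrust.
# $sts = Get-SPSecurityTokenServiceConfig
# Get-EffectiveSessionTime -TokenLifeTimeMinutes 480 -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow
```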