15 comments

ADFS: WebSSOlifetime vs TokenLifetime

Published on Friday, January 6, 2012 in

I’m currently facing an issue I had some issues in the past with an ADFS deployment using ISA as an ADFS Proxy. We use ISA for the following reasons:

  • It allows us to do all kinds of authentication. For instance we are using BE-ID to authenticate users.
  • The customer already has ISA so we save out a server by not using the ADFS Proxy itself.
  • There’s no federation with other IDPs so we don’t have to do any fancy home realm discovery.

Now the problem we were seeing was that whenever the ISA session timed out, the user was presented with the ISA Forms Based Authentication (FBA) logon screen. If the users were to choose another identity, he would still appear as the original user towards the ADFS enabled application.

This makes totally sense as the client also got ADFS tokens and they have other timeouts than those configured on ISA. This post will try to explain some relevant parameters from the ADFS side. I’m not saying the defaults aren’t good, that’s something you’ve got to decide for yourself.

WebSSOLifetime (Default 480 = 8 hours)

This parameter is server-wide. Meaning if you configure it, it’s active for all of the ADFS relying parties. Whenever a user asks a token for a given RP he will have to authenticate to the ADFS service first. Upon communicating with the ADFS service he will receive two tokens: a token which proves who he is (let’s call that the ADFS Token) and a token for the RP (let’s say the RP Token). All in all this seems very much like the TGT and TGS tickets of Kerberos.

Now the WebSSOLifetime timeout determines how long the ADFS token can be used to request new RP Tokens without having to re-authenticate. In other words a user can ask new tokens for this RP, or for other RP’s, and he will not have to prove who he is until the WebSSOLifetime expires the ADFS token.

TokenLifetime (Default 0 (which is 10 hours))

The TokeLifetime is now easy to explain. This parameter is configurable for each RP. Whenever a user receives a RP Token, it will expire at some time. At that time the user will have to go to the ADFS server again an request a new RP token. Depending on whether or not the ADFS Token is still valid or not, he will not have to re-authenticate.

One argument to lower the TokenLifetime could be that you want the claims to be updated faster. With the default whenever some of the Attribute Store info is modified, it might potentially take 10 hours before this change reaches the user in its claims.

I wrote this post because I struggled with this myself and I found not that much information. There’s some information available in the SharePoint 2010 context, but I feel like these parameters aren’t explained enough. I have to admit that the above came clear once I saw one of the ADFS sessions at The Experts Conference of Laura E. Hunter and Brian Puhl. Thanks both for your great sessions!

Related Posts

15 Response to ADFS: WebSSOlifetime vs TokenLifetime

Anonymous
22 June, 2012 21:56

Thanks for the explanation!

Anonymous
09 July, 2012 10:53

Nice one, I have manually been setting the TokenLifetime value to 600, but no I see there is no need!

15 October, 2012 20:52

Great explanation. We've been testing using WebSSOLifetime. Nice to know there is an alternative to the sledgehammer approach.

Anonymous
21 January, 2013 17:32

TokenLifetime (Default 0 (which is 10 hours)) - for me it is showing 1 hour in IE & Google Chrome. Could you please confirm this, if it is not a typo from your side?

29 January, 2013 10:04

Hey, It's been a while since I've went deeper on this. But here's a link to a TechNet article where they also state 10 hours as the default token lifetime.... http://technet.microsoft.com/en-us/library/cc782865(v=ws.10).aspx

Anonymous
04 June, 2013 18:05

Thank you, now it's clear to me

Anonymous
29 January, 2014 16:54

Just to be clear....The default TokenLifetime is 60 MINS not 10 hours in ADFS 2.0. http://technet.microsoft.com/en-us/library/gg188586.aspx
10 hours is for ADFS 1.0 not 2.0 which most people would have implemented.

11 February, 2014 08:19

Thanks for taking the time to post back. You are absolutely right.

02 October, 2015 12:58

Thanks thanks, thanks. :)

Anonymous
23 November, 2017 02:42

Awesome article. Thanks for the very detailed information.

Anonymous
02 December, 2019 08:29

Awesome, this is so much better than the MSDN doco!

Anonymous
04 May, 2022 05:40

Hey,
I been working on SAML, SAML is not honouring the token lifetime for me.
please find the config below
WebSSOLifetime = 60
RP's Token lifetime = 80
I tried to login after the 60 minutes, it's asking me to re-authenticate.

05 May, 2022 20:34

I would assume that if you just try accessing the relying party that you have a valid token for that one. So it should work. I've been out of the AD FS topic for quite some years. You'll probably get better support in different places.

Anonymous
06 May, 2022 08:23

Thanks Thomas, could you explain the following points. I'm little confused with this token lifetime functionality .

RP Token will expire at some time. At that time the user will have to go to the ADFS server again an request a new RP token. Depending on whether or not the ADFS Token is still valid or not, he will not have to re-authenticate.

06 May, 2022 08:41

That's my understanding. The RP (the application, not "something" on the AD FS server) will keep accepting the RP token until it's expired. At that point the user's browser will be redirected to the AD FS service. If the webSSO token is still valid, a new RP token will be issued "silentely", otherwise the user has to reauthenticate.

But again, I haven't worked with this terminology for years :-)

Add Your Comment