
ADFS 2.0 token expiration time


I am caching a token issued by an ADFS 2.0 on the client and use it several times when calling the service.

In the production environment I want to ensure that the token a client can cache expires after a few minutes. I have read that the token from the ADFS 2.0 expires after 10 hours, but I can't find a place where I can change the expiration time of a token for a relying party.

This is how I currently request a token from the STS:

// Channel factory for the ADFS 2.0 WS-Trust 1.3 endpoint (Windows-authenticated).
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, "http://adfs/adfs/services/trust/13/windows");

trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);

rst.RequestDisplayToken = true;
// The relying party (the service) the token should apply to.
rst.AppliesTo = new EndpointAddress("http://*****/IService");
RequestSecurityTokenResponse rstr = null;
// The issued token is what gets cached and reused on later calls.
SecurityToken token = channel.Issue(rst, out rstr);

I have tried setting the Web SSO time to two minutes, but it does not seem to have any effect.

What is the correct place to configure the expiration time on the ADFS?


Solution

  • You can use the ADFS PowerShell extension module to perform this operation:

    Use:

    Set-AdfsRelyingPartyTrust –TargetName "Relying party name" –TokenLifeTime 5
    

    to set expiration to 5 minutes.

    Remember to load the ADFS PowerShell snap-in first, by running

    Add-PSSnapin Microsoft.Adfs.PowerShell
    

    Further documentation can be found here: http://technet.microsoft.com/en-us/library/adfs2-powershell-basics%28v=ws.10%29.aspx

    http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell%28v=ws.10%29.aspx
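As an added example (not part of the answer above, and not from the ADFS product documentation), the following script wraps the same Set-AdfsRelyingPartyTrust call so that the current lifetime is read first and the new value is read back afterwards, rather than assuming the cmdlet succeeded. It assumes the ADFS 2.0 snap-in is installed on the federation server and that the script runs in an elevated PowerShell session; the relying party name and the 5-minute lifetime are placeholders.

```powershell
# Added example: set and verify the per-relying-party token lifetime on ADFS 2.0.
# Assumes the Microsoft.Adfs.PowerShell snap-in is installed and the session is elevated.
param(
    [Parameter(Mandatory = $true)][string]$RelyingPartyName,   # display name of the RP trust (placeholder)
    [ValidateRange(1, 1440)][int]$LifetimeMinutes = 5           # desired token lifetime in minutes (placeholder)
)

# Load the ADFS 2.0 snap-in once; skip if it is already loaded in this session.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($null -eq $rp) {
    throw "No relying party trust named '$RelyingPartyName' was found."
}

# A TokenLifetime of 0 means no per-relying-party value is set and ADFS applies its built-in default.
Write-Host ("Before: TokenLifetime for '{0}' = {1} minutes" -f $rp.Name, $rp.TokenLifetime)

Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -TokenLifetime $LifetimeMinutes

# Read the trust back and fail loudly if the value did not change.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($rp.TokenLifetime -ne $LifetimeMinutes) {
    throw ("TokenLifetime is {0}, expected {1}" -f $rp.TokenLifetime, $LifetimeMinutes)
}
Write-Host ("After:  TokenLifetime for '{0}' = {1} minutes" -f $rp.Name, $rp.TokenLifetime)
```

Run it as `.\Set-RpTokenLifetime.ps1 -RelyingPartyName "Relying party name" -LifetimeMinutes 5` (script name is arbitrary). The lifetime set here is stamped into the validity window of every token ADFS issues for that relying party; because a client-side cache cannot be trusted to expire itself, the service that receives the token must still validate that window (and the client should check the token's ValidTo before reusing a cached copy) for the short lifetime to actually be enforced.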