Tokens, Logout, Persistence RRS feed

  • Question

  • Hi,

    I'm very new to ADFS, so do excuse me.

    We are using forms authentication only.

    We are setting up access to a relying party that doesn't have a logout facility (i.e., no logout button).
    On first access by a user, the RP sets a persistent cookie expiring in 1 hour (presumably matching the IdP's default Token Lifetime).
    Subsequently, if this cookie has not expired, then the user is granted access without further authentication, and because the cookie is persistent, this includes between browser restarts.

    We have shared PCs, and so this behaviour is not very desirable. The second user may get the first user's access to the RP.

    Do I have any options at all, other than pleading for a logout facility?

    I don't really want to reduce the lifetime too much, as it will be an often-used RP, and I don't want my ADFS servers deluged.

    Is it standard ADFS behaviour for RPs to set persistent cookies with expiry times matching the Token Lifetime?

    Many thanks,

    • Edited by Kevin1927 Wednesday, April 6, 2016 6:01 PM clarification
    Wednesday, April 6, 2016 5:54 PM


All replies

  • ADFS has a server wide token timeout - default 8 hours.

    You can set the RP value individually.

    Normally the RP timeout is greater than the ADFS timeout otherwise the RP will timeout and ADFS will simply issue another token.

    Can you force them to close the browser?

    Refer: ADFS 2.0 time out and relation between Freshness Value,TokenLifetime and WebSSOLifetime parameters.

    Wednesday, April 6, 2016 6:51 PM
  • We can expect users to close the browser, but since the RP's persistent cookie will still be there, it will cause the second user to use the first user's account (without further ADFS authentication).
    Wednesday, April 6, 2016 8:07 PM
  • The application/SP/RP should store a session-based cookie not a persitent one. Your ADFS server will not be "deluged" unless you're running ADFS on an old laptop hidden under your desk :-) Standard is using a session cookie issued by the application/SP/RP that lasts a couple of hours from what I have seen.
    Wednesday, April 6, 2016 8:31 PM
  • Thanks for that. We've got something a little better than an old laptop :-), but we have lots of users (couple of thousand), at least a few hundred will be using it at the same time. I just didn't want them all requesting new tokens every 5 minutes.

    To be honest, a persistent cookie did surprise me, and may be a security issue, because the data in the RP is very confidential. When the browser quits, I want the session to go. Failing that, a logout button that deletes the persistent cookie and displays a message (so we can then ask the user to quit the browser).

    The vendor is suggesting that it may be possible to modify settings on the ADFS IdP for the RP, but I haven't yet got to the bottom of whether I can actually influence this sort of thing from there - seems unlikely.

    Wednesday, April 6, 2016 8:57 PM
  • https://technet.microsoft.com/en-us/library/mt148493.aspx

    Thursday, April 7, 2016 10:26 PM
  • Thanks. My understanding of that is that it is for persistence of the ADFS STS's cookies. Since we have no device registration, and KmsiEnabled is false, The STS's won't be setting persistent cookies. It is the persistent RP cookie that is the issue at the moment.
    Friday, April 8, 2016 7:29 AM