ADFS Token Expiration (can I see it?)

  • Question

  • Hello. I am trying to find a way to view the auth token that ADFS provides to the browser. I want to be able to see when the token will expire and I will be forced back to the idp for a re-auth. I am undertaking an effort to coordinate the token lifetimes (websso, rp token, etc.) to achieve a balance of user experience and security but I do not know of a way to view the results of the changes I make to the values in ADFS. I have been through this (https://tristanwatkins.com/coordinating-adfs-2012-r2-token-lifetime-logon-prompt-enforce-revocation-session-duration-public-network/) numerous times, but I would like to see the values instead of assuming they work. Any help would be appreciated. Thanks.
    Monday, August 15, 2016 12:48 PM

All replies

  • As long as token encryption is not enabled on the RP, you can always see the content of the token (that includes its metadata such as validity time) with a Fiddler capture.

    You can also disable JavaScript just before submitting your credentials and you'll be able to see the page containing the token before submitting it to the RP. Then you can view the source and see the source of the page.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, August 15, 2016 3:44 PM
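The reply above describes capturing the token on the wire (Fiddler) or in the page source before the auto-submitting form posts it to the RP. Either way you end up with a base64-encoded SAMLResponse field. The following is an added example (not code from the thread or from ADFS) that decodes such a field and reads the validity window from the assertion's Conditions element, so the configured lifetime can be checked instead of assumed. The issuer, audience, IDs and two-minute window in the embedded sample are constructed for this example, and it assumes an unencrypted SAML 2.0 assertion; with token encryption enabled on the RP only an EncryptedAssertion is visible, which the parser reports rather than guessing.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted captures prefer defusedxml; the sample here is local
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what a hidden SAMLResponse form field decodes to when the IdP
# posts an unencrypted SAML 2.0 token to a relying party. Issuer, audience, IDs and the
# two-minute validity window are made up for this example.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2016-08-15T17:00:00Z"
                Destination="https://rp.example.test/acs">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-08-15T17:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-08-15T17:00:00Z" NotOnOrAfter="2016-08-15T17:02:00Z">
      <saml:AudienceRestriction><saml:Audience>https://rp.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-08-15T17:00:00Z"
                         SessionNotOnOrAfter="2016-08-15T17:02:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed sample for an RP with token encryption enabled: only an EncryptedAssertion is visible.
SAMPLE_ENCRYPTED_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp2" Version="2.0" IssueInstant="2016-08-15T17:00:00Z">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>
"""
SAMPLE_ENCRYPTED_FIELD = base64.b64encode(SAMPLE_ENCRYPTED_XML.encode()).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC ('Z' suffix), optionally with fractional seconds."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp {value!r}")


def token_validity(saml_response_b64):
    """Decode a SAMLResponse field and return the assertion's validity window.

    Raises ValueError when the assertion is encrypted: without the RP's private key
    there is nothing to read, which is exactly the caveat in the reply above.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; token encryption is enabled on the RP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    cond = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {
        "issued": parse_saml_time(assertion.get("IssueInstant")),
        "not_before": parse_saml_time(cond.get("NotBefore")),
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")),
        "session_not_on_or_after": parse_saml_time(session_end) if session_end else None,
        "audience": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
    }


def token_lifetime_seconds(info):
    """Lifetime as actually issued; compare this with the RP's configured token lifetime."""
    return (info["not_on_or_after"] - info["not_before"]).total_seconds()


def is_valid_at(info, now_iso):
    """NotBefore is inclusive and NotOnOrAfter is exclusive, as the SAML 2.0 core spec defines them."""
    now = parse_saml_time(now_iso)
    return info["not_before"] <= now < info["not_on_or_after"]


def seconds_remaining(info, now_iso):
    """Seconds until the assertion expires from the given instant (negative once expired)."""
    return (info["not_on_or_after"] - parse_saml_time(now_iso)).total_seconds()


if __name__ == "__main__":
    info = token_validity(SAMPLE_SAMLRESPONSE_FIELD)
    print(f"lifetime {token_lifetime_seconds(info):.0f}s, audience {info['audience']}")
    print("valid at 17:00:30?", is_valid_at(info, "2016-08-15T17:00:30Z"))
    print("valid at 17:02:00?", is_valid_at(info, "2016-08-15T17:02:00Z"))
```

Note that the assertion's own expiry only tells you when the RP must stop accepting the token; whether the user is actually sent back to the IdP at that point depends on the application's session handling, which is the point the later replies make.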
  • Thanks. I set websso lifetime and rp token lifetime to 2 minutes. I see in the source (using the JS option) that the token expires in 2 minutes; however, I do not get redirected back to the ADFS sign-in page after the 2-minute expiration. Any ideas? Thanks.
    Monday, August 15, 2016 5:02 PM
  • Well, it is the call to the app to redirect you after this time. What test app are you using?

    Generally, the apps craft a bootstrap cookie to keep the context of your session. This cookie should be discarded by the app after the tokenLifetime, and then the user should be redirected to either the STS or an error on the app if the app does not handle this scenario (which would be pretty poor coding...).

    Monday, August 15, 2016 9:54 PM
  • Office 365. I am looking to restrict session lifetime for external users (through the WAP). I have adjusted websso lifetime, rp token lifetime, and wap token lifetime down to 2 minutes; however, the session never gets redirected to the login page.
    Monday, August 15, 2016 10:27 PM
  • Ah, the story is a little bit different with Azure AD (Office 365 products trust Azure AD, and your ADFS is trusted by Azure AD). Azure AD SSO time is 60 minutes regardless of what you have set at the RP level. For the moment, only Azure AD B2C allows you to customize it: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-token-session-sso/#token-lifetimes-configuration

    Tuesday, August 16, 2016 2:44 PM
  • I'll settle for the 60 minutes but that does not seem to work either. I adjusted the websso lifetime and the RP token lifetime to 60 minutes, but I never get prompted again.
    Tuesday, August 16, 2016 8:35 PM
  • What do you mean, settle for 60 minutes? You can set the value you want; it's just that ADFS does not trust Office 365. ADFS trusts Azure AD. And Azure AD gives you tokens to access the different apps in Office 365. And those are valid for 60 minutes. But Azure AD also has this notion of a refresh token. This refresh token is valid for 14 days. But each time you successfully refresh your token, your refresh token lifetime is again valid for 14 days (sliding window), up to 90 days. See here: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/

    Thursday, August 18, 2016 2:56 AM
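The last reply explains why shortening the ADFS lifetimes did not produce a new sign-in prompt: the session the user actually experiences is governed by Azure AD's 60-minute access token and its 14-day sliding refresh token, capped at 90 days. The following is an added example (not code from the thread, Azure AD or ADFS) that replays a sequence of refresh attempts against that model so you can see when a client would be forced back to the identity provider. It assumes the 90-day ceiling is an absolute limit counted from the interactive sign-in, which is one reading of "up to 90 days" rather than something the reply states; the sign-in and refresh timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Values as stated in the reply above (Azure AD, 2016). Treating REFRESH_MAX_AGE as an
# absolute cap from the interactive sign-in is this example's assumption.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=60)
REFRESH_INACTIVITY_WINDOW = timedelta(days=14)
REFRESH_MAX_AGE = timedelta(days=90)
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(iso):
    return datetime.strptime(iso, FMT).replace(tzinfo=timezone.utc)


def simulate_session(signin_iso, refresh_attempts_iso):
    """Replay refresh attempts after one interactive sign-in.

    Returns a list of (attempt_time, outcome, access_token_valid_until). The outcome is
    'refreshed' while the refresh token is still inside both the sliding 14-day window
    and the 90-day cap, otherwise 'reauth_required', meaning the user is sent back to
    the identity provider (ADFS, via Azure AD). A re-authentication re-issues every
    token, so both windows restart from that attempt.
    """
    issued = _ts(signin_iso)
    slides_until = issued + REFRESH_INACTIVITY_WINDOW
    hard_stop = issued + REFRESH_MAX_AGE
    events = []
    for iso in refresh_attempts_iso:
        t = _ts(iso)
        if t < slides_until and t < hard_stop:
            # Successful refresh: the inactivity window slides, but never past the cap.
            slides_until = min(t + REFRESH_INACTIVITY_WINDOW, hard_stop)
            events.append((iso, "refreshed", (t + ACCESS_TOKEN_LIFETIME).strftime(FMT)))
        else:
            # Refresh token rejected: interactive sign-in, fresh token set, windows restart.
            issued = t
            slides_until = t + REFRESH_INACTIVITY_WINDOW
            hard_stop = t + REFRESH_MAX_AGE
            events.append((iso, "reauth_required", (t + ACCESS_TOKEN_LIFETIME).strftime(FMT)))
    return events


def forced_reauth_after(signin_iso, refresh_every, horizon=timedelta(days=120)):
    """For a client refreshing on a fixed schedule, return the first attempt time at which
    re-authentication is forced, or None if none occurs within the horizon."""
    t0 = _ts(signin_iso)
    attempts = []
    t = t0 + refresh_every
    while t <= t0 + horizon:
        attempts.append(t.strftime(FMT))
        t += refresh_every
    for when, outcome, _ in simulate_session(signin_iso, attempts):
        if outcome == "reauth_required":
            return when
    return None


if __name__ == "__main__":
    # Constructed timeline: refreshes on day 10 and 21 succeed, a 20-day gap to day 41
    # exceeds the sliding window, and the attempt 6 days after that re-login succeeds.
    for event in simulate_session("2016-08-15T17:00:00Z", [
        "2016-08-25T17:00:00Z", "2016-09-05T17:00:00Z",
        "2016-09-25T17:00:00Z", "2016-10-01T17:00:00Z",
    ]):
        print(event)
    print("hourly refresh, first forced reauth:",
          forced_reauth_after("2016-08-15T17:00:00Z", timedelta(hours=1)))
    print("refresh every 20 days, first forced reauth:",
          forced_reauth_after("2016-08-15T17:00:00Z", timedelta(days=20)))
```

The practical consequence for the original question is that a 2-minute or 60-minute ADFS token lifetime only matters at the moment Azure AD needs a fresh token from ADFS; an active Office 365 client refreshing every hour will not see a prompt until the cap is reached.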