AD FS 4.0 Refresh tokens and external Claims Provider Trusts

  • Question

  • Hi,

    I have a native app / Web API configured as an application group in AD FS 4.0. When I log in with an Active Directory account, AD FS issues an access token, a refresh token and an ID token, but when I log in with a different identity provider (configured as a Claims Provider Trust), AD FS issues only an access token; there is no refresh token.

    I changed the token lifetime setting for the Web API, e.g. from the default 60 minutes to 5 minutes, and then AD FS issues a refresh token that is valid for 55 minutes (60 - 5), but when the token lifetime is 60 or more minutes there is no refresh token.

    Is there any way to configure AD FS 4.0 to issue refresh tokens when authentication is done through a Claims Provider Trust?

    Thanks,
    Bojan

    Wednesday, May 23, 2018 11:41 AM

Answers

  • Hi Bojan,

    Look at the validity of the token issued by the 3rd-party claims provider. In our case, we had a 3rd-party IdP federated via SAML2, and the SAML token issued by the 3rd party was valid for 1 hour only.

    It seems that AD FS respects the token lifetime set by the authenticating IdP and does not allow access token validity to be extended beyond it.

    Regards,

    Jiri


    Thursday, November 1, 2018 1:56 PM
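The check Jiri suggests, as an added example that is not part of the original thread: parse the SAML 2.0 assertion the external claims provider sent to AD FS, read its validity window (Conditions/@NotOnOrAfter, and AuthnStatement/@SessionNotOnOrAfter when present), and subtract the Web API's access token lifetime. The arithmetic is the one Bojan observed (60-minute assertion, 5-minute access token, 55-minute refresh token; nothing at 60 minutes or more); treating it as the rule AD FS applies is an assumption inferred from the thread, not something taken from AD FS documentation. The assertion below is constructed for the example and the hostnames in it are placeholders.

```python
"""Estimate the refresh-token window AD FS can grant when the user signed in
through an external SAML 2.0 claims provider trust.

Working model (inferred from the thread's numbers, not from AD FS docs):
AD FS will not let OAuth tokens outlive the assertion it accepted from the
claims provider, so

    refresh_token_lifetime = assertion_validity - access_token_lifetime

and no refresh token is issued when that difference is not positive.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output): valid for one hour.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-05-23T11:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-05-23T11:00:00Z" NotOnOrAfter="2018-05-23T12:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://adfs.example.test/adfs/services/trust</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-05-23T11:00:00Z"
                       SessionNotOnOrAfter="2018-05-23T12:00:00Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    # SAML xs:dateTime values are UTC with a trailing 'Z'; fromisoformat only
    # accepts 'Z' from Python 3.11 on, so strip it and attach UTC explicitly.
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def assertion_validity(assertion_xml):
    """Return (start, end) of the assertion's validity as aware datetimes.

    The end is the earliest of Conditions/@NotOnOrAfter and any
    AuthnStatement/@SessionNotOnOrAfter; the start is Conditions/@NotBefore,
    falling back to the assertion's IssueInstant.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no Conditions/@NotOnOrAfter; refusing to guess")
    start_attr = cond.get("NotBefore") or root.get("IssueInstant")
    if start_attr is None:
        raise ValueError("assertion has neither NotBefore nor IssueInstant")
    ends = [_parse_ts(cond.attrib["NotOnOrAfter"])]
    for authn in root.findall("saml:AuthnStatement", NS):
        if "SessionNotOnOrAfter" in authn.attrib:
            ends.append(_parse_ts(authn.attrib["SessionNotOnOrAfter"]))
    return _parse_ts(start_attr), min(ends)


def refresh_token_window(assertion_xml, access_token_lifetime_min, now=None):
    """Whole minutes of refresh-token validity the model predicts, 0 for none.

    `now` defaults to the start of the assertion's validity, i.e. the moment
    AD FS accepted it; pass a later time to see the window shrink.
    """
    start, end = assertion_validity(assertion_xml)
    now = now or start
    remaining = end - max(now, start)
    window = remaining - timedelta(minutes=access_token_lifetime_min)
    return max(0, int(window.total_seconds() // 60))


if __name__ == "__main__":
    start, end = assertion_validity(SAMPLE_ASSERTION)
    print(f"assertion valid {start:%H:%M}Z .. {end:%H:%M}Z")
    for lifetime in (5, 30, 59, 60, 120):
        mins = refresh_token_window(SAMPLE_ASSERTION, lifetime)
        verdict = f"refresh token for {mins} min" if mins else "no refresh token"
        print(f"access token lifetime {lifetime:>3} min -> {verdict}")
```

Run it against the assertion actually received from your claims provider (take it from a SAML trace or from the AD FS tracing log) rather than the sample: if the window comes out at zero for the Web API's configured lifetime, the fix is on the IdP side (longer assertion or session validity), not in the application group settings.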

All replies

  • Hi Jiri,

    We are having the same issue. In that case, will the user (external IdP user) have to be forced to log out upon access token expiry, since there is no way for AD FS to validate whether the user is still active? Is there any other way to implement this, like broker-based SSO etc.?


    Imran Makhdoom

    Thursday, February 7, 2019 10:01 AM