Application inactivity - ADFS signout

  • Question

  • Hi all,

    We have an in-house developed application that is configured to authenticate with ADFS 4.0. We have our RP tokenlifetime configured for 5 mins and the webssotoken lifetime for 4 hours.

    We have a requirement to re-authenticate the user after 5 minutes of application inactivity. 

    From my understanding the tokenlifetime and webssotokenlifetime will re-prompt for authentication even if the user is still active. 

    How can we configure the application in a way to re-prompt for authentication when the user has been inactive for 5 minutes?


    MM

    Wednesday, January 2, 2019 1:26 PM

All replies

  • Since you are the developer, you can implement that at the application level.

    You can detect activity (JavaScript or other ways on the server side I guess) and redirect the user to the Log-Out endpoint of your application (different options here depending on your federation protocol). Note that if you do that, there is no reason to keep a 5-minute token lifetime (which if you are using WS-Fed or SAML is surely quite disruptive for the end users - unless it is a single page and there is not much to do/browse, but in that case OAuth might be a better fit).

    In ADFS, you can configure inactivity timeout only for applications accessed through a WAP (it is a WAP setting).

     

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, January 4, 2019 1:56 PM
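The reply above describes the application-level approach (detect activity in the browser, then send the user to the application's own logout endpoint). The following is an added example, not code from the thread or from any poster: a small client-side idle tracker whose decision logic is kept separate from the browser wiring so it can be tested without a DOM. The logout URL `/logout`, the event list and the polling interval are assumptions; the endpoint is the application's own logout, and whether that endpoint then initiates a SAML Single Logout with ADFS is a separate decision.

```javascript
// Added example, not from the thread. Assumes (hypothetically) that the
// application exposes its own logout endpoint at "/logout".
const IDLE_LIMIT_MS = 5 * 60 * 1000; // 5 minutes, the requirement in the question
const LOGOUT_URL = '/logout';        // assumed application logout endpoint

// Pure idle-state tracker. The clock is injectable so the expiry decision
// can be unit-tested without a browser or real time.
class IdleTracker {
  constructor(limitMs, now = () => Date.now()) {
    this.limitMs = limitMs;
    this.now = now;
    this.lastActivity = now();
  }
  // Record a user interaction.
  touch() { this.lastActivity = this.now(); }
  // Milliseconds since the last recorded interaction.
  idleFor() { return this.now() - this.lastActivity; }
  // True once the user has been idle for at least limitMs.
  isExpired() { return this.idleFor() >= this.limitMs; }
  // Milliseconds left before expiry (0 once expired).
  remaining() { return Math.max(0, this.limitMs - this.idleFor()); }
}

// DOM events treated as "activity" (assumed list; keydown/touchstart cover
// keyboard and touch users, scroll covers read-only pages).
const ACTIVITY_EVENTS = ['mousemove', 'mousedown', 'keydown', 'scroll', 'touchstart'];

// Attach the tracker to a window and poll it. Returns a stop() function.
// Polling with setInterval rather than one long setTimeout means a machine
// that slept past the limit is logged out at the next tick after waking.
function installIdleLogout(tracker, {
  win = globalThis.window,
  logoutUrl = LOGOUT_URL,
  checkEveryMs = 15 * 1000,
  onLogout,
} = {}) {
  if (!win || !win.document) return () => {}; // not running in a browser
  const onActivity = () => tracker.touch();
  ACTIVITY_EVENTS.forEach((ev) =>
    win.document.addEventListener(ev, onActivity, { passive: true }));

  const timer = win.setInterval(() => {
    if (tracker.isExpired()) {
      stop(); // detach before navigating so a late event cannot re-arm us
      (onLogout || (() => win.location.assign(logoutUrl)))();
    }
  }, checkEveryMs);

  function stop() {
    win.clearInterval(timer);
    ACTIVITY_EVENTS.forEach((ev) => win.document.removeEventListener(ev, onActivity));
  }
  return stop;
}

// Page wiring: only runs when loaded in a browser.
if (typeof window !== 'undefined') {
  installIdleLogout(new IdleTracker(IDLE_LIMIT_MS));
}
```

The browser timer is a convenience for the user; it can be stopped or bypassed by anyone controlling the browser, so the server should also compare the session's last-activity timestamp against the same limit on each request and reject or terminate the session when it has lapsed.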
  • Thank you for your reply, Pierre.

    We are actually using SAML; we thought of invoking the federation logout when the session is idle, but I was not sure it was the best practice to do a federation logout.

    Which token lifetime do you mean that I don't need? The RP session token? So in case we go for federation logout, there is no need to reduce the RP token lifetime?

    Another question here: if we invoke a logout, other applications will also be logged out. I am not sure what the best practice is here.

    Actually I do have WAP behind a WAF, so the application is accessed through the WAF then WAP.

    So can WAP detect application inactivity and logout the user based on that?


    MM

    Friday, January 4, 2019 2:25 PM