Claims-based Authentication Token Expiry

Tokens issued by AD FS 2.0 expire after a default time of 60 minutes. This requires users to be re-authenticated (for internal access) or to sign in again (for IFD access). The token lifetime is set separately for each relying party trust (internal and external).

To check the lifetime, complete the following steps on the AD FS 2.0 server:

  1. Check the names of the relying party trusts in the AD FS 2.0 Management Console and use the appropriate names in the following steps.
  2. Start Windows PowerShell (use Run as Administrator).
  3. In PowerShell, type `Add-PSSnapin Microsoft.Adfs.Powershell`.
  4. To view information for the internal relying party trust, type `Get-ADFSRelyingPartyTrust -Name "CRM Internal Claims Relying Party"`. Replace CRM Internal Claims Relying Party with the appropriate name for your AD FS configuration.
  5. Review the value for TokenLifetime. The value is measured in minutes.
  6. To change the value, type `Set-ADFSRelyingPartyTrust -TargetName "CRM Claims Relying Party" -TokenLifetime newvalue`, where newvalue is the new lifetime in minutes (again, substitute the name of your relying party trust).
  7. Repeat this process for the external (IFD) relying party trust.
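As an added example (not part of the original post), the following script performs steps 3 to 7 in one pass: it loads the snap-in, reports the current TokenLifetime of every relying party trust, and applies the desired values, refusing to give the external trust a lifetime above an eight-hour ceiling. The trust names, the desired values and the 480-minute ceiling are assumptions; substitute the names shown in your AD FS 2.0 Management Console.

```powershell
# Added example, not from the original post. Run as Administrator on the
# AD FS 2.0 server. Trust names and the ceiling below are assumptions.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$MaxExternalMinutes = 480   # 8-hour ceiling for the external (IFD) trust

# Hypothetical trust names; replace with the names from your console.
$Trusts = @(
    @{ Name = 'CRM Internal Claims Relying Party'; Desired = 60;  External = $false },
    @{ Name = 'CRM IFD Claims Relying Party';      Desired = 480; External = $true }
)

function Get-TokenLifetimeReport {
    # Current TokenLifetime (minutes) of every relying party trust.
    # A value of 0 means the trust uses the AD FS default of 60 minutes.
    Get-ADFSRelyingPartyTrust | ForEach-Object {
        New-Object PSObject -Property @{
            Name          = $_.Name
            TokenLifetime = $_.TokenLifetime
        }
    }
}

function Set-TrustTokenLifetime {
    param([string]$Name, [int]$Minutes, [bool]$External)

    # Guard: never let an externally reachable trust exceed the ceiling.
    if ($External -and $Minutes -gt $MaxExternalMinutes) {
        throw "Refusing to set '$Name' to $Minutes minutes (ceiling is $MaxExternalMinutes)."
    }

    $trust = Get-ADFSRelyingPartyTrust -Name $Name
    if ($trust -eq $null) {
        Write-Warning "Relying party trust '$Name' not found; check the name in the Management Console."
        return
    }
    if ($trust.TokenLifetime -eq $Minutes) {
        Write-Host "'$Name' already has TokenLifetime = $Minutes minutes."
        return
    }

    Write-Host "Changing '$Name' TokenLifetime from $($trust.TokenLifetime) to $Minutes minutes."
    Set-ADFSRelyingPartyTrust -TargetName $Name -TokenLifetime $Minutes
}

# Audit first, then apply the desired lifetimes.
Get-TokenLifetimeReport | Format-Table Name, TokenLifetime -AutoSize
foreach ($t in $Trusts) {
    Set-TrustTokenLifetime -Name $t.Name -Minutes $t.Desired -External $t.External
}
```

Run `Get-TokenLifetimeReport` again afterwards to confirm the new values took effect.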

It is recommended that the external token lifetime be set to a short expiry time to minimize the risk from users who log in and forget to log out. I suggest no more than 8 hours.
