Sharepoint 2010 – Change SAML Token Lifetime

Yesterday I went through an interesting analysis with Matias about what the best way is to tweak the SAML token lifetime for SharePoint 2010 web applications using ADFS as a claims authentication provider.

There are basically three cookies to worry about in this scenario: the authentication cookie, the account partner cookie and the SharePoint cookie (FedAuth). The account partner cookie is the one that bypasses the home realm discovery page when we hit ADFS, and it is not involved in this scenario.

The authentication cookie has two associated lifetimes: the SSOLifetime (a global ADFS setting) and the TokenLifetime of a specific relying party, which is the validity of the SAML token issued to that relying party. You can change the TokenLifetime with the following PowerShell script on the ADFS server (the value is in minutes).

# Run on the ADFS 2.0 server; load the ADFS cmdlets if not already loaded
Add-PSSnapin Microsoft.ADFS.Powershell

# TokenLifetime is expressed in minutes; 0 means "use the default"
Set-ADFSRelyingPartyTrust -TargetName "Relying Party Common Name" -TokenLifetime 15

On the SharePoint side there is also a configuration that needs to be considered: the LogonTokenCacheExpirationWindow. This value is a time window before the SAML token expires during which SharePoint already treats the token as expired and goes back to ADFS to get a new one. The LogonTokenCacheExpirationWindow must always be much smaller than the TokenLifetime. If both values are similar (or the window is larger than the lifetime), the browser bounces back and forth between SharePoint and ADFS until ADFS stops the loop with the error message "The same client browser session has made '6' requests in the last '12' seconds." This happens because as soon as SharePoint receives the SAML token from ADFS it sees that the token is good for less time than the LogonTokenCacheExpirationWindow, so it immediately redirects to ADFS to authenticate again.

We tried different values for this setting and we think that 1 second is enough for that time window. Making this window as small as possible pushes the session management to ADFS.

# Run in the SharePoint 2010 Management Shell (or load the snap-in first)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sts = Get-SPSecurityTokenServiceConfig

# Window before token expiry in which SharePoint re-authenticates; set here to one minute
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)

# Persist the change to the configuration database
$sts.Update()
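Because the two settings live on different servers (TokenLifetime on ADFS, LogonTokenCacheExpirationWindow on the SharePoint farm), it is easy to end up with the redirect loop described above. The following script is an added example, not code from the original post: it takes the ADFS TokenLifetime as a parameter (it cannot be read from the SharePoint box), checks that the expiration window is strictly smaller than the token lifetime, reports the effective time a user stays logged in before SharePoint sends them back to ADFS, and only then applies the SharePoint setting. The parameter names, the function name and the assumption that the effective FedAuth validity is roughly TokenLifetime minus the window are mine.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server. The ADFS TokenLifetime is passed in by
# hand because Set-ADFSRelyingPartyTrust runs on the ADFS server, not here.
param(
    [int]$AdfsTokenLifetimeMinutes = 15,   # value used with Set-ADFSRelyingPartyTrust -TokenLifetime
    [int]$ExpirationWindowMinutes  = 1     # value to apply to LogonTokenCacheExpirationWindow
)

# Hypothetical helper: returns $true when the pair of values is safe to apply.
# Assumption: SharePoint re-authenticates once the token is within the window
# of its expiry, so the usable lifetime is TokenLifetime minus the window.
function Test-TokenLifetimeConfig {
    param(
        [int]$TokenLifetimeMinutes,
        [int]$WindowMinutes
    )

    if ($TokenLifetimeMinutes -le 0 -or $WindowMinutes -lt 0) {
        Write-Warning "Both values must be positive minutes (window may be 0)."
        return $false
    }

    $effectiveMinutes = $TokenLifetimeMinutes - $WindowMinutes
    if ($effectiveMinutes -le 0) {
        $msg = "LogonTokenCacheExpirationWindow ({0} min) is not smaller than the ADFS TokenLifetime ({1} min); " +
               "SharePoint would treat every token as already expired and loop back to ADFS " +
               "until ADFS reports too many requests from the same browser session."
        Write-Warning ($msg -f $WindowMinutes, $TokenLifetimeMinutes)
        return $false
    }

    Write-Host ("OK: a {0}-minute token leaves about {1} minutes before SharePoint re-authenticates against ADFS." -f
                $TokenLifetimeMinutes, $effectiveMinutes)
    return $true
}

if (-not (Test-TokenLifetimeConfig -TokenLifetimeMinutes $AdfsTokenLifetimeMinutes -WindowMinutes $ExpirationWindowMinutes)) {
    Write-Error "Refusing to apply LogonTokenCacheExpirationWindow; fix the values first."
    return
}

# Load the SharePoint cmdlets if this is a plain PowerShell console
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts = Get-SPSecurityTokenServiceConfig
$before = $sts.LogonTokenCacheExpirationWindow

$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes $ExpirationWindowMinutes
$sts.Update()   # persist to the configuration database

# Re-read the value to confirm the change actually took
$after = (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
Write-Host ("LogonTokenCacheExpirationWindow changed from {0} to {1}" -f $before, $after)
```

Run it as `.\Set-LogonTokenWindow.ps1 -AdfsTokenLifetimeMinutes 15 -ExpirationWindowMinutes 1` (file name assumed); a value of 15 and 20 is rejected before anything is written to the farm, while 15 and 1 is applied and verified.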



Reference: we found this post very useful; it gives a deeper look at the problem.
