Change the token lifetime for a Federation Service

Applies To: Windows Server 2003 R2

Each server that is running the Federation Service component of Active Directory Federation Services (ADFS) issues Security Assertion Markup Language (SAML) tokens. These security tokens are transferred between clients and federation servers within authentication cookies. Authentication cookies can be issued by both the Federation Service and the ADFS Web Agent.

Note

At the Federation Service, the security token in an authentication cookie holds the organization claims for the client. For more information about SAML tokens, see WS-Federation: Passive Requestor Profile (https://go.microsoft.com/fwlink/?LinkId=64813).

After the Federation Service validates the client once, the authentication cookie is written to the client. Further authentication takes place through use of the cookie rather than through repeated authentication of the client credentials. In this way, the authentication cookie facilitates single sign-on (SSO). The period of time that this authentication cookie can be used by the client is configurable in the trust policy of the Federation Service as the "token lifetime."

Note

Authentication cookies are not used by federation server proxies. For more information about federation server proxies, see Federation Service Proxy (https://go.microsoft.com/fwlink/?LinkId=62784).

The default value for token lifetime is 600 minutes, or 10 hours. The minimum value is one minute.

Warning

If you set the token lifetime value too low, the SSO experience of extranet users is degraded. Users will be forced to authenticate again in a forms-based logon as soon as the cookie expires. Only internal corporate users who use integrated authentication will continue to experience single sign-on.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To change the token lifetime for a trust policy

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click the Trust Policy node, and then click Properties.

  3. Click the Advanced tab.

  4. In Token lifetime (minutes), type or scroll to a new number of minutes, and then click OK.
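The procedure above changes the value through the snap-in. The following script is an added example, not code from the original page or from the ADFS product, that lets an administrator read back the configured lifetime from the trust policy file after the change and flag values that fall outside an acceptable range. It assumes the trust policy is stored as XML at C:\ADFS\TrustPolicy.xml (the assumed default location; pass -Path if yours differs) and, because this page does not show the file's schema, it matches any element or attribute whose name contains "lifetime" rather than relying on a specific element name. Application-level lifetimes (see "Change the token lifetime for an application") will also be reported if they are stored under a similarly named setting.

```powershell
# Added example (not from the original page): read lifetime settings out of the
# ADFS trust policy XML and sanity-check them against the page's stated limits.
# Assumptions: file location (C:\ADFS\TrustPolicy.xml) and a loose "*lifetime*"
# name match, since the schema is not documented on this page.

function Get-TrustPolicyLifetimeSettings {
    param(
        [string]$Path = 'C:\ADFS\TrustPolicy.xml',   # assumed default trust policy location
        [int]$MinimumMinutes = 1,                     # minimum allowed by the snap-in (per page)
        [int]$MaximumAcceptableMinutes = 600          # page default; tighten to your own policy
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Trust policy file not found: $Path"
    }

    [xml]$policy = Get-Content -Path $Path
    $findings = @()

    # Walk every element; collect numeric element text or attribute values whose
    # name looks like a lifetime setting.
    foreach ($node in $policy.SelectNodes('//*')) {
        if ($node.LocalName -like '*lifetime*' -and $node.InnerText -match '^\d+$') {
            $findings += New-Object PSObject -Property @{
                Setting = $node.LocalName
                Minutes = [int]$node.InnerText
                Where   = 'element ' + $node.Name
            }
        }
        foreach ($attr in $node.Attributes) {
            if ($attr.LocalName -like '*lifetime*' -and $attr.Value -match '^\d+$') {
                $findings += New-Object PSObject -Property @{
                    Setting = $attr.LocalName
                    Minutes = [int]$attr.Value
                    Where   = 'attribute on ' + $node.Name
                }
            }
        }
    }

    foreach ($f in $findings) {
        # Classify against the page's minimum and the configured acceptable maximum.
        if ($f.Minutes -lt $MinimumMinutes) {
            $status = 'BELOW MINIMUM (snap-in will not accept this)'
        } elseif ($f.Minutes -gt $MaximumAcceptableMinutes) {
            $status = 'ABOVE ACCEPTABLE MAXIMUM (long-lived SSO cookie)'
        } else {
            $status = 'ok'
        }
        $expiry = (Get-Date).AddMinutes($f.Minutes)
        Add-Member -InputObject $f -MemberType NoteProperty -Name Status -Value $status
        Add-Member -InputObject $f -MemberType NoteProperty -Name CookieIssuedNowExpiresAt -Value $expiry
    }

    if ($findings.Count -eq 0) {
        Write-Warning "No lifetime-like setting found in $Path; the element name may differ from the assumed pattern."
    }
    return $findings
}

# Usage: run on the federation server after changing the value in the snap-in.
Get-TrustPolicyLifetimeSettings | Format-Table Setting, Minutes, Status, CookieIssuedNowExpiresAt, Where -AutoSize
```

Because the script only reads the file, it is safe to run on a production federation server; lower the -MaximumAcceptableMinutes argument to the value your policy actually permits so that anything longer is reported, and keep in mind the warning above: a value that is too short forces extranet users back to forms-based logon as soon as the cookie expires.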

See Also

Concepts

Change the trust policy refresh period
Change the Windows domain trust cache refresh period
Change the token lifetime for an application