
Configuring session token lifetime in WIF with the session authentication module (SAM) and Thinktecture IdentityModel

February 14, 2013

For browser-based (passive) federated applications, the WIF session token lifetime is, by default, bounded by two values: 1) the lifetime of the original token issued by the STS, and 2) the session token lifetime configured for the RP (on the session security token handler). The resulting session token lifetime is the shorter of the two. The RP-side value is configured in web.config:

<system.identityModel>
  <identityConfiguration>

    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
                    System.IdentityModel, Version=4.0.0.0, Culture=neutral,
                    PublicKeyToken=B77A5C561934E089" />

      <add type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
                 System.IdentityModel, Version=4.0.0.0, Culture=neutral,
                 PublicKeyToken=B77A5C561934E089">
        <sessionTokenRequirement lifetime="00:30:00" />
      </add>
    </securityTokenHandlers>

  </identityConfiguration>
</system.identityModel>

Notice that this approach involves un-registering the session security token handler and then re-registering it with a <sessionTokenRequirement> element carrying a lifetime attribute. While this works, it's tedious, so Thinktecture IdentityModel now has a ConfigureDefaultSessionDuration API on the PassiveSessionConfiguration class that allows the same configuration from code:

// Global.asax: bound the session token lifetime once, at application startup.
protected void Application_Start()
{
    var duration = TimeSpan.FromMinutes(30);
    PassiveSessionConfiguration.ConfigureDefaultSessionDuration(duration);
}

The code-based approach is slightly more convenient, with the tradeoff that the duration is embedded in the code rather than in configuration.
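The same effect without the Thinktecture helper, using the WIF 4.5 FederationConfigurationCreated event to set TokenLifetime on the registered SessionSecurityTokenHandler. This is an added example, not code from the post or from the Thinktecture library; the RpSessionLifetime field and the handler lookup are assumptions about how the RP is set up.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;

public class Global : System.Web.HttpApplication
{
    // Assumed RP setting: the longest session this RP will accept. As the post
    // explains, the effective lifetime is still the shorter of this value and
    // the lifetime of the token issued by the STS.
    private static readonly TimeSpan RpSessionLifetime = TimeSpan.FromMinutes(30);

    protected void Application_Start()
    {
        // FederationConfigurationCreated fires once, when WIF builds its
        // configuration from <system.identityModel> on the first request.
        // Adjusting the handler here avoids the remove/add dance in web.config.
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            var handlers = e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

            // Assumption: exactly one SessionSecurityTokenHandler is registered
            // (the default when the handler is not removed in config).
            // SingleOrDefault throws if there are several, which would mean the
            // lifetime bound is ambiguous and should be investigated, not guessed.
            var sessionHandler = handlers.OfType<SessionSecurityTokenHandler>().SingleOrDefault();
            if (sessionHandler == null)
            {
                throw new InvalidOperationException(
                    "No SessionSecurityTokenHandler registered; cannot bound the session lifetime.");
            }

            // TokenLifetime is the same value that
            // <sessionTokenRequirement lifetime="..." /> sets from web.config.
            sessionHandler.TokenLifetime = RpSessionLifetime;
        };
    }
}
```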

6 Comments
  1. RonyK
    October 24, 2013 6:25 am

Just to make sure I understand. Is it correct that when using Identity Server, even when the token would expire (configured as above) the user will be passively re-authenticated by the STS? Meaning that even if the token has expired, he will be automatically redirected to Identity Server, and since the Identity Server has its own valid cookie, a new token will be issued and the user will be redirected back to the RP, authenticated?

  2. October 24, 2013 8:19 am

Depends on how the RP is coded. But when the RP triggers the redirect to the STS for authentication, if the user is still logged into the STS then they will get automatically logged into the RP (after the token is issued and sent back to the RP, etc.). This is just normal WS-Federation and SSO. So I wonder if this is not the question you meant to ask…

  3. January 22, 2015 6:28 am

How can we set the lifetime programmatically in .NET 3.5 and 4?

    • January 24, 2015 12:07 pm

      I think there’s a similar API or configuration setting on the older WIF 3.5 version. Check the docs.

  4. August 31, 2015 10:17 am

The token expiration sent by my STS is valid for 6 hours. I am trying to use sessionTokenRequirement with lifetime = 10 minutes and also add tokenReplayDetection with an expirationPeriod of 10 minutes, but tokenReplayDetection throws this error:
    ID1069: Replay detection requires that token’s expiration period, ‘8/31/2015 4:04:20 PM’, does not exceed the expiration period configured with ’00:10:00′ on the TokenReplayCache.

    My configuration doesn’t seem to be selecting the “resultant session token lifetime is the shorter of the two values”.

    Any ideas?
