Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS and timeouts

Last post 06-27-2008, 5:37 AM by jimsim. 7 replies.
  •  06-09-2008, 9:03 AM 3838

    ADFS and timeouts

    In this thread I want to discuss timeout topics for ADFS.

    • cookies
    • OWA
    • web apps
    • SharePoint

    There seem to be a few different places that timeouts are found, but you need to know what properties to change when and where.

  •  06-09-2008, 9:15 AM 3839 in reply to 3838

    Re: ADFS and timeouts

    For web apps there is a section in the web.config as follows:

    <cookies writecookies="true">
        <path>/</path>
        <lifetime>1</lifetime>
    </cookies>

    What does writecookies do when set to false?  What should path be set to?  What is the effect of the lifetime property?

  •  06-09-2008, 9:41 AM 3840 in reply to 3839

    Re: ADFS and timeouts

    It appears that setting writecookies to false disables the lifetime setting.

  •  06-24-2008, 3:36 AM 4019 in reply to 3838

    Re: ADFS and timeouts

    Claims appear to have a "grace period" of 5 minutes. Looks like (reflector) this is hardcoded in the singlesignon dll. The claim is valid until 5 minutes after the <saml:Conditions NotBefore="x" NotOnOrAfter="y"> timeframe. I can not find any reference to a grace period in the ADFS docs. Anybody else seen something?

    I could not discover the grace period for a token. There is a grace period, but it appears to be sliding.

    Does anybody have more info on the grace periods?  Would be very nice!

    Thanks in advance,

    Mtop

  •  06-24-2008, 10:34 AM 4021 in reply to 4019

    Re: ADFS and timeouts

    I don't know if this is documented anywhere and I'm not sure I have a complete picture on what the behavior is, but your analysis sounds right.  I think they are just using this as a caching mechanism to boost performance of the server so they don't have to retrieve claims for users too often.

    What I'm not sure about is if you have a logon accelerator token, whether the server just takes the claims out of the token or whether it looks them up again and generates a new token.  I think it may be the former, but Jim might be a resource here.  I can look at the code in reflector as well, but it is sometimes hard to follow all the details.  :) 

  •  06-25-2008, 4:03 AM 4028 in reply to 4021

    Re: ADFS and timeouts

    Hello Joe,

    I don't think caching has anything to do with the timeouts. I disabled caching everywhere and the timeout for claims is still "app timeout" + 5 minutes. There is no request to the resource server (checked with Fiddler), the websso dll makes the decision that the claim is valid 5 minutes beyond the "notbefore/after" timeframe. Looks like the claim does not behave correctly according to the SAML specs from OASIS. The spec says that the claim is valid only at the time between "notbefore" and "notafter". The actual behaviour is that the claim is valid during the timeframe notbefore through notafter + 5 minutes. I have attached the reflector code to check if a claim is valid below. The timespan part indicates there is a 5 minute grace period.

    internal bool IsValidAtTime(DateTime validationTime)
    {
        DebugWrite("effectivetime = {0}{2}expirationtime = {1}", new object[] { this.m_effectiveTime, this.m_expirationTime, Environment.NewLine });
        if ((this.m_effectiveTime == DateTime.MinValue) || (this.m_expirationTime == DateTime.MinValue))
        {
            DebugWrite("IsValidAtTime: First condition failed", new object[0]);
            return false;
        }
        // Fixed 5 minute allowance applied on both ends of the validity window
        TimeSpan span = TimeSpan.FromMinutes(5.0);
        return ((this.m_effectiveTime <= (validationTime + span)) && ((validationTime - span) < this.m_expirationTime));
    }

  •  06-26-2008, 9:37 AM 4051 in reply to 4028

    Re: ADFS and timeouts

    I think the 5 minutes might be a "clock skew" fudge factor that ADFS uses.  I know it allows for 5 minutes of drift in server clocks for verification of tokens and such, so this might be the same "policy" being applied.  I'm not sure though.

  •  06-27-2008, 5:37 AM 4060 in reply to 4051

    Re: ADFS and timeouts

    Joe - you are correct about the 5 minute fudge factor
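The decompiled IsValidAtTime check and the clock-skew explanation above, worked through as an added example (written in Python for this page, not ADFS or websso code): it parses a constructed saml:Conditions element and compares strict SAML validity against validity with a 5 minute skew allowance, showing that the accepted window is the assertion lifetime plus 5 minutes on each end.

```python
"""Added example (not ADFS code): how a fixed clock-skew allowance widens a
SAML assertion's validity window, mirroring the IsValidAtTime logic quoted
in this thread."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SKEW = timedelta(minutes=5)  # the hardcoded 5 minute grace period discussed above

# Constructed sample: an assertion valid for 10 minutes (not a real token).
SAMPLE_CONDITIONS = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'NotBefore="2008-06-25T09:00:00Z" NotOnOrAfter="2008-06-25T09:10:00Z"/>'
)


def sample_time(hour, minute):
    """Helper: a UTC instant on the sample assertion's date."""
    return datetime(2008, 6, 25, hour, minute, tzinfo=timezone.utc)


def parse_conditions(xml_text):
    """Return (NotBefore, NotOnOrAfter) as timezone-aware UTC datetimes."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}Conditions" % SAML_NS:
        raise ValueError("not a saml:Conditions element")

    def ts(attr):
        raw = el.attrib[attr]  # KeyError if the attribute is missing
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    return ts("NotBefore"), ts("NotOnOrAfter")


def valid_strict(not_before, not_on_or_after, now):
    """Validity as the SAML spec states it: NotBefore <= now < NotOnOrAfter."""
    return not_before <= now < not_on_or_after


def valid_with_skew(not_before, not_on_or_after, now, skew=SKEW):
    """Validity with skew on both ends, like the quoted IsValidAtTime:
    effective <= now + skew  and  now - skew < expiration."""
    return not_before <= now + skew and now - skew < not_on_or_after


def effective_window_minutes(not_before, not_on_or_after, skew=SKEW):
    """Length in minutes of the window actually accepted once skew applies."""
    return int(((not_on_or_after + skew) - (not_before - skew)).total_seconds() // 60)
```

For session-timeout planning, the number that matters is effective_window_minutes, not the lifetime written into the assertion.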