Question

I'm developing a web application using ASP.NET MVC + WCF secured by WIF. I'm using an active STS. I have a problem with the situation where the BootstrapToken has expired but the SessionSecurityToken is still valid because of sliding expiration. I got an exception:

ID3242: The security token could not be authenticated or authorized.

  1. Can I extend the bootstrap token expiration time?
  2. Is it valid behavior of the SAM that it doesn't check whether the bootstrap token inside the cookie has expired? What is the best place to check that - in the same event where I slide the session expiration?

Solution

The SAM does not include the bootstrap token in the session cookie. Once the SAM validates it and establishes a session, the bootstrap token is actually discarded by default. So to answer your questions:

  1. Only the identity provider that signed the bootstrap token has control over the token's lifetime. The SAM cannot change this.

  2. The SAM only validates the bootstrap expiration time during authentication. Once it's done this and a session is established, the SAM no longer needs the bootstrap token.

OTHER TIPS

Below is a copy of my answer from this post.

If you're using Microsoft's Active Directory Federation Services (AD FS), then you can adjust/increase the timeout of the AD FS relying party token to be longer, which will extend the lifetime of the bootstrap token.

For example, we had an issue where we were getting new session tokens, but we still had timeouts before the AD FS Web SSO timeout. One of the developers discovered that there is a setting to extend the relying party token's lifetime, which correlates to the bootstrap token in Windows Identity Foundation (WIF).

The setting is below:

Set-ADFSRelyingPartyTrust -TargetName YourTargetName -TokenLifetime 480

After we set the relying party token's timeout to be the same as the Web SSO token timeout, then it worked.

Note: You can check the current relying party token's timeout with the following command:

Get-ADFSRelyingPartyTrust -Name YourTargetName

Note II: You can check the Web SSO token's timeout by opening the AD FS Management tool, clicking "AD FS" in the left navigation pane, then clicking "Edit Federation Service Properties..." in the Actions pane on the right.
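The lifetime comparison described in this answer, as an added PowerShell example that is not part of the original post. It assumes the AD FS module is loaded on the federation server, that the relying party trust is named "YourTargetName" (a placeholder), and that Get-AdfsProperties exposes SsoLifetime (AD FS on Windows Server 2012 R2 or later; older versions only show it in the management console, as Note II describes).

```powershell
# Added example, not code from the original answers.
# Reports the relying party token lifetime (which WIF sees as the bootstrap token
# lifetime) next to the Web SSO lifetime, and with -Fix aligns the two as the
# answer above did. Without -Fix nothing is changed.
param(
    [string]$RelyingPartyName = "YourTargetName",   # placeholder: your relying party trust name
    [switch]$Fix
)

$rp    = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
$props = Get-AdfsProperties                          # assumption: SsoLifetime present (AD FS 3.0+)
$ssoMinutes = [int]$props.SsoLifetime                # Web SSO lifetime, in minutes

# TokenLifetime is in minutes; 0 means "use the service default" (assumed to be 60 minutes here).
$rpMinutes = if ($rp.TokenLifetime -eq 0) { 60 } else { [int]$rp.TokenLifetime }

Write-Host ("Relying party '{0}' token lifetime: {1} min" -f $RelyingPartyName, $rpMinutes)
Write-Host ("Web SSO lifetime:                  {0} min" -f $ssoMinutes)

if ($rpMinutes -lt $ssoMinutes) {
    # This is the mismatch the question describes: sliding expiration keeps the WIF session
    # alive while the bootstrap token issued by AD FS has already expired.
    Write-Warning "Bootstrap token lifetime is shorter than the Web SSO lifetime."
    if ($Fix) {
        Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -TokenLifetime $ssoMinutes
        Write-Host "TokenLifetime for '$RelyingPartyName' set to $ssoMinutes minutes."
    }
}
else {
    Write-Host "Token lifetime already covers the Web SSO lifetime; nothing to change."
}
```

Run it first without -Fix to see the current values, then with -Fix once you have confirmed the relying party name.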

Licensed under: CC-BY-SA with attribution