ADFS TokenLifeTime Maximum?

Question

I am using ADFS 2.0 for authentication for my mvc 3.0 web app. I set my TokenLifeTime on my relying party to 1440 (24 hours), but when I step through my code after I log in I can see that the ValidTo date of the session token is only 600 mins (10 hours) from now. If I change TokenLifeTime to be less than 600 the datetime matches what I expect when I log in. i.e. if I set TokenLifeTime to 5, the ValidTo date on my session token is 5 mins from when I logged in.

I haven't found any reference to a maximum number for this value, but I also haven't been able to account for why I can't increase the ValidTo time on my session token to longer than 600 mins.

So...

Is 600 the maximum value for TokenLifeTime?

Is there anything else that affects the ValidTo time on the session tokens issued by ADFS?

Answer 1

I've been looking at this and I think I've come up with a working solution - I've not used it in anger yet so I can't be sure that it doesn't contain any issues!

Essentially it intercepts the token after it has been created but before anything has started using it. Then replaces it with a token that contains all the underlying detail of the original but with a much longer validTo date, as decided by the value of validForDays

void WSFederationAuthenticationModule_SessionSecurityTokenCreated(object sender, SessionSecurityTokenCreatedEventArgs e)
{
    var currentToken = e.SessionToken;
    var validForDays = 1;

    e.SessionToken = new SessionSecurityToken(
        currentToken.ClaimsPrincipal,
        currentToken.Context,
        currentToken.EndpointId,
        DateTime.UtcNow,
        DateTime.UtcNow.AddDays(validForDays));

    e.SessionToken.IsPersistent = true;
}

This lives in Global.asax.cs