Timeout settings on ADFS

HK G 516 Reputation points
2021-10-26T03:11:05.097+00:00

I am trying to figure out the timeout behavior on ADFS (2016). We have the default ssolifetime (8 hours) and tokenlifetime (1 hr). I understand that the ssolifetime is the refresh token while the tokenlifetime is the access token. Can someone clarify when a user will need to re-authenticate with the above settings? Is it 8 hours? Or does the ssolifetime get reset automatically when it expires and renew automatically until the persistent SSOlife (default of 90 days) value is reached?

Thanks


Answer accepted by question author
  1. Vipul Sparsh 16,336 Reputation points Microsoft Employee Moderator
    2021-10-26T11:24:07.017+00:00

    @HK G Thanks for reaching out.

    Yes, for 2016, if the device is registered, the SSO can get reset for up to 90 days with a 14-day window.
    This is also documented here in detail: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online


1 additional answer

  1. HK G 516 Reputation points
    2021-10-26T15:17:34.12+00:00

    Thanks, our ADFS is not set up with device registration and KMSI is not enabled. Does that mean users will need to reauthenticate after 8 hours by default unless the application also assigns a timeout value for the session?
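
The settings named in this thread can be read directly from the farm. The PowerShell below is an added example, not part of the original posts: it reports which SSO lifetime applies in each sign-in scenario covered by the linked Microsoft documentation, plus the access token lifetime per relying party. The function name `Get-AdfsSsoTimeoutReport` is hypothetical, and the script assumes the ADFS module on an AD FS 2016 server.

```powershell
# Added example (read-only). Run in an elevated session on an AD FS 2016 server.
Import-Module ADFS

function Get-AdfsSsoTimeoutReport {   # hypothetical helper name
    $p = Get-AdfsProperties

    # One row per sign-in scenario; lifetimes are stored in minutes.
    $scenarios = @(
        [pscustomobject]@{
            Scenario = 'Unregistered device, KMSI not used'
            InEffect = $true
            Minutes  = $p.SsoLifetime                  # default 480 (8 hours)
        }
        [pscustomobject]@{
            Scenario = 'Unregistered device, user selects "Keep me signed in"'
            InEffect = [bool]$p.KmsiEnabled
            Minutes  = $p.KmsiLifetimeMins
        }
        [pscustomobject]@{
            Scenario = "Registered device (used at least every $($p.DeviceUsageWindowInDays) days)"
            InEffect = [bool]$p.PersistentSsoEnabled
            Minutes  = $p.PersistentSsoLifetimeMins    # default 129600 (90 days)
        }
    ) | Select-Object Scenario, InEffect, Minutes,
        @{ n = 'Hours'; e = { [math]::Round($_.Minutes / 60, 1) } }

    # Access token lifetime is set per relying party; 0 means the 60-minute default.
    $relyingParties = Get-AdfsRelyingPartyTrust | Select-Object Name,
        @{ n = 'TokenLifetimeMins'; e = { if ($_.TokenLifetime -eq 0) { 60 } else { $_.TokenLifetime } } },
        AlwaysRequireAuthentication   # True forces fresh credentials regardless of SSO

    [pscustomobject]@{
        Scenarios               = $scenarios
        # Persistent SSO cookies issued before this time are rejected.
        PersistentSsoCutoffTime = $p.PersistentSsoCutoffTime
        RelyingParties          = $relyingParties
    }
}

$report = Get-AdfsSsoTimeoutReport
$report.Scenarios      | Format-Table -AutoSize
$report.RelyingParties | Sort-Object TokenLifetimeMins | Format-Table -AutoSize
"Persistent SSO cutoff: $($report.PersistentSsoCutoffTime)"
```

Rows with `InEffect` set to False describe a scenario that is switched off on the farm, so only the remaining rows determine when users are prompted again.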

