Windows 2012 R2 ADFS Token Life Times

compdigit44 asked:

We are currently using Windows 2012 R2 ADFS servers set up in a farm and federated with Office 365, supporting 10K users. We are also piloting a third-party MFA product, and the following question has been asked: we need to find out how to define a policy where, if the session lifetime after initial logon is set to a specific amount of time, say 8 hours, the authenticating end user will not be prompted for 2-factor authentication until the session expires. The relying party trust (the application subject to 2FA under ADFS) is Office 365.

From my understanding, the session lifetime is a global setting, correct? Also, the only other way to change ADFS token lifetimes is using the new preview feature in Azure which allows you to do so. Is this correct?
Vasil Michev (MVP) replied:

If you are authenticating against O365, the lifetime of the Azure AD token is the most important one. By default they are set to relaxed values, so users should not see too many prompts:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-configurable-token-lifetimes/
compdigit44 (asker):

But do ADFS tokens come into play here?
Vasil Michev (MVP) replied:

Not as often as you would expect, and that's a good thing. AAD will issue an access and refresh token upon successful authentication (with AD FS included), and as long as the refresh token is valid, it will *never* talk to the AD FS. This is the behavior you should be aiming for, if you want to minimize the number of credential prompts the users see. Only after the AAD refresh token has expired will users be redirected to the AD FS server.
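As an added example (not part of Vasil's reply or of the original thread), this is what the Azure AD side of that answer looks like in practice: a TokenLifetimePolicy created with the AzureADPreview module, which is the preview feature the linked article documents. The policy display name and the 10-hour inactivity value are assumptions chosen to match the requirement in the thread; everything else is the documented cmdlet and JSON shape.

```powershell
# Added example, not code from the thread. Requires the AzureADPreview module
# (Install-Module AzureADPreview) and a Global Administrator sign-in.
Import-Module AzureADPreview
Connect-AzureAD

# Policy definition. Timespans use the .NET format d.hh:mm:ss, so "10:00:00" is 10 hours.
# AccessTokenLifetime : how long an issued access token is valid (default 1 hour)
# MaxInactiveTime     : how long a refresh token survives without being used
# MaxAge*Factor       : absolute refresh-token age before a full re-auth; "until-disabled"
#                       keeps it valid until revoked or inactive for MaxInactiveTime
$definition = @'
{"TokenLifetimePolicy":{
  "Version":1,
  "AccessTokenLifetime":"01:00:00",
  "MaxInactiveTime":"10:00:00",
  "MaxAgeSingleFactor":"until-disabled",
  "MaxAgeMultiFactor":"until-disabled"}}
'@

# -IsOrganizationDefault applies the policy tenant-wide instead of to one service principal.
# "O365TenHourSession" is an assumed display name.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'O365TenHourSession' `
    -IsOrganizationDefault $true `
    -Type 'TokenLifetimePolicy'

# Read the policy back to confirm what the tenant now enforces.
Get-AzureADPolicy -Id $policy.Id |
    Select-Object DisplayName, Type, IsOrganizationDefault, Definition |
    Format-List
```

Two practitioner caveats. First, this policy governs the Azure AD tokens only; AD FS is not consulted until Azure AD rejects the refresh token, which is exactly the behaviour Vasil describes. Second, Microsoft has since retired the refresh-token properties of this policy (MaxInactiveTime, MaxAgeSingleFactor, MaxAgeMultiFactor); on a current tenant only AccessTokenLifetime is honored, and the "how often must the user re-authenticate" question is answered by the Conditional Access sign-in frequency control instead.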
compdigit44 (asker):

After talking with our PM for this project, they ("upper management") want it set so that when a user accesses the Office 365 portal, they enter their user name, password and 2FA code, but will not have to re-enter their 2FA passcode or password in Office 365 on the same workstation for up to 10 hours. In ADFS, persistence is already enabled and set to 10080 minutes.

Global setting SSO lifetime = 480
Relying Party Trust = 0 (default), 60 minutes I believe

Thoughts??
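An added example (not from the thread) that checks the three values listed above against the farm and then applies the 10-hour requirement, using the AD FS PowerShell module on a Windows Server 2012 R2 AD FS server. The relying party trust name is the default one the Office 365 federation setup creates and is an assumption; confirm it with `Get-AdfsRelyingPartyTrust | Select-Object Name` before running the `Set-*` lines.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session on an
# AD FS 2012 R2 server; Set-AdfsProperties / Set-AdfsRelyingPartyTrust write to the farm
# configuration database, so the change applies to every node in the farm.
Import-Module ADFS

# Assumption: the default display name created when federating with Office 365.
$rpName = 'Microsoft Office 365 Identity Platform'

function Get-AdfsLifetimeReport {
    param([Parameter(Mandatory)][string]$RelyingPartyName)

    $props = Get-AdfsProperties
    $rp    = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found" }

    # TokenLifetime = 0 on a relying party trust means "use the default", which is 60 minutes.
    $effectiveRpTokenMins = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }

    [pscustomobject]@{
        RelyingParty              = $rp.Name
        RpTokenLifetimeMins       = $effectiveRpTokenMins        # token AD FS issues to Azure AD
        SsoLifetimeMins           = $props.SsoLifetime           # farm-wide web SSO cookie lifetime
        PersistentSsoEnabled      = $props.EnablePersistentSso
        PersistentSsoLifetimeMins = $props.PersistentSsoLifetimeMins
        KmsiEnabled               = $props.EnableKmsi            # "Keep me signed in" checkbox
        KmsiLifetimeMins          = $props.KmsiLifetimeMins
    }
}

# Before: with the values from the thread this shows SsoLifetimeMins 480,
# PersistentSsoLifetimeMins 10080 and RpTokenLifetimeMins 60.
Get-AdfsLifetimeReport -RelyingPartyName $rpName | Format-List

# The SSO lifetime is a global (farm-wide) setting, so the 10-hour requirement is met here,
# not on the relying party trust. 600 minutes = 10 hours.
Set-AdfsProperties -SsoLifetime 600

# Optional: lengthen the token issued to the Office 365 trust to match. This only changes
# the SAML/WS-Federation token AD FS hands to Azure AD; once Azure AD has issued its own
# refresh token, AD FS is not contacted again until that refresh token expires.
Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime 600

# After: confirm the new values were committed to the configuration database.
Get-AdfsLifetimeReport -RelyingPartyName $rpName | Format-List
```

The report separates the two lifetimes that the thread conflates: `SsoLifetime` is the lifetime of the AD FS web SSO cookie in the user's browser, which is what decides whether the user (and the MFA step recorded in that session) is re-prompted, and it is indeed global; `TokenLifetime` on the relying party trust is the validity of the one token AD FS issues to Office 365 at sign-in and has little effect on prompt frequency, because Azure AD then works from its own access and refresh tokens. The SSO cookie is per browser session, so "same workstation" in the requirement really means "same browser profile".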
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
