Wednesday, 29 April 2015

Security Token Lifetime

People who are just beginning to develop a custom Security Token Service (STS) often have problems with the Security Token lifetime. I have in mind the following questions:

  1. How long is a Security Token valid?
  2. How can I set up the lifetime of an issued Security Token?
A SAML Security Token carries its own lifetime information. It is stored in two attributes of the Conditions element:

 <saml:Conditions
      NotBefore="2006-07-17T20:31:41"
      NotOnOrAfter="2006-07-18T20:21:41">
 </saml:Conditions>

1. The lifetime of a Security Token is determined by the attributes in the example above, but if you try to use a token that has just expired with an RP you may be confused: the RP accepts it without complaint. This happens because a second parameter affects the effective lifetime of the token: MaxClockSkew, the maximum allowable time difference between the system clocks of the two communicating parties. When the RP's token handler validates the Conditions element it tolerates that difference in both directions, so the token is accepted from NotBefore minus MaxClockSkew until NotOnOrAfter plus MaxClockSkew. A token that expired three minutes ago is therefore still valid to an RP running with the default skew; one that expired six minutes ago is rejected.
Thus the effective lifetime of the token is determined by two parameters:
  • The lifetime information stored in the token
  • The MaxClockSkew parameter of the party validating the token (for an issued token, the RP)
The default token lifetime provided by WIF is 1 hour.
The default value of MaxClockSkew is 5 minutes.
Note that the timestamps in a SAML token are UTC; in a real token the values shown above would carry a trailing Z, and an STS that writes local time into them will issue tokens that are rejected, or accepted too early, by any RP in another time zone.
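The following is an added example, not code from the original post or from WIF itself. It parses the Conditions element shown above (with UTC markers added) and applies the same acceptance rule a relying party's token handler uses: reject only if the token is not yet valid even after adding MaxClockSkew, or already expired even after subtracting it. That the rule exactly mirrors WIF's internal check is an assumption; the input document and the instants tested are constructed.

```csharp
using System;
using System.Globalization;
using System.Xml.Linq;

// Added example (not WIF code): evaluates a <saml:Conditions> window the way a
// relying party's token handler does, i.e. with MaxClockSkew tolerated on both ends.
public static class TokenLifetimeCheck
{
    // Constructed input: the Conditions element from the post, with UTC markers added.
    public const string ConditionsXml =
        "<saml:Conditions xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"" +
        " NotBefore=\"2006-07-17T20:31:41Z\" NotOnOrAfter=\"2006-07-18T20:21:41Z\" />";

    // Reads NotBefore and NotOnOrAfter from a Conditions element as UTC instants.
    public static (DateTime NotBefore, DateTime NotOnOrAfter) ParseConditions(string xml)
    {
        XElement conditions = XElement.Parse(xml);
        return (ParseUtc((string)conditions.Attribute("NotBefore")),
                ParseUtc((string)conditions.Attribute("NotOnOrAfter")));
    }

    static DateTime ParseUtc(string value) =>
        DateTime.Parse(value, CultureInfo.InvariantCulture,
                       DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);

    // Assumption: this mirrors the rule WIF's SAML handlers apply. The token is
    // rejected only if it is not yet valid even after adding the skew, or already
    // expired even after subtracting the skew. NotOnOrAfter itself is exclusive.
    public static bool IsAcceptedAt(DateTime nowUtc, DateTime notBefore,
                                    DateTime notOnOrAfter, TimeSpan maxClockSkew)
    {
        if (nowUtc + maxClockSkew < notBefore) return false;    // too early
        if (nowUtc - maxClockSkew >= notOnOrAfter) return false; // expired
        return true;
    }

    public static void Main()
    {
        var (notBefore, notOnOrAfter) = ParseConditions(ConditionsXml);
        TimeSpan wifDefaultSkew = TimeSpan.FromMinutes(5);
        TimeSpan tightenedSkew = TimeSpan.FromMinutes(2);

        // Instants chosen relative to NotOnOrAfter, i.e. after the token's own expiry.
        DateTime threeMinutesLate = notOnOrAfter.AddMinutes(3);
        DateTime sixMinutesLate = notOnOrAfter.AddMinutes(6);

        Console.WriteLine("3 min late, skew 5 min: " +
            IsAcceptedAt(threeMinutesLate, notBefore, notOnOrAfter, wifDefaultSkew));
        Console.WriteLine("3 min late, skew 2 min: " +
            IsAcceptedAt(threeMinutesLate, notBefore, notOnOrAfter, tightenedSkew));
        Console.WriteLine("6 min late, skew 5 min: " +
            IsAcceptedAt(sixMinutesLate, notBefore, notOnOrAfter, wifDefaultSkew));
    }
}
```

The first call is accepted, the other two are rejected: the token expired by three minutes passes only because the default five-minute skew extends the window, and tightening MaxClockSkew to two minutes on the RP is enough to refuse it. Reducing the skew is a choice the RP makes, so an STS that wants short-lived tokens must also check what skew its RPs run with.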

2. You can configure the Security Token lifetime in three places:
  1. the DefaultTokenLifetime property of the SecurityTokenServiceConfiguration class
  2. the MaxClockSkew property, on the configuration of the party that validates the token
  3. the GetTokenLifetime method of your custom SecurityTokenService
I usually create a class derived from SecurityTokenServiceConfiguration and set the DefaultTokenLifetime and MaxClockSkew properties there.

You can also override the GetTokenLifetime method of your SecurityTokenService to adjust the token lifetime per request, for example according to the input claims that are generated automatically from the user's credentials. The base implementation issues DefaultTokenLifetime unless the request asks for a different lifetime, so an override should usually start from the base result and only shorten it.
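As an added example that is not part of the original post, here is a configuration class of the kind described above together with an STS that overrides GetTokenLifetime, written against the .NET 4.5 System.IdentityModel API. The issuer name, the signing certificate parameter, the role name "Administrators", the chosen lifetimes and the trust placed in the AppliesTo address are all assumptions for illustration.

```csharp
using System;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Added example (not the post's code): a derived SecurityTokenServiceConfiguration
// that fixes DefaultTokenLifetime and MaxClockSkew in code. Issuer name and the
// chosen lifetimes are assumptions.
public class ShortLivedStsConfiguration : SecurityTokenServiceConfiguration
{
    public ShortLivedStsConfiguration(X509Certificate2 signingCertificate)
        : base("https://sts.example.test/", new X509SigningCredentials(signingCertificate))
    {
        DefaultTokenLifetime = TimeSpan.FromMinutes(15); // WIF default is 1 hour
        MaximumTokenLifetime = TimeSpan.FromHours(1);    // cap for lifetimes requested in the RST
        // Governs validation the STS itself performs on tokens it receives; an RP
        // applies its own MaxClockSkew when it validates the tokens this STS issues.
        MaxClockSkew = TimeSpan.FromMinutes(2);          // WIF default is 5 minutes
        SecurityTokenService = typeof(ShortLivedSts);
    }
}

public class ShortLivedSts : SecurityTokenService
{
    public ShortLivedSts(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required");

        // Assumption: the RP address is trusted as given; a production STS would
        // check it against a list of registered relying parties.
        var scope = new Scope(request.AppliesTo.Uri.OriginalString,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = scope.AppliesToAddress;
        scope.TokenEncryptionRequired = false; // assumption: TLS protects the token in transit
        return scope;
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
                                                              RequestSecurityToken request,
                                                              Scope scope)
    {
        // Copy the name and roles established by the caller's credentials into the token.
        var identity = new ClaimsIdentity("Federation");
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        foreach (Claim role in principal.FindAll(ClaimTypes.Role))
            identity.AddClaim(new Claim(ClaimTypes.Role, role.Value));
        return identity;
    }

    // Lifetime chosen per request: start from the base behaviour (DefaultTokenLifetime,
    // or the lifetime requested in the RST subject to MaximumTokenLifetime), then
    // shorten it for privileged callers. "Administrators" is an assumed role name.
    protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
    {
        Lifetime lifetime = base.GetTokenLifetime(requestLifetime);

        if (Principal != null && Principal.IsInRole("Administrators"))
        {
            DateTime created = lifetime.Created ?? DateTime.UtcNow;
            lifetime = new Lifetime(created, created.AddMinutes(5));
        }
        return lifetime;
    }
}
```

Principal is the authenticated caller that WIF sets before it runs the issuance pipeline, so the override can inspect the same claims that GetOutputClaimsIdentity copies into the token. Keep the override shortening rather than extending: a requested lifetime longer than MaximumTokenLifetime is already refused by the base implementation, and an override that returns a longer window silently undoes that cap.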