Updating BootStrapContext with a new SessionSecurityToken when using Sliding Sessions in WIF with SAM and Thinktecture IdentityModel
When using Sliding Sessions in WIF with Session Authentication Module (SAM) and Thinktecture IdentityModel as described in the brockallen blog , the Session Security Token that is issued and written to the cookie is "valid" to expand as needed and the cookie is set accordingly way.
But, BootStrapToken serialized for current claims Identity remains old, with a potentially expired token. This causes problems when trying to use the load context token for a variety of reasons (among them may be the Implementation of the Bad Delegation ).
What is the best way to update bootstrap token with new issued token?
source to share
If you are using Microsoft Active Directory Federation Services (AD FS), then you can configure / increase the token timeout using the AD FS token longer, which will extend the lifetime of the WIF bootstrap token.
For example, we had a problem where we were getting new session tokens, but we still had timeouts before the SSF timeout on the network. One developer discovered that there is a setting to extend the lifetime of relying party tokens, which correlates with the Windows Identity Foundation (WIF) bootstrap token.
Setting below:
Set-ADFSRelyingPartyTrust -TargetName YourTargetName -TokenLifetime 480
After we set the relying party token timeout the same as the web SSO token timeout, it worked.
Note. You can check the current timeout of the current queue marker with the following command:
Get-ADFSRelyingPartyTrust -Name YourTargetName
Note. You can check the Web SSO token timeout by opening the AD FS management tool, clicking AD FS in the left navigation pane, then clicking Edit Federation Service Properties ... in the Actions pane in the right pane.
source to share